Case 1: Directors Can Be Personally Liable For Dismissing Whistleblowers
In Timis and another v Osipov  EWCA Civ 2321 the Court of Appeal (CoA) upheld a decision that individual co-workers, in this case two non-executive directors (NEDs), can be personally liable for being a party to the decision to dismiss an employee who has made a protected disclosure. Further, the claimant employee can recover losses from that co-worker flowing from the dismissal. This decision clarifies the law relating to co-worker liability under the whistleblowing legislation, and confirms that this protection is as effective as the scheme of protection for victims of other kinds of discrimination. The decision reinforces the need for employers in the UK to ensure that whistleblowing is treated with care and in line with good practice and internal procedures, and should consider training for senior managers and directors.
In the UK, workers (an intermediate category of individual between and employee and a selfemployed consultant) are protected under Part V of the Employment Rights Act 1996 (ERA) from being subjected to detriment by their employer and individual co-workers, where such detriment results from making a protected disclosure (whistleblowing). Where the detriment is occasioned by a co-worker, the whistleblower worker can also claim against the employer on the ground that it is vicariously liable for the acts of the co-worker. However, Part V also states that a detriment claim is not permitted if the whistleblower is an employee and the detriment ‘amounts to a dismissal,’ as employees have an automatic claim for unfair dismissal (under Part X of the ERA) if they are dismissed for the principal reason of making a protected disclosure. The main differences between protections under Part V and Part X are that:
1. Part V (regarding detriment) allows claims for damages for injury to feelings, whereas Part X (regarding dismissal) does not; and
2. Part V requires the protected disclosure to be a ‘material influence’ on a detriment, whereas Part X has a higher causation threshold such that the protected disclosure must be the ‘sole or principal’ reason for dismissal.
Mr. Osipov was employed by International Petroleum Limited (IP Limited) as CEO. During his tenure, he made four protected disclosures regarding governance and compliance with foreign law. Mr. Osipov alleged that he was then subjected to detriments by two NEDs, and was dismissed by one of the NEDs acting on the instructions of the other, shortly after the final protected disclosure was made. The Employment Tribunal (ET) found that Mr. Osipov had been unfairly dismissed by IP Limited on the basis that the protected disclosures he made were the principal reason for his dismissal. However, as IP Limited had become insolvent, Mr. Osipov had to show that the NEDs were personally liable in order to be awarded adequate compensation. The ET held that the two NEDs were jointly and severally liable with IP Limited to compensate Mr. Osipov for the losses he suffered as a result of his dismissal (with the exception of the basic award for unfair dismissal, which only IP Limited was required to pay), as they had subjected him to detriments on account of his protected disclosures. The Employment Appeal Tribunal dismissed an appeal by the two NEDs, in which they argued that their liability was restricted to detriments prior to dismissal, on the basis that the ERA implemented a framework for individual coworker liability ‘without restriction’ such that detriments amounting to dismissal are not excluded.
The CoA dismissed the NEDs’ appeal, holding that the exclusion of a detriment amounting to a dismissal under Part V applies only to a claim against the employer, and not to claims against individual coworkers. Mr. Osipov was therefore able to claim against the NEDs for subjecting him to the detriment of dismissal, in that the NEDs were party to the decision to dismiss him, and against IP Limited under a claim of vicarious liability. The CoA stated that to rule otherwise would lead to incoherent results, given that a co-worker would be liable where they subjected an employee to detriments short of dismissal but not in respect of the decision to dismiss itself, and disparities in treatment depending upon whether the claimant was a worker or an employee. Moreover, the CoA did not accept that the distinction between Part X of the ERA, dealing with dismissal, and Part V of the ERA, dealing with detriments other than dismissal, evidenced a statutory intention to regard dismissal and detriment as fundamentally differing concepts. In respect of compensation, the CoA held that the exclusion in Part V where the detriment ‘amounts to a dismissal’ does not preclude recovery of compensation for losses which flow from a dismissal caused by a prior act of whistleblowing detriment, subject to the usual rules regarding remoteness and quantification of loss.
The CoA’s judgment touches on a complex area of the law. However, the implications of the judgment are important. The award of compensation in this case was approximately £1,745,000, which the NEDs were individually liable for. The CoA’s judgment clarifies that individual coworkers, in addition to the employer, can be held personally liable for their actions towards whistleblowers, and be liable to compensate whistleblowers for losses flowing from dismissal. Employees who have been dismissed on account of making a protected disclosure may potentially bring both:
1. a claim against their employer for unfair dismissal, benefitting from the basic unfair dismissal award; and
2. a claim of vicarious liability against their employer, if the detriment of dismissal was caused by an individual co-worker allowing them to seek damages for injury to feelings.
The personal liability of individual co-workers provides whistleblowing employees with an additional route to pursue compensation in scenarios where the employer is insolvent, as was the case with IP Limited, and where the employer has limited funds, as may be the case for many fledgling businesses. Directors and executives are at risk of exposure, particularly if they are not insured against such claims.
It is being reported at the time of writing that there will be no further appeal in this case to the Supreme Court.
Practical Tips for Employers
Disciplinary proceedings or management decisions regarding an employee should be documented and conducted in accordance with relevant procedures, to ensure evidence can be produced that any alleged detrimental action is unrelated to any protected disclosures. This is because an employer may not be held liable where they are able to show that reasonable steps, such as ensuring awareness of the required treatment of an employee who has made a protected disclosure, have been taken to prevent detriment to a whistleblower. Employers should have a whistleblowing policy in place, along with appropriate training, to make employees aware of the consequences of victimizing a whistleblower on account of their disclosure
In addition, employers may wish to advise that their directors obtain directors’ liability insurance providing a sufficient level of cover to mitigate the potential exposure arising from this decision.
Case 2: Employer Vicariously Liable For Employee’s Deliberate Disclosure Of Personal Data
In Wm Morrison Supermarkets Plc v Various Claimants  EWCA Civ 2339 the CoA upheld a decision of the High Court that an employer could be vicariously liable for its employee’s unauthorized deliberate disclosure of employees’ personal data to third parties. This decision confirms that the potential for vicarious liability remains even where the employer otherwise complies with data protection laws, and where the employee’s motive for disclosure was to harm the interests of the employer. The CoA also highlighted that employers should use insurance to limit their exposure to the potential increase in claims that this well publicized decision may precipitate.
In the UK, the personal data of individuals is protected from disclosure under statute, common law and equity. The Morrisons case was decided under the Data Protection Act 1998 (DPA), which has subsequently been superseded by the General Data Protection Regulation (GDPR), and also concerned the equitable action for breach of confidence and the common law action in tort for wrongful disclosure of private information. Employers can be vicariously liable for the tortious actions of an employee where there is a sufficiently close connection between the tortious action and the employment for the imposition of liability on the employer to be just and reasonable.
Mr. Skelton, the employee responsible for the unauthorized data disclosure, was employed by Wm Morrison Supermarkets Plc (WMMS) as an internal IT auditor. He was aggrieved after receiving a verbal warning from his employer in relation to a disciplinary matter. Mr. Skelton then downloaded employee data that he was tasked with sending to KPMG for external auditing purposes onto his personal USB stick. The personal data included payroll data for a large number of WMMS’ employees. The employee posted the data onto a file-sharing website under the name of one of his colleagues, and was subsequently charged and convicted of fraud under the DPA. A group of 5,518 employees, whose personal data was disclosed in the data breach, brought actions against WMMS – for breach of statutory duty under the DPA, in equity for breach of confidence and under the common law for wrongful disclosure of private information – claiming that the company had both primary liability for its own acts and vicarious liability for the acts of the rogue employee.
The High Court found that WMMS did not bear primary liability in respect of the DPA, as its failure to adhere to the statutory data protection requirements did not cause or contribute to the employee’s unlawful disclosure, or in respect of the other grounds as the company did not directly misuse, or permit such misuse, of the claimants’ personal data. However, the High Court found that potential claims for vicarious liability were not excluded by the DPA. Given that the employee received the data in the course of his employment, and the fact that the unauthorized disclosure was, aside from disclosing to the public, similar to the task he had been asked to perform, there was a continuous sequence of events linking Mr. Skelton’s employment to the disclosure. This conclusion was not prevented by the fact that the disclosure was made on a non-working day from the employee’s home rather than the workplace. Moreover, it was irrelevant that the employee’s motive was to harm WMMS – even though the harm to WMMS would be increased by finding it was vicariously liable for the breach. For these reasons, WMMS was found to be vicariously liable.
WMMS appealed this decision on the grounds that:
1. the DPA excluded the possibility of vicarious liability under the common law and equitable regimes; and
2. even if this was not the case, the unauthorised disclosure did not occur during the course of Mr. Skelton’s employment.
The CoA did not accept the argument that vicarious liability was excluded by the DPA. In respect of the connection between the unauthorized disclosure and employment, the CoA agreed with the ruling of the High Court that there was sufficient connection on account of the continuous sequence of events from work matters to the unauthorized disclosure. Moreover, the CoA decided that vicarious liability could be found despite the fact that, by the CoA doing so, it was furthering the aim of the employee (to harm his employer). However, a decision that WMMS was not liable would leave those affected by the disclosure with a remedy against only the rogue employee (whose pockets will not be as deep as his employer). The risk of employers being subject to significant liability as a result of the decision could, in the CoA’s view, be mitigated by insurance against the unauthorized actions of employees.
Despite bringing clarity to the relationship between data protection law and vicarious liability, this decision – the first class action brought in respect of an unauthorized disclosure of data in the UK – has significant financial implications. Employers are exposed to potential claims of vicarious liability regardless of their compliance with their primary duties under data protection legislation and regardless of the motive of any rogue employee responsible for a data breach. The CoA acknowledged that the quantum of such claims could extend to ‘potentially ruinous amounts.
’ In addition to the increased liability, employers may suffer reputational damage and the consequent effect on share price. This was the case for WMMS, as the unauthorized disclosure occurred just before its announcement of financial results.
WMMS has indicated that it will seek to appeal to the Supreme Court.
Practical Tips for Employers
The decision of the CoA demonstrates that it is virtually impossible for most employers to completely avoid the risk of vicarious liability for data breaches caused by their employees.
The CoA suggested that the increased exposure to such claims could be mitigated by insurance, for example under a bespoke policy or public liability policy. This will be especially important given that damages calculated under the GDPR are likely to be much higher than those which may be awarded in the Morrisons case (which will be calculated under the DPA) due to the possibility of compensation for nonmaterial damage such as distress. The GDPR also increases the scope for class actions given the expansion in data subject rights, compounding the effect of increased public awareness of data protection rights.
Employers should consider amending any relevant insurance policies they hold to account for this increased exposure, or take out specific policies in light of this decision. However, the cyber insurance industry is still developing, and we query the extent to which employers will be able to procure full cover against such claims. Employers should also be cognizant of any exclusions or policy limits introduced by insurers to reduce exposure to claims by employers in respect of employee class actions. Of course, there is no effective insurance against the reputational harm a data breach can cause, and this underlines the need for employers to ensure that their organizational procedures regarding access to confidential information are of a high standard and are continually monitored. Employees should be given training to raise their awareness of the requirements of the GDPR and also to help them spot potentially suspicious activity by colleagues and third parties who have access to their employer’s data.