In a landmark judgment, the Supreme Court has provided an important clarification regarding the scope of an employer’s vicarious liability for acts by its employees. The decision has also corrected misunderstandings arising from the Court’s previous landmark decision in this area in Mohamud v. WM Morrison Supermarkets plc [2016] UKSC 11.


This case arose from criminal acts by a disgruntled employee, Andrew Skelton, a senior IT auditor. In order to carry out his role, Mr Skelton had ‘super user’ access privileges, allowing him to access Morrisons’ database of employee personal information, including all kinds of payroll data. In January 2014, motivated by a grudge against the company following minor disciplinary proceedings, Mr Skelton made an unauthorised copy of this data, uploaded the data onto a file-sharing website and later sent it to three newspapers under the guise of a concerned member of the public, using VPN IP-blocking software and untraceable mobile phones. The newspapers did not publish the data but instead alerted Morrisons, who took immediate action to remedy the situation and mitigate financial loss.

Subsequently, 9,263 of Morrisons’ current and former employees brought claims against the company. The basis of the claims was that (i) Morrisons was primarily liable for breach of statutory duty under the Data Protection Act 1998 (DPA), misuse of private information, and breach of confidence; and/or (ii) Morrisons was vicariously liable for Mr Skelton’s conduct (under the same three heads of claim).

The decisions at first instance and appeal

At first instance, Morrisons was held not to be primarily liable, and this issue was not taken up on appeal. However, Langstaff J found Morrisons was vicariously liable for the acts of Mr Skelton, given that (i) the DPA did not preclude vicarious liability in respect of the three heads of claim; and (ii) Mr Skelton’s conduct was committed during the course of his employment, in “a seamless and continuous sequence of events ... an unbroken chain” (adopting the wording from Mohamud). Mr Skelton’s actions had a sufficient connection between the position in which he was employed and his wrongful conduct, making it right for Morrisons to be held liable under the principle of social justice.

The Court of Appeal dismissed Morrisons’ subsequent appeal, finding that the tortious acts of Mr Skelton causing the data breach were “within the field of activities assigned to him by Morrisons”, and that the relevant facts constituted a “seamless and continuous sequence” or “unbroken chain” of events. The Court of Appeal also concluded that the ratio of Mohamud was that motive was irrelevant to these sorts of claims, meaning that although Mr Skelton’s motive in committing the wrongdoing was to harm his employer, it was ruled that such a motive was irrelevant to the question of Morrisons’ vicarious liability.

Supreme Court decision

The Supreme Court unanimously allowed the appeal, concluding that the lower courts had misunderstood the principles underlying vicarious liability in a number of relevant respects, and that Morrisons was not vicariously liable for the torts committed by Mr Skelton.

The Court stated that the relevant question (applying Dubai Aluminium [2003] 2 AC 366) was whether Mr Skelton’s tortious acts in causing the data breach were sufficiently closely connected to his employment by the company and his employment duties, that it would be fair and just to hold the company vicariously liable for the same. Ultimately, the Court concluded that the answer to this was no, given that:

  1. The disclosure of data on the internet (i.e., the tortious conduct) did not form part of Mr Skelton’s general job function or “field of activities”, meaning his actions were insufficiently closely connected with the tortious act, so they could not fairly and properly be described as being made by him whilst acting in the ordinary course of his employment.
  2. Vicarious liability could not be attributed simply because the employee’s role allowed him the “mere opportunity” to commit a wrongful act, or because the employee was “doing acts of the same kind as those which it was within his authority to do”. The fact his employment gave Mr Skelton the opportunity to commit the tortious acts did not justify the imposition of vicarious liability.
  3. While there was a close temporal link and an unbroken chain of causation between Mr Skelton’s access to data in the course of his employment, and his subsequent unlawful copying and disclosure of the data on the internet, “a temporal or causal connection does not in itself satisfy the close connection test”. The point of Mohamud was a focus on the “capacity” in which the employee was acting when the relevant events occurred. In Mohamud, the employee had been purporting to act in his employer’s interests – which was not the case with Mr Skelton, whose actions were malicious.
  4. Motive was not irrelevant – and to argue that it was, regardless of context, was a misreading of Mohamud. Rather, “whether he was acting on his employer’s business or for purely personal reasons was highly material”. Mr Skelton was “not acting on his employer’s business, but in pursuit of his own private ends” and “seeking vengeance for the disciplinary proceedings some months earlier”.

The Supreme Court went on to rule, however, that the imposition of a statutory liability upon a data controller was not inconsistent with the imposition of common law vicarious liability upon their employer. This means that, in theory, an employer could be vicariously liable for data breaches by employees, depending on the circumstances – leaving the door open to mass claims relating to data breaches resulting from employee misconduct.

Although this case was decided under the previous data protection regime, the DPA and the GDPR (and the Data Protection Act 2018, which implements the GDPR in the UK) are based on similar principles. Given the GDPR is even more prescriptive than the previous data protection regime, this may well place even higher governance standards on employers.

This judgment, while leaving the possibility of future mass claims open, represents an important clarification of the law on vicarious liability, and will act as reassurance for many employers (and their insurers). Although considerations of vicarious liability do require value judgments (including consideration of social justice principles), it is clear that employers will not be held accountable where an individual acts entirely beyond the remit of their employment, and where there is an insufficient connection between their actions and their duties as an employee.