Employer found to be vicariously liable for employee’s data breach

In the case of Various Claimants v  Morrison Supermarkets, the High Court has held that an employer was vicariously liable (a situation where someone is held responsible for the actions or omissions of another person) for the actions of an employee who disclosed, on the internet, the personal information of around 100,000 colleagues. Although this was done from the employee’s personal computer and took place outside working hours, there was a sufficient connection between the employee’s employment and the wrongful conduct to hold the employer liable.

S, who was employed by Morrison’s, was involved in assisting the external auditors by providing payroll data. In 2013, disciplinary proceedings were brought against him for an unrelated incident, which resulted in a warning. He was aggrieved by this disciplinary and resolved to do damage to Morrison’s. He downloaded the payroll data to a USB stick and then posted a file containing the personal details of around 100,000 employees on a file-sharing website. S was later convicted for this offence.

A group of 5,518 Morrison’s employees then sought to claim compensation from Morrison’s for breach of statutory duty under the Data Protection Act (DPA), as well as for misuse of private information and breach of confidence.

The judge found that there was no liability on Morrison’s under the DPA as it was not the data controller when S disclosed the information on the internet. The judge also rejected the argument that Morrison’s should have had a system in place to detect the fact that S had searched on the internet, using his work computer, for software that disguises a computer’s identity. Such monitoring would have been difficult to justify since it could amount to an unlawful interference with employees’ rights to privacy and family life.

However, the judge went on to hold that Morrison’s was vicariously liable for S’s conduct. The test was whether S’s actions were carried out in the course of his employment. In the judge’s view, S’s disclosure on the internet of the payroll data was not disconnected by time, place and nature from his employment. The judge took into account the fact that Morrison’s had deliberately entrusted S with the payroll data. Also, S was appointed on the basis that he would receive confidential information and that Morrison’s took the risk that it might be wrong in placing its trust in him. The judge pointed out that part of S’s role was to receive and store payroll data and to disclose it to a third party (the external auditor). The fact that he chose to disclose it to others who were not authorised was nonetheless closely related to his role at Morrison’s. When S received the data he was acting as an employee and the chain of events was unbroken from then until disclosure. Even though the disclosures were made later from his home, outside working hours and through his personal computer, this did not break the connection with S’s employment.

In conclusion, the judge held that there was a sufficient connection between the position in which S was employed and his wrongful conduct to make it right for Morrison’s to be held liable.

Do you need advice on employment law? We are experts in this area of the law and members of the Employment Lawyers Association (ELA). Call our Highcliffe office 01425 275555 for your FREE initial consultation.


You might also like: