The High Court has decided that an employer may be vicariously liable where an employee has disclosed the sensitive personal data of other employees online.
In the case of Various Claimants v Wm Morrisons Supermarkets plc, the High Court was deciding the liability of Morrisons following the criminal conviction of the employee who had committed the data breach.
The employee in question had been employed by Morrisons as a senior internal auditor and, as such, had come into possession of sensitive data relating to Morrisons’ many other employees during the course of his work.
As a result of a verbal warning (supported in writing) that had been issued to the employee following an incident in Morrisons’ post room that could have had a dire impact on the business, the employee had, over a period of time, gathered payroll information relating to 99,998 employees of Morrisons. He had transferred this information from an encrypted USB drive to an unencrypted USB drive, obtained a separate mobile phone to assist in publishing the data online and attempted to implicate another employee in the publication of this sensitive data. At the relevant time, the employee had published the data online at his home on a personal computer on a Sunday. The employee had then later notified several newspapers anonymously that these publications had been made in an attempt to avenge himself upon Morrisons for the verbal warning against him, which he felt was unjust.
The employee was sentenced to 8 years imprisonment in separate criminal proceedings associated with these facts.
Although the High Court agreed that Morrisons had not directly been involved in the unlawful publication of the sensitive employee data, there had been a “sufficient connection” between the employee’s employment and his wrongful conduct. This was enough to make Morrisons vicariously liable for the employee’s actions, as they had been performed in the course of the employee’s employment by Morrisons.
However, in reaching this conclusion, Langstaff J had additionally made the following findings:-
(1) There was an “unbroken thread” between the employee receiving the sensitive data relating to the other employees from Morrisons and his unlawful disclosure of that data. Despite the fact that there were deliberate gaps in time during the various stages of his unlawful disclosure of the data, during which the employee attempted to cast suspicion away from himself, “what happened was a seamless and continuous sequence of events”;
(2) The employee had been specifically tasked with dealing with the data by Morrisons; he wasn’t simply able to access the data because he was employed by Morrisons. In fact, Morrisons was held to have taken “the risk that they might be wrong in placing trust in him”;
(3) It was a specific part of the employee’s role that he was to receive the data, store it and disclose it to a third party. Even though Morrisons expected that the employee would only disclose that data to third parties of its choosing, the fact that it could be disclosed to third parties generally was “closely related” to the task that the employee was expected to perform;
(4) The employee was acting in his capacity as an employee when he received the data from Morrisons. It was therefore irrelevant “that the disclosures...were made from home, by use of his personal equipment, on a Sunday”;
(5) It was irrelevant that the employee did something that was wrong. The true question was whether his acts were closely connected with his employment;
(6) It was also irrelevant that the acts were not performed for the benefit of Morrisons (in fact, the breaches had been part of a “cold and calculating” act of revenge aimed at Morrisons), and
(7) It was relevant to consider “not so much at whom the conduct was aimed, but rather upon whose shoulders is it just for the loss to fall”.
However, Langstaff J granted Morrisons leave to appeal his decision to the Court of Appeal, but only in relation to the issue of its vicarious liability for the employee’s actions. Based on the arguments brought by the employer, he was concerned that, in finding the employer to be vicariously liable for the employee’s actions, he may have made the Court an accessory in furthering the “criminal aims” of the employee; namely in attempting to discredit and cause damage to Morrisons.
Although the right to appeal the decision in relation to vicarious liability does exist in this case, it is a subject of debate as to whether Morrisons will do so, especially given Langstaff J’s detailed findings.
Importantly, employers should note that vicarious liability applies to a range of areas where an employee either does an act or fails to perform an act during the course of his or her employment. Popular examples include acts or omissions that cause damage, loss or nuisance to third parties. In determining whether an employer should be held responsible for the acts or omissions of an employee, a court will look specifically at the facts of a case.
Employers understandably need to know who their employees are, both when entering into the employment relationship and afterwards. However, this is not an easy area for employers in an age of heightened awareness from employees about their rights, especially given that an employee who is subjected to rigorous scrutiny by an employer may be able to argue that this amounts to a breach of mutual trust and confidence, potentially giving rise to claims for breach of contract and constructive dismissal.
Ultimately, employers should do no more than they consider is necessary to ensure that their employees are performing their roles appropriately, without infringing upon the rights of those employees. This in itself is a very good reason for seeking legal advice before taking action!
This article is not a substitute for legal advice on specific facts and circumstances. It is designed as a free update on the law at the time of publishing. Knight Polson Limited trading as QualitySolicitors Knight Polson accepts no responsibility for reliance on this article and recommends that you seek independent legal advice on your specific circumstances prior to taking any steps.
If you have any questions or would like to discuss the contents of the above article, please do not hesitate to contact us on email@example.com or 023 8064 4822.