Can an employer be held liable for data breaches committed by a mischievous employee?

Tuesday 21st April, 2020

In April 2020, the Supreme Court handed down a landmark judgment regarding the principle of vicarious liability in relation to data breaches.

Under English law, a company can be held liable for the misconduct of an employee committed in the ordinary course of his/her employment. This is known as vicarious liability.

Mr Skelton, a disgruntled former senior IT auditor at Morrisons, against whom the company had previously brought disciplinary proceedings, deliberately copied and uploaded the data of 99,998 employees to the internet in revenge against the supermarket chain. Mr Skelton was convicted of criminal offences.

Some of these employees brought a claim against Morrisons for breach of the Data Protection Act 1998 (“DPA”), misuse of private information and breach of confidence. The claim was brought on the basis that Morrisons was liable both on its own behalf and also vicariously on Mr Skelton’s behalf.

The High Court and the Court of Appeal both found that Morrisons was vicariously liable for Mr Skelton’s wrongdoing.

Morrisons appealed the Court of Appeal’s decision. In allowing the appeal, the Supreme Court stated that the relevant question to ask was whether Mr Skelton’s disclosure of the data was so closely connected with acts he was authorised to do under his employment that, for the purpose of Morrisons’ liability to the aggrieved employees, Mr Skelton’s wrongful disclosure may fairly and properly be regarded as done by him in the ordinary course of his employment.

Answering this question, the Supreme Court determined that Morrisons was not vicariously liable for the following reasons:

  1. the disclosure of personal data to the internet did not form part of Mr Skelton’s functions or field of activities entrusted by Morrisons to him;
  2. although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton for the purpose of transmitting it to the auditors and his disclosing it on the internet, this did not in itself satisfy the close connection test; and
  3. Mr Skelton’s motive for disclosing the data was not irrelevant: whether he was acting on his employer’s business or for purely personal reasons was material and it was clear Mr Skelton acted deliberately in pursuit of a personal vendetta and was not furthering his employer’s business.

The decision of the Supreme Court provides clarity on the potential scope of vicarious liability when the misconduct is committed by a mischievous employee.

Although irrelevant for the purposes of this case, the Supreme Court confirmed that the DPA did not exclude as a matter of principle the imposition of vicarious liability on an employer whose employee during the course of his or her employment acts in breach of the DPA, the laws of misuse of private information or breach of confidence.

Finally, it was the Data Protection Act 1998 that had been breached here, not the more recent Data Protection Act 2018. However, it is likely that this judgment will also shape interpretation of the 2018 Act, in conjunction with the General Data Protection Regulation (GDPR), moving forward.

Articles by Chris Mooney