Vicarious liability of employers in relation to data protection law
The UK Supreme Court has recently handed down its decision in the case of WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 which has particular implications for the vicarious liability of employers in relation to the acts of their employees under data protection law.
The case concerns actions taken by a Morrisons employee (an internal IT auditor) with payroll data, which resulted in a significant data breach. The relevant employee removed payroll data through activities related to his role and posted the data on the internet and to three national newspapers. The claimants in the case were 9,263 Morrisons employees or former employees who claimed damages from Morrisons for misuse of private information, breach of confidence and breach of statutory duty under section 4(4) Data Protection Act 1998.
The Supreme Court overruled the Court of Appeal’s previous October 2018 decision to uphold a finding of vicarious liability against Morrisons in respect of the data breach. The decision was principally made on the basis that the actions of the relevant Morrisons employee did not give rise to a vicarious liability scenario. The Supreme Court ruled that, as the DPA 1998 neither “expressly nor impliedly indicated otherwise”, the principles of vicarious liability applied to the breach of obligations ‘committed by an employee who is a data controller in the course of their employment’.
The judgment demonstrates that the Courts will take a common sense approach when presented with data breaches that have been caused maliciously (e.g. by an embittered employee) outside of the course of the relevant employee’s activities in their role. However, specifically in relation to data protection law, it is significant for employers that the Supreme Court found that the DPA 1998 does not contain any blanket exclusion of vicarious liability for breaches of the DPA 1998/misuse of private information/breach of confidence by data controllers under their employment. As such, employers must remain vigilant in ensuring that employees with access to personal data are appropriately vetted and should maintain consistent procedures for reviewing and controlling such access. For example, if there is a failing on the part of an employer that exposes personal data (even where that failing is then maliciously exploited by an employee) the employer will likely still be directly liable. Although the case was decided under the previous DPA 1998 regime, as the GDPR and the DPA 2018 are based on broadly similar principles, it is likely that both statutory regimes will not be obstacles to potential vicarious liability actions in data privacy claims against employers.
In a nutshell, this case will come as a relief to any clients looking to protect themselves against vicarious liability for the actions of their employees in a data breach scenario. However, this does not in any way mean that clients should take their security obligations under GDPR or the DPA 2018 any less seriously. Employers must continue to pursue the highest possible compliance with such obligations given that data security failings, whether exploited by disgruntled employees or not, will nevertheless continue to attract direct liability for data controllers under GDPR / the DPA 2018. Based on the Supreme Court’s interpretation of the DPA 1998 in its ruling, vicarious liability is still not likely to be expressly excludable under the DPA 2018. Clients should consider whether they have sufficient vetting processes in place for employees handling personal data and sufficient training programs to ensure employees handle personal data securely and appropriately at all times.
For further information, please see a recent article here produced by our Dispute Resolution team on both the Morrisons case and a further recent Supreme Court decision relating to vicarious liability of employers over their employees.














