Vicarious Liability and Data Protection
The UK Supreme Court's decision on whether an employer could be held vicariously liable for the actions of an employee who had breached the DPA was a high-profile case, eagerly awaited by data protection and employment law practitioners. The Supreme Court handed down its judgment in the Morrisons case on 1 April 2020.
This article provides analysis and comment from a data protection and cyber security point of view and highlights what lessons employers may be able to take from what happened to Morrisons. The decision on vicarious liability from an employment law perspective is detailed in a separate article.
Various Claimants v Morrisons
The background to this decision is that Mr Skelton, a senior auditor in Morrisons' internal audit team, harboured a grudge against his employer following a relatively minor disciplinary matter which, crucially, did not involve the misuse of personal data. Some time after this incident he was legitimately given a copy of the payroll data of Morrisons' entire workforce, which he was tasked with providing to the external auditors. He also retained a copy himself. A couple of months later, at home, he uploaded this data to a publicly accessible file-sharing website, attempting to cover his tracks by implicating another Morrisons employee. A further two months later, on the day Morrisons' financial results were due to be published, he anonymously sent CDs containing the data to three newspapers, purporting to be a concerned member of the public who had found the file on the file-sharing website. One of the newspapers alerted Morrisons, who in turn alerted the police. The data was removed from the website within hours. Mr Skelton was identified and convicted of numerous offences, receiving an eight-year prison sentence.
Morrisons took steps to assist staff, who were informed and provided with identity protection measures, all of which cost Morrisons £2.26 million. The ICO investigated the matter and took no enforcement action against Morrisons.
However, over 9,000 employees and former employees brought a claim against Morrisons, alleging that Morrisons (1) was directly liable for breaching the security provisions of the Data Protection Act 1998 and/or (2) was vicariously liable for Mr Skelton's actions.
The lower courts found that Morrisons was not directly liable for the breach but was vicariously liable for the actions of Mr Skelton. The UK Supreme Court provided important guidance on vicarious liability from a data protection point of view, both in relation to this case and more generally, clarifying whether an employer could ever be held vicariously liable for a data breach.
Vicarious Liability and Data Protection
Although this case concerned a claim for compensation under the old Data Protection Act 1998, it is likely to apply in just the same way to claims under the GDPR which has similar provisions in relation to compensation. So the decision remains relevant to current data protection law.
Although on the facts of this case the court decided that Morrisons was not vicariously liable for the actions of its employee (see this article), the UK Supreme Court held that it was possible for an employer to be vicariously liable, rejecting the argument that the provisions of the DPA 1998 excluded that.
Before starting that analysis it is important to note that the Claimants’ position was that Mr Skelton had become a data controller in his own right when he began to use the payroll data for his own purposes, i.e. to harm Morrisons. This is a very technical point but one that will be significant to data protection practitioners.
Morrisons' argument that vicarious liability should never be available when the employer was not at fault was based on section 13 of the DPA 1998. That section provided for awards of compensation where there had been a breach of the Act, but crucially provided that if the employer could show it had taken such care as was reasonably required to avoid the breach, no compensation would be due. So, the argument went, the statute excluded compensation on a 'no fault' basis, and vicarious liability with it.
But the Supreme Court disagreed saying that the DPA 1998 did not specifically deal with the issue of vicarious liability when an employer entrusts an employee to process personal data and that employee becomes a data controller in their own right. The Supreme Court felt that there was nothing anomalous about imposing no fault, vicarious liability under common law on the employer, even when a claim under the statute could only be fault based.
What This Means for Employers
That's the legal bit. But what practical lessons can we learn from this case, and how can employers avoid claims arising from data breaches, whether they are held directly or indirectly responsible for the actions of employees, rogue or not?
It is important to note that the lower court's finding that Morrisons was not directly responsible for a security breach was not without comment. Interestingly, no expert evidence was led at that stage to assist the court in establishing what security measures were appropriate. The incident took place in 2013, and it is true that technology has moved forward since then, but I suspect that these days an organisation the size of Morrisons would be expected to have better systems in place. The data was encrypted when it was entrusted to Mr Skelton, but nothing was in place to prevent him from taking a copy: shortly after sending the data to the external auditors he plugged a personal pen drive into Morrisons' IT system and extracted a significant amount of data. The NCSC has guidance on the secure use of removable media such as pen drives.
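The removable-media gap described above is one that a simple detection rule can surface even where a technical block is not in place. The script below is an added example and is not code from the original article or from Morrisons: it parses constructed Linux kernel messages in syslog format, correlates a USB mass-storage detection with the subsequent removable-disk attach on the same host, and raises an alert when that host is not on an assumed allow-list of machines permitted to use removable media. The hostnames, the allow-list and every log line are constructed for illustration.

```python
"""Detect removable-storage attach events on hosts where removable media is not
permitted.

Added example; not code from the original article or from Morrisons. The log
lines below are constructed, modelled on Linux kernel messages as they appear in
syslog; the hostnames and the allow-list are assumptions for illustration.
"""
import re
from dataclasses import dataclass

# Assumption: an explicit allow-list of hosts that may mount removable media
# (e.g. a dedicated transfer workstation); every other host is a violation.
ALLOWED_HOSTS = {"audit-xfer-01"}

# syslog-style prefix: "<Mon> <day> <HH:MM:SS> <host> kernel: <message>"
SYSLOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) kernel: (?P<msg>.*)$"
)
# Kernel message when the usb-storage driver binds to a device:
#   "usb-storage 1-1:1.0: USB Mass Storage device detected"
MASS_STORAGE_RE = re.compile(r"^usb-storage (?P<port>\S+): USB Mass Storage device detected$")
# Kernel message when the SCSI disk layer exposes it as a block device:
#   "sd 6:0:0:0: [sdb] Attached SCSI removable disk"
REMOVABLE_DISK_RE = re.compile(r"^sd \S+: \[(?P<dev>sd[a-z]+)\] Attached SCSI removable disk$")


@dataclass(frozen=True)
class Alert:
    ts: str      # timestamp of the mass-storage detection
    host: str    # host the device was plugged into
    port: str    # USB port/interface, e.g. "1-1:1.0"
    dev: str     # block device the disk appeared as, e.g. "sdb"


def find_removable_media_violations(lines, allowed_hosts=ALLOWED_HOSTS):
    """Correlate, per host, a 'USB Mass Storage device detected' message with the
    next 'Attached SCSI removable disk' message, and return one Alert for each
    pair on a host that is not allow-listed. Non-kernel lines and other USB
    devices (keyboards, mice) produce no alert."""
    pending = {}   # host -> (ts, port) of a detection awaiting its disk attach
    alerts = []
    for line in lines:
        m = SYSLOG_RE.match(line)
        if not m:
            continue
        ts, host, msg = m.group("ts"), m.group("host"), m.group("msg")
        ms = MASS_STORAGE_RE.match(msg)
        if ms:
            pending[host] = (ts, ms.group("port"))
            continue
        rd = REMOVABLE_DISK_RE.match(msg)
        if rd and host in pending:
            det_ts, port = pending.pop(host)
            if host not in allowed_hosts:
                alerts.append(Alert(det_ts, host, port, rd.group("dev")))
    return alerts


# Constructed sample: one violation (finance-ws-17), one permitted host, one
# non-storage USB device, and an unrelated sshd line the parser must ignore.
SAMPLE_LOG = [
    "Nov 18 09:12:01 finance-ws-17 kernel: usb 1-1: new high-speed USB device number 4 using xhci_hcd",
    "Nov 18 09:12:01 finance-ws-17 kernel: usb-storage 1-1:1.0: USB Mass Storage device detected",
    "Nov 18 09:12:02 finance-ws-17 kernel: sd 6:0:0:0: [sdb] Attached SCSI removable disk",
    "Nov 18 09:15:44 hr-ws-03 kernel: usb 2-3: new low-speed USB device number 2 using xhci_hcd",
    "Nov 18 09:15:44 hr-ws-03 kernel: input: Generic USB Keyboard as /devices/pci0000:00/usb2/2-3/2-3:1.0/input/input7",
    "Nov 18 10:02:10 audit-xfer-01 kernel: usb-storage 1-2:1.0: USB Mass Storage device detected",
    "Nov 18 10:02:11 audit-xfer-01 kernel: sd 4:0:0:0: [sdc] Attached SCSI removable disk",
    "Nov 18 10:05:00 finance-ws-17 sshd[2231]: Accepted publickey for svc-backup from 10.0.4.12 port 51022 ssh2",
]

if __name__ == "__main__":
    for a in find_removable_media_violations(SAMPLE_LOG):
        print(f"{a.ts} {a.host}: removable disk /dev/{a.dev} attached on USB {a.port} (host not allow-listed)")
```

Run against the constructed sample, this reports the single attach on finance-ws-17 and stays quiet for the allow-listed transfer host and for the keyboard. Detection of this kind only tells you a copy may have been made; the NCSC guidance referred to above is about preventing it in the first place, so an alert like this is a backstop for the control, not a substitute for it.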
The Morrisons decision left open the possibility of an employer who is not at fault at all being held responsible for unlawful processing of personal data carried out by an employee who is going about the employer's business, or who is purporting to act under the authority given to them by the employer.
Morrisons escaped liability on the facts: Mr Skelton was not at work and was not using work equipment when the unlawful processing occurred, and the court regarded it as significant that he was pursuing a personal vendetta against his employer rather than furthering its business. But it is not difficult to envisage the same actions being carried out in the workplace, without that motivation, and leading to a security breach, so employers must minimise the likelihood of that happening.
What To Think About
Providing an appropriate level of security is required under the security principle of the GDPR, and the Morrisons decision has emphasised just how important taking the appropriate steps is. The fact that Morrisons' employees brought the claim in the first place is part of a trend that will continue.
Claims for data breaches are on the increase, with high-profile claims pending against BA and Google, to name just two. But all employers process a lot of personal data and are vulnerable to claims just like Morrisons if they are not focusing on security and data privacy.
If you are grappling with data protection and security challenges, please get in touch with our specialist Data Protection Team.