Last year, the High Court heard how disgruntled Morrisons auditor, Andrew Skelton, had posted the personal details of 100,000 employees’ online. In December 2017, more than 5000 employees brought the claim against Morrisons after a disgruntled former employee posted their personal financial details online. The High Court allowed the claim, stating that although Morrisons was not at fault and could not have known that the disgruntled employee would harm its other employees, it was liable vicariously as an employer.
The Court of Appeal has heard and dismissed Morrisons’ appeal. Morrisons has said that it will appeal to the Supreme Court. If this final appeal is unsuccessful, 94,000 employees who were affected could also claim compensation.
This data breach was internal, and the case turned on whether Morrisons was at fault because it had breached the Data Protection Act 1998 (‘DPA’) to control data adequately, or it was vicariously liable as it had entrusted the perpetrator with access to the information. On Monday 22nd October Morrisons failed in its attempt to overturn the High Court’s ruling that it was liable for the auditor’s actions.
Primary Liability
In May 2013, Skelton was disgruntled because he had been suspended after ordering an envelope of a legal drug to work, for which he was arrested, until laboratory tests proved the drug to be phenylalanine, a slimming drug. Skelton returned to work, but was given a formal verbal warning at a disciplinary hearing. His appeal against this warning was dismissed.
In November 2013, Skelton downloaded the payroll information of 100,000 employees. This included personal data such as names, addresses, dates of birth, national insurance numbers, bank sort codes and account numbers, and salaries. His role was to access this information and pass it on to KPMG to audit. However, he posted it onto a file-sharing website. In March 2014, within a few hours of discovering what had occurred, Morrisons made sure that the website was taken down.
Skelton himself was charged under the Computer Misuse Act 1990 for fraud. He was sentenced to 8 years of imprisonment, which he is currently serving. He was also charged under the DPA 1998 , but despite many years of campaigning by the Information Commissioner, breaches of data protection laws do not carry the threat of imprisonment for a data breach, even if deliberate or malicious.
The court ruled that Morrisons was not primarily liable under the DPA 1998: it was not personally at fault for the data breach. Indeed, the judge commented that the powder incident did not amount to any grounds for dismissal, and the judge acknowledged that ‘It is difficult to see how he could have done his job without access to the data’. Secondly, the technological and organisation measures available in 2013 could not ‘altogether prevent the risk posed by a rogue employee who was trusted and had given no real reason to doubt his trustworthiness’.
In summary, the judge found that ‘Morrisons did not know nor ought they reasonably to have known that Skelton posed a threat to the employee database.’
Vicarious Liability
Vicarious liability is the “legal responsibility imposed on an employer, although itself free from blame for a tort committed by an employee in the course of his employment”. In this case the court held that Morrisons were vicariously liable for Skelton’s activities and must pay compensation to the employees.
There are two aspects to vicarious liability:
- strict liability for an employer if an employee has harmed someone else in the course of his employment; and
- recourse for the victims against a ‘financially responsible defendant’.
With regard to the ‘course of employment’, the time-honoured phrase “on a frolic of their own” is used: are an employee’s actions closely connected with their employment role, and therefore should the employer be liable for entrusting them with that role?
In one case, after an altercation, an off-duty constable told a man he was a policeman, assaulted him and locked him in a police van which he had taken without permission. Here, the constable used his employment role, powers of arrest and work van, despite such behaviour not being permitted by his employer, and therefore the court found the employer was vicariously liable.
In another case, where an off-duty policeman collected a drunken woman from a nightclub and seriously assaulted her, the court ruled there was no vicarious liability. The policeman was wearing his uniform, but he was off-duty, outside his working area, and he did not perform any police function such as arrest; he merely used his uniform to commit a criminal act, rather than using his employment role. He was not acting ‘in the performance or purported performance’ of his employment.
Although Skelton ‘grossly abused’ his position, his role was to access payroll data, and pass it on to a third party auditor. Although he was not authorised to disclose the information to other parties this action was nevertheless ‘closely related’ to his role. The judge commented that when Skelton received the data, he was acting as an employee, and the chain of events from then until disclosure was unbroken. Morrisons had entrusted Skelton with the data, and took the risk that they might be wrong in placing trust in him.
Although Morrisons are not at fault, they are liable to compensate multiple victims of a data breach. The court found that the correct question was whether the acts of the employee were closely connected with his employment, which they were.
Commentary
How can employers reduce the risk of vicarious liability? Background checks, monitoring and spot checks are all permissible in the UK if there is sufficient transparency and employees are told it is happening. The key thing is to treat your staff well and do not just monitor them at the outset. Many of these cases start from a disgruntled employee. Employers should invest in Speak-Up programmes to allow staff to informally and formally raise grievances and these should be handled fairly. Also a one-off background check is often only undertaken before employment commences. Consider making these standard for all promotions or where new roles and responsibilities are offered.