We would like to ensure that you are still receiving content that you find useful – please confirm that you would like to continue to receive ILO newsletters.
02 January 2019
The High Court recently considered a case where an internal auditor from the supermarket chain Morrisons disclosed payroll data on the Internet relating to about 100,000 of his colleagues following an internal disciplinary process. He was tracked down, charged and sentenced to eight years in prison. But was Morrisons liable to the employees whose information he had leaked?
The High Court held that Morrisons had no direct liability but that, even though it had done nothing wrong, it was indirectly or vicariously liable for the leak because the auditor was acting in the course of his employment. Although only 5,500 employees had brought a claim, there was potential liability to all 100,000 employees. Even if an individual employee might recover only a small amount for the distress caused, the overall financial impact on Morrisons might be enormous.
Morrisons appealed to the Court of Appeal on two main grounds. First, Morrisons argued that vicarious liability had no place in data protection law and did not apply. Second, it said that the auditor was not acting in the course of his employment.
The Court of Appeal rejected the appeal.(1) On the first ground, it could see no reason why vicarious liability should not apply. If Parliament had intended to eradicate an individual's normal common law rights, it would have said so.
The Court of Appeal then turned to the second ground and whether or not the auditor was acting in the course of employment. Previous cases on vicarious liability had established a two-step test:
The first step was simple – the employee had clearly been entrusted with payroll data. But was there sufficient connection between his position and leaking the data? The leak had occurred some weeks after he had taken the data, at his home, using his own computer. In addition, his aim was to cause harm to his employer. If Morrisons were found liable, the result – albeit indirectly – would be to help him achieve that aim.
After looking at various previous cases, the Court of Appeal concluded that the employee was acting in the course of his employment and so Morrisons was liable.
Normally, the law will impose liability only on an individual who is blameworthy, but vicarious liability is an exception to this. In essence, vicarious liability is about loss distribution and achieving fairness and justice, imposing liability on the person most able to pay. Since the late 1990s, however, the courts have extended the scope of vicarious liability, taking a flexible and expansive approach.(2)
One can argue over whether it is right that an employer should be responsible for, say, the actions of a racist employee who attacks a customer, but normally the imposition of liability causes little difficulty. Claims are limited in number – for example, even cases about allegations of sustained sexual abuse rarely involve more than 100 claims against one institution. The costs of meeting such claims are generally manageable and may be insured.
The Morrisons case breaks new ground but at least it was limited to an identifiable, albeit very large group. Facebook has recently admitted that up to 50 million users were affected by a data breach. Will they bring claims for the distress caused?
Although Morrisons has said it will seek to appeal to the Supreme Court, the issues raised by the case go well beyond its specific facts. Ultimately, Parliament may need to decide on the extent of liability. Pending that, employers should dig out their insurance policies and check the scope of their cover.
For further information on this topic please contact Steven Lorber at Lewis Silkin by telephone (+44 20 7074 8000) or email (email@example.com). The Lewis Silkin website can be accessed at www.lewissilkin.com.
(2) "Company held liable for managing director's violent conduct" (18 October 2018).
The materials contained on this website are for general information purposes only and are subject to the disclaimer.
ILO is a premium online legal update service for major companies and law firms worldwide. In-house corporate counsel and other users of legal services, as well as law firm partners, qualify for a free subscription.