Employers Vicarious Liability

April 8, 2020

The issuance of the Supreme Court’s judgment in WM Morrisons Supermarket PLC v Various Claimants [2020] UKSC 12 has provided welcomed clarity on an employers vicarious liability for acts of its employees. Jersey’s customary law on vicarious liability has been held to be identical to the English common law

It is a long-standing principle that employers can hold vicarious liability for the acts of their employees, this includes employees’ actions in relation to data protection issues.  The Court of Appeal had in the Morrisons case confirmed that organisations can be vicariously liable for data breaches caused by employees (resulting from employee misconduct).  This was the case even if the employer had implemented appropriate measures to meet its obligations in relation to data protection legislation e.g. appropriate policies and procedures.

The Court of Appeal decision meant that employers could be exposed to a significant number of claims for compensation in relation to data breaches.  The Court of Appeal decision laid the foundations for all future victims of data breaches to pursue the employer as vicariously liable for the actions of its employees.

However, the UK Supreme Court has quashed this line of potential liability.

Background and the Court of Appeal decision on Employers Liability

  • In 2013 an employee of Morrisons, who was a Senior IT auditor at Morrisons was subjected to disciplinary proceedings.  This was a verbal warning for a minor misconduct issue.

  • This led to a souring of relations between the employee and Morrisons.

  • The employee proceeded to download payroll data for circa 100,000 Morrisons employees.  The employee then uploaded this information to a public website.

  • The employee was convicted of offences under the UK Computer Misuse Act 1980 and the (pre-GDPR) Data Protection Act 1998.  The employee was also given a custodial prison sentence for his actions.

  • The UK Information Commissioner investigated the incident and deemed that no action was necessary against Morrisons.

  • However, over 5,000 of the employees impacted by the breach sought compensation from Morrisons.

  • The employees claimed that Morrisons was both primarily liable for its own acts and omissions and vicariously liable for the actions of the employee.

  • Primary liability for the data breach had already been rejected by the English High Court.  This was on the basis that the employee had become a data controller in his own right when he downloaded the payroll data and decided to act without the authority of his employer. The Employer had no primary responsibility as it had neither caused nor contributed to the disclosure which occurred.

  • However, The High Court thought Morrisons should be held vicariously liable for the actions of its employees.  This was the question which was referred to the Court of Appeal.

  • The Court of Appeal agreed with the High Court and held Morrisons vicariously liable.  The court viewed the employee’s actions as being connected to the employee’s employment with Morrisons, despite the fact the disclosure took place on the employee’s own computer and was outside of his working hours (on a Sunday).  

The Supreme Court’s decision

The Supreme Court reversed the decision of the Court of Appeal and found Morrisons should not be held liable for the actions of the employee.

  • The Supreme Court confirmed that the appropriate test to establish vicarious liability is:-
    • if the actions in question were within the acts the employee was authorised to do.  The court referred to this as in the employee’s “field of activities”; and
    • if the wrongful conduct and the employee’s authorised acts were so closely connected that the wrongful conduct may fairly and properly be regarded as done whilst acting in the ordinary course of the employee’s employment.
  • In this case the employee publishing the payroll details was clearly not within his “field of activates”  i.e. he was not authorised to carry out the acts.
  • The court has made clear a “temporal or casual” link alone will not be enough to satisfy the close connection test to hold the employer vicariously liable.

  • The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability.

  • Whether the employee is acting on the employer’s business or for personal reasons is indeed important for the purpose of establishing vicarious liability.

  • The decision will be welcome news to employers in light of two significant developments:-
    • The growth in claimant firms actively looking for opportunities to pursue claims on a collective basis on behalf of a large number of claimants; and
    • The coming into force of the more stringent data protection legislation, which has raised the profile of data protection rights like  never before  and  increased the sanctions for failing to comply with those obligations.

Click here to go to the Supreme Court judgement. 

Find out more about our Employment Law services and potential employer liability here.

Get in touch
+44 (0) 1534 760 860
Get in touch