UK: Vicarious liability – Data theft by an Employee
Mr Skelton, a disgruntled employee of Morrisons, leaked the personal details (including bank account details) of almost 100,000 employees on the internet. He was a senior IT auditor and had been motivated by a grudge against Morrisons.
The Supreme Court (the highest UK court) allowed the appeal. It said that the Court of Appeal had misunderstood the principles of vicarious liability, and in particular the “close connection” test. The “close connection” test can be broken down into two questions:
- What was the function or field of activities that the employer had entrusted to the employee?
- Was there sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice?
The Supreme Court clarified the following points:
- Field of activities: uploading personal data online was not part of the employee’s “field of activities”, as Mr Skelton was not authorised to do so.
- Sufficient connection: a causal connection alone does not satisfy the close connection test.
- It is highly relevant whether an employee is acting on their employer’s business, or if it is for purely personal reasons.
The Supreme Court held that no vicarious liability arose because Mr Skelton was authorised to transmit payroll data to the auditors, and not to upload the personal date online. His online disclosure was not so closely connected to that task that it could be regarded as having been made by the employee in the course of their employment.
Practical point
This decision has significant implications for employers who feared that this case would set a precedent for future class actions arising out of data breaches by rogue employees. It offers some reassurance to employers, that although employment may provide an opportunity to commit a wrongful act, this is not of itself sufficient to make an employer vicariously liable for such an act. Employers will not normally be vicariously liable where an employee is not engaged with furthering the employer’s business and commits a wrongful act while pursuing a personal vendetta.
Employers should also note that they may be vicariously liable under data protection laws for the acts of their employees, in circumstances where the “close connection” test is satisfied – but this will depend on the particular circumstances.
WM Morrisons Supermarkets plc v Various Claimants