Can an employer be vicariously liable for data protection breaches?
Yes, held the High Court, in Various Claimants v Wm Morrisons Supermarkets plc.
In early 2014, the personal details of almost 100,000 Morrisons employees were deliberately published on the internet and sent to three newspapers. The culprit, a senior IT manager, had harboured a grudge against his employer following disciplinary action the year before. Over 5,500 employees brought claims for breach of statutory duty in relation to the Data Protection Act (DPA), the misuse of private information and breach of confidence.
The High Court first considered Morrisons’ primary liability under the DPA. The IT manager responsible had been given access to the data as part of his role (it was needed for an audit), but it had been published from his home, on his personal computer, outside working hours and with the deliberate intent of harming Morrisons. The court identified only one breach of the DPA (Morrisons had not organised the deletion of the data from his work computer), but this failure did not cause any loss, the rule being aimed at the inadvertent retention of data rather than its deliberate misuse.
As for vicarious liability, the issue was whether the employee’s actions had been in the course of his employment, that is, whether his wrongful conduct was closely connected to his authorised duties. The manager had been entrusted with the data, and had received and copied it as part of his role. The court held that the breach (the later publication) was part of a seamless and continuing sequence of events, and that there was sufficient connection between his employment and the wrongful conduct.
Finally, the court granted Morrisons the right to appeal on the basis that the employee’s aim had been to cause loss to his employer, and this decision could render the Court a witting accessory to his criminal actions.