Further to my colleague’s recent blogs regarding the looming GDPR, a significant and ground-breaking case, Various Claimants v WM Morrison Supermarkets plc has come through the High Court which makes an employer vicariously liable for a rogue employee’s data breach.
The law surrounding vicarious liability was confirmed last year in the case of Mohamud v WM Morrison Supermarkets plc. The test is the “close connection test”, which says that in situations where an employee carries out a negligent act, the act must be closely connected to the work that the employee was employed to do, in order for the employer to have vicarious liability. You may remember that in last year’s case, Morrisons were held vicariously liable for an employee who assaulted a customer at a petrol station.
Unfortunately for Morrisons, they have again been held vicariously liable, this time for an aggrieved employee’s response to a disciplinary warning. In the first group action of its kind, the High Court has held that Morrisons are vicariously liable for the actions of the employee, an internal IT auditor, who disclosed the personal information of 100,000 colleagues on the internet.
The facts of the case make the decision appear harsh. The aggrieved employee’s disclosure took place outside of working hours, from his personal computer and constituted a deliberate act to harm Morrisons. In fact, the employee was imprisoned for his actions. Further, the High Court found that there was no primary liability on Morrisons under the Data Protection Act 1998.
However, the High Court applied the “close connection test”. The personal data disclosed was payroll data, which the aggrieved employee had been entrusted with. The employee’s role in respect of the payroll data was to receive it, store it and disclose it to a third party, namely the external auditor. His unauthorised disclosure was therefore closely related to what Morrisons had tasked him to do. Further, when the employee received the data and covertly copied it to his USB stick, he was acting as an employee and the chain of events from then until disclosure was unbroken. For the reasons above, the High Court held there to be a sufficiently close connection between the employee’s employment and his wrongful conduct, making it right for Morrisons to be held liable.
Perhaps unsurprisingly, the judge gave Morrisons leave to appeal and Morrisons has indicated that it will do so. How the Court of Appeal will treat the case remains to be seen. However the case is a further reminder to employers of the importance of taking precautions to prevent data breaches. Where employees process data, there is always risk of error, misuse or malice which could, as this case shows, result in financial liability, as well as reputational damage for the employer.
If you would like to know more about the employment law services we provide please click here.