The Supreme Court has delivered its judgment in two important cases that give some welcome and helpful clarification on the application of law on vicarious liability. The good news for employers is that in both cases the companies were found not to be vicariously liable for the actions of a rogue individual.
WM Morrison Supermarkets plc v Various Claimants
In this case, the Supreme Court held that the Court of Appeal and lower courts had misunderstood the correct test for determining whether an employer was vicariously liable for the actions of a disgruntled employee who posted the payroll details of around 100,000 employees online.
The employee had received the data in the course of his employment as a senior IT internal auditor and had been asked to send it to the company’s external auditor. However, he had copied it and disclosed it in an unauthorised way. The Court of Appeal held that, as this was closely connected to what he had been asked to do, there was a sufficient connection between the employee’s actions and his employment to make Morrisons vicariously liable.
However, the Supreme Court held that a sufficient causal connection between the employment and the actions of the employee does not in itself satisfy the close connection test. The correct analysis of the close connection test is whether 'the wrongful conduct was so closely connected with acts the employee was authorised to do that it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.'
To establish this, the Supreme Court considered the 'field of activities' that Morrisons had entrusted to the employee and held that the online disclosure of data did not form part of his field of activities. He was authorised to transmit payroll data to the external auditor; he was not authorised to publish the payroll data online, and so this act was not sufficiently closely connected with what he had been given authority to do that it could fairly and properly be regarded as being done in the ordinary course of his employment.
The simple fact that an individual’s employment gives them the opportunity to commit a wrongful act is not sufficient to impose vicarious liability on their employer. The Supreme Court held that, on the correct analysis of the close connection test, the connection was not made out and Morrisons was not vicariously liable as the employee was pursuing a personal vendetta outside the authority given to him.
The Supreme Court did agree with the Court of Appeal that the Data Protection Act 1998 (DPA) did not exclude vicarious liability, stating that it was possible for a breach of the DPA by an employee, and a finding of vicarious liability against the employer, to co-exist.
Barclays Bank plc v Various Claimants
In another vicarious liability case, the Supreme Court had to determine whether Barclays Bank was vicariously liable for historic sexual assaults allegedly committed by a medical practitioner who had been engaged to conduct medical assessments on prospective employees as part of its recruitment processes.
The Supreme Court considered whether there was a relationship between Barclays and the doctor of the sort that would make it proper for the law to hold Barclays accountable for his acts. The doctor was an independent contractor, not an employee, and so Barclays argued that the relationship with him was not sufficient to make the Bank liable for his actions. The Supreme Court examined in detail the case law on vicarious liability, which is clear that vicarious liability can arise in situations lacking a normal employment relationship, as long as the relationship is sufficiently "akin to or analogous with employment".
The Supreme Court had to determine whether the doctor was carrying on business on his own account, or whether his relationship with Barclays was akin to employment, and it held that the doctor was not anything close to an employee of Barclays. He was an independent contractor with his own portfolio of clients. He had conducted the examinations unaccompanied in his own home; he was paid not a retainer but a fee for each assessment completed; and he was free to refuse to conduct the examinations if he chose to. As there was a distinction between independent contractors and those in an employment (or analogous) relationship, the Supreme Court held that Barclays was not vicariously liable for his actions.
Implications for employers
The fact that the Supreme Court has clarified the law on vicarious liability in this way will be welcome news to employers because, on the face of it, there is little that Morrisons could have done differently to have prevented what happened in light of what the employee was employed to do. It should be noted that the Morrisons case was considered in light of the DPA, whereas the GDPR now applies. Under the GDPR, the ICO has the power to issue substantial fines and it is easier for individuals and consumer groups to bring claims regarding a data breach. Non-pecuniary damages may also be claimed where there has been no monetary loss, which could include, for example, claims for reputational damage or distress arising from the loss of personal data.
With many employees now working away from the office, employers need to be more mindful than ever about the security measures and procedures they have in place to protect personal data. With this in mind, what can you do to minimise the risks for your organisation?
- Stress-testing your data security systems is essential; were it not for Morrisons’ robust security measures they would probably have faced primary liability under the DPA as well.
- Organisations are increasingly aware of the risk of external hacks to their systems but the risk of an ‘inside job’ could be even higher. Consider what systems you have in place to control access and use of personal data by employees. Have you limited the number of people who can access certain data, and considered who those people should be? Can you readily identify who has accessed or copied data from your systems?
- Breaches can happen accidentally as well as maliciously. Are your employees sufficiently trained in data security and reminded of basic data protection measures regularly?
- Are you prepared for a crisis situation? What procedures do you have in place to deal with accidental loss of data (for example, a briefcase left on a train) or theft? Do employees know who to contact with concerns, and do you have someone in place to deal with issues? Quick action can make a big difference, especially in limiting reputational damage.
If you have any questions please contact Luke Bowery or anyone in the Burges Salmon employment team, who would be happy to advise you.