In WM Morrison Supermarkets plc v Various Claimants, the Supreme Court held that Morrisons were not vicariously liable for data breaches that had been committed by a rogue employee. During an incredibly uncertain period for many businesses in the current climate, employers can take some comfort from this judgment.
Interestingly, the Supreme Court has also ruled this week that Barclays Bank PLC is not vicariously liable for alleged sexual assaults by a self-employed doctor during staff medical examinations. Whilst the circumstances in the Barclays case are different, notably that the doctor was self-employed and therefore was not in a relationship “akin to employment” with Barclays, these judgments suggest a possible trend that may be reassuring to employers.
The decision in the Morrisons case
Overturning the Court of Appeal’s ruling, the Supreme Court held that Mr Skelton’s wrongful conduct “was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment”. The Supreme Court found Mr Skelton to have been undertaking a “frolic of his own” in pursuing a personal vendetta against Morrisons, highlighting the distinction to be drawn between cases where an employee is engaged, however misguidedly, in furthering his employer’s business and cases where the employee is engaged solely in pursuing his own interests.
Practical tips for employers
It is important for employers to recognise that the Supreme Court emphasised that this decision was fact specific. It therefore does not leave any room for complacency in respect of ensuring that appropriate steps are taken to protect personal data and prevent employee wrongdoing in the first place. As such, employers should consider the following:
• Implement appropriate vetting and monitoring processes that are compliant with data protection legislation – had Morrisons been aware of Mr Skelton’s personal vendetta through the use of more robust internal monitoring processes, they may have been able to take early steps to prevent, or at least limit the impact of, the wrongful acts committed by Mr Skelton.
• Implement robust data protection/confidentiality procedures and ensure employee awareness of such policies – it is possible that, with the benefit of clear protocols and staff training, employers might be able to avoid the situation Morrisons found themselves in; namely, by having clear procedures in place that prevent employees from accessing and uploading confidential internal data to personal devices (or that monitor such activity and flag up any risks immediately). Employers also ought to consider developing company-wide training in order to generate awareness of any such policies and the implications of non-compliance.
• Ensure appropriate safeguards and procedures are in place in the event of a data breach – notably, within a few hours of the breach, Morrisons had taken steps to ensure that the data uploaded by Mr Skelton was removed from the internet, instigated internal investigations and informed the police. Morrisons also informed its employees and spent more than £2.26m in dealing with the immediate aftermath of the disclosure, a significant part of that having been spent on identity protection measures for its employees. As a result, the Information Commissioner’s Office chose not to pursue enforcement action against Morrisons. One of the key take-home points from the Supreme Court judgment is that vicarious liability can apply to breaches of the obligations imposed by data protection legislation. Therefore, employers must be extra vigilant in respect of acts of rogue employees and ensure that they have all relevant safeguards in place to protect personal data.
• Consider updating relevant policies/procedures relating to other types of wrongdoing committed by rogue employees – the Supreme Court ruling also has implications for employers in respect of other types of wrongdoing committed by a rogue employee. For example, if an employee were to physically harm a third party as a personal vendetta and not in the ordinary course of employment (in the context explained in the Morrisons case), an employer may escape a finding of vicarious liability; however, they may find themselves defending other types of claims. In such circumstances, employers ought to consider whether they have adequate health and safety protocols in place and review disciplinary policies/precedent contracts to ensure that they have the ability to take appropriate measures, such as suspending and removing the individual concerned from the premises.