Wm Morrison Supermarkets v Various Claimants, Court of Appeal

A recent case has highlighted the importance of safeguarding personal data. Everyone responsible for holding or processing personal data should carefully evaluate their security processes and procedures in light of the findings in this case.

Data protection laws state that employers who collect personal data must take appropriate technical and organisational measures against unauthorised or unlawful processing of that data, and against its accidental loss damage or destruction. Employers can be ‘vicariously liable’ (that is, liable on the employee’s behalf) for any negligent act or omission by an employee which breaches these data protection laws during the course of employment, so long as the act is ‘so closely connected with employment that it would be fair and just to hold the employer vicariously liable’. Importantly, the actual motives or intentions of the parties are irrelevant.

The case of Wm Morrison Supermarkets (Morrisons) v Various Claimants confirmed that an employer who is entirely without fault can still be vicariously liable for an employee’s breach of confidence or misuse of private information, even if the employee’s acts were expressly prohibited.

Here, an employee with a grudge against Morrisons was tasked with sending payroll data to an outside firm for external auditing purposes. He downloaded the contents of an encrypted USB stick onto a secondary USB stick, and provided it to the third party as required. However, he made additional copies of the information and, having set up an account in a colleague’s name, released the personal data onto a file-sharing website.

The Court of Appeal found the employee’s disclosure to be inherently similar to that which he had been tasked to do: receive personal data, store it, and then disclose it to a third party. Despite the employee using his personal equipment at home on a Sunday to make the unauthorised disclosure, this was not held to be enough to separate the employee’s actions from his employment. The court gave particular weight to the employee having received the information during the course of his employment, and using his colleague’s name when setting up the file-sharing account. The court found this to be a seamless and continuous sequence of events linking the employee’s disclosure to his employment and, consequently, the employer was found vicariously liable for the employee’s conduct.

Morrisons argued that, as the employee’s motive was to cause financial or reputational damage to the employer, imposing vicarious liability upon them would render the court an accessory in furthering the employee’s criminal aims. However, the court found no exception to the rules relating to motive in vicarious liability.

The court confirmed that the onus is on employers to put in place security arrangements which minimise the possibility of unauthorised data leaks. They recommended that, if employers are concerned that a finding of vicarious liability will lead to claims for potentially ruinous amounts, they should take stringent measures to mitigate against this possibility.

Morrisons has since indicated its intention to appeal this judgment to the Supreme Court, and on the face of it there is much to commend the appeal – should an employer be liable if an employee maliciously drives the company van off a cliff to cause the employer embarrassment? In the meantime, employers should be careful to heed the warning to safeguard the data they control. The fact that in Morrisons the employee received a sentence of 8 years’ imprisonment for all the connected criminal offences involved may deter some employees from similar wilful acts, but will inevitably fail to deter all.