What is it?
Vicarious liability is the principle that employers are liable for the actions of their employees where there is a sufficient connection between their employment and the wrongdoing.
There have been a number of notable cases recently on vicarious liability. One of the most well-known is the case of Mohamud v Morrisons, where the employer was held liable for the unprovoked attack on a member of the public by one of its employees.
Unfortunately for Morrisons, they have been in court again arguing about vicarious liability, but this time the outcome was much more favourable for them and employers generally.
Background
Mr Skelton worked as an internal IT auditor for Morrisons Supermarkets. In 2013, he was given a verbal warning for minor misconduct, which resulted in him holding an irrational grudge against his employer.
Later, when asked to provide payroll data for the entire workforce, which comprised over 100,000 individuals, he copied the data onto a USB stick and took the memory stick home. From there, Mr Skelton:
- posted it on the Internet using a colleague’s logon; and
- sent the information to three national newspapers pretending to be a concerned member of the public.
Morrisons was alerted to the situation and started an internal investigation into the data breach. All told, the ordeal cost Morrisons over £2M.
Mr Skelton was arrested and convicted of criminal offences. Morrisons were probably sighing with relief and hoping that this was the end. Unfortunately for them, 9,263 employees and former employees brought claims against Morrisons for damages on the basis that Morrisons was vicariously liable for the data breach caused by Mr Skelton.
The case proceeded through the High Court, where Morrisons were initially held to be vicariously liable. On appeal to the Court of Appeal, the ruling was upheld.
However, Morrisons appealed to the Supreme Court, which discussed the Mohamud case and considered where some of the lower courts had perhaps misunderstood the principles. The Supreme Court found that ultimately Mr Skelton had not been engaged in furthering Morrisons’ business when the wrongdoing had occurred. Instead, he had been furthering his own private vendetta against the company. On this basis Morrisons was not vicariously liable for his actions.
Our thoughts
The above case is a welcome relief for employers who will be pleased to hear that they will not always be found to be liable for the data breaches of their employees. Whilst this is helpful clarification on the Mohamud case, it does not mean that employers will always get off the hook for these types of actions.
Additionally, this case was considered under the previous Data Protection Act 1998, which was slightly different from the current law. Whilst the GDPR and Data Protection Act 2018 do not in themselves change the law on vicarious liability, the Data Protection Act 2018 does cover more areas, including reporting breaches within 72 hours and having a data protection system that is safe by design.
The takeaway advice from the case is that employers will only be liable for the actions of their employees where they are engaged, however misguided, in furthering the employer’s business, i.e. not on a frolic of their own.