This may be a hypothetical question which fleetingly crosses the minds of employers when their employment advisor asks them if they have a policy in place to deal with GDPR.
However, that question was in fact recently put to the Supreme Court in a case brought against Morrison Supermarkets, and the Supreme Court decided that Morrisons was not vicariously liable for an employee's unauthorised breaches of the Data Protection Act 1998, the legislation then in force.
What happened that led to the decision?
Mr Skelton, an employee of Morrisons, was an internal IT auditor. He was given a verbal warning for minor misconduct. Taking umbrage at that verbal warning, he developed an irrational grudge against his employer. He was asked by Morrisons to provide payroll data for the entire workforce to external auditors and, to satisfy his grudge, he copied the data onto a USB stick. He then took that stick home and posted the data on the internet using another employee’s details in order to disguise that he was the perpetrator. He also sent the information to three national newspapers, pretending to be a concerned member of the public.
The details were not published in the press, but one newspaper contacted Morrisons, who immediately took steps to remove the data from the internet, contacted the police and began an internal investigation. Mr Skelton was arrested and found guilty of criminal offences under the Computer Misuse Act 1990 and the Data Protection Act 1998, which was in force at the time.
Morrisons then had to deal with 9,263 claims from its employees and former employees for damages for misuse of private information and breach of confidence.
Why did the Supreme Court not hold Morrisons liable?
The Supreme Court looked at two issues:
- What functions or fields of activity had been entrusted by the employer to the employee; and
- Was there a sufficient connection between the position in which the employee was employed and his wrongful conduct to make it right for the employer to be held liable.
In addressing issue 1, the Court said that the disclosure of the data on the internet had not formed part of Mr Skelton’s functions or field of activities; it was not an act which he was authorised to do.
In addressing issue 2, the Court also said that the reason why Mr Skelton acted wrongfully was not irrelevant. The question of whether he was acting on his own personal reasons or on his employer’s business was highly material.
The Supreme Court said that the mere fact that Mr Skelton’s employment gave him opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability.
At the time he committed the wrongdoing, Mr Skelton was not engaged in furthering his employer’s business. He was pursuing a personal vendetta. What he did was not so “closely connected with acts that he was authorised to do that it could be fairly and properly regarded as done by him while acting on the ordinary course of his employment”.
Am I vicariously liable for breaches by a “data controller”?
This question was also asked before the Supreme Court.
The secondary argument that Morrisons had run before the Supreme Court was that vicarious liability was excluded by the Data Protection Act, because the Act imposed liability only on data controllers, and only where they had acted without reasonable care.
Although the Supreme Court had already determined the main argument, that Morrisons was not vicariously liable for the data breach, it felt it necessary to comment on this secondary argument.
The Supreme Court said that, in the absence of express provision in the Data Protection Act, vicarious liability did apply to breaches of obligations committed by an employee who is a data controller acting in the course of their employment.
What does this mean for my business?
Although this case involved the Data Protection Act 1998, the same principles are likely to apply under GDPR.
The case confirms that employers will not always be liable for data breaches committed by rogue employees.
The key question for employers to ask is: “was my data controller acting in the course of their employment when the breach was committed?”
If you require any assistance with your data protection policies, even just reassurance that they are up to date, then please contact me, Julie Sullivan, at email@example.com