01 April 2020

After long-running legal action, the UK Supreme Court has decided that companies should not be held vicariously liable for the actions of rogue employees who leak personal data for their own purposes. In doing so, it reversed previous decisions by the High Court and the Court of Appeal.

The decision turned on the facts of the case, which involved supermarket chain Morrisons and a former member of its internal audit team, Andrew Skelton, now languishing in jail. It was found that, as there wasn’t a close connection between the acts of the former employee and the normal work he did for the company, his employer could not be held liable.

In other words, an employer is not liable where an employee is not engaged in furthering the employer's business, but is instead acting for his or her own purposes. The employee becomes a data controller of the data involved when using it for his or her own purposes and perhaps causing the employer to suffer a data breach. This shows that while the employee's employment gave him the opportunity to commit the data breach, this fact alone was not enough to implicate his employer.

As the breach occurred back in 2013, the case was brought under the Data Protection Act 1998, but that act's subsequent replacement by the 2018 Act and the GDPR would not seem to fundamentally affect the basis for the judgement.

While this decision may come as a welcome relief to businesses, the facts of the case were crucial in determining liability and it does not mean that employers can never be vicariously liable for data breaches caused by their employees. It only means that employers are not vicariously liable if the employees' acts are so well outside their duties that their actions can no longer be regarded as being done in the ordinary course of employment.

Companies should also note that, whatever the facts concerning an employee's actions, they can be held separately liable under current legislation if there is a data breach and they haven't taken sufficient technical and other security measures to protect the personal data that is subject to that breach.

See also the Supreme Court Press Release.