Background
The case arose as a result of an employee of Morrisons (who had developed a grudge against them as a result of disciplinary proceedings against him) publishing payroll data which contained personal data of just under 100,000 other employees on the internet. The individual was employed as a senior IT internal auditor and obtained the personal data from a colleague so that he could make a copy on a USB stick and give that to an external auditor. However, he also made a separate copy on a personal USB stick. A few weeks later he posted information which was on his personal USB stick on a file sharing website on the internet, put links elsewhere on the internet to where the personal data was located and sent CDs to various newspapers to inform them that the information was online.
A claim was raised against Morrisons by just over 5,000 of its employees whose data had been published on the internet. At first instance it was held that there was no primary liability for Morrisons as a result of the individual's actions. However, it was held that Morrisons could be vicariously liable for the liability arising as a result of the individual's actions on the basis of the Data Protection Act 1998 or misuse of private information or breach of confidence.
Morrisons appealed the initial decision on three grounds. The first two grounds were arguments about whether the Data Protection Act 1998 excluded claims for vicarious liability based on it or misuse of private information and breach of confidence. The third ground challenged the judge's findings that the wrongful acts of the individual occurred during the course of his employment with Morrisons, and accordingly, that Morrisons was vicariously liable for those acts. It was in relation to this ground that the court had to consider the relevance of the point that the intention of the individual was to cause damage to Morrisons.
The Court of Appeal's decision
Morrisons was unsuccessful in respect of all three arguments. The final paragraphs of the Court of Appeal's decision discusses the relevance of the fact that the motive of the individual was to harm Morrisons rather than achieve personal benefit or inflict injury to a third party. This was something which the judge at the first instance had expressed concern about when he allowed Morrisions permission to appeal his decision and the Court of Appeal describe this as a novel feature of the case.
They discussed other motives where vicarious liability had arisen such as greed, sexual gratification and personal racism but noted that it had been held that motive was irrelevant. They did not accept that there was an exception to this where the motive of the individual giving rise to vicarious liability was to cause harm to the person who could be vicariously liable. They were also not persuaded by arguments about the enormous burden that a finding of vicarious liability would place on Morrisons and other innocent employers in future cases.
Comments
This result will, no doubt, be of considerable concern to employers who will wonder what they can do to protect themselves in circumstances similar to these. The Court of Appeal suggested that the solution is for employers to insure themselves against the actions of dishonest or malicious employees as they would do for catastrophes where data breaches on a massive scale occur as a result of corporate system failures or negligence by employees.
The scope of vicarious liability has broadened as a result of a number of decisions over the last few years. This case, with its decision that it does not matter that the person who caused the harm intended to damage the person or organisation who may be held vicariously liable, sits within that trend of widening scope. It will, of course, not just be relevant to traditional employee/employer relationships as vicarious liability can arise out of other relationships as well.
The cost of vicarious liability where there has been a deliberate breach of data protection legislation (which would now be covered by the General Data Protection Regulation rather than the Data Protection Act 1998) could be significant where the actions have caused loss to a large number of individuals. The option of seeking insurance to offer some protection should such an event occur is therefore one which merits serious consideration.