Landmark Supreme Court decision on employer’s vicarious liability
In 2014, a Morrisons employee leaked his colleagues’ payroll data in an act of revenge against his employer after he was issued a verbal warning for using the company’s post room to run an online business selling ‘legal highs’. He was subsequently jailed for eight years for fraud, securing unauthorised access to computer material and unlawfully disclosing personal data. Then, a group of more than 9,000 of the affected staff launched the UK’s first data breach-related group action against Morrisons for the alleged upset and distress caused to them by the employee’s actions. The claimants alleged that Morrisons was also liable for the data breach because it was carried out by the employee in the course of his employment. In 2017, the High Court ruled that Morrisons was indeed liable for the data breach and ordered it to pay compensation to the employees.
Morrisons appealed, but the appeal was dismissed by the Court of Appeal in October 2018, leading the supermarket to launch a further appeal in the Supreme Court.
Morrisons’ argument has always been that the employee’s actions were so far removed from what he was paid to do that it should not be liable. It said this was a vindictive act that could not in any way have been foreseen by the employer and was not connected to the tasks that he was employed to do. Morrisons was clear that it had done everything it reasonably could have done to protect the data and therefore should not be liable for the employee’s unlawful and unpredictable behaviour.
The employees, on the other hand, argued that they had entrusted their data to their employer and that the leaking of the information caused them distress for which they would have no meaningful recourse if Morrisons was not held liable.
The Supreme Court has now found unanimously that Morrisons was not liable for the employee’s actions. The justices noted that this case was one of a kind and that they had never been asked to rule on a case that involved someone trying to deliberately inflict harm on their employer, stating that in these circumstances, the employer was not vicariously liable.
To avoid liability, employers need to take all necessary steps to comply with the GDPR, including having the appropriate safeguards in place (i.e. training, policies and monitoring) to protect against data breaches by employees.