In April, the Supreme Court overruled the Court of Appeal’s decision in 2018 that Morrisons Plc was vicariously liable for a disgruntled employee’s offences under the Data Protection Act 1998. In reaching its decision the court found that the employee had disclosed data in satisfaction of an “irrational grudge” and in doing so had acted outside the course of his employment.
Mr Skelton was asked by his line manager to compile a list of employee data comprising of names, contact details, national insurance numbers, bank details, and salaries to send to external auditors. In the process he made a copy of this data on a personal USB stick which he later uploaded to a file-sharing website. Mr Skelton then leaked the information to several newspapers, who in turn alerted Morrisons to the data breach.
Morrisons acted quickly, notifying the police and affected employees, as well as seeking to remove the data from the internet. Mr Skelton was arrested a short time later; in his trial it was admitted that the breach had been a deliberate act aimed at damaging his employer’s reputation after they had undertaken a disciplinary process in respect of his conduct.
Court of Appeal’s findings
The Court of Appeal (upholding the High Court’s decision) found that Morrisons were vicariously liable because the conduct amounting to the breach was carried out in the course of his employment, they ruled that:
• the breach began when he saved a copy of the data to his personal USB stick;
• he copied the data during his working hours, at his place of work and from his work computer; and
• he had been authorised to access the data for the performance of his duties.
Findings of the Supreme Court
The Supreme Court however considered that Mr Skelton’s deliberate, and criminal acts were not carried out in the course of his employment for the following reasons:
• Morrisons had not authorised Mr Skelton to copy the data to a personal device;
• The copying of the data itself was not done in furtherance of his employer’s business but instead in pursuit of a personal vendetta.
As such, Morrisons could not be deemed vicariously liable for Mr Skelton’s breach of statutory duty under the DPA 1998.
Although the DPA 1998 has now been superseded by GDPR and the DPA 2018, the Supreme Court’s decision will likely be persuasive in any future claims of vicarious liability under the new legislation. While the ruling comes as a relief to many employers, it serves as a reminder of the importance of implementing strong data protection measures and ensuring that data breaches are dealt with efficiently.
If you have any questions about data protection or any other employment law issue please contact us.