UK: worrying High Court data protection ruling imposing vicarious liability on employers

A recent High court decision (subject to appeal) has ruled that an employer can be vicariously liable for an employee's misuse of data even where it has done as much as reasonably possible to prevent the misuse and where the misuse of data is intended to cause reputational or financial damage to the employer.

The case concerned a claim brought by 5,500 employees for distress-based damages against Morrisons in relation to the leak of payroll data by a rogue employee.  The employee had copied the data as part of his job and then used his personal computer to publish it online outside working hours.

The Court accepted that it was the employee, not Morrisons, who was the data controller when the data was wrongly published.  Morrisons' only direct breach of data protection law was to fail to provide an organised failsafe system for the deletion of data stored temporarily on an employee’s own device, but this had not enabled the particular misuse.  Morrisons had not breached data protection laws by allowing the employee to have access to the data, as there was no sufficient reason to think he posed a risk to the security of the data at the time.

Nevertheless, the Court held that Morrisons was vicariously liable for the employee's conduct, even though the purpose of the conduct had been to damage Morrisons, a purpose which the court would indirectly be assisting by imposing liability.  The judge considered that the Data Protection Act did not impliedly exclude the possibility of vicarious liability and equally did not prevent there being vicarious liability for common law claims of misuse of private information and breach of the duty of confidence in respect of the same data disclosure.

On the facts, the test of vicarious liability was satisfied: the employee had been acting "in the course of his employment" because he had received and copied the data as part of his role and the chain of events followed on unbroken from that receipt.

The judge did have reservations about his conclusions, in particular given that the rogue employee's data breaches were aimed at inflicting harm on his employer, and so gave permission to appeal on vicarious liability.  Morrisons has confirmed that it intends to appeal.