The Supreme Court last week heard the supermarket chain Morrisons argue that it should not be held vicariously liable for its then in-house senior internal auditor publishing the personal data of almost 100,000 employees deliberately and without authorisation.

In seeking to overturn the judgment of the Court of Appeal that it is vicariously liable, Morrisons is arguing that the wrongful actions of its former in-house auditor were outside the scope of his job functions; and that there was no “sufficiently close connection” between those actions and the auditor’s employment. Both elements need to be present for an employer to be vicariously liable for an employee’s actions.

This type of claim is by its nature fact specific; but in the context of a company managing and maintaining its data, it is important to note that the auditor’s role included being entrusted with the payroll data. The High Court found that Morrisons appointed the auditor on the basis that he would deal with this data and “Morrisons took the risk they might be wrong in placing the trust in him” – a finding the Court of Appeal described as “plainly correct”. It will be important to see how the Supreme Court deals with this point, and in view of this many companies may need to consider what additional safeguards they put in place in relation to those employees who are entrusted with personal data such as payroll data so as to mitigate the risk of similar incidents.

This is particularly the case in light of the fact that the law that applied at the time the auditor published the data without authorisation was the Data Protection Act 1998 – this has now been superseded by the GDPR and the Data Protection Act 2018, under which companies face much greater penalties for failures to keep data secure (up to 4% of the overall undertaking’s global turnover).  It is therefore increasingly important for any company to have appropriate procedures in place to minimise the risk of data being published or disseminated without authorisation, including where this is done by a “rogue” employee given the more draconian sanctions that can now be imposed and the related increase in the costs and risks associated with a data breach in the current regulatory environment.  

In our next update we will be looking at the Supreme Court judgment and considering the effect of that judgment on the way businesses should seek to mitigate the risks associated with data breach; it will be of particular interest to see whether the effect of the Supreme Court judgment is that companies must monitor certain employees more closely than others, in circumstances where those employees are trusted to handle important data such as payroll data.

The case is Wm Morrison Supermarkets plc v Various Claimants; the Court of Appeal judgment is [2018] EWCA Civ 2339 and the first instance judgment is [2017] EWHC 3113 (QB).