Employer not liable for data breaches

Posted: 1st April 2020

To what extent do employers bear indirect, or vicarious, liability for breaches of the Data Protection Act 1998 (DPA) perpetrated by their staff? The Supreme Court decisively resolved that issue in a test case concerning a supermarket worker who placed highly confidential payroll information online as part of a personal vendetta.

The man worked for a supermarket chain as part of its internal audit team. Having previously received a verbal warning following disciplinary proceedings, he bore a grudge against the chain. After being tasked to send payroll data for the chain’s entire workforce to external auditors, he took the opportunity to make a personal copy.

He uploaded the data onto a publicly accessible file-sharing website and also sent it anonymously to three newspapers, posing as a concerned member of the public. They refrained from publishing the material and one of them alerted the chain, which took immediate steps to have the data removed from the website and to protect its staff. The man was subsequently prosecuted and jailed.

Some affected employees were concerned that the privacy of their personal data had been compromised and brought proceedings against the chain. Their claims were upheld by a judge on the basis that the man had acted in the course of his employment and that the chain was vicariously liable for his breaches of the DPA, misuse of private information and breaches of confidence. The judge’s ruling was subsequently confirmed by the Court of Appeal.

In upholding the chain’s challenge to that outcome, the Supreme Court noted that, in order to establish vicarious liability on the chain’s part, the employees had to show that the man’s wrongdoing was closely connected to the field of activities he was authorised to perform in the ordinary course of his employment. Such a connection had to be sufficient to make it right, as a matter of social justice, for the chain to be held indirectly liable for the man’s misconduct.

The reason why the man acted as he did could make no material difference to the outcome. It was, however, highly relevant whether he was acting on his employer’s business or for purely personal reasons. Although he was authorised to transmit the data to external auditors, his wrongful public disclosure of the material was not so closely connected to that task that it could fairly be viewed as having been made while acting in the ordinary course of his employment.

On long-established principles, the Court noted that an employer would not normally be held vicariously liable where, far from being engaged in furthering its business, an employee is pursuing a personal vendetta. The fact that the man’s employment afforded him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability on the chain.