Employers’ vicarious liability – Supreme Court rulings in April.

WM Morrissons PLC v various claimants

Earlier this month, the UK Supreme Court ruled that the supermarket, WM Morrisons Supermarket PLC ("Morrisons") was not vicariously liable for its employee's deliberate data breach back in 2013. This decision marks the end of a long legal battle and overturns the previous decisions made by the High Court and Court of Appeal. This decision will certainly provide welcome relief for employers that they will not always be liable for data breaches committed by rogue employees.

Summary of the Morrisons case

By way of background, Andrew Skelton was employed by Morrisons as an internal auditor. He was issued with a verbal warning for minor misconduct in 2013, which led him to develop a grudge against the company. Mr Skelton was asked to provide payroll information for the whole Company to external auditors. In doing so, Mr Skelton copied payroll data he had access to and put it online and sent it to newspapers using an alias. This data included personal and banking details of around 120,000 Morison's employees.

A newspaper alerted Morrisons to the breach, who within a few hours shut down the file sharing website. Skelton was arrested shortly after and subsequently convicted of criminal offences under the Data Protection Act 1998, the Computer Misuse Act 1990 and the Fraud Act 2006 - the latter attracting a custodial sentence. Skelton was sentenced to 8 years' imprisonment in July 2015.

Some of the employees and former employees (approximately 5,500) who were impacted by the breach took action against Morrisons for losses under the Data Protection Act 1998, the misuse of private information, and an equitable claim for breach of confidence. If their claim failed for direct liability, the group submitted that Morrisons were vicariously liable for the actions of their employee. For further information on our previous article from when this case reached the Court of Appeal and for practical tips on what employers can do to protect themselves from data breaches, click here.

Supreme Court decision on the Morrisons case

The Supreme Court ruled in Morrisons' favour, after determining that the Court of Appeal had misunderstood the principles governing vicarious liability. The Court noted that in previous decisions of the case, it was ruled that sending the data to third parties was closely related to what Mr Skelton was tasked to do resulting in a "seamless and continuous sequence" or "unbroken chain of events". The Supreme Court however found that the disclosure did not form part of Mr Skelton's functions and it was not an act he was authorised to do. Although Mr Skelton's role provided him with the opportunity to commit the data breach, he was pursuing a personal vendetta. His conduct could not properly be regarded as done by him while acting in the ordinary course of his employment.

For completeness, the Supreme Court also considered whether the Data Protection Act 1998 excluded vicarious liability and it ruled that there was no such exclusion regardless of the different legal tests. Although the Data Protection Act 1998 has now been replaced with the General Data Protection Regulations (GDPR), the principle will still apply.

Barclays Bank PLC v various claimants

Also this month, the Supreme Court ruled that Barclays Bank plc was not vicariously liable for any wrongdoing of Dr Bates (who was self-employed) in the course of medical examinations he carried out for the Bank between 1968 and 1984.

Summary of the Barclays case

During that period, Barclays required some new employees to receive medical assessment prior to starting their employment. 126 employees, who were mainly female teenagers, alleged that Dr Bates had sexually assaulted them.

Dr Bates was not employed by Barclays. Barclays arranged the appointments with Dr Bates to take place at a consulting room at his home address and provided him with a proforma report for him to complete. Dr Bates was also paid for each appointment individually, not on a retainer. Dr Bates died in 2009 and in 2015, the Claimants sought damages from Barclays.

Supreme Court decision

At first instance, the judge held that Barclays were vicariously liable for the assaults and the Court of Appeal dismissed Barclay's appeal. This was on the basis that they found the relationship to be sufficiently "akin to employment" and the doctor's wrongdoing occurred as a result of activity undertaken by him on behalf of the bank.

Last week the Supreme Court unanimously allowed Barclay's appeal. The court ruled that Dr Bates was carrying on business on his own account and was not at any time an employee or anything close to an employee of Barclays. Instead he was in business on his own as a medical practitioner, he had a portfolio of patients and clients (one of which was the bank), he was paid a fee for each report, was free to refuse a medical examination and there was little doubt that he would have had his own medical liability insurance. Therefore, a company that engages an independent contractor (and the relationship in practice reflects that) is, in general, not liable for the tort committed by the contractor.

These decisions are landmark judgments and will provide a degree of comfort to employers. In the words of Lord Phillips of Worth Matravers, “The law of vicarious liability is on the move.” Although, thankfully less than we thought they might have been.