The Supreme Court has decided that Wm Morrison Supermarkets plc (Morrisons) is not vicariously liable for the actions of an employee who, without authorisation and in a deliberate attempt to harm his employer, uploaded payroll data to the internet using personal equipment at home.
The Supreme Court found that the circumstances in which the employee had committed the wrongful disclosure of payroll data were not so closely connected with acts which he was authorised to do that they could fairly and properly be regarded as having been done by him while acting in the course of his employment.
This decision will provide welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. It similarly provides helpful clarification for practitioners on the way in which the judgment should be applied in future cases concerning vicarious liability.
The facts in this case were extreme. It seems that Morrisons were wholly unaware of the grudge held by the employee. The employee also took extraordinary actions to cover up what he had done and even to frame another employee. In the circumstances, this judgment seems sensible in many respects.
Employers should take away from the judgment that, although this case was decided under the previous data protection regime, the DPA 1998 and the GDPR are based on broadly similar principles, and the GDPR and Data Protection Act 2018 (DPA 2018) will not be a barrier to vicarious liability actions in data privacy proceedings commenced under the current regime. The GDPR now makes compliance far more onerous for controllers, who will run the risk of exposure if they fail to safeguard data to statutory standards and neglect to have governance in place to curb the malicious acts of rogue employees.