Data Protection and Vicarious Liability

In: News Published: Wednesday 01 April 2020

Share

Summary

The Supreme Court has today handed down judgement in the case of WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12, on appeal from [2018] EWCA Civ 2339. The unanimously agreed judgement given by Lord Reed cautions against an overly literal interpretation of Lord Toulson's judgement in Mohamud [2016] AC 677 and restates the "close connection" test as being authoritatively laid down by Lord Nicholls in Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48.

The Facts

In July 2013, a senior auditor employed in Morrisons’ internal audit team was subject to minor disciplinary proceedings and was given a verbal warning for a trivial conduct matter.

In November 2013, the employee was instructed to provide KPMG with the company's payroll data for the purposes of a routine annual audit. This included names, addresses, genders, dates of birth, phone numbers, national insurance numbers, bank account information, and the salaries of each of the 126,000 individuals employed by Morrisons.

Whilst collating and transferring the data to KPMG, the employee surreptitiously downloaded the records to a personal USB drive. Using the TOR anonymity overlay network, he uploaded the records to a publicly accessible file sharing website, and posted CDs containing the data to three UK newspapers.

The newspapers did not publish the information, but instead alerted Morrisons to the data breach. Morrisons immediately contacted the Police, took steps to ensure the removal of the data from the internet within hours, and spent in excess of £2,000,000 on identity protection measures for its employees. The employee was arrested several days later and sentenced to an eight year term of imprisonment.

9,263 employees and former employees of Morrisons then commenced proceedings against the company, alleging breach of statutory duty under s4(4) of the Data Protection Act 1988, misuse of private information, and breach of confidence, on the basis that Morrisons was vicariously liable for the employee's conduct.

The High Court made a group litigation order and selected 10 lead claimants to proceed to trial on liability, with the remainder of the claims being stayed pending judgement.

First Instance and Court of Appeal

At first instance at the trial on liability, Langstaff J rejected the contention that Morrisons were in breach of any primary liability, but held that it was vicariously liable for the employee's breach of statutory duty under the Data Protection Act 1988, misuse of private information, and breach of his duty of confidence. The judge also rejected Morrisons contention that the Data Protection Act excluded vicarious liability for misuse of private information and breach of confidence.

In respect of vicarious liability, the judge held that Morrisons had provided the employee with the data in order for him to carry out the task assigned to him, and that what has happened thereafter was, in the words of Lord Toulson in Mohamud,

"a seamless and continuous sequence of events… an unbroken chain.”

The judge held that Morrisons had trusted the employee to deal with confidential information and therefore assumed the risk that it might be wrong in placing that trust in him. The employee's role in respect of the payroll data was to receive, store, and transfer it to a third party (KPMG). Although he was not authorised to disclose the data to anyone except KPMG, disclosure was “closely related” to what he had been tasked by his employer to do, and accordingly :

Adopting the broad and evaluative approach encouraged by Lord Toulson JSC in Mohamud’s case [2016] AC 677, I have therefore come to the conclusion that there is a sufficient connection between the position in which he was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable under the principle of social justice which goes back to Holt CJ."

Morrisons then appealed to the Court of Appeal, which held:

“the tortious acts in sending the claimants’ data to third parties were in our view within the field of activities assigned to him by Morrisons”.

As had been held at first instance, the Court of Appeal also emphasised that the relevant facts constituted a “seamless and continuous sequence” or “unbroken chain of events". Although it was an unusual feature of the case that the employee's motive in committing the wrongdoing was to harm his employer, Lord Toulson had said in Mohamud that motive was irrelevant. The court therefore agreed with the judge, that Morrisons was vicariously liable for the employee's wrongdoing.

Supreme Court

Lord Reed held that whilst the judge at first instance and Court of Appeal had “applied what they understood to be the reasoning of Lord Toulson in Mohamud [2016] AC 677” they had “misunderstood the principles governing vicarious liability in a number of relevant respects.”

Lord Reed held that if the Court of Appeal had been correct, it would have constituted “a major change in the law,” whereas Lord Toulson’s judgement upon which their approach was based had not been “intended to effect a change in the law of vicarious liability: quite the contrary.”

The Court of Appeal were said to have “focused on the final paragraphs, in which Lord Toulson summarised long established principles in the simplest terms and applied them to the facts of the case then before the court. A few phrases in those paragraphs, taken out of context, were treated as establishing legal principles: principles which would represent a departure from the precedents which Lord Toulson was expressly following.

Those incorrect new principles were the notions that: 

 

  • the Court had a broad discretion to determine the existence of vicarious liability according to “the principle of social justice”;
  • vicarious liability depended upon “an unbroken temporal or causal chain of events;
  • the “motive of the employee is irrelevant” in determing whether there is vicarious liability.

Fallacies in determining vicarious liability

Fallacy 1 - "Social Justice" discretion

In Mohamud, it was held that a petrol station owner was vicariously liable for an assault perpetrated by a petrol station attendant, who upon declining the request of a customer, ordered the customer to leave the premises using racist and threatening language, and then followed him to his car where he assaulted him.

In that case, Lord Toulson referred back to the doctrinal origins of vicarious liability, and in particular the influential role of Sir John Holt CJ in developing the concept in the late 17th and early 18th century. In essence, the rationale was that where an employer employed a wrongdoer, and the employee committed a wrongful act against the claimant within the area of the authority given to him, it was fairer that the employer should suffer for the wrongdoing than the person who was wronged.

Lord Toulson referred to Salmond on Torts 1907 which defined a wrongful act by a servant in the course of his employment as:

 
  • (a) a wrongful act authorised by the master; or
  • (b) a wrongful and unauthorised mode of doing some act authorised by the master; 
  • with the amplification that a master is liable for acts which he has not authorised if they are “so connected with acts which he has authorised, that they may rightly be regarded as modes - although improper modes - of doing them.”

The Salmond formula had been stretched in sexual abuse cases such as Lister v Hesley Hall Ltd [2001] UKHL 22 where despite the fact that sexual abuse was clearly not a mode of caring for children, the abuse was so closely connected with employment that it was held to be just to make them liable.

In the present case, Lord Reed held that the "social justice" fallacy was essentially a misinterpretation of the "close connection" test, which involved assessing whether the connection between the tortious act and an employee's duties was such as to make it "fair and proper" to say that actions were undertaken "in the ordinary course of employment."

In support of this contention, Lord Reed proceeded to cite the “close connection” approach enunciated by the House of Lords in Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48, where Lord Nicholls of Birkenhead held:

"....it is a fact of life, and therefore to be expected by those who carry on businesses, that sometimes their agents may exceed the bounds of their authority or even defy express instructions. It is fair to allocate risk of losses thus arising to the businesses rather than leave those wronged with the sole remedy, of doubtful value, against the individual employee who committed the wrong. To this end, the law has given the concept of ‘ordinary course of employment’ an extended scope.... 

 

 

....the wrongful conduct must be so closely connected with acts the partner or employee was authorised to do that, for the purpose of the liability of the firm or the employer to third parties, the wrongful conduct may fairly and properly be regarded as done by the partner while acting in the ordinary course of the firm’s business or the employee's employment....

 

 

...This ‘close connection’ test focuses attention in the right direction. But it affords no guidance on the type or degree of connection which will normally be regarded as sufficiently close...

.

 

...Essentially the court makes an evaluative judgement in each case, having regard to all the circumstances and, importantly, having regard also to the assistance provided by previous court decisions...."

Lord Reed summarised this as:

"the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment"

but stressed

"The words “fairly and properly” are not, therefore, intended as an invitation to judges to decide cases according to their personal sense of justice, but require them to consider how the guidance derived from decided cases furnishes a solution to the case before the court. Judges should therefore identify from the decided cases the factors or principles which point towards or away from vicarious liability in the case before the court, and which explain why it should or should not be imposed."

Fallacy 2 - Vicarious Liability depends on "an unbroken temporal or causal chain of events"

Lord Reed cited Lord Toulson’s reasoning in Mohamud in respect of the connection between the assault perpetrated by the attendant and his role as an employee of the petrol station :

“What happened thereafter was an unbroken sequence of events. It was argued by the respondent and accepted by the judge that there ceased to be any significant connection between Mr Khan’s employment and his behaviour towards the claimant when he came out from behind the counter and followed the claimant onto the forecourt. I disagree for two reasons. First, I do not consider that it is right to regard him as having metaphorically taken off his uniform the moment he stepped from behind the counter. He was following up on what he had said to the claimant. It was a seamless episode. Secondly, when Mr Khan followed the claimant back to his car and opened the front passenger door, he again told the claimant in threatening words that he was never to come back to the petrol station. This was not something personal between them; it was an order to keep away from his employer's premises, which he reinforced by violence. In giving such an order he was purporting to act about his employer's business. It was a gross abuse of his position, but it was in connection with the business in which he was employed to serve customers.”

Lord Reed explained that:

"Read in context, Lord Toulson’s comments that there was “an unbroken sequence of events”, and that it was “a seamless episode”, were not directed towards the temporal or causal connection between the various events, but towards the capacity in which Mr Khan was acting when those events took place." 

 

"Lord Toulson was explaining why, in his view, Mr Khan was acting throughout the entire episode in the course of his employment. When he followed the motorist out of the kiosk and on to the forecourt, he was following up on what he had said to the motorist in the kiosk. He ordered the motorist to keep away from his employer's premises, and reinforced that order by committing the tort. In doing so, he was “purporting to act about his employer's business”. As Lord Toulson said, “this was not something personal”."

Fallacy 3 - the "motive of the employee is irrelevant"

Lord Reed cited the third element of Lord Toulson's judgement that had been misconstrued:

Mr Khan’s motive is irrelevant. It looks obvious that he was motivated by personal racism rather than a desire to benefit his employer's business, but that is neither here nor there.”

Lord Reid explained that:

"Lord Toulson had already concluded that Mr Khan was going, albeit wrongly, about his employer's business, rather than pursuing his private ends, and had treated that fact as supporting the existence of a close connection between his field of activities and the commission of the tort. Having reached that conclusion, the reason why Mr Khan had become so enraged as to assault the motorist could not make a material difference. That is all, I believe, that the remark that “Mr Khan’s motive is irrelevant” was intended to convey."

The Correct Approach 

The two stage test

Lord Reed held that Lord Toulson had cited the correct "two stage test" approach for determining whether an employer was vicariously liable for the act of an employee.

 “In the simplest terms” the court has to consider two matters.

  1. The first question is what functions or “field of activities” had been entrusted by the employer to the employee.
  2. The second question is "whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ

Lord Reed explained the second question "not a free standing assessment of the social justice of the circumstances, but the court has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment. That statement of the law, endorsed in Mohamud and in several other decisions at the highest level, is authoritative."

Lord Reed clarified:

Lord Toulson was not suggesting any departure from the approach adopted in Lister and Dubai Aluminium. His position was the exact opposite.

 

Nor was he suggesting that all that was involved in determining whether an employer was vicariously liable was for the court to consider whether there was a temporal or causal connection between the employment and the wrongdoing, and whether it was right for the employer to be held liable as a matter of social justice.

 

 

Plainly, the close connection test is not merely a question of timing or causation, and the passage which Lord Toulson cited from Dubai Aluminium makes it clear that vicarious liability for wrongdoing by an employee is not determined according to individual judges’ sense of social justice. It is decided by orthodox common law reasoning, generally based on the application to the case before the court of the principle set out by Lord Nicholls at para 23 of Dubai Aluminium, in the light of the guidance to be derived from decided cases.

Conclusion in the Present Case 

Lord Reed concluded that the question is whether the employee's wrongful disclosure of data was so closely connected with the collation and transmission of the data to KPMG that, for the purposes of the liability of his employer to third parties, the disclosure may fairly and properly be regarded as made by him while acting in the ordinary course of his employment.

The connecting factor between what he was authorised to do and the disclosure, is that he could not have made the disclosure if he had not been given the task of collating the data and transmitting it to KPMG. It was the provision of the data to him, so that he could perform that task, that enabled him to make a private copy of the data  which he subsequently used to make the disclosure.

Clearly, the mere fact that his employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability

Lord Reed held that the fallacy in imposing vicarious liability when employment provides the opportunity to commit a wrongful act was explained by Lord Wilberforce in Kooragang Investments Pty Ltd v Richardson & Wrench Ltd [1982] AC 462, which concerned an employee who was authorised to carry out valuations, and negligently carried out a valuation without authority from his employers and not on their behalf. Lord Wilberforce held:

“the underlying principle remains that a servant, even while performing acts of the class which he was authorised, or employed, to do, may so clearly depart from the scope of his employment that his master will not be liable for his wrongful acts.

To use the expression coined by Parke B in Joel v Morison (1834) 6 C & P 501, an employer is not responsible where an employee "goes on a frolic of his own"

“The master is only liable where the servant is acting in the course of his employment. If he was going out of his way, against his master's implied commands, when driving on his master's business, he will make his master liable; but if he was going on a frolic of his own, without being at all on his master's business, the master will not be liable.

As Lord Nicholls held in Dubai Aluminium [2003] 2 AC 366, para 32:

“A distinction is to be drawn between cases such as Hamlyn v John Houston & Co [1903] 1 KB 81, where the employee was engaged, however misguidedly, in furthering his employer's business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase ... The matter stands differently when the employee is engaged only in furthering his own interests, as distinct from those of his employer. Then he ‘acts as to be in effect a stranger in relation to his employer with respect to the act he has committed’

As Lord Reed held:

In the present case, it is abundantly clear that the employee was not engaged in furthering his employer's business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, applying the test laid down by Lord Nicholls in Dubai Aluminium in the light of the circumstances of the case and the relevant precedents, his wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Does the DPA exclude the Vicarious Liabilty for statutory torts or misuse of private information and breach of confidence?

As Lord Reed held, the relevant principles were explained by Lord Nicholls in Majrowski [2007] 1 AC 224:

“The rationale [of the principle of vicarious liability] also holds good for a wrong comprising a breach of a statutory duty or prohibition which gives rise to civil liability, provided always the statute does not expressly or impliedly indicate otherwise.

Lord Nicholls summarised the resultant position:

“Unless the statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of a statutory obligation sounding in damages while acting in the course of his employment.”

Counsel for Morrisons argued that the DPA impliedly excluded the vicarious liability of an employer. They referred in particular to section 13 of the DPA 1998.

Subsection (1) provides that: “an individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage”.

Subsection (2) makes similar provision in relation to compensation for distress.

Subsection (3) provides that: “in proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.

The seventh data protection principle (Schedule 1, paragraph 10) also provides:

“The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to personal data.”

Lord Reed held:

"The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity. Since the DPA is silent about the position of a data controller’s employer, there cannot be any inconsistency between the two regimes. That conclusion is not affected by the fact that the statutory liability of a data controller under the DPA, including his liability for the conduct of his employee, is based on a lack of reasonable care, whereas vicarious liability is not based on fault...... 

It follows that, applying the orthodox principles of statutory interpretation explained by Lord Nicholls in Majrowski, since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment, as explained in Dubai Aluminium."

KEVIN HOLDER 2020

BARRISTER

33 BEDFORD ROW

NOTICE: This article is provided free of charge for information purposes only; it does not constitute legal advice and should not be relied on as such. No responsibility for the accuracy and/or correctness of the information and commentary set out in the article, or for any consequences of relying on it, is assumed or accepted by the author, any member of Chambers, or by Chambers as a whole.