A landmark group claim for compensation under data protection laws in the UK between employees and employer has failed. The UK’s Supreme Court has held that a rogue employee’s activities were not sufficiently connected with his employment to make Morrison, his employer, vicariously liable for the data protection breach. If it had been held liable, Morrison would have been in line to make compensation payments to nearly 10,000 employees.
The case relates to an incident in 2014 and was brought under the Data Protection Act 1998 (DPA), but it is likely that findings would be the same under the GDPR and the UK Data Protection Act 2018.
As this case rested upon the payroll details of almost 100,000 individuals, the quantum of liability could have been significant, and clarity on the scoping of liability for the employer in light of a data protection breach in this context is welcome.
The Court also considered the question of whether the DPA excludes the imposition of vicarious liability for (a) statutory torts committed by an employee data controller under the DPA and (b) misuse of private information and breach of confidence. It held that, as the legislation neither expressly nor implicitly excluded such liability, the principle of vicarious liability would apply to an employee who is a data controller in the course of his employment and commits a breach of the statutory obligations, as well as to a breach of obligations arising at common law or in equity.
However, it should be noted that this does not mean employers are freed from liability obligations to affected individuals in all cases. The facts of this case are unusual: an employee with the right to access payroll data to perform his job took a copy of the data and used it in an unauthorized manner, in this case by offering it to the national news media for publication. There are many other circumstances in which a personal data breach may lead to the unauthorized disclosure of large amounts of personal data and to the potential class compensation claims enshrined in the GDPR and DPA 2018.
The outcome of this case has been of particular concern for businesses around the country, given the Court of Appeal’s previous finding that individuals who acted contrary to their employer’s best interests and without their knowledge (and, indeed, illegally) could be held to have done so in the course of their employment. That position has now been overturned, thereby making it easier for organisations to defend data protection-related claims resulting from a disgruntled employee’s actions.
Whilst future cases will still turn on their facts, today’s decision will no doubt be well received by HR departments and company boards, many of whom are now considering the potential liability from data processing and security risks arising from the sudden shift to a remote workforce as has been mandated by the response to the COVID-19 pandemic.