When is an employer liable for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web?
That was the question raised in Various Claimants v Wm Morrisons Supermarket Plc  EWHC 3133 (QB) (click here for the judgment).
In early 2014 a rogue employee had posted a file containing personal details of 99,998 employees of Morrisons on a file sharing website. That data contained names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers, and salaries.
A copy of this data, on CD, was passed on to newspapers in Bradford, where Morrisons had its head office. The papers told Morrisons. The risk to Morrisons was substantial: it carried the implication that Morrisons could not be trusted to keep data secure, and that had serious implications for Morrisons’ share values. More seriously, the information could facilitate fraud and/or dishonest access to bank accounts (etc).
The source of the data was traced to one Andrew Skelton, a senior IT auditor in Morrisons’ employment. He was arrested and charged with offences contrary to the Computer Misuse Act 1990 and s 55 Data Protection Act 1998: he is still serving a sentence of 8 years imprisonment.
Some 5,518 employees whose data had been disclosed brought claims for compensation for breach of statutory duty under s 4(4) DPA 1998 and at common law (the tort of misuse of private information, and an equitable claim for breach of confidence). The basis of the claim was that Morrisons had primary liability for their own acts or omissions, and vicarious liability for the actions of one of their employees harming his fellow workers. The claim under the DPA was on the basis that primary liability was absolute or strict, or, in the alternative, that if the Act did not impose strict liability then Morrisons had fallen below the appropriate standards.
The Data Protection Principles
The Claimants said that there had been a number of breaches of the Data Protection Principles (“DPP”). For instance, the first – DPP1 – is that data is not processed without consent. That did not happen, because none of the Claimants had consented to Skelton processing the data by copying it, extracting the information, and uploading it to a file sharing website.
The decision in Morrisons has some interesting discussion of the Data Protection Act at para 44 & onwards. In particular, Langstaff J noted the point made in Your Response Ltd v Data Team Business Media Ltd  EWCA Civ 281, that “the concept of possession in the conventional sense had no meaning in relation to intangible property, and thus it was not possible for a lien to exist over an electronic database.” Entering information into an electronic data storage system did not render the information itself a physical object.
The duties under the DPA 1998 are imposed on a data controller. A data controller is a person who makes decisions about how and why the data is processed. A person who processes data as an agent for a data controller is not himself a data controller in respect of those data: Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd  EWCA Civ 121 at para 70 – 71.
The DPA 1998 derives from European law – Directive 95/46/EC of 24th October 1995 – and so, applying Marleasing, the Court had to adopt a purposive approach. The acts which had been said to break the data protection principles were those of a third party, and not those of Morrisons. Morrisons were not therefore liable for having broken (most of) the Data Protection Principles, because they did not themselves, as data controller, offend against those principles (para 64 of the decision in Morrisons).
However, the seventh data protection principle (“DPP7”) required Morrisons to take “appropriate technical and organisational measures” to protect against unauthorised or unlawful processing of personal data. Since this was a large organisation dealing with data of around 100,000 employees, the magnitude of risk was accordingly great. So, in principle, the Claimants could argue that Morrisons had not taken appropriate steps. But Langstaff J found that Morrisons did not know nor ought they reasonably to have known that Skelton posed a threat; Morrisons had generally implemented appropriate measures; the management could not properly be criticised for not having asked Skelton before mid December that the data had been deleted (or checking that it had been); however, there was no organised system for the deletion of data and to that extent Morrisons had fallen short of DPP7. But even if they had implemented appropriate measures, any reasonable measure that might have been implemented would not have prevented Skelton’s criminal misuse of the data (para 125).
The remaining issue was of vicarious liability – i.e. “liability for an employee’s unauthorised or not negligently permitted unlawful mode of doing an authorised act in the course of employment” – that is, “truly vicarious liability”. And of course there are well-known legal issues arising here. The relationship between the parties is one such issue: a restriction to the relationships being employment or agency might in some cases be unjust (as in Armes v Nottinghamshire County Council  UKSC 60, where the Supreme Court considered whether a Council might be liable for wrongs done by a foster-parent to whom it had entrusted the care of a child). A second issue is the proper approach to “the course of employment”.
So, what of a case such as this, where the employee commits a serious criminal act? Langstaff J referred back to another Morrisons case – Mohamud v William Morrison Supermarkets Plc  UKSC 11 – in which a Morrisons employee, working in a sales kiosk, in response to a customer’s enquiry had used racist, abusive and violent language towards the Claimant, had followed him back to his car, and had subjected him to a serious physical attack. The Supreme Court considered that the employee’s job was to attend to customers and to respond to their queries, such that the manner in which he responded was within the field of activities assigned to him and what had happened afterwards formed an unbroken series of events. Morrisons in that case were therefore liable.
Applying Mohamud (and going via a lengthy detour into some preliminary issues on vicarious liability, which I will skip over), Langstaff J summarised in detail the relevant authorities relied upon in the course of argument and found that (paragraphs 183 & onwards):
So, there was a sufficient connection between the position in which Skelton was employed and his wrongful conduct to make it right for Morrisons to be held liable “under the principle of social justice which can be traced back to Holt CJ”. That would apply equally to a breach under the DPA, a misuse of private information, or a breach of the duty of confidence, because the essential actions which constituted the tort were the same in each case.
Interestingly, Langstaff J closes with the following:
The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims. I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it: but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.
This may not, therefore, be the end of the matter.