Personal data protection breaches and employer liability

In the course of their activities, employees are often tasked with handling and managing personal data of colleagues, contractors or the public. Employees are then responsible for complying with data protection law on behalf of the employer, who is the data controller or processor. Although the relationship between employees and employer is one of mutual trust, breaches of data protection law by employees could result in the employer bearing the financial, operational and publicity cost of employee behaviour. Under certain circumstances, the employer could be held vicariously liable for the employees’ misconduct under EU data protection law and the common law misuse of private information and breach of confidence. If employers are held vicariously liable, they are considered entirely responsible for their employees’ wrongdoing, even if they did not breach the law directly.

This article outlines circumstances in which employers may be liable, based on the UK Supreme Court decision of 1 April 2020. We also summarise the conditions and safeguards that could prevent employers from being held vicariously liable for breaches of data protection law.

Facts

The main issue in this case revolved around the misconduct of an employee of the Morrisons supermarket chain. The employee, a senior auditor, was responsible for transmitting the company’s payroll data of around 126,000 employees to its external auditors, as he had done the previous year. In retaliation for recent disciplinary proceedings, he copied the data from his work laptop to a personal USB stick and then uploaded the personal data of 98,998 colleagues to a publicly accessible file-sharing website under a fake account. He also sent this file anonymously to three UK newspapers, purporting to be a concerned citizen who had found it online. The newspapers did not publish the data and one of them alerted Morrisons. Morrisons spent more than £2.26m in dealing with this breach, but this loss was only the beginning of the repercussions of the employee’s actions. Some of the affected employees alleged that they had suffered distress, anxiety, upset and damage, and that the employer was vicariously liable for breaching the UK data protection legislation, misusing private information and breaching confidence.

The question for the Supreme Court

The crucial question for the Supreme Court was whether an employer could be vicariously liable for data breaches caused by rogue employees, even where the employer had taken appropriate measures and reasonable care to comply with their data protection obligations.

Court decision

Contrary to the Court of Appeal, the Supreme Court found that the employer was not vicariously liable. The Court explained that the online disclosure of the data was not part of the employee’s field of activities and was not an act which he was authorised to do. Moreover, the employee was pursuing a personal vendetta in this case. Therefore, the employee’s wrongdoing did not occur in the ordinary course of his employment and the employer was not vicariously liable.

Conditions for vicarious liability for personal data breaches

This decision is of salient importance because it sheds light on the conditions under which employers will have to answer for their employees’ breach of data protection law. The Court outlined several legal and factual elements that are crucial for imputing employee wrongdoing to employers, including:

  • A close connection between the wrongdoing and the acts the employee is authorised to do in his or her employment;
  • The finding that the employee acts in the ordinary course of his or her employment and within the field of his or her activities;
  • An “unbroken” or “seamless” sequence of events that takes place between the wrongdoing and employee duties;
  • The employee acts for his or her employer’s business reasons.

Conditions indicating lack of employers’ vicarious liability

By contrast, the Court argued that the mere fact that employment gives an employee the opportunity to commit the wrongful act does not suffice to hold the employer vicariously liable. In this context, it is unlikely that an employer will be held vicariously liable if the conditions below apply:

  • The employee misconduct is not closely related to what the employee is tasked to do;
  • The connection between the wrongdoing and employee duties is merely temporal or causal;
  • The employee acts for purely personal reasons, e.g. when the employee pursues a personal vendetta.

Employers should bear in mind that the above conditions are indicative only: the list is open-ended, and the Court will consider it in light of the legal and factual elements of each case.

Risk-mitigation measures for employers

Although this Supreme Court judgment should be welcomed by employers, the decision also highlights the importance of implementing appropriate preventive and reactive measures to mitigate the risk of employee wrongdoing. These measures enable employers to monitor, assess and improve the level of compliance with data protection law internally and in relation to external parties, e.g. customers and contractors. In particular, employers should:

  • Ensure that employees are fully aware of their personal responsibilities and contractual obligations to confidentiality;
  • Provide sufficient data protection training and regular data protection reminders;
  • Review policies for identifying, alerting on and managing personal data breaches;
  • Establish mechanisms for employees and external parties to raise data protection concerns and complaints confidentially and safely;
  • Establish roles and responsibilities for the management and oversight of personal data;
  • Conduct regular audits to check data protection compliance at management and department level.

This case highlights the importance of organisational and technical measures in the workplace to ensure data protection compliance and, by extension, compliance with employment law. Feel free to get in touch with Trilateral’s Data Protection and Cyber Risk Team, who would be happy to assist you with designing mechanisms and safeguards for improving data protection compliance in the workplace.

Adam Panagiotopoulos, Data Protection Advisor at Trilateral Research
