This was an appeal by WM Morrison Supermarkets plc (Morrisons) on the issue of whether an employer can be liable in damages to its current and former employees whose personal and confidential information has been misused by the criminal act of another employee in breach of the Data Protection Act 1998 (DPA) and in breach of that employee’s obligation of confidence.
The factual background to the proceedings can be found in a One Brick Court case note of the judgment at first instance: available here.
Morrisons appealed to the Court of Appeal on three grounds (at ):
(1) The Judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability.
(2) The Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same.
(3) The Judge was wrong to conclude:
(a) that the wrongful acts of the employee occurred during the course of his employment by Morrisons; and, accordingly,
(b) that Morrisons was vicariously liable for those wrongful acts.
The Court of Appeal considered that, whatever the position on the first ground of appeal, it was clear that the vicarious liability of an employer for misuse of private information and breach of confidence by an employee had not been excluded by ‘necessary implication’ under the DPA (at -). There were three major obstacles to Morrisons’ proposition that the DPA had excluded an employer’s vicarious liability at common law and in equity:
(1) Firstly, if Parliament had intended such a substantial change in common law and equitable rights, it might have been expected to say so expressly (at ).
(2) Secondly, Morrisons’ acceptance that actions for misuse of private information and for breach of confidence operate in parallel with the DPA, while at the same time contending that vicarious liability for the same causes of action has been excluded by the DPA is a difficult line to tread; “not least because it may be said to present an inconsistency in the application of one of the principal objects of the Directive and of the DPA, namely the protection of privacy and the provision of an effective remedy for its infringement (including by an employee of limited means), rather than their curtailment” (at ).
(3) Thirdly, the difficulty of treading that line was deemed to be insuperable on the facts because the DPA is silent on the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller (at ). The Court of Appeal noted that the contrast between the fault based primary liability on an employer data controller under the DPA and the imposition of a strict vicarious liability on an employer for the defaults of an employee data controller is no more of an anomaly than the position at common law (at ).
On the third ground of appeal, it was noted that the relevant test to apply is set out in Mohamud v WM Morrison Supermarkets plc  AC 667, at -:
(1) What functions or ‘fields of activities’ have been entrusted by the employer to the employee; and
(2) Whether there was a ‘sufficient connection’ between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
In relation to the first limb of the Mohamud test, at first instance Langstaff J found (at -) that Morrisons deliberately entrusted the employee with the payroll data, and his role in respect of that data was to receive and store it, and to disclose it to a specified third party. Accordingly, the employee’s unauthorised disclosure to wider third parties was closely related to what he was tasked to do. The Court of Appeal considered these findings to be ‘plainly correct’ (at ).
Similarly, the Court of Appeal considered Langstaff J’s undisputed findings of fact (at ) in relation to the second limb of the Mohamud test to be correct: ‘what happened was a seamless and continuous sequence of events’ (at ).
In accepting these findings of fact, the Court of Appeal rejected Morrisons’ submission that vicarious liability only applies if the employee was ‘on the job’ when the tortious act was committed: a phrase not found in any of the authorities. The Court of Appeal’s preferred approach was to use the ‘within the field of activities assigned to the employee’ test set out in Mohamud (at ).
At first instance, Langstaff J concluded his judgment by expressing some concern at the fact that, as the employee’s intentions were to harm Morrisons, his conclusions on vicarious liability might ‘seem to render the court an accessory in furthering his criminal aims’ (at ): leave was therefore granted to appeal on the point. In dealing with this issue, the Court of Appeal did not accept that there was an exception to the principle that motive was irrelevant, where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer (at ).
At the end of its judgment the Court of Appeal noted that whilst the availability of insurance is not a reason for imposing liability, the availability of insurance against losses caused by dishonest or malicious employees is a valid answer to the burden shouldered by innocent employers (at ).
The judgment is available here.