InsightsWebinar | Video - Data Protection and GDPR - POSTED: April 8 2020
Data protection liability: The Morrisons Case
Data protection liability – why the Supreme Court ruled in favour of Morrisons Supermarkets
- Share this article
- Print this article
Brachers Partner Colin Smith takes a look at the case of Morrisons Supermarket, who were involved in a serious breach of data protection legislation.
Today we’re going to look at an important Supreme Court decision in a case called Morrisons. Now this case involved a serious breach of the data protection legislation. An internal auditor pursuing his own personal vendetta decided to upload a significant proportion of Morrisons’ employee database to the internet and share it with the world. As a result, thousands of claimants sued Morrisons for breach of their duties under the Data Protection Act, as well as under general other breach of confidence laws.
The question therefore arose whether or not Morrisons was vicariously liable for the actions of an employee when they were so far at the outer limits of what you were actually employing that person to do. Now the claimants succeeded at the High Court level in establishing vicarious liability. This was upheld on appeal at the Court of Appeal, and then matters have now proceeded and been judged by the Supreme Court.
The Supreme Court took the opportunity to review vicarious liability law and how it applies, particularly within the employment context. What they said is that the Court of Appeal and the High Court had rather missed the point and that they had failed to consider enough of the statutory test for vicarious liability. What they said is that it wasn’t simply enough to establish that the employee’s act arose from a task that was sufficiently closely related to what that the employee was tasked with doing. You have to also establish that what the employee was doing, however misguided it may be, was in furtherance of the employer’s business.
In other words, to use a very old phrase that certainly all of the lawyers out there will be familiar with, you have to show for vicarious liability that the employee was not “off on a frolic of their own”. What they held in this case is that the actions of the auditor were sufficiently detached from what he was there to be doing, to be considered to be off on a frolic of his own. So it wasn’t merely enough that he was carrying out his job and that he had access to this information because of his job. Because what he had done pursuing this personal vendetta took the outside of the area for liability for Morrisons.
As a result, Morrisons now have succeeded, therefore, in defending these claims and have re-established some orthodoxy to vicarious liability laws that will be of considerable benefit to employers, but will be of little benefit or comfort to employees.
Can we help?
Take a look at our Data Protection and GDPR page for useful information, resources, guidance, details of our team and how we may be able to help you
Get in touch
Please fill out the below form or alternatively you can call us on 01622 690691