Vicarious liability and data protection - Morrisons
The Supreme Court has ruled that Morrisons, the supermarket company, was not vicariously liable for the actions of an employee who unlawfully published employee payroll data on the internet.
The employee had been given payroll data as part of his job as a senior auditor. Bearing a grudge, he published the data to harm his employer. He was convicted of, amongst other things, securing unauthorised access to computer material, disclosing personal data and fraud, and was given an eight-year prison term.
The Supreme Court took the view that, on the facts of the case, the disclosure of data on the internet did not form part of the employee’s functions or field of activity, and was not an act he was authorised to do. The court found it was highly material that he was acting for purely personal reasons.
The ruling does not change the doctrine of vicarious liability, which allows liability to be imposed on an employer for accidental acts, and even for deliberate acts of misconduct or acts where employees defy express instructions.
Companies must put in place adequate controls, processes and training to ensure compliance with the GDPR and other data protection laws. They must have clear processes setting out what action should be taken in the event of a data breach and must act very quickly once a data breach is identified, including notifying the Information Commissioner's Office and contacting those affected.