The Supreme Court last week heard the supermarket chain Morrisons argue that it should not be held vicariously liable for its then in-house senior internal auditor deliberately publishing, without authorisation, the personal data of almost 100,000 employees.

In seeking to overturn the judgment of the Court of Appeal that it is vicariously liable, Morrisons is arguing that the wrongful actions of its former in-house auditor were outside the scope of his job functions; and that there was no "sufficiently close connection" between those actions and the auditor's employment. Both elements need to be present for an employer to be vicariously liable for an employee's actions.

This type of claim is by its nature fact specific; but in the context of a company managing and maintaining its data, it is important to note that the auditor's role included being entrusted with the payroll data. The High Court found that Morrisons appointed the auditor on the basis that he would deal with this data and "Morrisons took the risk they might be wrong in placing the trust in him" – a finding the Court of Appeal described as "plainly correct". It will be important to see how the Supreme Court deals with this point. In view of this, many companies may need to consider what additional safeguards they put in place in relation to employees who are entrusted with personal data such as payroll data, so as to mitigate the risk of similar incidents.

This is particularly the case because the law that applied at the time the auditor published the data without authorisation was the Data Protection Act 1998. This has now been superseded by the GDPR and the Data Protection Act 2018, under which companies face much greater penalties for failures to keep data secure (up to 4% of the overall undertaking's global turnover). It is therefore increasingly important for any company to have appropriate procedures in place to minimise the risk of data being published or disseminated without authorisation, including where this is done by a "rogue" employee, given the more draconian sanctions that can now be imposed and the related increase in the costs and risks associated with a data breach in the current regulatory environment.

In our next update we will be looking at the Supreme Court judgment and considering the effect of that judgment on the way businesses should seek to mitigate the risks associated with a data breach. It will be of particular interest to see whether the effect of the Supreme Court judgment is that companies must monitor certain employees more closely than others, in circumstances where those employees are trusted to handle important data such as payroll data.

The case is Wm Morrison Supermarkets plc v Various Claimants; the Court of Appeal judgment is [2018] EWCA Civ 2339 and the first instance judgment is [2017] EWHC 3113 (QB).

Originally published November 11, 2019.


© Copyright 2019. The Mayer Brown Practices. All rights reserved.
