Case Study: Various Claimants (Respondents) v WM Morrison Supermarkets Plc (Appellant) [2018] EWCA Civ 2339

The Court of Appeal in the United Kingdom recently delivered a judgment finding WM Morrison Supermarkets (Morrisons) vicariously liable for the misuse of private information by one of its employees, Mr Andrew Skelton.

Andrew was a senior IT internal auditor at Morrisons, a position in which he was privy to substantial confidential information relating to his co-workers. In January 2014, Andrew posted a file containing personal information, including payroll data relating to 99,998 employees of the company on a file-sharing website, from where it was copied to other websites on the internet. The data included names, addresses, phone numbers, national insurance numbers and bank account details of all the employees. Anonymously, he further shared the same information with three local newspapers purporting to be concerned that the information was available on the internet.

The Case for Vicarious Liability

Vicarious liability is the legal responsibility imposed on an employer for a tort committed by an employee in the course of their employment. In order for vicarious liability to be imposed, it must be proven to the court that:

  1. a tort has been committed;
  2. the person who committed the tort was an employee of the company; and
  3. the tort was committed in the course of employment.

After Morrisons discovered that Andrew was behind the leak, he was arrested and charged with fraud, an offence punishable under the UK Data Protection Act, 1998 (UK DPA). He was then convicted and sentenced to eight years in prison. Proceedings for damages, misuse of private information, breach of confidence and breach of duty under the UK DPA (the Tortious Acts) as well as for vicarious liability were instituted against Morrisons by over 5,000 of its employees whose data was published on the basis that it was responsible for Andrew's actions.

The High Court found that there was a sufficient connection between Andrew's position as an employee and his wrongful conduct to justify the company's vicarious liability for the breach. In doing so, the High Court took a lenient approach towards the strict interpretation of "in the course of employment", even though the tort was committed by Andrew at home and strictly, not "in the course of employment" and decided to adopt the 'close connection test'. It weighed the social interest in protecting employees, against the undue burden that may be placed on employers who may, as a result of this decision, be liable for all manner of their employees' actions outside of work premises. In this instance a close connection was established between Andrew and Morrisons and Morrisons was thus held vicariously liable.

Morrisons appealed the decision of the High Court on two grounds:

  1. The UK DPA is silent on the applicability of vicarious liability and therefore excluded it as a potential claim by the aggrieved employees and that Andrew, and not the company, was the 'data controller' (the person who determines the purposes and the manner in which any personal data is to be processed); and
  2. In terms of the elements required to prove Andrew's Tortious Acts, the 'close connection test' was not satisfied since the acts that caused the breach were committed by Andrew at home using his own computer and not with the company's computer or on the company's premises.

The Court of Appeal, in agreeing with the decision of the High Court made the following findings:

The vicarious liability of an employer for the misuse of private information and breach of confidence by an employee is not excluded in the UK DPA;

While Andrew was the data controller, this did not exclude the company from liability for Andrew's breach of statutory duty under the UK DPA with respect to the personal information;

The close connection test was satisfied as there was a seamless and continuous sequence of events that led to the employee's tortious acts, which were within the field of activities assigned to him by the company; and

The company fell short of its duty under the UK DPA to take appropriate organisational measures to guard against unlawful disclosure and data loss.

The company fell short of its duty under the UK DPA to take appropriate organisational measures to guard against unlawful disclosure and dataKenya does not currently have any specific legislation that collectively governs data protection.

In addition to Article 31 of the Constitution, which enshrines every citizen's right to privacy, the current laws regulating the collection and use of personal data in Kenya include the Access to Information Act, the Kenya Information and Communications Act and the Consumer Protection Act.

The Data Protection Bill (the Bill), which seeks to regulate the use and protection of personal data, was tabled in parliament in 2018 and is currently at the public participation stage. If the Bill is passed into law, it will apply to any person who collects or processes any personal data, except for public bodies processing personal data for the purpose of national security or the prevention and combating of money laundering activities.

The Bill contains similar provisions to the UK DPA and does not exclude the vicarious liability of an employer in the event of misuse of private information and for breach of confidence by an employee, irrespective of whether the employee was the data controller or not. Therefore, in the event of a data breach and misuse of private information by an employee, it is highly likely that a Kenyan court will hold a similar view to that of the UK Court of Appeal and find an employer vicariously liable for the misdeeds of its employee.

Conclusion

This case serves as a caution to Kenyan employers as the decisions of courts in the UK have persuasive authority in Kenya. Should an employer be found culpable for the unlawful disclosure of personal data by its employees, the Bill proposes a penalty of a fine of up to KES 5 million (approx. USD 5,000).

Employers should, therefore, take steps to ensure that they are not exposed to liability as a result of the misuse of personal data by errant employees. Appropriate measures can include undertaking awareness training, continuous monitoring of employee activity and log analysis, risk assessments and independent reviews.

Editor's Note

Proposed amendments to the Employment Act have been put forward and two Employment Act Amendment Bills have so far been published for public comment. A&K will be submitting its comments on the Bills which we will share in the coming weeks through our legal alert updates, highlighting some of the potential impacts of these Bills on employment legislation in Kenya.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.