News and Events






Court of Appeal confirms vicarious liability for data breaches not excluded by the DPA

View profile for Lucy Sorell

You may remember our report on the case of Various Claimants v WM Morrisons Supermarket PLC, in which the High Court held that Morrisons was vicariously liable for the actions of one of its employees in posting online personal details of 100,000 other Morrisons staff members. Morrisons appealed the decision on vicarious liability. One of its arguments was that the Data Protection Act 1998 (DPA) excluded vicarious liability for breaches of confidence and misuse of private information. It argued that if employers fulfilled the comprehensive obligations set out in the legislation in relation to their internal data protection measures, they should not also be liable for the actions of rogue employees. The Court of Appeal disagreed, on the basis that if Parliament had intended to exclude vicarious liability from the DPA in this way it would have done so expressly, whereas the DPA was silent on this issue. 

This is a worrying decision for many employers, as it seems that it is difficult to escape liability for potentially very damaging and costly breaches committed by employees whose actions may be out of their control. However, there are a number of practical solutions employers can use to avoid these situations and/or to minimise damage:

  1. Clearly communicate the disciplinary consequences (and where appropriate, the regulatory consequences) of any data breaches to employees, in order to deter them from engaging in this behaviour;
  2. Provide employees with thorough information security training and appropriate support and advice to avoid any inadvertent breaches and ensure that guidelines and expectations are clear;
  3. Ensure that your insurance covers data breaches by employees and any other staff who are entrusted with personal data; and 
  4. Consider carefully whether disgruntled employees should be entrusted with data which empowers them to damage the organisation. In this case, Morrisons knew that the employee in question was unhappy as he had unsuccessfully appealed disciplinary action which he felt to be disproportionate, and yet he was tasked with sending a large amount of personal data to one of the supermarket’s auditors. Sometimes employers will have no choice in the matter if data handling is an integral part of an employee’s role, but where there is discretion it should be exercised sensibly.