In the midst of the COVID-19 crisis the Supreme Court has reminded us the wheels of justice continue to turn by handing down two keenly awaited and very significant judgements relating to the law of vicarious liability (the concept of one party being held liable for the acts of another).

What do these verdicts mean in practice for businesses’ data security and personal injury liabilities?

WM Morrison Supermarkets plc v Various claimants [2020] UKSC 12

An aggrieved employee of Morrisons whose duties included transmitting payroll data made a copy of that personal data and deliberately uploaded it to a publicly accessible file-sharing website. He also sent the data anonymously to three UK newspapers, one of which notified Morrisons. The data was removed from the internet, with Mr Skelton subsequently being prosecuted and imprisoned. 5,518 of the affected personnel raised a class action against Morrisons for breach of the Data Protection Act (DPA), misuse of private information, and breach of confidence.

Barclays Bank plc v Various Claimants [2020] UKSC 13

Dr Bates was a self-employed medical practitioner whose work included conducting medical examinations of prospective Barclays employees from a consulting room at his home. It is alleged that he sexually assaulted 126 persons, who then sought damages from Barclays after Dr Bates died in 2009.

At first instance and at appeal Morrisons and Barclays were held to be vicariously liable for any losses caused by Mr Skelton and Dr Bates respectively. The Court of Appeal agreed. Both decisions have now been unanimously overturned by the Supreme Court. The key points are as follows:

  • For vicarious liability to be established, the wrongful conduct must have been closely connected with acts which the employee was authorised to do. This involved the Supreme Court asking two questions in the case against Morrisons:

    • What functions or “field of activities” had the employer trusted to the employee?
    • Was there a sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice?
  • Mr Skelton’s wrongful disclosure of the data was not so closely connected with his role that it could fairly and properly be regarded as having being carried out while he was acting in the ordinary course of his employment. Although his employment gave him the opportunity, in committing the wrongful act he was not engaged in furthering his employer’s business, but was pursuing a personal vendetta. The “close connection” was not satisfied.
  • Even though it was held that Morrisons could not be held vicariously liable based on the facts of the case, the court did express a view that in other circumstances, an employer could be found vicariously liable for breaches which are committed by an employee who is acting as a data controller in the course of his or her employment.  This leaves the door open for future claims to be raised – for example where an employee negligently leaves confidential documents on a train, or causes a data breach by not complying with data security policies.
  • There must be a relationship between the two persons which makes it proper for the law to make one pay for the fault of the other. Whilst a person can be held vicariously liable for the acts of someone who is not their employee when the relationship between them is sufficiently akin or analogous to employment, the position is different for independent contractors carrying on business for their own account.
  • Dr Bates was in business on his own account as a medical practitioner. Although Barclays made the arrangements for the medical examinations and chose the questions to which it wanted answers, Dr Bates was not paid a retainer and was free to refuse to conduct an examination offered to him. He would have his own insurance. Dr Bates was therefore not at any time an employee or anything close to an employee of Barclays.

What does this mean for vicarious liability in the future?

The Supreme Court judgements will be welcomed by employers, public authorities and their insurers following a number of judgements in recent years which appeared to stretch the boundaries of vicarious liability in respect of (i) who an employer is vicariously liable for; and (ii) what type of actions are considered to be “in the course of employment”. Recent judgements included:

  • The prison service being vicariously liable for the negligence of a prisoner who was “working” in the kitchen;
  • The operator of a petrol station being vicariously liable for the racially aggravated  assault by an employee;
  • A company being vicariously liable for the brain injuries caused by its Managing Director during an assault at a Christmas party; and
  • A local authority being found vicariously liable for abuse committed by foster parents.

While the judgements in Morrisons and Barclays do not contain new law per se, they do appear to signal a change in the direction of travel. Each case will of course depend on its own facts but employers facing claims resulting from actions by rogue employees can perhaps approach their claims defence with a greater degree of confidence than before.

The actions by rogue employees can often have the most devastating of results (as the above examples demonstrate) and at a time where damages for significant injuries have increased and where the legal expenses regime is due to shift in favour of pursuers, this is a timely development.