Case law updates

Supreme Court sets boundaries on vicarious liability claims

The Supreme Court has ruled that supermarket Morrisons was not vicariously liable for an employee’s breach of data protection laws. It says that the Court of Appeal had “misunderstood the principles governing vicarious liability in a number of relevant respects”.

The previous Court of Appeal decision had held that an organisation could be vicariously liable for data breaches caused by rogue employees, even where those organisations had taken appropriate measures to comply with their data protection obligations.

The judgement means that 9000 current and former employees of the supermarket are not entitled to compensation over the disclosure of their payroll data on the intenet by a former staff member.

In a separate judgment issued on the same day, the Supreme Court dismissed claims that Barclays Bank was vicariously liable for sexual assaults allegedly carried out by a doctor on 126 people. The Bank had required new joiners to pass a medical examination with the doctor as part of its recruitment and employment procedures.

Commentators have viewed both cases are a useful reminder of the two distinct elements of vicarious liability – whether the relationship is close enough to employment to justify imposing vicarious liability at all, and whether the connection between the act and the functions of the employee is such that it is fair to impose liability. Both cases had attempted to extend what had been viewed as a judicial trend to expand the net of liability ever wider.

In the Barclays case, the doctor could not be considered a Bank employee so did not meet the first test; in the Morrisons case there was not a sufficient connection between what the employee did and his employment, to take the view that the employer should be liable where the employee was ‘pursuing a personal vendetta’. The Supreme Court did confirm, however, that it may be possible in other cases for employees to hold their employer vicariously liable for statutory breaches of data protection law, or for misuse of private information or a breach of confidence.