Two elements have to be shown before one person can be made vicariously liable for the torts committed by another. The first is a relationship between the two persons which makes it proper for the law to make the one pay for the fault of the other. […] The second is the connection between that relationship and the tortfeasor’s wrongdoing.

Barclays Bank related to the first element, and Morrison Supermarkets related to the second element. In both cases, the court limited the reach of the test.

Facts

This case saw an appeal by the supermarket Morrisons to the Supreme Court against a group of Respondent employees.

Andrew Skelton was employed by Morrisons to its internal audit team. He took umbrage at receiving a disciplinary warning and when asked to pass payroll information to an external auditor, he made a copy and posted the information on a publically accessible website. He also forwarded it to three newspapers (on the day of the company’s annual financial results), who alerted Morrisons of the breach. Morrisons alerted the police and took steps to stop the information from remaining publically accessible. Despite attempts to cover his tracks, Mr Skelton was caught, convicted and sentenced to eight years’ imprisonment.

Employees who had been victims of the data breach brought proceedings against Morrisons for the following:

• Breach of the Data Protection Act 1998 (DPA), specifically a breach of the statutory duty created by section 4(4) of the DPA (compliance with the data protection principles in relation to all personal data with respect to which a person is the data controller)
• Misuse of private information
• Breach of confidence

Each of the claims were brought against Morrisons personally and on the basis of vicarious liability for the actions of Mr Skelton. The claims of personal liability were dispensed with in the High Court. A trial on Quantum has not yet taken place. The primary issue before the Supreme Court was Morrison’s vicarious liability for the actions of Mr Skelton. As a secondary issue it was asked to rule on whether Parliament, by passing the DPA and introducing new statutory claims, had by implication excluded any common law claims for vicarious liability, misuse of private information, and breach of confidence.

The Supreme Court reversed the decisions of the lower courts, which had ‘misunderstood the principles governing vicarious liability in a number of relevant respects’ (Lord Reed at [31]). They had misunderstood the principles in four ways:

1. Interpreted the ‘field of activities’ test too widely. The act complained of did not form part of Mr Skelton’s field of activities for the company. It did not fall within the scope of the activities he had been employed for.
2. Used a five factor test (from Various Claimants v Catholic Child Welfare Society [2012] UKSC 56) relevant to whether vicarious liability exists between an employer and someone who was not an employee, but might have a relationship akin to employment. This had nothing to do with the present case as Mr Skelton was an employee.
3. Incorrectly decided the ‘close connection test’ had been satisfied. The Appeal Court had said that there was both a close temporal link and an unbroken chain of causation between Morrisons providing Mr Skelton the data and his unlawful disclosure, which it judged satisfied the test. The Supreme Court decided that this alone was not enough to satisfy the close connection test. 
4. Said that Mr Skelton’s motive was irrelevant (following the judgement of Mohamud v Morrisons [2016] UKSC 11). The Supreme Court decided that motive was highly material. Mr Skelton had been acting on a personal vendetta rather than for his employer’s business. Motive was only irrelevant where the employee had already been found to be acting for his employer’s business.

Therefore the Court held that Morrisons was not subject to vicarious liability for the actions of Mr Skelton.

Having concluded that the necessary conditions for the imposition of vicarious liability did not exist in this case, the Court stated that it was not strictly necessary for them to consider the second issue of the appeal. However, given the second issue had been fully argued, the Court felt it was ‘desirable’ that it should express its view (Lord Reed at [48]).

The Appellant argued that the DPA impliedly excluded the vicarious liability of an employer, relying on the principle set out by Lord Nicholls in Majrowski v Guy’s and St. Thomas’ NHS Trust [2006] UKHL 34 at [17]:

“Unless the statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of a statutory obligation sounding in damages while acting in the course of his employment.”

Additionally, the Appellant referred to s.13 of the DPA in support of its argument, which provides that:

s.13(1) “An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.”

s.13(3) “In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.”

In essence, the Appellant argued that the DPA made it clear that liability was to be imposed only on data controllers, and only where they had acted without reasonable care. That statutory scheme was inconsistent with the imposition of strict liability on the employer of a data controller, whether for that person’s breach of the DPA or for his breach of duties arising at common law or in equity.

The Court was not persuaded by the Appellant’s argument. Instead, it held that Parliament had not, by creating a statutory claim for direct liability in the DPA, excluded common law claims. ‘The imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under the common law or in equity’ (Lord Reed at [54]). The Court noted that the DPA was silent on the issue of vicarious liability and held there could not be any inconsistency between the two regimes. Therefore, vicarious liability was not excluded by the DPA.

While the judgement will be a relief to Morrisons, who would have been liable for claims from the over 100,000 people whose data had been breached, the Supreme Court’s view on the secondary issue has wider implications.

Employers will remain directly liable for breaches of the Data Protection legislation where an employee is processing data exclusively on behalf of their employer and the breach happens by accident. They are likely to be vicariously liable where a rogue employee has caused a data breach, even maliciously, if the employee is acting or purports to act, in their employer’s business. Employers will not be liable for employees who cause a data breach maliciously where the act which led to the breach forms no part of the employee’s duties or responsibilities.

The Court’s finding on the secondary issue clarifies that the risk of vicarious liability remains for breaches of the Data Protection Act and other associated claims for misuse of private information or breach of confidence. Employers need to be especially vigilant of the roles and responsibilities of those entrusted to access and protect personal data and keep data security under constant review, particularly if employees fall under suspicion. The judgment may however leave data subjects exposed to data breaches without a remedy where a malicious actor misuses their data for their own purposes.

Barclays hired Dr Gordon Bates to conduct medical assessments and examination of prospective Barclays employees. Dr Bates had allegedly committed sexual assaults between 1968 and 1984 on the 126 Respondents, which they claimed the bank was vicariously liable for. Dr Bates died in 2009 and his estate had been distributed at the time of the judgement, meaning the Respondents could not claim from it.

The case law prior to this was that an individual had to have a relationship of employment with a company, or ‘akin to employment’ by fulfilling the five factors in Various Claimants v Catholic Child Welfare Society [2012] UKSC 56 [35]:

1. The employer is more likely to have the means to compensate the victim than the employee and can be expected to have insured against that liability
2. The tort will have been committed as a result of activity being taken by the employee on behalf of the employer
3. The employee’s activity is likely to be part of the business activity of the employer
4. The employer, by employing the employee to carry on the activity will have created the risk of the tort committed by the employee
5. The employee will, to a greater or lesser degree, have been under the control of the employer

Barclays therefore argued that Dr Bates was an independent contractor, while the Respondent attempted to show that he fell within the factors.

Dr Banks was paid a fee for each assessment report, but there was no retainer. He was free to refuse any offered examination, which were all conducted at Dr Bates’ home. Although his reports were completed on a form with the bank’s logo on, he had his own medical liability insurance.

The relevant test is whether or not there is a relationship of employment or ‘akin to employment’. The five factors may be useful in unclear cases but this is the primary test. In the present case, Dr Bates’s relationship with the bank was neither. He was an independent contractor in business on his own account and therefore the bank was not vicariously liable for his actions.

The Court declined to align the test with those for employment status under the Employment Rights Act 1996. Lady Hale stated [29]:

It would be tempting to say that limb (b) encapsulates the distinction between people whose relationship is akin to employment and true independent contractors […] Asking that question may be helpful in identifying true independent contractors. But it would be going too far down the road to tidiness for this court to align the common law concept of vicarious liability, developed for one set of reasons, with the statutory concept of “worker”, developed for a quite different set of reasons.

The lines of employment status continue to blur. Employers and those provide labour to them will be given no solace in the lack of clarity that the law provides, and the judgment makes no attempt to resolve this. The various tests around employment status for vicarious liability, employment rights, and tax law will leave employers unclear as to their liabilities and creates unnecessary confusion. Parliament should legislate to clarify this area, remove limb (b) worker status, and consolidate rights for that larger pool of employees and liabilities for employers.