In a brief respite from coronavirus, the Supreme Court has decided two important cases about the circumstances in which an employer can be liable for the acts of its employees or other individuals it engages (vicarious liability).
The first case concerned a Morrisons employee who deliberately uploaded a substantial amount of payroll data (which was personal data under data protection law) onto a public website using his personal computer, at home, on a day off. It appeared that he was motivated by a grudge against his employer due to a disciplinary sanction which had been imposed on him. The Court of Appeal had held that Morrisons was liable to compensate the victims of the personal data breach, even though the employee's wrongful disclosure of the data was not authorised by Morrisons and was intended to damage the business. However, in a judgment that will make employers breathe sighs of relief, the Supreme Court has held that the employee's unlawful action was not so closely connected with the employee's duties that it could be regarded as something he had done in the ordinary course of his employment. The Court considered that there is a distinction between an employee going about his employer’s business in an unlawful way, and engaging in an enterprise of their own. Vicarious liability does not apply to the second scenario.
The second case concerned whether an employer can be held liable for the acts of non-employees. It involved a self-employed medical practitioner who carried out medical assessments of a bank’s prospective employees and was alleged to have assaulted them while doing so. The Supreme Court held that the bank was not liable for the alleged assaults, as the doctor was an independent contractor in business on his own account. The Supreme Court also commented that there was no legal basis for saying that a business is always liable for the acts of individuals who are 'workers', as opposed to employees. In each case, it depends on whether the relationship is sufficiently similar to employment.
Both these cases are good news for employers – the first one will have particular resonance for businesses which now have a large number of people working from home, often handling large amounts of confidential information and personal data. However, employers should remember that the circumstances of the Morrisons case which allowed it to escape liability were fairly unusual. Many data breach cases will involve accidental disclosures or disclosures more closely connected with the employee's work, in which case the employer could still be liable. Prevention is better than cure, so employers should ensure that their policies on confidential information and personal data are robust and communicated to all staff.