A good day for employers. With a data protection sting in the tail.

I’m not going to usurp those who know a lot more than me (Panopticon, I’m looking at you). But today’s Supreme Court decisions on vicarious liability are a big deal.

There’s a thematic beauty to the fact that the Supreme Court decided to release its judgments in WM Morrisons Supermarkets plc v Various Claimants [2020] UKSC 12 and Barclays Bank plc v Various Claimants [2020] UKSC 13 on the same day. Taken together, the two judgments offer a solid dose of relief to employers worried about the circumstances in which they can be held liable for the acts of employees (Morrisons) and independent contractors (Barclays). But there’s at least a slight sting in the tail of the Morrisons judgment, which anyone responsible for keeping an organisation on the data protection straight and narrow would do well to recognise.

I don’t propose here to go into huge detail. If you want a really in-depth look at Morrisons – and it pains me to point you to another Chambers, of course – 11KBW’s Panopticon blog does a lovely job, while the estimable UKSC Blog’s writeup of Barclays will give you what you need in just a few paragraphs.

But these cases are so interesting that I couldn’t let the day pass without at least a quick note.

On the vicarious liability front, the main lesson from Barclays appears to be that nothing dilutes the fundamental question where the wrongdoer is in fact an independent contractor, which is to determine whether their role and their actions are akin to an employment relationship. In doing so, it’s important not to get hung up on the five “incidents”, factors identified in the Christian Brothers case ([2012] UKSC 56) such that one loses sight of that central question. If the independence of the contractor is clear, there’s no need to waste time going through the incidents. They’re a guide, not a test.. So the incidents aren’t a test; they’re a guide.

Unsurprisingly I find Morrisons even more fascinating. Just to recap the facts: Andrew Skelton, a Morrisons employee with access to payroll data as part of his job was disciplined for misconduct in 2013. In retaliation, in early 2014 Skelton put a copy of payroll data for the supermarket group’s entire workforce online, and tried to leak it to the papers – who, thankfully, instead told Morrisons. (Skelton is now in jail for having done this.)

Some of Morrisons’ employees sought to hold the company vicariously liable for the leaker’s breach of their data protection rights. At first instance and appeal, they won.

The Supreme Court has now decided otherwise. Critically, the Court points out that just because Morrisons gave Skelton access to the data, making him a data controller, that doesn’t make them responsible for everything he did with it. In this case the Christian Brothers incidents aren’t relevant – no-one argues Skelton wasn’t an employee. But his misuse of the data wasn’t sufficiently part of the task he was entrusted with (which was to send it to Morrisons’ auditors) to make Morrisons responsible for his actions. The fact that he had a strongly personal motive – to retaliate against Morrisons – was highly relevant to the analysis too.

Before everyone starts getting too comfortable, though, Morrisons doesn’t leave companies with a free pass for their employees’ data protection errors:

  • For one thing, the Data Protection Act and the GDPR (for as long as it remains applicable…) can impose direct liability on organisations if the wrongdoing is in practice on the employer’s behalf, or if the organisation’s slipshod controls played a part in enabling it.
  • For another, and this is the real sting in the tail: Morrisons sought to argue that the DPA excluded vicarious liability, whether for common law or statutory wrongs, limiting liability only on data controllers and even then only if they’d acted without reasonable care. The Supreme Court had little time for this. It drew the comparison with vicarious liability for an employee’s negligence: assuming the normal test for vicarious liability was met, there was no reason why, if strict employer liability applied to that, there was no reason absent explicit statutory language (which there isn’t), it shouldn’t apply to employee data protection wrongdoing too.

So a big day for employers, a fascinating one for employment lawyers – and good times for the data protection geeks as well.