Gemma is an experienced employment lawyer, providing advice for a variety of clients from senior executives…View Profile View all
Cases on vicarious liability for employers are, it seems, like buses. No cases for months and then two decisions are handed down in one day…
In April, the Supreme Court dealt with this very issue issue for employers. The first case concerned a data breach by an employee of Morrison's, the second allegations of sexual assault by a doctor retained by Barclays Bank to carry out medicals for its staff.
In each case, the Supreme Court found that the employer was not vicariously liable for the actions of the individuals concerned. However, there are important measures you must take as I will now explain.
Firstly, what is vicarious liability?
In employment law, vicarious liability is an employer's liability for the acts of its employees. In common law an employer is vicariously liable for the tortious acts of its employees if they are carried out "in the course of employment".
Let's explore the two cases.
What happened next?
Morrison argued that it was not responsible for the disclosures made by the individual employee. It argued that he had acted outside of his duties, at home, on personal IT equipment and on a non-working day. However, the Court of Appeal originally found that he had been entrusted with the payroll data and his acts of sending the data to third parties was within the work which he was required to carry out as part of his duties. The fact that he had acted as a result of a grudge against Morrison was not relevant.
The Supreme Court, however, did not agree. It held that there was not a sufficiently ‘close connection’ between the acts which the employee was authorised to carry out and the acts complained of so as to mean that his unlawful acts could be regarded as carried out by him ‘in the course of his employment’. He was not acting so as to further the interests of his employer – indeed, he was pursuing a personal vendetta against them. The mere fact that he had the opportunity to disclose the data simply because of his employment did not of itself mean that Morrison was vicariously liable for his acts. Morrison was not therefore vicariously liable for the disclosure of the data.
What happened next and what was the subsequent ruling?
Following an appeal to the Supreme Court, that decision was overturned. They found that Barclays could only be held vicariously liable for the acts of the doctor if he was an employee, or in a relationship which was ‘sufficiently akin or analogous’ to employment. In this case, the doctor was self-employed. He had his own portfolio of work and was paid a fee for each report produced. He did not receive a retainer from Barclays and could refuse any particular offer of work which was made. He was clearly carrying on business on his own account and was not therefore in a relationship with Barclays akin to employment. Barclays could not therefore be vicariously liable for his actions.
The decisions in both cases at the Court of Appeal were potentially concerning for employers faced with rogue employees or self-employed contractors, and these decisions of the Supreme Court will therefore come as welcome news.
Both cases represent a significant narrowing of the scope of vicarious liability for employers when compared to the decisions made in the lower courts. However, employers must of course not be complacent and the Morrison case comes as a stark reminder of the need to ensure that data security is tight. All reasonable steps need to be taken to ensure that anyone with access to data is unable to commit such a breach.
The team and I will support you every step of the way to ensure you take the right steps to protect yourself. Call us on 0113 849 4000 or email email@example.com and we will help you.