25 October 2018

Morrisons' Appeal FAQ

Morrison's head office in Bradford
Author Michael Ely
Licence Creative Commons Attribution Share Alike 2.0
Source Wikipedia

Jane Lambert

The retailer, Wm Morrison Supermarkets Plc ("Morrisons"), is one of Yorkshire's biggest companies and the fourth largest supermarket chain in the UK.   On Monday, 22 Oct 2018 it lost its appeal against the judgment of Mr Justice Langstaff that it was answerable for the misdeeds of one of its members of staff who had posted personal details about all its employees on to a file sharing site on the internet.   The staff member, who was convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998, acted out of spite because he had a grudge against his employer.  I blogged about the Mr Justice Langstaff's judgment in Morrisons - Primary and Vicarious Liability for Breaches of Data Protection Act 1998 in my data protection blog on 11 Dec 2017 and on the appeal in The Morrisons Appeal - Vicarious Liability for Enployees' Breaches of Confidence and Statutory Duty yesterday.

Why is the Appeal in the News?
Except in so far as it might be argued that Morrisons should have been more careful when recruiting, monitoring and supervising staff, the supermarket chain was an innocent party.  It now faces a potentially massive claim for compensation from its employees as a result of that data security breach which is exactly what the perpetrator had intended.

The thought that the court was helping him achieve that object troubled Mr Justice Langstaff which is why he gave Morrisons permission to appeal his judgment. 

On the other hand, Morrisons' employees whose personal details were exposed have rights under the Data Protection Act 1998 and at common law.  They could sue the person who breached their rights but he is serving a custodial sentence for his crimes. If they are to get any compensation they will have to claim it from their employer.

So why should Morrisons be liable?
Both Mr Justice Langstaff and the Court of Appeal held that Morrisons were liable for the misdeeds of its employee under a doctrine known as "vicarious liability". That has nothing to do with vicars.  "Vicarious" in this sense simply means "in place of".  It is a rule of law developed by the judges in a succession of cases that enables claimants who can't get damages from the person who harmed them to sue the wrongdoer's employer.

How does Vicarious Liability work?
The first thing to say is that employers are not liable for every misdeed that their employees may do.  If a member of staff robs a bank on his day off the bank cannot sue the bank robber's employer because that would be absurd.  But if the employee hurts someone while doing his job - say a delivery driver runs down a pedestrian while driving his van - then most people would say that the van owner (or rather its insurer) should pay.

In a previous case against Morrisons involving one of their petrol station attendants one of the Supreme Court justices set a simple two stage test:
  • The first step is to ask "what functions or 'field of activities' have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job?" and
  • The second is to consider whether there is a sufficient connection between the position in which the wrongdoer was employed and his wrongful conduct to make it right for the employer to be held liable for his wrongdoing.
The Court of Appeal and trial judge applied that test in this case.  The wrongdoer had been given the personal files together with instructions as to what to do with them in the course of his work as an internal auditor.  That was enough to make Morrisons vicariously liable.

That still seems a but hard on Morrisons
Maybe but the alternative was to leave the employees without a remedy.  The Supreme Court judge who set out the test said that the risk of an employee misusing his position is one of life's unavoidable facts.  The Court of Appeal said that the solution was to insure against that risk.  When you think of it, the position is no different from the position of a van owner who insures against accidents caused by his employees when carrying out their everyday tasks.

I believe that Data Protection Law changed on 25 May
That is correct.  The General Data Protection Regulation ("the GDPR") and the Data Protection Act 2018 came into force on that day.  The new Act repealed the Data Protection Act 1998.  However, the new legislation provides for claims against  data controllers. I blogged about the topic in Claims by Data Subjects against Data Controllers and Processors under the GDPR on 5 Jan 2018.  A claim on similar facts would probably be decided the same way under the new law.

Is this the Last Word on the Topic?
Not necessarily.   Radio reports said that Morrisons hopes to appeal to the Supreme Court.  Even if there is no appeal or the appeal fails it is possible that other courts will seek to distinguish or explain the decision in future cases.

Where can I find Further Information?
You can find lots of information on data protection law including the GDPR and the new Act in my data protection blog.   If you want to discuss this case or data protection generally call me on 020 7404 5252 during office hours or send me a message through my contact form.