Employer Vicarious Liability
The big question here is whether an employer can be vicariously liable for the criminal actions of an employee that has breached the Data Protection Act (DPA)
If you are vicariously liable, it means that you are held responsible for someone else’s actions or omissions. Therefore, in this context, an employer may be responsible for their employee’s actions. For this to be the case it needs to be evidenced that the employee’s actions were in the course of their employment.
A recent case involving Morrisons has just provided a judgment allowing employers to be vicariously liable in criminal proceedings. In this case, a disgruntled employee of Morrisons leaked the personal data of nearly a 100,000 staff, which led to a number of them seeking legal action against Morrisons for a breach of the Data Protection Act.
The employee responsible for the leak was a senior IT Manager and therefore had access to this information as part of his job role. However, he had released this information from his home computer and it was not during his working hours. At first, the Courts considered Morrisons primary liability. They found that the only breach of the DPA was that the data from his private computer had not been deleted, however, this didn’t cause any loss. This rule focused on the retention of data rather than its misappropriation. The Employee had also released this information with the deliberate intention of harming Morrisons’.
In order for vicarious liability to succeed the Court had to consider whether the breach was during the course of employment. It was determined that because the Manager had this information as well as copying it to his personal computer, as part of his job role, that the unlawful behaviour was closely linked to his authorised obligations as part of his employment. Also, as the breach was continuous from his original duties with the data, it was held that Morrisons could be vicariously liable for the employee’s breach because the only reason the employee had this data was to fulfill his job and complete an audit for the Company.
However, Morrisons was granted the right to an appeal on the grounds that the employee had intended to cause detriment to Morrisons and the breach was malicious with the intent to cause loss for the employer. The consequences of the current decision could mean that the Court is an accessory to the criminal actions of the employee.
What does this mean to you?
Employers should be more careful than ever when dealing with data protection issues, as the actions of a rogue employee could lead to criminal prosecution for your business.
Should you have any concerns or queries about the information above or believe you may be involved in a similar situation, please Talk to Tollers. We’re here for you.