COVID-19 has been dominating the headlines, but ultimately it will pass and we will come out on the other side and have to continue to deal with matters which were previously at the forefront of legal minds. Vicarious Liability is no exception and this article will deal with the current state of the law as decided by the recent Supreme Court Judgment in WM Morrison Supermarkets PLC v Various Claimants  UKSC 12.
A total of 9,263 employees brought claims against Morrisons where their data had been published on the Internet by a fellow colleague, Mr Skelton.
Following a verbal warning resulting from a disciplinary in July 2013, Mr Skelton harboured a grudge against Morrisons leading him to commit the data breach; he was tasked with collation and transmission of the internal audit data. In committing the breach, Mr Skelton deliberately attempted to frame a fellow employee, Mr Kenyon. Morrisons retrieved the data and informed the police. Mr Skelton was eventually arrested and convicted for a number of offences leading to a custodial sentence of 8 years.
Subsequently, the aggrieved employees whose personal data had been compromised brought proceedings against Morrisons for its own breach of statutory duty under section 4(4) of the Data Protection Act 2018 arguing that Morrisons was vicariously liable to the employees for Mr Skelton’s conduct.
The High Court initially found that Morrisons was not primarily liable but was vicariously liable for Mr Skelton’s actions breaching the statutory duty. The Court of Appeal agreed with the High Court stating that Mr Skelton’s “tortious acts...were within the field of activities assigned to him by Morrisons”.
The Supreme Court grappled with a number of issues; for the purposes of this article the focus is on whether Morrisons was vicariously liable for Mr Skelton’s conduct.
The Supreme Court ultimately overturned the judgments of the High Court and Court of Appeal noting that those Courts had erroneously applied the decision in Mohamud  AC 677 where paragraph 47 of that decision had been taken out of context, namely the references to the connection between the employee’s conduct in that case and his employment as “an unbroken sequence of events”, or “a seamless episode”.
Lord Reed restated the general principle applicable to vicarious liability arising out of a relationship of employment: “the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment” (this having derived from the Lister v Hesley Hall case).
The Mohamud case went on to illustrate two matters that needed to be considered which are derived from the Dubai Aluminium  2 ACC 366 case:
Mr Skelton was tasked with collating and transmitting payroll data to KMPG. True to say that he could not have made the disclosure but for the task he was assigned to complete. However, Mr Skelton was pursuing a personal vendetta, namely acting out as a result of the disciplinary proceedings that concluded adversely against him.
A long time coming indeed but this decision by the Supreme Court is to be welcomed by employers. It has sought to redress the balance where the principles of vicarious liability were being taken out of its desired context.
As had occurred with the Court of Appeal, the test was being misapplied. Lord Reed considered the above to have been the approach taken by Lord Toulson in the Mohamud decision which in his view was not a departure from previous case law. It was a mistake to regard Lord Toulson’s reasoning as a manner of holding employers liable as a matter of social justice where the existed a temporal or causal connection and nothing more. It is not correct to conclude that any act by an employee which would be considered wrongful would be considered as beyond the scope of employment. A good example of this is from the Mohamud case where the employee, part of his duties, was to attend to customers and their inquiries. In doing so, Mr Khan left the sales kiosk and followed the customer to his vehicle following an argument. Mr Khan reinforced what happened by making threats telling the customer never to return to the petrol station. He was purporting to act about his employer’s business meaning his actions were in connection with the business, temporally, causally and actively. Unlike Mr Skelton who was not furthering his tasks in any way by making the personal disclosures designed to hurt the business ultimately.
The approach to the question of whether vicarious liability ought to be imposed on an employer is best answered as follows:
This second point might be the “je ne sais quoi” factor. Not in the literal sense. But because there is something more required than simply an act which is committed during the course of employment. Mr Skelton would not have committed the data breaches if he had not be designated with the payroll task which involved the collation of data. There existed a clear temporal and causal link. It must be right that such a link is insufficient. Otherwise many employees weekly, if not daily, may be committing acts in the course of employment. However, the close connection test does not stop there. The act must have been to further the employer’s business. Breaching data protection legislation could not have further the employer’s business. Trying to ward off a customer from the employer’s premises would be.
An employee’s reason for his or her actions is not irrelevant. As per Lord Reed, Mr Skelton’s “disclosure of data on the Internet did not form part of [his] functions or field of activities, in the sentence in which those words were used by Lord Toulson: it was not an act which he was authorised to do”. A temporal or causal link was not of itself sufficient to satisfy the close connection test. The reason for Mr Skeleton acting wrongfully was not irrelevant because context was key: was it to act on his employer’s business or for purely personal reasons, the latter being the reason for Mr Skelton.
Whilst there is a respite for employers, the risk of vicarious liability being found is not wholly eliminated. The judgment purports to bring the application of the legal principles back to how they should have been applied. It is a refinement and a slight limitation in its application that has been pronounced by the Supreme Court, as opposed to a complete re-statement of the law. In doing so, employers must still take all precautions and actions in order to obviate any data breaches, this perhaps being the area in which risks and opportunity is ripe for misdemeanours to occur.