When can employers in the United Kingdom be held responsible for their employees' actions? This article answers that question with help from a recent high-profile case and applies the lessons learned to manage the potential data and confidentiality risks when a large proportion of the workforce is working from home.

As employers may recall, in November 2018 the UK Court of Appeal held that Morrisons, a UK supermarket chain, was liable for a deliberate data breach committed by a rogue employee. In that case, the employee (Mr. Skelton) was a senior auditor and posted personal data of 100,000 employees on the internet and sent the same information to newspapers with the intention to cause damage to his employer. Morrisons appealed that decision, and the UK Supreme Court recently held that Morrisons was not vicariously liable for the actions of Mr. Skelton (overturning the lower court). Employers will breathe a sigh of relief, but the case nevertheless demonstrates the amount of damage that can be caused by an employee's deliberate (or even accidental) lack of regard for confidentiality or data security: Morrisons spent over £2 million remedying Mr. Skelton's actions.

When might employers be held liable for an employee's actions?

The answer will depend on the following questions:

  1. What is the employee's job and what are their responsibilities?
  2. Was the wrongful act "so closely connected" to their job that it is fair and just to impose liability on the employer?

The point is that employers will be liable for an employee's wrongdoing if it is closely connected to what they are ordinarily required to do as part of their role. For example, if a senior sales director had falsified sales figures to give a more favourable picture to an investor, the employer would likely be liable for the employee's wrongdoing.

When is a wrongful act "closely connected" to an employee's role?

This is often a difficult question, especially if the wrongdoing results from the information that the employee had access to as part of their role. The Morrisons case turned on this issue, with the UK Supreme Court noting the following points:

  • It is not enough that the employee's act was closely related to his role - Mr. Skelton was a senior auditor and was therefore entrusted with payroll data as part of his role. He was not authorised to post the data on the internet and his action did not form part of his functions.
  • The employee was not furthering the business of the employer - what was relevant was whether Mr. Skelton was concerned with furthering the business of the employer (which would attract vicarious liability), or whether he was "on a frolic of his own" (for which the employer would not be vicariously liable). In this case, Mr. Skelton had carefully calculated his actions to damage his employer, even committing the breach a few days before its financial results were published and framing another employee in the process.
  • Close connection was not about timing - the Court of Appeal had previously referred to a "seamless and continuous sequence of events" and whether there was a change in the nature of the relationship between the employer and the employee. The Supreme Court held that this connection was less about the temporal/causal connection but instead related to the capacity in which Mr. Skelton was acting.
  • Motive was relevant - contrary to what had been decided in the Court of Appeal case, motive was relevant to the extent that it showed on whose behalf the employee was acting. In this case, Mr. Skelton was acting off the back of his own personal grudge, and this demonstrated that he was acting in his own personal capacity, rather than on behalf of his employer.
  • Opportunity to commit the wrongful act was not sufficient - the mere fact that the nature of Mr. Skelton's role gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability.

For the reasons set out above, the UK Supreme Court held that Mr. Skelton's wrongful conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

What are the implications of this case?

The facts in this case were extreme, with Mr. Skelton sentenced to eight years in prison as the result of his actions. It seems that Morrisons was wholly unaware of Mr. Skelton's grudge against it. Mr. Skelton had access to a large amount of confidential information as part of his role, took extraordinary actions to cover up what he had done, and caused a significant amount of damage in the process.

The Morrisons case was decided under the previous data protection regime. The new European General Data Protection Regulation (GDPR) is based on broadly similar principles. The UK Supreme Court confirmed that vicarious liability actions could be brought in respect of data breaches in future cases. The main difference is that GDPR makes compliance far more onerous for employers and in addition, there is a risk of revenue-based fines and compensation for breaches of the regulation.

How does COVID-19 change things?

During the current situation, employees will often share their home (and by extension, their office space) with those who do not work for the same company and may even work for competitors or others in the same industry. Where employees are working from home, employers do not have the same level of control over an employee and cannot take for granted that the same standard of data security applies as in a traditional office environment. This may result in confidential documents or conversations being easily accessible to others whom you would not normally allow into your office. Employees may also make personal use of work technology, exposing the company to potential security risks.

As working from home becomes the new normal for many companies, employers should take steps to minimise these risks, for example by:

  • Asking employees to use headphones and/or a separate workspace for particularly sensitive calls;
  • Using privacy screens where appropriate;
  • Shredding confidential documents;
  • Locking computer screens and not sharing computers or other work technology with others; and
  • Running data security training refreshers.

These are challenging times and, as we adapt to the new way of working, employers should think about what their expectations are for staff and communicate these expectations clearly and sensitively during this period.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.