Barclays & WM Morrison - x2 Important Supreme Court decisions on vicarious liability – 1 April 2020

The Supreme Court has handed down two important decisions on vicarious liability, both of which have clarified the law and will be welcomed by employers.nt Supreme Court decisions on vicarious liability

The Supreme Court has [1 April 2020] handed down two important decisions on corporate liability for the acts of employees – both involving class actions by groups of employees against their employers

• Barclays Bank v Various Claimantsand
• WM Morrison v Various Claimants

Summary of both the Barclays & Morrisons decision

1. The Barclays decision focuses on the first issue:

• whether the nature of the relationship between the parties is sufficiently close for it to be proper to impose vicarious liability.
• The Supreme Court held that Barclays Bank was not vicariously liable for sexual assaults allegedly committed by a self-employed medical practitioner who conducted medical assessments and examinations of prospective Barclays employees, as the medical practitioner was operating his own business.

1. The Morrisons decision involves acts taking place in an employment relationship but focuses on the second issue, namely whether the acts were committed in the course of employment.

• The Supreme Court found that Morrisons was not vicariously liable for its employee’s breach of statutory duty under the Data Protection Act 1998 (the DPA), misuse of private information and breach of confidence.

1. > Access the full judgment in WM Morrison Supermarkets plc v Various Claimants[2020] UKSC 12 = https://www.supremecourt.uk/cases/docs/uksc-2018-0213-judgment.pdf
2. >Access the full judgment in Barclays Bank v Various Claimants[2020] UKSC 1 = https://www.supremecourt.uk/cases/docs/uksc-2018-0164-judgment.pdf

Morrisons

• In a judgment that will provide considerable relief to employers, the Supreme Court on 1 April 2020 overturned the Court of Appeal’s October 2018 decision to uphold a finding of vicarious liability against Morrisons in respect of its 2014 payroll data leak.
• Many will by now be familiar with the facts of the data breach, which occurred when a disgruntled Morrisons employee (a Mr Skelton) stole and posted into the public domain the personal data of nearly 100,000 employees.

SIMMONS-SIMMONS full article on the Court of Appeal decision is available here; https://www.simmons-simmons.com/en/publications/ck09n4zlxmjo70b3676l48zt0/321018-court-of-appeal-upholds-vicarious-liability-finding-after-malicious-data-breach

• however, in summary, the Court of Appeal agreed with the first instance judge’s finding that Morrisons      was vicariously liable for the data breach. It found that Mr Skelton’s acts were “within the field of          activities     assigned to him by Morrisons” [71] and that his motive (to cause harm to Morrisons) was    “irrelevant” [76].
• The Supreme Court heard submissions on 6 and 7 November 2019 on two main issues: (i) whether Morrisons was vicariously liable for Mr Skelton’s conduct and (ii) whether the DPA excluded an employer’s vicarious liability for statutory torts committed by the employee under the DPA or the misuse of private information and breach of confidence.
• The key findings of the Supreme Court on each of these issues is set out below.

Vicarious liability for Mr Skelton’s conduct

• Lord Reed’s judgment (with which the rest of the Supreme Court unanimously agreed) makes clear the Court’s view that the lower courts had “misunderstood the principles governing vicarious liability in a number of relevant respects” [31]. In applying the test of whether Mr Skelton’s wrongful conduct was so closely connected with acts that he was authorised by Morrisons to do (such that the conduct may properly be regarded as done by Mr Skelton in the course of his employment), the Court of Appeal had erred in the following key respects (see [31]):

1. First, the Court of Appeal had taken too broad an approach to the consideration of the “field of activities” assigned to Mr Skelton. Disclosure of personal data on the internet, for Mr Skelton’s own purposes, did not form part of his functions or field of activities; he was not authorised by Morrisons to do so.
2. Second, although the factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society [2013] 2 AC 1 [35] were all present, those factors were irrelevant. Lord Reed made clear that those factors relate to the distinct question of whether vicarious liability should be imposed on a party for the actions of someone who is not an employee, but where the relationship between the wrongdoer and the defendant is “sufficiently akin” to employment that vicarious liability should apply.
3. Third, the fact that Mr Skelton’s wrongful conduct was linked (both temporally and causally) to the duties he carried out during the course of his employment by Morrisons was not enough to establish vicarious liability. Although Mr Skelton’s job had provided him with the opportunity to carry out the wrong (see [35]), it was not perpetrated in the course of his carrying out of the duties he was employed to do.
4. Fourth, Mr Skeltons’ motive was relevant to the analysis; he was not engaged in furthering Morrisons’ interests when he committed the wrongdoing, but was pursuing his own “personal vendetta” (see [47]), which equated to a ‘frolic of his own’. The conduct could not therefore be regarded as so closely connected with the field of activities that Mr Skelton was authorised by Morrisons to do, and he could not be said to have carried out the data breach in the ordinary course of his employment.

• On this basis, the Supreme Court overturned the Court of Appeal’s finding of vicarious liability against Morrisons; recognising that to uphold the lower Court’s decision would have constituted “a major change in the law” [16].

Vicarious liability under the DPA

• Although it found that Morrisons was not as a matter of fact vicariously liable for Mr Skelton’s data breach, it then went on to consider whether vicarious liability is excluded by the DPA.
• Morrisons advanced the argument that, on the basis of domestic principles of statutory interpretation (as expressed by Lord Nicholls in Majrowski[2007] 1 AC 224, [10]) the DPA impliedly excluded the vicarious liability of an employer for
  1. statutory torts committed by an employee under the DPA or
  2. the misuse of private information and breach of confidence.
• Morrisons argued that the DPA impliedly excluded vicarious liability because it provided that liability was
  1. “to be imposed only on data controllers, and only where they had acted without reasonable care” [53].
• Morrisons relied on section 13 of the DPA (which imposes liability on a data controller by reason of
  1. “any contravention by a data controller” of the DPA) and the seventh data protection principle (Schedule 1, para 10),

which requires data controllers to

• “take reasonable steps to ensure the reliability of any employees…who have access to personal data”.
• Morrisons argued that because it was common ground that it had performed its obligations as a data controller, and that Mr Skelton was a data controller in his own right (in relation to the data he copied and uploaded), Morrisons could not be vicariously liable for Mr Skelton’s breach of his duties.
• The Supreme Court found this argument to be unpersuasive. It held that the imposition of a statutory liability upon a data controller was not inconsistent with the imposition of a common law vicarious liability upon his employer, for any of the relevant statutory torts or causes of action under consideration (see [54]).
• It therefore found that

1. “since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment” [55].

Barclays

• The Supreme Court held that Barclays Bank was not vicariously liable for sexual assaults allegedly committed between 1968 and about 1984 by a self-employed medical practitioner with a portfolio practice who conducted medical assessments and examinations of prospective Barclays employees.
• Lady Hale’s judgment (with which the rest of the Supreme Court unanimously agreed) overturned the Court of Appeal’s decision.
• The judgment contains a detailed analysis of the leading case law on vicarious liability. It is fair, just and reasonable to impose vicarious liability upon an employer for the torts committed by an employee in the course of his employment.
• The case law broadened this to make clear that a person can be held vicariously liable for the acts of someone who is not their employee, provided the relationship between them is sufficiently akin or analogous to employment.
• But the distinction between work done for an employer as part of the business of that employer and work done by an independent contractor as part of the business of that contractor, has not been eroded. A company that engages an independent contractor is, in general, not liable for the negligence or other torts committed by the contractor in the course of the execution of the work.
• On the facts, Dr Bates was not at any time an employee or akin to an employee of Barclays. He was in business on his own account. Relevant facts included:

1. He did work for Barclays, amongst other clients and patients.
2. Barclays made the arrangements for the medical examinations and chose the questions to be answered.
3. He was not paid a retainer, which might have obliged him to accept a certain number of referrals from Barclays.
4. He was paid a fee for each report and was free to refuse to conduct an offered examination.
5. He was thought to have his own medical liability insurance.

• Lady Hale made an interesting comparison between the evolving case law on “worker status” (known as limb (b) workers under section 230(3)(b) of the Employment Rights Act 1996) –
• Considering whether an individual is a “worker” may be helpful in identifying whether or not the individual is a true independent contractor, as opposed to being in a relationship akin to employment.
• She did not go so far as to align this directly with the common law concept of vicarious liability, but this approach to the analysis may be helpful in future cases.

Comments

• The Morrisonsand Barclays decisions are landmark judgments that will provide a significant degree of comfort to employers, and will likely put an end to the trend of decisions that sought to expand the scope of vicarious liability.
• The Morrisonsjudgment shows in particular that the Courts will take a common-sense approach when confronted with a data breach that has been caused maliciously (e.g. by a disgruntled employee) outside of the course of the activities that the employee has been authorised to carry out.
• However, employers should continue to take care to ensure that they comply with their security obligations under the GDPR and the DPA; if there is a failing on the part of the employer that exposes personal data (even if that failing is then maliciously exploited by an employee), the employer will still be directly liable.
• This judgment does not in any way diminish the importance of ensuring that rigorous controls are in place over any personal data that is being processed on behalf of the employer.
• Employers should also take note of the Court’s finding that the DPA does not exclude vicarious liability for breaches of the DPA/misuse of information/breach of confidence by data controllers under their employment; there is no blanket exclusion for vicarious liability.
• Hence the vetting of employees with access to personal data, and the constant review of the nature and scope of the data to which they have access, remains paramount.

> Access the full judgment in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 = https://www.supremecourt.uk/cases/docs/uksc-2018-0213-judgment.pdf

>Access the full judgment in Barclays Bank v Various Claimants [2020] UKSC 1 = https://www.supremecourt.uk/cases/docs/uksc-2018-0164-judgment.pdf

Post-script:

1. While the Supreme Court’s decision in Morrisonswill be most directly relevant for employers, it also gives rise to considerations for parties to commercial transactions who face the risk of dealing with individuals acting outside the proper scope of their authority.
2. Similar considerations arose in the Supreme Court’s recent decision in Singularis Holdings Ltd v Daiwa Capital Markets Europe Ltd[2019] UKSC50,
   • where a bank executed payment instructions given by the director of a company, in circumstances where the payments were a misappropriation by the director of the company’s funds.
   • In Singularisthe Supreme Court refused to attribute the acts of the director to the company, defeating the bank’s defence to a claim by the company.
     • https://www.supremecourt.uk/cases/docs/uksc-2018-0039-judgment.pdf
     • https://www.simmons-simmons.com/en/publications/ck2m08j230avk0b15l858h000/a-bank-s-duty-to-spot-misappropriation-by-a-company-director

3. While that decision concerned the attributionof the acts of individuals to corporates, rather than the vicarious liability of corporates for individual employees, both cases demonstrate that
   • parties to commercial transactions will need to exercise care when dealing with individuals who act for corporate entities, on the basis that the individual’s actions may not give rise to a cause of action against the company they represent.

Source

• https://www.simmons-simmons.com/en/publications/ck8hfn0ox11af0952q969t2q0/important-supreme-court-decisions-on-vicarious-liability