Employer not vicariously liable for employee misuse of sensitive data

Out-Law News | 25 Feb 2022 | 2:59 pm | 3 min. read

A local authority in England was not vicariously liable for an employee’s misuse of sensitive data, the High Court in London has ruled.

Rosie Nance of Pinsent Masons said the judgment has reinforced the legal test, set by the UK Supreme Court in a case involving supermarket Morrisons, for determining whether an employer should be held vicariously liable for the mishandling of personal data by an employee.

Rosie Nance

Pinsent Masons

This decision is likely to be reassuring to data controllers

The case before the High Court revolved around the handling of personal data by an employee at Luton Borough Council in the aftermath of a complaint made to the police by a citizen, Isma Ali, concerning her husband at the time. The complaint resulted in a multi-agency referral by the police to Luton Borough Council, as the complaint gave rise to safeguarding concerns relating to Ali and the couple’s children. Ali suspected information relating to her had been leaked, and learned that her husband had been informed of her complaint by an individual who worked at the council who he was now seeing. 

Rhully Begum, an employee of Luton Borough Council, accessed case records relating to Ali and the children. Some of those records contained data of a highly sensitive nature capable of placing a family at risk. Begum was dismissed from her employment with the local authority and was charged with and pleaded guilty to an offence under the Computer Misuse Act 1990.

It was not disputed that Begum required unrestricted access to Luton Borough Council’s case management system to perform her role, which involved safeguarding vulnerable individuals, but the court considered the fact that she had no need to access Ali’s records to carry out her duties.  It also considered evidence that Begum had also received recent data protection training and been informed that she should only access records as required for her role at her induction and on numerous occasions subsequently. The local authority also made employees aware that they should notify their line managers if they have a personal connection to any clients on the system.

In the Morrisons case, the UK Supreme Court held that in determining whether vicarious liability is made out “the question is whether [the employee’s act] was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment”.

The court considered that the answer to this question could be determined by considering whether the employee’s acts were within the “field of activities” assigned to them by the employer; and whether there was a “sufficient connection” between the position in which they were employed and the wrongful conduct to make it right that the employer be held liable.

The test would not be satisfied where the employee was engaged in pursuing their own interests and not in furthering their employer’s business, i.e. on a “frolic of his own”.

The High Court found that Ali’s claim based on vicarious liability was not made out. It considered that while Begum gained the opportunity to access and process data relating to Ali by reason of her employment, accessing those particular records formed no part of her work. It found that Begum was engaged solely in pursuing her own agenda, that was to the detriment of Ali and the children for whose interests she was tasked with safeguarding. The sitting judge, Richard Spearman QC, said it was “a classic case of Ms Begum being on a ‘frolic of her own’”. He considered it not relevant that the “frolic” took the form it did rather than a vendetta against her employer, as in the Morrisons case.

Spearman also considered the extent to which analogies could be drawn with cases concerning claims for sexual abuse, where the court had concluded that vicarious liability was made out. However, he considered that cases, including the Canadian case of Bazley v Curry, illustrated that the employer needed to significantly increase the risk of harm by putting the employee in his or her position, and that an incidental or random attack would not justify holding the employer liable.

In Begum’s case, in contrast, the fact that her responsibilities were to safeguard vulnerable individuals underlined the extent to which she was not furthering her employer’s business. She had accessed information she had no need to access to further her own agenda, which led to vulnerable individuals being put at risk, Spearman held. Applying the Morrisons test, the judge ruled that Begum’s wrongful conduct was not so closely connected with acts she was authorised to do that it could fairly and properly be regarded as done by her while acting in the ordinary course of her employment.

“Like the Morrisons case, this decision is likely to be reassuring to data controllers,” said Nance.

“The High Court confirmed that the principles codified in the Supreme Court’s judgment in that case should always be applied to the facts. The fact that the rogue employee was responsible for safeguarding sensitive data relating to vulnerable individuals did not automatically lead to the conclusion that the employer was vicariously liable for a disclosure of that data,” she said.

“This judgment also confirms that the Morrisons case now provides a comprehensive precedent on vicarious liability cases,” Nance said.