In a judgment that will be welcomed by private and public sector employers throughout the country, the Supreme Court has today upheld the appeal in the Morrisons Supermarkets case about whether vicarious liability may arise for data protection breaches by a rogue employee. Read more here.
In a judgment that will be welcomed by private and public sector employers throughout the country, the Supreme Court has today upheld the appeal in the Morrisons Supermarkets case about whether vicarious liability may arise for data protection breaches by a rogue employee. A copy of the judgment can be found here.
The facts of this case are now well known. Briefly, an employee of Morrisons (Mr Skelton) uploaded the company’s entire payroll data to a publicly accessible filesharing website because he bore a grudge against the company after he was the subject of disciplinary proceedings. He also sent the data anonymously to three UK newspapers, purporting to be a concerned member of the public who had found it online. One of the newspapers alerted Morrisons, which took immediate steps to have the data removed from the internet and to protect its employees, including by alerting police. Mr Skelton was subsequently arrested and imprisoned for his actions.
Some of the affected employees brought proceedings for breach of statutory duty under the Data Protection Act 1998 (“DPA 1998”), misuse of private information, and breach of confidence against Morrisons in its own right and on the basis of its vicarious liability for the acts of Mr Skelton. Both the High Court and Court of Appeal held that Morrisons was vicariously liable.
The Supreme Court unanimously allowed the appeal. Morrisons was not vicariously liable because the wrongful disclosure of the data was not so closely connected with the task for which Mr Skelton was instructed that it could fairly and properly be regarded as made by Mr Skelton while acting in the ordinary course of his employment. This was because: (1) the online disclosure of the data was not an act which Mr Skelton was authorised to do by his employer; (2) the fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability; and (3) it was highly material that in making the disclosure Mr Skelton was acting for purely personal reasons rather than on his employer’s business.
Whilst this resolved the appeal, the Court also proceeded to consider separately the issue of whether the DPA 1998 impliedly excluded vicarious liability for either statutory or common law wrongs – the argument advanced by Morrisons being that the statutory liability of a data controller under section 13 of the DPA 1998 1 is based on a lack of reasonable care, whereas vicarious liability is not based on fault (ie it involves strict liability). This argument was rejected by the Court, which was of the view that there was nothing inconsistent between the two regimes given that the DPA 1998 was silent about the position of a data controller’s employer (the lower courts having concluded that, in making the disclosure, Mr Skelton became a data controller in his own right).
The judgment will provide significant comfort to those employers who take their data protection responsibilities seriously but are faced with a serious data breach when one of their employees ‘goes rogue’ and commits an act which is unauthorised, outside their usual tasks and done purely for personal reasons.
1 The reasonable care defence is not available under the Data Protection Act 2018.
Senior Associate
matthew.alderton@brownejacobson.com
+44 (0)330 045 2747
Law firm Browne Jacobson has collaborated with Wiltshire Council and Christ Church Business School on the launch event of The Council Company Best Practice and Innovation Network, a platform which brings together academic experts and senior local authority leaders, allowing them to share best practice in relation to council companies.
In the Autumn Statement delivered on 17 November, rises to the National Living Wage and National Minimum Wage rates were announced, to take effect from 1 April 2023.
Announced in September but scrapped on 17 November the investment zone proposals were very short lived. The proposal has now morphed into the proposal for a smaller number of clustered zones earmarked for investment.
Settlement agreements are commonplace in an employment context and are ordinarily used to provide the parties to the agreement with certainty following the conclusion of an employment relationship.
On 2 November 2022, the Supreme Court handed down its judgment in the much awaiting case of Hillside Parks Ltd v Snowdonia National Park Authority [2022] UKSC 30. The Court’s judgment suggests that the long established practice of using drop-in applications is in fact much more restricted than previously thought. This judgment therefore has significant implications for both the developers and local planning authorities.
Across the UK, homelessness is an urgent crisis, and one that is set to grow amid the rising cost of living. Local authorities are at the forefront of responding to this crisis, but with a lack of properties that are suitable for social housing across the UK, vulnerable individuals and families are often housed in temporary accommodation.
Updates include UK Shared Prosperity Fund, contracts, Subsidy Control Bill, data controller liability, Government Covid-19 procurement and Highway Code revisions.
The complex and rather nebulous transitional subsidy control regime set out in the UK-EU Trade and Co-operation Agreement and the UK’s wider international commitments has made it difficult for public authorities and those working with them to proceed with certainty where subsidies are involved.
Investment zones have been introduced by the Conservative party to get the United Kingdom (UK) ‘working, building and growing’. They are to be designated sites which provide time-limited tax incentives, streamlined planning rules and wider support for local growth to encourage investment and accelerate the development of housing and infrastructure that the UK needs to drive economic growth. Processes and requirements that slow down development will be stripped back with the intention of attracting new investment.
Created at the end of the Brexit transition period, Retained EU Law is a category of domestic law that consists of EU-derived legislation retained in our domestic legal framework by the European Union (Withdrawal) Act 2018. This was never intended to be a permanent arrangement as parliament promised to deal with retained EU law through the Retained EU Law (Revocation and Reform) Bill (the “Bill”).
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
Three months on from the commencement of the new statutory Integrated Care Systems (ICS) Anja Beriro and Gerrard Hanratty reflect on the main themes and issues that have come from the new relationship between local government and health.
The Procurement Bill (the Bill) has now been with us for about four months, during which time there have been a huge number of amendments proposed in the House of Lords (circa 320). Lately, there has been less mention of it — unsurprising, really, given everything else going on in politics recently — but here’s a summary of some of the key issues and themes so far.
Browne Jacobson has been named as a supplier on Crown Commercial Service’s (CCS) Public Sector Legal Services Framework on Lot 1a – full-service provision (England and Wales) and Lot 2a – general service provision (England and Wales).
Welcome to our September edition of Public Matters, our monthly round-up of legal updates, news and insights for the public sector.
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
