The High Court has held that an employer was vicariously liable for the actions of an employee who disclosed the personal information of around 100,000 colleagues on the internet. Although the disclosure took place outside working hours and from the employee’s personal computer, there was a sufficient connection between the employee’s employment and the wrongful conduct for it to be right to hold the employer liable.
S, a senior IT internal auditor employed by WMMS plc, was involved in assisting the external auditors by providing payroll data. In July 2013 he was subject to disciplinary proceedings for an unrelated incident, which resulted in a warning. Aggrieved at the disciplinary action, S resolved to do damage to WMMS plc. He downloaded the payroll data to a USB stick and posted a file containing the personal details of around 100,000 employees on a file sharing website. S was later convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). A group of 5,518 employees of WMMS plc then sought to claim compensation from WMMS plc for breach of statutory duty under the DPA, as well as for breach of confidence and misuse of private information.
The High Court found that there was no primary liability on WMMS plc under the DPA. Liability under the DPA attaches to the ‘data controller’ and WMMS plc was not the data controller when S disclosed the information on the internet. WMMS plc had failed to discharge its duty under para 7 of Schedule 1 to the DPA to take appropriate measures to guard against unlawful disclosure and/or data loss with regard to the deletion of data; however, that failure neither caused nor contributed to the disclosure which occurred. Mr Justice Langstaff, sitting alone, rejected various arguments as to ways in which WMMS plc should have taken further steps to protect its data. In particular, he rejected the submission that WMMS plc should have been aware that S had used his work computer to research ‘The Onion Router’ (TOR) software, which disguises a computer’s identity on the internet. WMMS plc had no system in place that would have enabled it automatically to detect when employees might be researching TOR. Langstaff J noted that it would be impracticable for WMMS plc to routinely monitor all internet searches and that, even if it were feasible, it would have been disproportionately expensive. In any event, such monitoring would have been difficult to justify, since it would most probably amount to an unlawful interference with employees’ rights to privacy and family life, with little by way of balancing factor to suggest otherwise.
However, Langstaff J went on to hold that WMMS plc was vicariously liable for S’s conduct. The test was whether S’s actions were carried out in the course of his employment, as defined by the Supreme Court in Mohamud v WM Morrison Supermarkets plc (Brief 1043). In Langstaff J’s view, S’s disclosure on the internet of the payroll data was not disconnected by time, place and nature from his employment. Langstaff J took into account several factors justifying this conclusion, including that WMMS plc had deliberately entrusted S with the payroll data, that S was appointed on the basis that he would receive confidential information, and that WMMS plc took the risk that it might be wrong in placing its trust in him. Langstaff J pointed out that S’s role in respect of payroll data was to receive and store it, and to disclose it to a third party (i.e. the external auditor). The fact that he chose to disclose it to others who were not authorised was nonetheless closely related to what he was tasked with doing. When S received the data, though covertly intending to copy it for misuse, he was acting as an employee and the chain of events from then until disclosure was unbroken. The fact that the disclosures were made much later, from home, outside working hours and by use of personal equipment did not break the connection with S’s employment. Thus, applying Mohamud, there was a sufficient connection between the position in which S was employed and his wrongful conduct to make it right for WMMS plc to be held liable. This conclusion would be the same with regard to a breach of duty under the DPA, a misuse of private information or a breach of confidence.
(c) Thomson Reuters