The High Court has found for Luton Borough Council in a claim arising from one of its employee’s misuse of the claimant’s personal data. The case concerned Stage 2 of the test for vicarious liability and so involved the application of the principles set down by the Supreme Court in Various Claimants v WM Morrison Supermarkets [2020] AC 989.
The employee (RB) was a Contact Assessment Worker in the council’s social services department. She was responsible for supervising and assessing contact for looked after children. To fulfil her role, she had full access to social services records held on the council’s computer system. This was standard practice.
The claimant was married in 2015 and she and her then husband later had two children. However, the marriage faltered, which led to the family having contact with the council’s social services department. On 1 March 2019, the claimant complained to Bedfordshire Police that her husband had engaged in domestic abuse. That in turn prompted a multi-agency referral by the police to the council, on the basis that it gave rise to potential safeguarding concerns.
At no time was RB working on any files concerning the family. However, she had begun a relationship with the claimant’s husband and following the police complaint (and apparently at the husband’s behest) she wrongfully accessed and disclosed to him a number of records relating to the claimant contained on the council’s computer system. When the claimant learned of this she became anxious, distressed, and concerned for her safety. Following an investigation, the council dismissed RB. She was also arrested and charged with one offence of unauthorised access to computer material, contrary to section 1 of the Computer Misuse Act 1990. RB pleaded guilty and was sentenced to three months imprisonment, suspended for 12 months.
RB had clearly breached the claimant’s rights under the GDPR, at common law, and under the Human Rights Act 1998. The question was whether the council was vicariously liable.
To succeed in a claim against a defendant based on its vicarious liability for the wrongful action of a primary tortfeasor, a claimant must satisfy a two-stage test. Firstly, there must be a relationship between the defendant and the tortfeasor which is sufficient to trigger vicarious liability. Secondly, the wrongful action committed by the tortfeasor must be sufficiently connected with that relationship to make the defendant vicariously liable for the tort. It was on this second stage that the case turned.
The law on Stage 2 was recently clarified by the Supreme Court in the Morrisons case, which also happened to involve the misuse of personal data. In that case, one of Morrisons internal IT auditors was asked to transfer payroll data for its workforce to its external auditors. Harbouring a grudge against his employer, the auditor did as he was asked, but also made and kept a personal copy of the data, which he then posted online to cause Morrisons embarrassment. Consequently a group of the affected employees sued Morrisons and the High Court and Court of Appeal found in their favour. However, the Supreme Court found for Morrisons instead. Giving judgment Lord Reed emphasised that the test at Stage 2 was whether “the wrongful conduct was so closely connected with acts the employee was authorised to do, that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment”. In the Morrisons case, the auditor’s wrongful conduct was not so closely connected: he was pursuing a personal vendetta. Lord Reed also observed that in cases involving child sexual abuse the courts have taken a different approach to Stage 2, focusing on factors such as the wrongdoer’s abuse of authority over the victims, over whom they have some degree of responsibility or trust.
The claimant submitted that that the proper application of the Stage 2 test leads to the conclusion that vicarious liability is made out. The claimant further submitted that other decided cases, including those concerning sexual abuse, provide additional helpful guidance. RB’s role had welfare and safeguarding aspects and so it was right to apply by analogy, the principles referred to by Lord Reed that had been developed in sex abuse cases.
The defendant submitted that the Morrisons case was not only the starting point, but also the finishing point for the applicable analysis. Both concerned data breaches, and an employee who misused data to further their own personal agenda rather than the business of the employer. Indeed, if anything, the argument against imposing vicarious liability was stronger in this case. In Morrisons the employee had misused data to pursue his own vendetta, but it could at least be said that he had been tasked with using it lawfully for purposes of the employer’s business. In this case, by contrast, RB misused for her own purposes data which she was not even required to use in the first place and which she had accessed improperly. In any event the further authorities upon which the claimant relied did not assist her and, in common with the outcome in Morrison, pointed to the conclusion that the claim had to fail.
Richard Spearman QC, sitting as a Deputy High Court Judge, found for the council. As was the case with the Morrisons auditor, RB “was in no way engaged, whether misguidedly or not, in furthering the business of her employer”. While her role gave her the opportunity to access the data, it “formed no part of any work which she was engaged by the defendant to do to access or process those particular records”. Indeed, “if (RB) had disclosed her connection with the claimant’s husband, as she ought to have done, her access to these records would have been restricted by the defendant”. In sum, RB “‘was engaged solely in pursuing her own agenda, namely divulging information to the claimant’s husband, with whom she had some relationship. Further, that was to the detriment of the claimant (and the children) whose safety and interests as users of the defendant’s services it formed part of (her) core duties to further and protect”. As such, RB was on “a frolic of her own”. Applying Lord Reed’s test “her wrongful conduct was not so closely connected with acts which she was authorised to do that, for the purposes of the defendant’s liability to third parties, it can fairly and properly be regarded as done by her while acting in the ordinary course of her employment”.
Moreover the judge was unpersuaded by the claimant’s contention that the principles developed in sex abuse cases applied by analogy to this one. Among other things, RB “was never put in charge of any aspect of the affairs of the claimant (or the children), or indeed information relating to them”.
This is a clear and authoritative judgment and is entirely consistent with Lord Reed’s approach in the Morrisons case. After a long period in which vicarious liability was on the move, we now have some welcome stability.
The service you deliver is integral to the success of your business. With the right technology, we can help you to heighten your customer experience, improve underwriting performance, and streamline processes.