The law on vicarious liability has recently been the subject of an important United Kingdom Supreme Court judgment which has limited its scope, providing a welcome relief for employers who would otherwise have been held accountable for the unauthorised actions of their own disgruntled employees. This article discusses this recent development and its potential impact for employers here in the Isle of Man.
What is vicarious liability?
Expressed simply, vicarious liability is a legal concept by which one person can be held responsible for the wrongful acts of another. The most common example of a relationship giving rise to vicarious liability is that of employer and employee. An employer can be held responsible for the wrongful actions of the employee if committed in the course of his or her employment.
There is a two stage test to establish vicarious liability. One must consider:-
- Is there a relationship between the primary wrongdoer and the person held to be liable which is capable of giving rise to vicarious liability? In many cases there are well established legal relationships which give rise to such liability such as employment.
2. Is there a sufficiently close connection between:
a. the relationship of the wrongdoer and the person liable, and
b. the wrongful act
such to make it just and reasonable to hold the person liable.
To use an example, a courier company may be held liable for the actions of an employee driver if, whilst delivering parcels, that driver causes a road traffic collision because he is using his mobile phone whilst driving. In this example there is an established relationship and also a close connection given that the wrongful act occurred during the course of employment. There would be no liability if, for example, the driver was using his mobile whilst driving his own vehicle on his way to work.
Once established, the liability of the employer is strict, and requires no fault on their part; effectively removing any defence that the employer may put forward that the wrongful act had not been authorised.
It is the second element of this test which has been subject to recent analysis by the Supreme Court.
WM Morrisons v Various Claimants  UKSC 12
An employee was employed by Morrisons as a senior IT auditor. Having received a warning, the employee developed a grudge against his employer and when later asked to provide payroll data for every Morrisons’ employee to an external auditor, the employee took a copy of the data for himself. He later published this information on the internet and sent it to three national newspapers.
Over 9,000 employees brought a claim against Morrisons for breach of confidence, misuse of private information and breaches of the then English Data Protection Act. In particular, the employees argued that under the doctrine of vicarious liability Morrisons was liable for the actions of the employee.
Both the High Court and the Court of Appeal initially considered Morrisons liable under the doctrine of vicarious liability, holding that the employee had been acting in the course of his employment and that the nature of his role included the handling of such data and the sending of it to third parties. However, on appeal the Supreme Court disagreed and allowed the appeal holding that Morrisons was not liable.
In reaching its decision, the Supreme Court clarified that disclosure of information on the internet was not a part of the employee’s role – it was not in the nature of his job. The Court also held that the employee’s motive was relevant, commenting that:
‘…it is abundantly clear that [the employee] was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.’
Although there was an unbroken chain of events in receiving and then disclosing the information, this was not enough. All matters considered, the Supreme Court held that there was not a sufficiently close connection between the employee’s employment and the wrongful act. Therefore, Morrisons could not justly or reasonably be liable under the doctrine of vicarious liability.
This landmark decision limits the scope of vicarious liability and is a welcome relief for businesses. In this regard, it confirms that an employer will not be liable for an employee’s wrongful act where that act is not engaged in furthering the employer’s business, and is an effort to deliberately harm the employer as part of a vendetta.
This was the first data class action of its type in the UK and one of the key determinations from the case is that an employer will not be liable for the data breaches of a rogue employee. The decision ensures that if careful and appropriate data protection and security measures are put in place by businesses, in full compliance with the GDPR, then employers can be relatively comfortable that they will be protected against third-party claims arising under vicarious liability should there be a vindictive data breach by a rogue employee.
Whilst this case is not strictly binding in the Isle of Man, decisions of the UK Supreme Court are nevertheless highly persuasive and therefore given the identical test for vicarious liability in the Isle of Man and the similarities in employment and data protection legislation, it is likely that the Isle of Man High Court of Justice would adopt a similar approach.
DQ’s leading Dispute Resolution team routinely advises both employers and claimants on issues concerning vicarious liability. If you would like further information or assistance in respect of this area, please contact Mark Emery.