Vicarious Liability. When is an employer responsible for data breaches by its employees?

Vicarious liability is a situation in which one party is held partly responsible for the unlawful actions of a third party. The third party also carries his or her own share of the liability. 

The Supreme Court, the highest court in the land, has recently handed down a landmark decision on this very subject. In 2019 the Court of Appeal found that the supermarket, Morrisons, was vicariously liable for the acts of a rogue employee. By way of background, a senior IT auditor employed by Morrisons had a grudge against the company. He downloaded details of around 100,000 employees onto a personal USB stick and, some months later, posted the personal data on a file-sharing website from his own home. The employee was subsequently jailed. Over 9,000 of the employees alleged vicarious liability against Morrisons. Given that the IT auditor in question was an employee of Morrisons, the Court of Appeal held that Morrisons was vicariously liable for the actions of its employee.

The Court of Appeal’s decision had caused concern for employers because Morrisons was an “innocent data controller” but was found vicariously liable for the actions of a malicious employee.

The Supreme Court reversed the Court of Appeal's decision. It found that the disclosure of the data on the internet did not form part of the functions or field of activities assigned to the employee by Morrisons, and that the Court of Appeal was therefore mistaken in law on this point. The employee's leaking of the data of his own volition was not sufficiently closely connected to his job for vicarious liability to apply.

However, the ruling by the Supreme Court establishes a wider principle, namely that companies can be held vicariously liable for employees’ actions which result in a data breach.

As an employer, you should have robust data control measures in place and should carefully consider who is entitled to hold and have access to personal data. Employers should only provide access to personal data where it is necessary for that employee to fulfil their role. 


Are you an employer faced by a data breach or rogue employee? Are you sure that your office procedures and manuals are up to date? Why not contact one of Alexander JLO’s expert employment lawyers and see what we can do for you?
