Another one bites the dust: Further vicarious liability data breach claim fails

In a critical decision for organisations handling sensitive data, Luton Borough Council has been found not vicariously liable for the acts of a rogue employee who deliberately leaked sensitive data about a woman and her children.

What happened?

Isma Ali pursued Luton Borough Council after council employee Rhully Begum divulged information from a social care case management database to Ali’s ex-husband, with whom Begum had started a relationship (who then went on to tell others). Begum had access to the social services records on the Council’s system, but was not working on any files relating to Ali or her children at the time. She likely took photographs of the information using a mobile phone and printed the information. Ali alleged that she suffered distress and anxiety as a result of the data breach.

Begum was consequently dismissed, arrested and charged with the offence of unauthorised access to computer material (to which she pled guilty), with a penalty of three months’ imprisonment, suspended for 12 months, handed down under the Computer Misuse Act 1990. The Council denied that it was vicariously liable for the wrongful and criminal acts of Begum, which it stated had violated its code of conduct.

What did the court decide?

The High Court dismissed Ali’s claim, applying principles established in the landmark Supreme Court judgment WM Morrison Supermarkets PLC v Various Claimants [2020] AC 989 (“Morrisons”), in which a group claim seeking to hold a supermarket vicariously liable for an employee’s criminal leak of staff personal data was shut down.

The court held that although Begum gained access to and processed data relating to the claimant as a result of her unrestricted access to the Liquid Logic system (which was required to enable her role as a contact centre worker), her accessing and processing of those particular records formed no part of any work which she was engaged by the Council to do. Begum acted on a “frolic of her own”, to the detriment of the safety and interests of users of the Council’s services, the protection of which formed part of Begum’s core duties. Crucially, it is not enough for the employer to present the wrongdoer with the opportunity to abuse their position, however sensitive the subject matter they are tasked to deal with.

The employee in Morrisons was engaged in unlawful use of data (in a vindictive attempt to tarnish Morrisons’ reputation) which he had been tasked with processing lawfully. The judge held that the defence in this case was even stronger than in Morrisons, as Begum had not been tasked with accessing or disseminating the information in question (and indeed would have been barred from accessing such information, had she disclosed her relationship with Ali’s ex-husband).

What does this mean for employers?

Employment law is seeing the development of a tiered approach to vicarious liability. A distinction was drawn in Ali between data breach and sexual misconduct cases (which focus on different factors, such as abuse of authority over victims), and there is a separate regime altogether under the Equality Act 2010, which demands more from employers to avoid vicarious liability. Under the Equality Act, an employer will be liable for discrimination or harassment committed by its employees in the course of their employment, unless it can show that it has taken all reasonable steps to prevent it (a high bar in practice).

Therefore, while employers can heave a sigh of relief post-Morrisons and -Ali, employers should be aware that there are other circumstances where their vicarious liability may be more easily established. For that reason, employers should continue to take all possible steps to prevent misconduct at an employee level.