Vicarious liability and leaks of sensitive data

A High Court judge recently rejected a claim that a council was vicariously liable after an employee on a “frolic of her own” leaked social care records. Jack Harding explains why.

In an important decision for local authorities and other organisations handling sensitive data, the High Court has explained and applied the principles governing vicarious liability set out by the Supreme Court in Various Claimants v Morrisons Supermarkerts [2020] AC 989.

In Ali v Luton Borough Council [2022] EWHC 132 (QB), an employee – RB –  worked for the local authority’s social services department as a Contact Assessment Worker. Her role was to supervise and assess contact sessions between children and adults in circumstances where, under the relevant legislation (principally, the Children Act 1989) the Defendant was under a legal duty to safeguard the child’s emotional or physical wellbeing.

The claimant made a complaint to Bedfordshire Police about incidents of domestic abuse by her then husband, with whom she had two children. The complaint was shared by the police with the local authority (as a Multi-Agency Referral) because of potential child safeguarding concerns.

As part of her work as a Contact Assessment Worker, RB had access to the social services records held on the defendant’s computer system. She was not, however, working on any files relating to the claimant or her children at any time. Whilst she was at work, she accessed a number of records relating to the claimant’s police complaint about her ex-husband. It would appear that she did so at the behest of the husband, with whom RB was in a relationship. It is likely that she took photographs of the documents using a mobile phone and printed a document containing the information. The images/documents were sent or shown to the husband, who told others within the community. The claimant became concerned for her safety and alleged that she suffered distress and anxiety.

RB was arrested and charged with the offence of unauthorised access to computer material, contrary to section 1 of the Computer Misuse Act 1990. She pleaded guilty and was sentenced to three months' imprisonment, suspended for 12 months. The sentencing judge referred to and endorsed the comments of RB’s then line manager that her conduct was “deliberate, planned and goes against every professional code of conduct we adhere to and…put the family at risk of harm”.

The claimant, Ms Ali, brought proceedings against the defendant alleging that it was vicariously liable for RB’s actions, which it was common ground had breached the claimant’s rights under the General Data Protection Regulations (EU 2016/679), at common law and under the Human Rights Act 1998.

In Morrisons, a senior auditor – Skelton – had been tasked with carrying out an internal audit of payroll data which he was then to send to KPMG, the external auditors. Having been personally entrusted with the payroll data of some 126,000 employees, he made a copy of it from his work laptop onto a personal USB stick and subsequently posted it on the internet in a vindictive attempt to damage Morrisons’ reputation, against whom he harboured a grudge following earlier disciplinary proceedings. The High Court and Court of Appeal found in favour of the claimant employees. The Supreme Court overturned those decisions, concluding that Skelton had been on a frolic of his own. In doing so, Lord Reed identified the ‘authoritative’ test for determining vicarious liability in cases of employment:

“whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment”

Lord Reed drew a distinction between cases where, on the one hand, the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’.

In the course of his judgment, Lord Reed observed also that cases involving sexual abuse have followed a different approach, and focus on different factors, such as misuse/abuse of authority over the victims, over whom they have some element of responsibility or trust.

The claimant in Ali sought to distinguish the decision in Morrisons, arguing that the fact that the primary purpose of RB’s job was the safeguarding and welfare of vulnerable persons, including children, meant that it was appropriate to apply, by analogy, the principles which had been developed and refined in the sex abuse cases.

In Ali, the High Court (Richard Spearman QC, sitting as a Deputy High Court Judge) rejected the claimant’s arguments. It concluded that the different approach adopted in the sexual abuse cases was a ‘principled’ one which focuses on the fact that the wrongdoer is the very person to whom the defendant has entrusted the care, custody or education of the victim. It is not enough, however, for the employment to present the wrongdoer with the opportunity to abuse their position, however sensitive the subject matter they are tasked to deal with.

Although RB gained the opportunity to access and process data relating to the claimant and her children by reason of the unrestricted access to the computer system which she needed in order to perform her role as a contact centre worker, it formed no part of any work which she was engaged by the defendant to do to access or process those particular records. In Morrisons, it could at least be said that Skelton was engaged in using unlawfully data which he had been tasked with processing lawfully, whereas RB was not tasked in any shape or form with either accessing or disseminating the information in question.

The court found that, in doing what she did, RB was engaged solely in pursuing her own agenda, namely divulging information to the claimant’s husband, with whom she had some form of relationship. The fact that there was a safeguarding element to her job only served to underline how plainly she was not engaged in furthering her employer’s business. The disclosure of the data to the husband was to the detriment of the claimant and children, whose safety and interests as users of the defendant’s services it formed part of her core duties to further and protect. She was, on any analysis, on a frolic of her own.

This is a clear and forthright application of the decision in Lord Reed in that case emphasised that cases of vicarious liability cannot be decided by judges according to their personal sense of justice, but must consider how guidance derived from decided cases furnishes a solution to the case before the court so that claims can be decided on a basis which is principled and consistent. It is submitted that Ali represents a robust expression of this in practice, and is a strong vindication for an employer who was in no way responsible for the criminal conduct of a rogue employee.

Jack Harding is a barrister at 1 Chancery Lane. Together with Andrew Clarke of Weightmans, he represented Luton Borough Council, and its insurer Zurich Municipal, in the case.