Morrisons not to blame for actions of an employee with a grudge
Carrying the can: What does the UK Supreme Court’s decision in Morrisons tell us about liability under data protection law? By Victoria Hordern of Bates Wells.
In what circumstances should an employer be vicariously liable for the actions of an employee where those actions have an impact on other individuals’ data protection rights? This was the core question that the UK courts considered as part of the series of decisions which culminated in the Supreme Court’s judgment published in early April(1). Many employers were concerned by the implications of the lower court rulings which held that an innocent employer was vicariously liable for the criminal actions of an employee.
Data protection authorities that investigate complaints determine liability when deciding whether to take any enforcement action (and in this case for Morrisons, the Information Commissioner (ICO) took no enforcement action). With the advent of the General Data Protection Regulation 2016/679 (GDPR), there are increasing attempts by individuals (through class or individual actions) to seek compensation through the courts. Working out who bears liability is essential.