What’s this all about?
In the 2020 Morrisons case the UK Supreme Court ruled that an employer can be legally responsible for a data breach caused by its employees, although on the facts of that case the court held that Morrisons (the employer) was not liable for the actions of its rogue employee. We wrote about the case here https://www.corderycompliance.com/uk-court-of-appeal-ruling-in-morrisons-vicarious-liability-case/. In the recent case of Isma Ali v. Luton Borough Council (“Mrs. Ali” and “the Council”) the High Court ruled that the rogue employee who committed the data security breach had been pursuing solely her own interests, and so the employer was not liable for her conduct. This article sets out the highlights of the case.
An employee of the Council accessed records in a social care database that she had no need to access in her role, and obtained highly sensitive information about Mrs. Ali (and her family), which she then disclosed to Mrs. Ali’s estranged husband. The employee was in a relationship with the estranged husband at the time.
It seems that the employee took photographs of the materials in question using a mobile phone and printed a document containing the information. The images/documents were either sent or shown to the estranged husband who told others about the information within the local community. Mrs. Ali found out about this from members of that community.
Mrs. Ali complained to the Council, which investigated and discovered what had happened. The employee was dismissed. The former employee was then charged with the criminal offence of unauthorized access to computer material, contrary to Section 1 of the Computer Misuse Act 1990; she pleaded guilty and was sentenced to three months’ imprisonment, suspended for twelve months, together with 150 hours of unpaid community service.
Mrs. Ali then brought proceedings against the Council alleging that the Council was vicariously liable for the employee’s actions. She claimed £6,250 in compensation. The Council denied liability.
What did the court rule?
The court ruled as follows:
- In carrying out the acts in question the (former) employee was in no way engaged, whether misguidedly or not, in furthering the business of her employer, the Council;
- Although the employee gained the opportunity to access and process data relating to Mrs. Ali (and her children) by reason of the unrestricted access to the database system in question which she was required to be afforded in order to perform her role, it formed no part of any work which she was engaged by the Council to do to access or process those particular records. If the employee had in fact disclosed her connection with Mrs. Ali’s estranged husband, as she ought to have done, her access to these records would have been restricted by the Council;
- In doing what she did, the employee was engaged solely in pursuing her own agenda, namely divulging information to Mrs. Ali’s estranged husband, with whom she was having a relationship. Further, that was to the detriment of Mrs. Ali (and her children) whose safety and interests as users of the Council’s services formed part of the employee’s core duties to further and protect. The employee had, in the time-honoured phrase, been on a “frolic of her own”;
- Accordingly, the employee’s wrongful conduct was not so closely connected with acts which she was authorized to do that, for the purposes of the Council’s liability to third parties, it could fairly and properly be regarded as done by her while acting in the ordinary course of her employment.
The court therefore dismissed the claim.
This case is in effect a clear practical application of the principles governing the vicarious liability of an organization when acting as a data controller. This case should also be seen in the context of a general trend of pushback by the UK courts on data breach compensation claims.
Organizations should nevertheless remain vigilant. Under both UK and EU GDPR there is a very strong emphasis on the need for organizations to have “technical and organizational measures” (so-called “TOMs”) in place to ensure UK and EU GDPR compliance, including keeping data secure, for example by controlling access rights. To manage the litigation risk arising from the possible actions of a rogue employee, organizations need to make clear, through internal policies and training, that the type of conduct seen in this case is unacceptable and can lead to criminal sanctions for individuals. Organizations should also consider doing the following:
- Taking a close look at security measures and ensuring that access rights etc. are policed. In this case the employee had unrestricted access to the database and took the information out by photographing the screen with a mobile phone and printing a document, which no network-level control would have stopped; restricting access to the records an employee actually needs, and logging and reviewing access to records outside an employee’s caseload, are the controls that bear on this type of misuse. Data loss prevention and monitoring systems should also be in place to check for large data files leaving the organization – depending on the circumstances, a rogue employee might be after a lot of data;
- Putting in place appropriate policies and procedures to make sure that data protection principles like data security and data minimization are properly understood;
- Doing a Data Protection Impact Assessment for new processes;
- Making sure that employees in trusted roles are reliable and that their access rights are reviewed, especially if there are concerns – implement monitoring of employees as the business thinks necessary, in compliance with data protection and employee monitoring rules and guidance;
- Putting in place and rehearsing a data breach notification procedure, including detection and response capabilities;
- Training staff on all of the above; and,
- Last but not least, checking existing insurance or taking out new insurance to cover the range of potential risks, from “innocent” errors to the actions of a rogue employee. Be aware, however, that insurance is unlikely to remove the need to take some or all of the steps outlined above.
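The judgment notes that the employee had unrestricted access to the database, and that her access to these particular records would have been restricted had she declared her connection with Mrs. Ali’s estranged husband. The following is an added example, not code from the article, the Council or any real case-management product, of what those two controls look like in practice: a need-to-know check that only permits access to records on a worker’s assigned caseload and blocks any case covered by a declared conflict of interest, plus a replay of an access log to find the accesses such a policy would have refused, which is the kind of monitoring that would surface this misuse even on a system that currently enforces no per-record restriction. All record, case and worker identifiers and the log lines are constructed for the example.

```python
"""Need-to-know access control and access-log review for a case-management
database. Added example: the identifiers, policy tables and log lines below
are constructed and do not come from the judgment."""
from __future__ import annotations

import re
from collections import Counter

# Constructed policy data (hypothetical). Each record belongs to a case; each
# worker is assigned one or more cases; a worker may declare a conflict of
# interest, which blocks the affected cases regardless of assignment.
RECORD_CASE = {
    "R-1001": "CASE-A", "R-1002": "CASE-A",   # two records of one family
    "R-2001": "CASE-B",
    "R-3001": "CASE-C",
}
CASELOAD = {
    "w042": {"CASE-B"},
    "w077": {"CASE-A", "CASE-C"},
}
DECLARED_CONFLICTS = {
    "w077": {"CASE-C"},   # w077 has declared a personal connection to CASE-C
}

# Constructed access-log format: timestamp worker=<id> record=<id> action=<verb>
LOG_LINE = re.compile(
    r"^(?P<ts>\S+) worker=(?P<worker>\S+) record=(?P<record>\S+) action=(?P<action>\w+)$"
)


def decide(worker: str, record: str) -> tuple[str, str]:
    """Return (verdict, reason). Default is deny: a record is readable only if
    it is on the worker's caseload and not covered by a declared conflict."""
    case = RECORD_CASE.get(record)
    if case is None:
        return ("deny", "unknown record")
    if case in DECLARED_CONFLICTS.get(worker, set()):
        return ("deny", "declared conflict of interest")
    if case in CASELOAD.get(worker, set()):
        return ("allow", "on caseload")
    return ("deny", "not on caseload")


def review_access_log(lines: list[str]) -> list[dict]:
    """Replay an access log against the policy and return every access the
    policy would have refused. Useful retrospectively on a system that today
    grants unrestricted access, and as a daily detection job once it does not."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            findings.append({"line": line, "verdict": "unparsed"})
            continue
        verdict, reason = decide(m["worker"], m["record"])
        if verdict == "deny":
            findings.append({**m.groupdict(), "verdict": verdict, "reason": reason})
    return findings


def workers_to_review(findings: list[dict], threshold: int = 1) -> dict[str, int]:
    """Count denied accesses per worker; those at or above the threshold go to
    a manager or the DPO for review under the organisation's monitoring policy."""
    counts = Counter(f["worker"] for f in findings if "worker" in f)
    return {w: n for w, n in counts.items() if n >= threshold}


# Constructed sample log: w042 views a family's records that are not on their
# caseload and prints one; w077 opens a record they have declared a conflict on.
SAMPLE_LOG = [
    "2021-06-01T09:02:11Z worker=w042 record=R-2001 action=view",
    "2021-06-01T09:40:07Z worker=w042 record=R-1001 action=view",
    "2021-06-01T09:40:31Z worker=w042 record=R-1002 action=print",
    "2021-06-01T10:15:00Z worker=w077 record=R-1001 action=view",
    "2021-06-01T10:16:00Z worker=w077 record=R-3001 action=view",
]

if __name__ == "__main__":
    found = review_access_log(SAMPLE_LOG)
    for f in found:
        print(f)
    print("workers to review:", workers_to_review(found))
```

Running the block lists three denied accesses (w042 on R-1001 and R-1002, w077 on R-3001) and flags both workers for review. The “print” action on a record outside the caseload is the kind of event that would have been visible long before a complaint arrived from the community.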
We have written about data protection litigation and compensation cases including here: https://www.corderycompliance.com/dp-infringement-stadler-currys/ and here https://www.corderycompliance.com/data-protection-breaches-and-compensation-litigation-issues-for-consideration/ and here https://www.corderycompliance.com/damages-minor-dp-infringement/ and here https://www.corderycompliance.com/lloyd-v-google-ruling/ and here https://www.corderycompliance.com/ukdp-damages-claim-threshold/ and here https://www.corderycompliance.com/scope-restrictions-data-breach-comp-claims/.
The court’s ruling can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2022/132.html.
We report on data protection issues here: https://www.corderycompliance.com/category/data-protection-privacy/.
We report about compliance issues here: https://www.corderycompliance.com/news/.
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785