This article first appeared in Insurance Day, March 2022.
A recent High Court ruling signalled another positive step for organisations, and their insurers, in whether they should be held vicariously liable when employees break the law.
In Isma Ali v Luton Borough Council, a case involving the leaking of sensitive personal data by a council employee, the judge concluded the local authority could not be held responsible for the actions of someone acting on a “frolic of their own”.
While the case involved breach of data protection by a social services team member, the legal principles have wider applicability and should provide welcome relief to defendants, particularly following the 2020 Supreme Court ruling, which held that Morrisons was not vicariously liable for an extensive data breach intentionally caused by a disgruntled member of staff.
In the most recent case Rhully Begum, who was employed as a contact assessment worker in the family partnership service at Luton Borough Council, leaked information about the claimant and her children to the claimant’s ex-husband, with whom Begum was in a relationship.
Begum was dismissed, arrested and charged with the offence of unauthorised access to computer material under Section 1 of the Computer Misuse Act 1990.
The claimant then sought damages from the defendant on the basis that, as the employer, it was vicariously liable for Begum’s actions. This was denied by the council, who argued that accessing the claimant and her children’s file was contrary to its professional code of conduct and the ethos of Begum’s role.
While Begum required unrestricted access to the system for several reasons, and her level of access accorded with standard practice, it was made clear to her as part of her induction and training that she should only access files as required. Further, she had received General Data Protection Regulation and data protection training.
The defendant argued if Begum had followed the correct process, her access to the claimant’s files would have been restricted. As such, the defendant submitted it could not have done anything differently nor included safeguards within the system to have prevented what Begum did.
The issues in this case fell to be dealt with by reference to the law as declared by the Supreme Court in Various claimants v Wm Morrison Supermarkets plc and in particular Lord Reed’s test: “[In] a case concerned with vicarious liability arising out of a relationship of employment, the court generally has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment”.
The court accepted the defendant’s submissions that in applying Lord Reed’s “close connection” test, the critical distinction is between cases where, on the one hand, an employee is engaged, however misguidedly, in furthering their employer’s business and cases where the employee is engaged solely in pursuing their own interests on a “frolic of their own”.
The fact the employment provides the employee with the opportunity to commit the wrongful act is never, in itself, sufficient to establish vicarious liability. The court therefore had “little hesitation” in finding the claim based on vicarious liability was not made out.
Before the Supreme Court’s judgment in Morrison Supermarkets, both the High Court and Court of Appeal had found against the supermarket, ruling organisations could be held vicariously liable for data breaches by rogue employees, even when they had taken all the appropriate steps to comply with data protection requirements.
The Supreme Court’s ruling and the Luton Borough Council case provide clear guidance as to how these matters will be considered by the courts, which will be welcomed by employers. It is important to note, however, all cases are fact-specific and there will be many acts that fall outside this ambit.
A distinction was also drawn between data breach and sexual abuse cases, which have followed a different approach, focusing on the perpetrator’s abuse of authority over a victim for whom the perpetrator has some element of responsibility or trust.
On a wider note, and from a data protection perspective, the case is a reminder to organisations of the importance of ensuring appropriate technical and organisational measures are in place to protect personal data and, in particular, sensitive “special category” data.
There is a requirement to analyse the risks associated with the processing of such data, to protect the integrity and confidentiality of the data, and to ensure an information security policy or equivalent document is in place, is being implemented and is regularly reviewed.
Crucial to the safeguarding of sensitive data is ensuring access is not unrestricted but accessible to only those individuals who absolutely require it in the performance of their role, and with appropriate safeguards and training.