Rogue employees and Data Breaches
Published: February 4th, 2022
In an important decision for local authorities and other organisations handling sensitive data, the High Court has clarified and applied the principles governing vicarious liability set out by the Supreme Court in the earlier judgment in Various Claimants v Morrisons Supermarkets [2020] AC 989.
In Ali v Luton Borough Council [2022] EWHC 132 (QB), an employee - RB - worked for the local authority's social services department as a Contact Assessment Worker. Her role was to supervise and assess contact sessions between children and adults in circumstances where, under the relevant legislation (principally, the Children Act 1989), the defendant was under a legal duty to safeguard the child's emotional or physical wellbeing.
The Background
The claimant made a complaint to Bedfordshire Police about incidents of domestic abuse by her then husband, with whom she had two children. The complaint was shared by the police with the local authority (as a Multi-Agency Referral) because of potential child safeguarding concerns.
As part of her work as a Contact Assessment Worker, RB had access to the social services records held on the defendant's computer system. She was not, however, working on any files relating to the claimant or her children at any time. Whilst she was at work, she accessed a number of records relating to the claimant's police complaint about her ex-husband. RB was in a relationship with the claimant's husband and it seems he persuaded her to obtain information. It is likely that she took photographs of the documents using a mobile phone and printed a document containing the information. The images/documents were sent or shown to the husband, who told others within the community. The claimant became concerned for her safety and alleged that she suffered distress and anxiety.
Consequences
RB was arrested and charged with the offence of unauthorised access to computer material, contrary to section 1 of the Computer Misuse Act 1990. She pleaded guilty and was sentenced to three months' imprisonment, suspended for 12 months. The sentencing judge referred to and endorsed the comments of RB's then line manager that her conduct was "deliberate, planned and goes against every professional code of conduct we adhere to and…put the family at risk of harm".
The claimant, Ms Ali, then brought proceedings against the defendant alleging that it was vicariously liable for RB's actions. It was not in issue that the claimant's rights under the General Data Protection Regulations (EU 2016/679), at common law and under the Human Rights Act 1998 had been breached, but was the council to be held liable?
What happened in the Morrisons case?
In Morrisons, a senior auditor (S) had been tasked with carrying out an internal audit of payroll data which he was then to send to external auditors. Having been personally entrusted with the payroll data of some 126,000 employees, he made a copy of it from his work laptop onto a personal USB stick and subsequently posted it on the internet in a vindictive attempt to damage the reputation of Morrisons, against whom he harboured a grudge following earlier disciplinary proceedings. The High Court and Court of Appeal found in favour of the claimant employees. However, the Supreme Court overturned those decisions, concluding that S had been on "a frolic of his own". In doing so, Lord Reed identified the 'authoritative' test for determining vicarious liability in cases of employment:
"whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment"
Lord Reed drew a distinction between cases where the employee was engaged, however misguidedly, in furthering his employer's business, and cases where the employee was engaged solely in pursuing his own interests: on a 'frolic of his own'. Lord Reed also observed that cases involving sexual abuse have followed a different approach and focus on different factors, such as the wrongdoer's misuse or abuse of authority over victims for whom they have some element of responsibility or trust.
The Outcome in Ali
The claimant in Ali sought to distinguish the decision in Morrisons, arguing that the fact that the primary purpose of RB's job was the safeguarding and welfare of vulnerable persons, including children, meant that it was appropriate to apply, by analogy, the principles which had been developed and refined in the sex abuse cases. Richard Spearman QC, sitting as a Deputy High Court Judge, rejected the claimant's arguments. He concluded that the different approach adopted in the sexual abuse cases was a 'principled' one which focuses on the fact that the wrongdoer is the very person to whom the defendant has entrusted the care, custody or education of the victim. It is not enough, however, for the employment to present the wrongdoer with the opportunity to abuse their position, however sensitive the subject matter they are tasked to deal with. Although RB gained the opportunity to access and misuse the records, it formed no part of any work which she was engaged on by the defendant to do. She was not authorised or requested to access or process those particular records. In Morrisons, it could at least be said that S was engaged in using unlawfully data which he had been tasked with processing lawfully, whereas RB was not tasked in any shape or form with either accessing or disseminating the information in question.
The court found that, in doing what she did, RB was engaged solely in pursuing her own agenda, namely divulging information to the claimant's husband, with whom she had some form of relationship. The fact that there was a safeguarding element to her job only served to underline that she was certainly not engaged in furthering her employer's business. The disclosure of the data to the husband was to the detriment of the claimant and children, whose safety and interests as users of the defendant's services it formed part of her core duties to further and protect. She was, on any analysis, on "a frolic of her own".
Forbes Comment
This is an important decision which will come as some relief to all employers, particularly those, such as local authorities, who are responsible for storing, handling, and disseminating personal sensitive data. Ali clearly follows the reasoning of Lord Reed in the Morrisons case. Just as in those cases where an employer is rightly held not to be liable for the actions of an employee who embarks on a stupid practical joke at work that causes another's injury, it would in my submission be unjust to hold the employer legally liable for a rogue employee who goes on a frolic of his/her own, of a criminal nature involving data, irrespective of the unfortunate consequences of such action. Thankfully the courts appear to agree.
For further information please contact John Myles