Barclays Bank And Morrisons Supermarket NOT Vicarious Liable for their Employee’s unlawful actions
Earlier this year the Supreme Court issued two judgments on the scope of an employer’s vicarious liability. The decisions in WM Morrisons Supermarkets plc v Various Claimants  UKSC 12 and Barclays Bank plc (Appellant) v Various Claimants  UKSC 13 will provide relief to employers and insurers and disappointment to employees who have suffered harm following negligence and are seeking compensation.
Both cases had specific facts; therefore, it is prudent to consider both separately.
An employee with a grudge
WM Morrisons Supermarkets plc v Various Claimants
In 2015, ex-Morrisons Supermarket employee, Andrew Skelton, was jailed for eight years, having been found guilty of fraud, securing unauthorised access to computer material, and disclosing personal data.
His motive appeared to be revenge – he had received a warning from his employer after he was discovered using the mailroom at Morrison’s Bradford headquarters to distribute eBay packages.
Skelton subsequently leaked the personal details of over 100,000 Morrison’s employees, including information related to salaries, National Insurance numbers, dates of birth, and bank account details. This information was sent to several newspapers and also uploaded to data sharing websites. Not only did he purchase a phone specifically to leak the data and to avoid detection, he used the Tor network to access the dark web.
Following the criminal case, affected employees brought a group action against Morrisons for compensation. They argued that the supermarket was vicariously liable for its employer’s actions.
In decisions that shocked employers, the High Court and Court of Appeal found Morrisons vicariously liable for Skelton’s actions. This was despite the fact Morrisons had adequate data protection policies and procedures in place and the harm was directed at the employer, rather than employees.
However, the Supreme Court unanimously held that the supermarket was not vicariously liable for the data breach, dashing employees’ compensation hopes.
The Supreme Court concluded that the Court of Appeal had misunderstood the rules of vicarious liability. There is a two-stage test laid down in Various Claimants v Institute of the Brothers of the Christian Schools for establishing vicarious liability; namely
a) is there a relationship between the two persons that makes it proper for the law to make one pay for the negligent actions of another, and
b) is there a connection between the relationship and the tortfeasor’s wrongdoing?
If there is doubt as to part A of the test, Lord Phillips stated in Christian Schools:
“The relationship that gives rise to vicarious liability is in the vast majority of cases that of employer and employee under a contract of employment. The employer will be vicariously liable when the employee commits a tort in the course of his employment. There is no difficulty in identifying a number of policy reasons that usually make it fair, just and reasonable to impose vicarious liability on the employer when these criteria are satisfied:
- the employer is more likely to have the means to compensate the victim than the employee and can be expected to have insured against that liability;
- the tort will have been committed as a result of activity being taken by the employee on behalf of the employer;
- the employee’s activity is likely to be part of the business activity of the employer;
- the employer, by employing the employee to carry on the activity will have created the risk of the tort committed by the employee;
- the employee will, to a greater or lesser degree, have been under the control of the employer.”
He went on to say (at para 47):
“At para 35 above, I have identified those incidents of the relationship between employer and employee that make it fair, just and reasonable to impose vicarious liability on a defendant. Where the defendant and tortfeasor are not bound by a contract of employment, but their relationship has the same incidents, that relationship can properly give rise to vicarious liability on the ground that it is ‘akin to that between an employer and an employee’”.
Through live-stream video link, Lord Reed, who delivered the Morrison’s judgment, concluded that employers could only be held liable for an employee’s actions if those actions were “closely connected” with their work tasks.
“In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.
In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”
The Supreme Court went on to conclude that although there was a close temporal link and an unbroken chain of causation linking Skelton having access to the Appellant’s personal data on its employees and being able to transfer that data to the file share, this was not enough to satisfy part B of the test laid down in Christian Schools.
Historic sexual assault
Barclays Bank plc (Appellant) v Various Claimants
The second major vicarious liability decision released in early April involved the Supreme Court ruling on whether Barclays Bank was vicariously liable for sexual assaults allegedly committed between 1968 and circa 1984 by the late Dr Gordon Bates.
Dr Bates was hired by Barclays to perform unchaperoned medical examinations on prospective employees. He had his own patients and private practice and Barclays paid a fee for each completed report but did not provide Dr Bates with a retainer.
The group action for vicarious liability consisted of 126 Claimants, all of whom claimed to have been sexually assaulted by Dr Bates. The court at first instance and the Court of Appeal found Barclays Bank vicariously liable for the sexual assaults. However, the Supreme Court reversed these decisions, declaring that Part A of the two-stage test set out in Christian Schools was not satisfied because Dr Bates was clearly an independent contractor.
Lady Hale, in delivering the judgment, said:
“Clearly, although Dr Bates was a part-time employee of the health service, he was not at any time an employee of the Bank. Nor, viewed objectively, was he anything close to an employee. He did, of course, do work for the Bank. The Bank made the arrangements for the examinations and sent him the forms to fill in. It therefore chose the questions to which it wanted answers. But the same would be true of many other people who did work for the Bank but were clearly independent contractors, ranging from the company hired to clean its windows to the auditors hired to audit its books. Dr Bates was not paid a retainer which might have obliged him to accept a certain number of referrals from the Bank. He was paid a fee for each report. He was free to refuse an offered examination should he wish to do so. He no doubt carried his own medical liability insurance, although this may not have covered him from liability for deliberate wrongdoing. He was in business on his own account as a medical practitioner with a portfolio of patients and clients. One of those clients was the Bank.”
The impact of these decisions
The decision in Barclays Bank plc (Appellant) v Various Claimants clarifies that, although the traditional rule that only an employer/employee relationship (in an employment context) can give rise to vicarious liability has widened over recent years, liability does not extend to independent contractors.
With regards to the decision in Morrisons, employers should not take for granted that the issue of vicarious liability has been settled. There are several data breach cases currently awaiting a hearing and the Supreme Court’s ruling related primarily to the facts of the case before them. Employers could still find themselves vicariously liable for the damage caused by data breaches. Given that many employees now work from home, due to the Coronavirus pandemic, the opportunity for breaches to occur has dramatically increased.
Unfortunately for employers and employees, we may see a wave of data breach claims cases over the next few years.
BDBF is a leading firm of employment law specialists advising experienced employees, partners and directors in the insurance, academic, medical, legal, and financial services sectors. Contact us on 020 3828 0350 for employment law advice.