An employer can be liable for the acts of its employees, if they are carried out “in the course of employment”. In recent years, case law has dramatically expanded the scope of vicarious liability in the employment law landscape, causing despair and uncertainty amongst employers.
For employers to be liable for the acts committed by employees, there must be a sufficient connection between those wrongs and the employee’s employment that would deem it fair to hold the employer liable, irrespective of what the employer may or may not have done. This rule of law is policy driven. The courts have indicated that the financial loss arising from the wrongs which employees commit in the course of their employment can be spread more widely; by the employers’ liability insurance and raising their prices – rather than solely pursuing an employee with much less financial means.
The Supreme Court’s decision in Mohamud v W M Morrison Supermarkets , found that the employer was liable for the acts of an employee who assaulted a customer on a petrol station forecourt. The Court held that the connection between the employee acting in the course of his employment and the assault was sufficient for the employer to be liable. The Court indicated a two-stage rhetorical test: (a) what functions had been entrusted by the employer to the employee (which is a wide-test) and (b) whether there was a sufficient connection between the employees’ wrongful conduct and the position in which he was employed to make it right for the employer to be vicariously liable. Employers view this particularly vague, which is important why employers must train and supervise their employees correctly to limit, so far as is possible, a claim against them.
This broad outlook of vicarious liability has recently extended to the developing area of data protection law.
In yet another case involving Morrisons Supermarkets, a former employee purposely leaked the personal data, including the bank details, of nearly 100,000 employees. The Court of Appeal found that the supermarket employer was vicariously liable for the actions of the former employee. The Court held that the disclosure of personal data was a seamless and continuous sequence of events stemming from his position within the employer business, and to limit such penalties should entail the employer insuring against such losses; whether by a public liability policy or a bespoke cyber insurance policy.
It’s worth noting that the former employee was sentenced to 8 years in jail for securing unauthorised access to computer material and disclosing personal data – this is where the direct liability lies, so employees in the wrong won’t escape the consequences!
This recent development highlights the fundamental requirement for businesses to have sound, data protection compliant policies for their employees, and to train their employees in performing their duties appropriately and lawfully.