In Ali v Luton Borough Council [2022] EWHC 132 (QB) it was found that Luton Borough Council was not vicariously liable for a breach of the claimant's data protection rights by one of its employees. By doing so the Court adopted the approach of the Supreme Court in WM Morrison Supermarkets v Various Claimants [2020] UKSC 12 where it was determined that Morrisons was not vicariously liable for its employee's disclosure of personal information when he uploaded data to a file sharing website.

The claim in Ali concerned the disclosure of information about the claimant to her ex-husband (with whom the employee was in a relationship). The employee was a contact assessment worker and had access to the Council's "Liquid Logic" system which held information about the claimant. The Council was able to establish that ten reports relating to the claimant had been accessed by the employee and that three contained highly sensitive information which was capable of placing the family at risk. The employee concerned was dismissed and subsequently pleaded guilty to an offence under Section 1 of the Computer Misuse Act 1990, for which she was sentenced to three months' imprisonment, suspended for 12 months.

The employee's actions were contrary to her professional code of conduct and she was aware that she should only access records as required and that she should notify her line manager if she had a person connection with any client on the system. She would also have received data protection training. Nonetheless, she accessed records which she had no need to access and knew that what she was doing was wrong (as shown by her guilty plea).

The judge broadly accepted submissions by the Council that in Morrisons the Supreme Court had said that:

  1. In a case concerning vicarious liability arising out of an employment relationship, the test was whether the wrongful conduct was so closely connected with acts that the employee was authorised to do that, for the purposes of the liability of the employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.
  2. Cases involving sexual abuse had followed a different path and focus on different factors (such as misuse or abuse of authority over the victims over whom the perpetrator had some element of responsibility or trust).
  3. Applying 1 above, the crucial distinction was between cases where the employee was engaged, however misguidedly, in furthering his employer's business and cases where the employee was engaged solely in pursuing his own interests on a "frolic of his own".
  4. The motive of the wrongdoer was highly relevant. If they were acting for "personal" reasons, this was a strong indication that they were not purporting, even misguidedly, to further their employer's business.
  5. The fact that employment provided the wrongdoer with the opportunity (for example, in terms of access to the information) to commit the wrongful act was never sufficient to establish vicarious liability. The focus should not be on the fact that there was a close relationship in time or cause between the work and the wrongdoing (as it was almost always true that the wrongdoing had occurred against the backdrop of the employment and whilst the employee was "at work").

The judge concluded that the employee was in no way engaged, whether misguidedly or not, in furthering the business of the Council. Although the employee gained the opportunity to access and process data relating to the claimant and her children by reason of her unrestricted access to the Liquid Logic system (which she needed in order to perform her role), accessing or processing these particular records formed no part of any work which she was engaged by the Council to do. Indeed, had the employee disclosed her connection with the claimant's ex-husband (as she ought to have done), her access to those records would have been restricted by the Council.

The judge concluded that, in doing what she did, the employee was engaged solely in pursuing her own agenda (divulging information to the claimant's ex-husband). In the circumstances, the judge concluded that this was a classic case of the employee being "on a frolic of her own".

This is a helpful judgment for businesses and their insurers who are dealing with situations where an employee has deliberately misused data. It is good to see Morrisons being applied, especially where, historically, businesses and their insurers have found it very difficult to successfully argue that they are not vicariously liable for the actions of their employees.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.