Vicarious Liability Of Employers & Data Breaches

“11. It is the evidence of Steven Scott, who is employed within the IT team of the Defendant, that on 9 May 2019 he received a request to undertake a full audit trail of the case records relating to the Claimant and the children to see how they had been accessed. That request followed earlier contact with the Defendant.

According to Mr Scott’s evidence, that contact included: two telephone calls on 29 April 2019 in which the Defendant was informed that the Claimant’s husband was saying that he had information which emanated from the Defendant and that he had a mistress working for Children’s Services within the Defendant; and an email from the Claimant dated 8 May 2019 in which she stated (among other things) that her husband had pictures of her information on file and quotes of conversations held by Social Services, and had been showing people her records.

Mr Scott completed his report on 14 May 2019. It showed, in summary: (i) that a total of 10 reports relating to the Claimant had been accessed on the Liquid Logic system on 26 April 2019 by Ms Begum, (ii) that 3 of those reports contained data of a highly sensitive nature which was capable of placing a family at risk; (iii) that Ms Begum had not accessed these records at any time prior to 26 April 2019, and was not shown to have printed anything on that date; and (iv) that Ms Begum had printed a 9-page document on 7 May 2019 which the Defendant suspects may have comprised information copied and pasted from the records into a blank Word document.

Mr Scott further states that it was “never established” whether Ms Begum had printed any documents from the system or if she prepared a Word document which contained information extracted from the records and that “It may well be that she took photographs of the information on her personal mobile phone”. Mr Scott based this last comment on the fact that Claimant had said in the course of her contact with the Defendant that her husband had pictures of her information. Finally, for reasons which he explains, involving encryption of USB drives and audit trails of the same, Ms Begum could not have downloaded information onto a USB drive.”    

“12. While these matters were being investigated, Ms Begum was denied access to the Defendant’s IT system. In light of what was discovered about her conduct, Ms Begum was dismissed, and, further, was arrested and charged with one offence of unauthorised access to computer material, contrary to section 1 of the Computer Misuse Act 1990. On 13 October 2020, following her conviction on her own plea of guilty, she was sentenced at Luton Crown Court to 3 months’ imprisonment, suspended for 12 months, together with 150 hours of unpaid community service. In passing sentence, Her Honour Judge Mensah referred to and endorsed the comments of Ms Begum’s line manager at the material time that her conduct was “deliberate, planned and goes against every professional code of conduct we adhere to and… put the family at risk of harm”.”

“33. Mr Harding submitted that the following principles can be distilled from Morrison:

(1) In a case concerned with vicarious liability arising out of a relationship of employment, the test is whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

(2) Cases involving sexual abuse have followed a different approach, and focus on different factors, such as misuse or abuse of authority over the victims, over whom the perpetrator has some element of responsibility or trust.

(3) Applying the test in (1) above, the critical distinction is between cases where, on the one hand, the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’.

(4) The motive of the tortfeasor is a highly relevant factor. If they are acting for

‘personal’ reasons this is a strong indication that they are not purporting, even misguidedly, to further their employer’s business.

(5) The fact that employment provided a tortfeasor with the opportunity (for example, in terms of access to the information) to commit the wrongful act is never sufficient to establish vicarious liability. The focus should not be on the fact that there is a close temporal or causal connection between the work and the wrongdoing. It will almost always be true that the wrongdoing has occurred against the background of the employment and whilst the employee is ‘at work’. However, it is a ‘fallacy’ to think that simply because the wrongdoing occurs whilst the employee is performing acts of ‘the class of which he was authorised’, it is thereby sufficiently closely connected to it. If the employee acts for personal reasons, rather than purporting to further the employee’s business, it may well be the case that they have so clearly departed from the scope of their employment that the employer will not be vicariously liable.”

“39. While I have every sympathy for the Claimant and the predicament in which she was placed by Ms Begum’s acts, I have little hesitation in holding that the claim based on vicarious liability is not made out, essentially for the reasons advanced by Mr Harding.

40. In this case, as was also true of the employee in Morrison, in carrying out the acts upon which the claim is based Ms Begum was in no way engaged, whether misguidedly or not, in furthering the business of her employer, the Defendant.

41. Although Ms Begum gained the opportunity to access and process data relating to the Claimant (and the children) by reason of the unrestricted access to the Liquid Logic system which she was required to be afforded in order to perform her role as a contact centre worker, it formed no part of any work which she was engaged by the Defendant to do to access or process those particular records. Indeed, if Ms Begum had disclosed her connection with the Claimant’s husband, as she ought to have done, her access to these records would have been restricted by the Defendant.

42. In doing what she did, Ms Begum was engaged solely in pursuing her own agenda, namely divulging information to the Claimant’s husband, with whom she had some relationship. Further, that was to the detriment of the Claimant (and the children) whose safety and interests as users of the Defendant’s services it formed part of Ms Begum’s core duties to further and protect.”

How can Nelsons help

Kevin Modiri is a Partner in our expert Dispute Resolution team.

Should you have any queries concerning the subjects outlined in this article, please do not hesitate to contact Kevin or another member of the team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.