The Supreme Court considered the question of whether or not a company is vicariously liable for data breaches as a result of illegal acts by employees. It was before Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, and Lord Lloyd-Jones. It was a unanimous decision that overturned the Court of Appeal decision that had found Morrisons liable.
The questions for the Supreme Court were as follows:
- Whether Morrisons is vicariously liable for the employee’s conduct.
- Whether the Data Protection Act 1998 (“DPA”) excludes the imposition of vicarious liability for statutory torts committed by an employee data controller, and for misuse of private information and breach of confidence.
The cases and legislation mentioned in this podcast are:
Mohamud v William Morrison Supermarket Plc  UKSC 11
The Data Protection Directive 95/46/EC
The General Data Protection Regulation (EU) 2016/679
Majrowski v Guy’s and St. Thomas’s NHS Trust  3 WLR 125
Barclays Bank plc (Appellant) v Various Claimants (Respondents)  UKSC 13
The Catholic Child Welfare Society & Ors v Various Claimants  UKSC 56
Armes v Nottinghamshire County Council  UKSC 60;  AC 355