News & Events


Could your business be liable for the actions of a “rogue” employee?

An employer may be “vicariously liable” for the acts of an employee, even if the employer has done nothing wrong, if that employee’s acts are sufficiently closely connected with their employment.

In recent cases, employers have found themselves on the hook for situations relating to sexual abuse, assault, discrimination and horseplay/pranks that went wrong.

In one such current case involving Morrisons which may go the same way, a senior auditor was disciplined. Following his disciplinary, he leaked personal data (including bank account details and National Insurance numbers) relating to 99,998 Morrisons staff on to the internet and also to a local newspaper. This severe data protection breach led to his imprisonment for eight years.

However, 2,000 Morrisons staff are now pursuing a group claim against Morrisons on the grounds that Morrisons was vicariously liable for the auditor’s actions, as it failed to prevent the leak of their personal data and therefore exposed them to a risk of identity theft. Up to 10,000 employees may have claims.

Morrisons is arguing that it should not be liable for the acts of a “rogue individual”.

The success of the case is likely to hinge on whether Morrisons could or should have prevented the leak of personal data by the auditor, and its approach to data protection will be scrutinised.  

What does this mean for you or your business?

This case highlights the importance of a business:

  • Having proper policies and procedures in place which regulate employees’ behaviour and reduce the risk of employees “misbehaving”; and
  • Understanding its data protection obligations and having a policy and procedures in place to comply with these.

Such policies and procedures are also evidence, if employees “misbehave” or breach data protection policies, that the business has taken reasonable steps to prevent this. This should also reduce any compensation you have to pay if you were found vicariously liable for an employee’s actions. 

What do you need to be doing now?

  • Review what policies and procedures you have in place generally;
  • Check that you have a Data Protection Policy, and get one if you don’t;
  • Train employees on that policy;
  • Appoint someone within the business to ensure that your Data Protection Policy is kept up to date and to check the business is complying with it;
  • Make staff aware that data protection breaches could result their being criminally liable for those breaches;
  • Carry out and document a risk assessment of data protection systems; and
  • Make clear in your Disciplinary Procedure that breaches of your Data Protection Policy will constitute misconduct or gross misconduct (depending on the severity or recurrence of the breach).

These notes have been prepared for the purpose of articles only. They should not be regarded as a substitute for taking legal advice. 

Get in touch

Talk to us about your legal challenges and discover how our expert, pragmatic legal advice and broad commercial acumen can help.