Vicarious Liability: Barclays and WM Morrison succeed on appeal
VICARIOUS LIABILITY: BARCLAYS BANK PLC V VARIOUS CLAIMANTS  UKSC AND WM MORRISON SUPERMARKETS PLC V VARIOUS CLAIMANTS  UKSC 20
In Barclays Bank plc v Various Claimants  UKSC 13, the Supreme Court had to determine whether Barclays Bank (“Barclays”) was vicariously liable for sexual assaults allegedly committed by the deceased Dr Gordon Bates, a self-employed medical practitioner who undertook pre-employment medical examinations of prospective Barclays employees.
In WM Morrison Supermarkets plc v Various Claimants  UKSC 20, the Supreme Court had to consider the circumstances in which an employer could be found vicariously liable for the wrongful acts of an employee and whether WM Morrison (“Morrisons”) was vicariously liable for an employee’s breaches of the Data Protection Act 1998 (“the 1998 Act”).
In this article, James Manning summaries the key findings in each case and comments on the future landscape of claims in which it is alleging that employers are vicariously liable for the wrongful acts committed by an independent contractor and a vindictive employee.
Barclays Bank plc v Various Claimants
Summary of Facts
Barclays engaged Dr Bates, a self-employed medical practitioner with a portfolio practice, to undertake pre-employment medical examinations of prospective Barclays employees to ensure that they were fit for work.
Barclays arranged the medical appointments with Dr Bates, advised the applicants that they needed to attend the appointments and supplied him with a proforma report, headed “Barclays Confidential Medical Report”, that he needed to be completed.
The medical appointments took place at Dr Bates’ home and a room at his house had been converted into a consulting room. The Claimants were always alone in the consulting room with Dr Bates when they were examined, with some attending on their own, while others were accompanied by members of their family.
All Claimants alleged that Dr Bates sexually assaulted them during the medical examinations.
First Instance and Court of Appeal
At first instance, Judge Nicola Davies held that Barclays was vicariously liable for any assault proved and the Court of Appeal dismissed Barclays’ appeal against her decision.
The key question before the Court was whether Dr Bates was carrying on business on his own account or whether he was in a relationship akin to employment with Barclays.
In certain circumstances, the Supreme Court found that the “five incidents” identified by Lord Phillips in Christian Brothers  UKSC 56 may be helpful in identifying a relationship that it is sufficiently analogous to employment to make it fair, just and reasonable to impose various liability and may be relevant to deciding if a worker that is self-employed or agency is effectively an employee. However, in circumstances where it was abundantly clear that the wrongdoer is an independent contractor it was not necessary to consider the “five incidents”.
It was held that Dr Bates was not at any time an employee of Barclays and could not be objectively viewed as an employee. Barclays did not pay Dr Bates a retainer and he was free to refuse Barclays’ referrals. He was in business on his own account as a medical practitioner and had a portfolio of patients and clients that included Barclays.
The Court was not prepared to align the statutory definition of “worker”, as defined by section 230(3) of the Employments Rights Act 1996, with the common law concept of vicarious liability in order to impose liability on Barclays.
Barclays was held not to be vicariously liable for the sexual assaults that Dr Bates allegedly committed during the medical examinations he carried out.
WM Morrison Supermarkets plc v Various Claimants
Summary of Facts
Mr Skelton was a Senior Auditor at Morrisons and in July 2013 he was disciplined for minor misconduct and given a verbal warning. In consequence of this, he held a grudge against Morrisons.
In November 2013 Morrisons’ auditors, KPMG, requested payroll data and Morrisons’ Head of Internal Audit delegated the task to Mr Skelton. In order to perform this task, Mr Skelton was granted access to the payroll data for the whole of Morrisons’ workforce. The payroll data consisted of the name, address, gender, date of birth, phone number, national insurance number, bank accounts details and salary for each member of staff.
Mr Skelton transferred Morrisons’ payroll data to a personal USB stick and then went to great lengths to conceal his digital identity in that he used his work computer to search for “Tor” (The Onion Router), a web browser that is designed to anonymise and encrypt a user’s Internet usage; acquired a pay-as-you-go mobile phone that could not be traced to him; and created a false email account in the name of a fellow employee, Mr Andrew Keynon, who he intended to frame for the data breach.
On 12 January 2014 Mr Skelton uploaded a file containing the data of 98,998 employees of Morrisons onto a publicly accessible file-sharing website with links to the data being posted on other websites. In March 2014 he sent CDs containing the file to three UK newspapers and pretended to be a concerned member of the public who discovered the payroll data on the file-sharing website.
One of the newspapers notified Morrisons of the data breach and, within hours, the payroll data was removed from the Internet; an internal investigation was launched; and the police were informed. Mr Skelton was arrested several days later and was subsequently convicted of several offences and sentenced to eight years’ imprisonment.
First Instance and Court of Appeal
At first instance Judge Langstaff held that Morrisons was vicariously liable for Mr Skelton’s breaches of the 1998 Act, his misuse of private information and his breach of duty of confidence.
Morrisons’ appeal to the Court of Appeal was dismissed with the appeal court concluding that there was nothing in the 1998 Act that excluded vicarious liability for Mr Skelton’s wrongful acts.
For the purposes of the appeal, it was agreed that the issues were:
(i) Whether Morrisons is vicariously liable for Mr Skelton’s conduct;
(ii) If the answer to (i) is “yes”:
(a) Whether the 1998 Act excludes the imposition of vicarious liability for statutory torts committed by an employee data controller; and
(b) Whether the 1998 Act excludes the imposition of vicarious liability for misuse of private information and breach of confidentiality.
On issue (i) the Court held that the first instance Judge and the Court of Appeal misunderstood the principles governing vicarious liability in that:
• Mr Skelton was not authorised to upload the payroll data onto the Internet;
• The “five incidents” in Christian Brothers  UKSC 56 were not material or relevant to the facts of this case;
• While there a link and chain of causation between Morrisons giving Mr Skelton access to the payroll data to transmit it to KPMG and him disclosing it on the Internet, it did not satisfy the close connection test; and
• Mr Skelton’s motive for disclosing the payroll data was highly material in determining whether Morrisons was vicariously liable for the wrongful disclosure.
The Court found that Mr Skelton was not engaged in furthering Morrisons’ business when he uploaded the payroll data onto the Internet. In fact, he was pursuing a “personal vendetta” and so his wrongful conduct was not so closely connection with the act that Morrisons authorised him to do, which was to transfer the payroll data to KPMG. Morrisons could not be held vicarious liable for Mr Skelton’s wrongdoing in these circumstances.
As to issue (ii), although the Court held that Morrison could not be vicariously liable for Mr Skelton’s malicious wrongful acts, it was decided that is would be appropriate to comment on this issue as it was a fully argued point.
The Court determined that since the 1998 Act is silent on the principle of vicarious liability, an employer could be held vicariously liable for wrongful acts of an employee who is a data controller in the course of his/her employment.
With Barclays, the Court’s decision is plain that an employer is not vicariously liable for the wrongful acts of a self-employed independent contractor, but would the outcome have been different if there was a retainer between Barclays and Dr Bates that imposed positive contractual obligations on Dr Bates to accept a specified number of referrals and prepare a corresponding number of medical reports?
As for Morrisons, while the Judgment illustrates that the Court would not impose vicariously liability on Morrisons for the wrongful disclosure of data by a malicious employee, the door is still wide open for an employer to be held vicariously liable for an employee data controller’s breaches of the 1998 Act.
Should you wish to discuss this article, please contact James Manning, Associate Director, Invicta Law on 03000 411656 or firstname.lastname@example.org
Disclaimer: The contents of this article are intended for general information purposes only and does not constitute, or deem to constitute, professional and/or legal advice. Invicta Law does not accept any responsibility for any loss, damage or expenses suffered as a result of acts or omissions taken in relation to this article.