Queen’s Bench Division
Various Claimants v WM Morrison Supermarkets plc
[2017] EWHC 3113 (QB)
2017 Oct 9–13, 16–19; Dec 1
Langstaff J
Data protection — Personal data — Access to — Employee of defendant publishing personal details of claimant employees on internet — Whether defendant directly liable to claimants for breach of data protection legislation — Whether defendant vicariously liable for acts of employee — Data Protection Act 1998 (c 29), s 4(4), Sch 1 — Parliament and Council Directive 95/46/EC

The claimants, who were employees of the defendant supermarket, brought claims against it for, inter alia, breach of statutory duty under section 4(4) of the Data Protection Act 1998 as a result of the unauthorised publication on a file-sharing website, to which links were published elsewhere on the internet, of a file containing payroll data on a large number of employees including their names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salaries. The file was published by a senior IT internal auditor, one of a limited number of employees permitted access to the data on the defendant’s secure internal records, to whom the data had been transmitted for the purpose of passing it on to an external auditor but who had unlawfully copied it onto a personal USB memory stick. Issues arose as to whether the 1998 Act, interpreted in accordance with Parliament and Council Directive 95/46/EC on the protection of individuals with regard to the processing of personal data and on the free movement of such data, imposed primary liability on the defendant for its own acts or omissions, whether any such liability was strict or a qualified liability arising only if the defendant had failed to observe appropriate standards, and whether, if no primary liability were established, the defendant was none the less vicariously liable for the actions of its employee harming his fellow workers. The claimants contended that section 4(4) of the 1998 Act placed a duty on a data controller to comply with the data protection principles 1, 2, 3, 5 and 7 set out in Schedule 1 to the 1998 Act in relation to all personal data with respect to which it was data controller and that the defendant was at all times the data controller in respect of the payroll data which had been misused.

On the claims—

Held, claim based on vicarious liability allowed. (1) Neither Directive 95/46/EC nor the Data Protection Act 1998 imposed absolute or strict liability so as to require a data controller to be responsible even without fault for the subsequent disclosure by a third party of some of the information given to it. Although the Directive had as its principal purpose the safeguarding of the rights of data subjects, a person holding information relating to others as a data controller was not automatically liable for any disclosure by a person who was not acting on its behalf in making the disclosure. The 1998 Act did not impose liability on a data controller for breaches which it had neither facilitated nor authorised. The obligation to comply with the protection principles in Schedule 1 to the 1998 Act was placed on the “controller” of the data at the relevant time. The defendant had not itself breached data protection principles 1, 2, 3 and 5 in Schedule 1 to the Act since the acts said to breach those principles were those of a third party not those of the defendant. Accordingly, the defendant was not the data controller at the time of those breaches by the third party (paras 49, 50, 57, 62, 63, 64, 196).

Vidal-Hall v Google Inc (Information Commissioner intervening) [2016] QB 1003, CA and Ittihadieh v 5–11 Cheyne Gardens RTM Co Ltd [2017] 3 WLR 811, CA applied.

(2) The defendant was however the data controller at the relevant time for the purposes of protection principle 7, concerning the taking of appropriate technical and organisational measures against unauthorised or unlawful processing of personal data. The duty was a qualified one and the mere fact of disclosure or loss of data was not sufficient for there to be a breach. The word “appropriate” set a minimum standard as to the security which was to be achieved, which was expressly subject to both the state of technological development and the cost of measures and which required a balance to be struck between the significance of the cost of preventative measures and the significance of the harm which might arise if they were not taken, which was itself a combination of the nature of the harm and the importance of the data to be safeguarded from that harm. Although the words “reasonable care” were not used, the common law approach to the tort of negligence was indicative of the applicable standard. The defendant had failed to provide adequate and appropriate controls in only one respect, in so far as it lacked an organised system for the deletion of data held for a time outside its usual secure repository, such as the payroll data which had been stored for a while on the IT internal auditor’s computer. However, the defendant’s failure to implement a system for checking that such data was deleted had not caused or contributed to the disclosure which had occurred, and had therefore caused no loss, since it was likely that the data would already have been copied by the time it became appropriate to perform any such check (paras 67–70, 79, 117–120, 196).

(3) A party could be held vicariously liable even for a breach of a statute for which that party could not itself be held liable. The principle of vicarious liability applied where an employee committed a breach of statutory obligations, even where they rested on him alone, while acting in the course of his employment, unless the statute expressly or impliedly indicated otherwise. The 1998 Act contained no such express or implied indication and the common law remedy of vicarious liability was not incompatible with the statutory scheme. Therefore, consistently with the purpose of the Directive and the 1998 Act of providing greater protection for the rights of data subjects, the fact that the IT internal auditor became data controller of the information he was later to disclose did not exclude vicarious liability for his breaches of statutory duty under the 1998 Act in respect of that information. The test of liability was whether the employee’s wrongful conduct was so closely connected with acts that the employee was authorised to do that, for the purpose of the liability of the employer, the wrongful conduct could fairly and properly be regarded as done while the employee was acting in the ordinary course of his employment. There was a sufficient connection between the position in which the IT internal auditor was employed and his wrongful conduct to make it right that the defendant be held vicariously liable, given that: (i) there was an unbroken thread which linked the IT internal auditor’s work to the disclosure and what happened was a seamless and continuous sequence of events; (ii) the defendant had deliberately entrusted the IT internal auditor with the payroll data; (iii) his role in respect of the payroll data had been to receive and store it, and to disclose it to a third party, such that his unauthorised disclosure was closely related to what he had been authorised to do; and (iv) when he had received the data, although covertly intending to copy it for misuse, he had been acting as an employee (paras 49, 130, 133, 137, 141, 143, 153, 154, 155, 159, 160, 183–186, 194, 197).

Majrowski v Guy’s and St Thomas’s NHS Trust [2005] QB 848, CA and Mohamud v WM Morrison Supermarkets plc [2016] AC 677, SC(E) applied.

Jonathan Barnes and Victoria Jolliffe (instructed by JMW Solicitors, Manchester) for the claimants.

Anya Proops QC and Rupert Paines (instructed by DWF llp, Manchester) for the defendant.

Sally Dobson, Barrister
