The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

No vicarious liability for deliberate wrongful disclosure of personal information

23 February 2022

Ali v Luton Borough Council [2022] EWHC 132 (QB)

This was a first instance application of the Supreme Court’s decision on vicarious liability in data protection claims, Various Claimants v Wm Morrison Supermarkets [2020] AC 989.

In this case, the Defendant local authority held information about the Claimant and her family in its capacity as a social services department. Following difficulties in the Claimant’s marriage, it transpired that an employee of the Defendant had breached the rights of the Claimant by accessing and disclosing to the Claimant’s husband information about the Claimant and their children which was stored on the Defendant’s IT system. The employee was dismissed and convicted of a Computer Misuse Act 1990 offence. There was no dispute that her accessing and disclosure of information about the Claimant was wholly unjustified and unlawful.

It is not entirely clear from the judgment what the cause of action was, other than that it was based purely on vicarious liability: it may have been misuse of private information, breach of confidence and/or a breach of GDPR. The trial went ahead without oral evidence, since neither side was challenging any factual points. The judge applied Morrison, rejecting arguments based on other examples of vicarious liability, particularly from cases relating to sexual abuse. Rather, the critical distinction in cases of this nature is whether the employee was engaged, however misguidedly, in furthering her employer’s business, or whether she was engaged solely in pursuing her own interests. Her motive is a highly relevant one: if acting for personal reasons, this is a strong indicator that they fall into the latter category. The fact that employment provides the opportunity for the wrongdoing is not sufficient, without more, to give rise to vicarious liability.

In this case, the judge held that the employee was plainly engaged in pursuing her own agenda. It did not matter that the agenda was different from in Morrison. This case was clearer than Morrison, because the access to the Claimant’s data was unauthorised, while in Morrison the employee had legitimate access but used the information for an improper purpose.

This is likely to be a helpful decision for employers dealing with deliberate wrongdoing relating to information by their employees: in most cases, it will be possible to run an argument based on an absence of vicarious liability. But of course that does not permit laxness: in this case (and in Morrison), there were no causative breaches of any duty owed directly. If the right systems and training and supervision around data handling are not in place, the outcomes would probably have been different.

Further reading

Ali v Luton Borough Council [2022] EWHC 132 (QB)

The Data Brief

A monthly data protection bulletin from the barristers at 5 Essex Chambers

The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.

Visit the Information Law, Data Protection and AI area

Search The Data Brief

Portfolio Builder

Select the practice areas that you would like to download or add to the portfolio

Download    Add to portfolio   
Title Type CV Email

Remove All


Click here to share this shortlist.
(It will expire after 30 days.)