The concept of vicarious liability (where an employer is lawfully responsible for the acts of its employees) is well established and employers liability insurance is a legal requirement. But how far does liability extend and does it include independent contractors?
Two recent cases involving Morrisons and Barclays Bank highlight how far liability extends.
Various Claimants v Wm Morrisons Supermarket plc, 22 October 2018
Andrew Skelton (‘AS’) was employed by Morrisons as a senior IT auditor. He also ran his own business selling a slimming drug online. In May 2013, a package containing the slimming drug burst in Morrisons’ post room and the police were called to establish the identity and legality of the powder inside. AS was suspended and ultimately given a verbal warning.
AS was extremely angry and felt his treatment was unjust. In January 2014, he uploaded the personal details of almost 100,000 employees, (including names, addresses, gender, date of birth, phone numbers, bank sort codes, bank account numbers and salaries), onto a file sharing website and subsequently sent the data to three newspapers. One contacted Morrisons and AS was arrested in March 2014 and imprisoned for 8 years.
5,500 affected employees brought claims against Morrisons for breach of statutory duty under the Data Protection Act 1998, misuse of private information and breach of confidence. They argued that Morrisons was vicariously liable for AS’ acts.
The court acknowledged that Morrisons was also a victim in this case and carefully dealt with each of the allegations raised. Although it rejected some claims, it ultimately held that Morrisons was vicariously liable and should compensation the victims accordingly. Morrisons’ appealed to the Court of Appeal which upheld the initial judgement. The supermarket has indicated that it will appeal to the Supreme Court. The financial implications of this case for Morrisons are huge, not just in terms of potential compensation for the victims of AS’ criminal act. At a recent costs hearing, the court concluded that if Morrisons’ appeal is unsuccessful the supermarket will also be liable for up to 40% of the claimants’ costs.
The above decision predates the GDPR but reinforces the need to assess the risks of data breaches, and the importance of keeping data safe and secure. Policies and procedures should be implemented and staff trained in handling data securely. Organisations should also revisit insurance policies to ensure they have adequate protection.
Barclays Bank plc v Various Claimants
Like many organisations, Barclays requires potential employees to undergo a medical examination as part of its recruitment process. It previously engaged Dr Bates to conduct such examinations at his home and to produce a detailed report on the individual’s health. The report was then used to decide whether nor not to offer employment to the individual.
Dr Bates died in 2009 but in 2016, 126 litigants brought claims against Barclays alleging that they had been sexually assaulted by Dr Bates and that Barclays was vicariously liable for his actions.
The Court of Appeal concluded that, although Dr Bates was not employed by Barclays, the examinations he had carried out had been conducted on Barclays behalf and Barclays had exercised sufficient control over the examinations (in terms of their content, time and location) that the process had formed part of Barclays’ business activities. On this basis, the Court held Barclays was vicariously liable for Dr Bates’ acts. A key factor in this decision was the control exercised by Barclays over Dr Bates.
This case highlights that organisations can be liable for the negligent and deliberate acts of independent contractors. Businesses should assess the risks of such appointments and take steps to mitigate these, including conducting background checks and recommendations, and ensuring that contractors have adequate insurance in place.