Nowak
(Approximation of laws; Data protection) [2017] EUECJ C-434/16 (20 December 2017)
[2017] EUECJ C-434/16, [2018] WLR(D) 8, EU:C:2017:994, ECLI:EU:C:2017:994
Judgment
1 This request for a preliminary ruling concerns the interpretation of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (OJ 1995 L 281, p. 31).
2 The request has been made in proceedings between Mr Peter Nowak and the Data Protection Commissioner (Ireland) concerning the latter’s refusal to give Mr Nowak access to a corrected script of an examination at which he was a candidate, on the ground that the information contained therein did not constitute personal data.
Legal context
European Union law
Directive 95/46
3 Recitals 25, 26 and 41 of Directive 95/46, the object of which is stated in Article 1 thereof to be the protection of the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data, and the elimination of obstacles to the free flow of such data, state:
‘(25) … the principles of protection must be reflected, on the one hand, in the obligations imposed on persons … responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances;
(26) … the principles of protection must apply to any information concerning an identified or identifiable person; whereas, to determine whether a person is identifiable, account should be taken of all the means likely reasonably to be used either by the controller or by any other person to identify the said person; … the principles of protection shall not apply to data rendered anonymous in such a way that the data subject is no longer identifiable; …
…
(41) … any person must be able to exercise the right of access to data relating to him which are being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing;’
4 The concept of ‘personal data’ is defined in Article 2(a) of that directive as being ‘any information relating to an identified or identifiable natural person (“data subject”); an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.
5 Article 6 of that directive, within Section I of Chapter II of that directive, that section being headed ‘Principles relating to data quality’, is worded as follows:
‘1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.’
6 Article 7 of Directive 95/46, within Section II of Chapter II of that directive, that section being headed ‘Criteria for making data processing legitimate’, provides:
‘Member States shall provide that personal data may be processed only if:
(a) the data subject has unambiguously given his consent; or
…
(c) processing is necessary for compliance with a legal obligation to which the controller is subject; or
…
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller or in a third party to whom the data are disclosed; or
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by the third party or parties to whom the data are disclosed, except where such interests are overridden by the interests for fundamental rights and freedoms of the data subject which require protection under Article 1(1).’
7 Article 12 of that directive, headed ‘Right of access’, states:
‘Member States shall guarantee every data subject the right to obtain from the controller:
(a) without constraint at reasonable intervals and without excessive delay or expense:
– confirmation as to whether or not data relating to him are being processed and information at least as to the purposes of the processing, the categories of data concerned, and the recipients or categories of recipients to whom the data are disclosed,
– communication to him in an intelligible form of the data undergoing processing and of any available information as to their source,
…
(b) as appropriate the rectification, erasure or blocking of data the processing of which does not comply with the provisions of this Directive, in particular because of the incomplete or inaccurate nature of the data;
(c) notification to third parties to whom the data have been disclosed of any rectification, erasure or blocking carried out in compliance with (b), unless this proves impossible or involves a disproportionate effort.’
8 Article 13 of that directive, headed ‘Exemptions and restrictions’, provides:
‘1. Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in Articles 6(1), 10, 11(1), 12 and 21 when such a restriction constitutes a necessary measure to safeguard:
…
(g) the protection of the data subject or of the rights and freedoms of others.
…’
9 Article 14 of Directive 95/46, headed ‘The data subject’s right to object’, provides:
‘Member States shall grant the data subject the right:
(a) at least in the cases referred to in Article 7(e) and (f), to object at any time on compelling legitimate grounds relating to his particular situation to the processing of data relating to him, save where otherwise provided by national legislation. Where there is a justified objection, the processing instigated by the controller may no longer involve those data;
…’
10 Article 28 of that directive, headed ‘Supervisory authority’, states:
‘1. Each Member State shall provide that one or more public authorities are responsible for monitoring the application within its territory of the provisions adopted by the Member States pursuant to this Directive.
…
3. Each authority shall in particular be endowed with:
– investigative powers, such as powers of access to data forming the subject matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties;
– effective powers of intervention, such as, for example, that … of ordering the blocking, erasure or destruction of data, of imposing a temporary or definitive ban on processing …
…
Decisions by the supervisory authority, which give rise to complaints, may be appealed against through the courts.
4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.
…’
Regulation (EU) 2016/679
11 Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (OJ 2016 L 119, p. 1) is applicable, pursuant to Article 99(2) thereof, as from 25 May 2018. Article 94(1) of that regulation provides that Directive 95/46 is repealed with effect from that date.
12 Article 15 of that regulation, headed ‘Right of access by the data subject’, provides:
‘1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data …
…
3. The controller shall provide a copy of the personal data undergoing processing …
4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others.’
13 Article 23 of Regulation 2016/679, headed ‘Restrictions’, states:
‘1. Union or Member State law to which the data controller or processor is subject may restrict by way of a legislative measure the scope of the obligations and rights provided for in Articles 12 to 22 …, when such a restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure in a democratic society to safeguard:
…
(e) other important objectives of general public interest of the Union or of a Member State, in particular an important economic or financial interest of the Union or of a Member State, including monetary, budgetary and taxation matters, public health and social security;
…
(i) the protection of the data subject or of the rights and freedoms of others.
…’
Irish law
14 The Data Protection Act 1988, as amended by the Data Protection (Amendment) Act 2003 (‘the data protection legislation’) is designed to transpose Directive 95/46 into the Irish legal system. Section 1(1) of that Act defines the concept of ‘personal data’ as follows:
‘Data relating to a living individual who is or can be identified either from the data or from data in conjunction with other information that is in, or is likely to come into, the possession of the Data Controller’.
15 The right of access is governed by Section 4 of the data protection legislation; Section 4(6), which relates specifically to requests for access to the results of examinations, is worded as follows:
‘(a) A request by an individual under subsection (1) of this section in relation to the results of an examination at which he was a candidate shall be deemed, for the purposes of this section, to be made on
(i) the date of the first publication of the results of the examination, or
(ii) the date of the request,
whichever is the later; …
(b) In this subsection “examination” means any process for determining the knowledge, intelligence, skill or ability of a person by reference to his performance in any test, work or other activity.’
16 Article 6 of the data protection legislation establishes the right to rectification and erasure of personal data the processing of which does not comply with that legislation.
17 Article 10(1)(b)(i) of the data protection legislation requires the Data Protection Commissioner to investigate a complaint ‘unless he is of the opinion that it is frivolous or vexatious’.
The dispute in the main proceedings and the questions referred for a preliminary ruling
18 Mr Nowak was a trainee accountant who passed first level accountancy examinations and three second level examinations set by the Institute of Chartered Accountants of Ireland (‘the CAI’). However, Mr Nowak failed the Strategic Finance and Management Accounting examination, which allowed candidates to make use of documents (an open book examination).
19 After he had failed that examination for the fourth time, in the autumn of 2009, Mr Nowak initially submitted a challenge to the result of that examination. After that challenge was rejected in March 2010, he submitted, in May 2010, a data access request, under Section 4 of the data protection legislation, seeking all the personal data relating to him held by the CAI.
20 By letter of 1 June 2010, the CAI sent 17 documents to Mr Nowak, but refused to send to him his examination script, on the ground that it did not contain personal data, within the meaning of the data protection legislation.
21 Mr Nowak then contacted the Data Protection Commissioner with a view to challenging the reason given for the refusal to disclose his examination script. In June 2010 the Data Protection Commissioner replied to him by email to state, inter alia, that ‘exam scripts do not generally fall to be considered [for data protection purposes] … because this material would not generally constitute personal data’.
22 That reply from the Data Protection Commissioner was followed by correspondence between Mr Nowak and the Commissioner which culminated, on 1 July 2010, in Mr Nowak submitting a formal complaint.
23 By letter of 21 July 2010, the Data Protection Commissioner informed Mr Nowak that, after consideration of the case, he had identified no substantive contravention of [the data protection legislation] and that, in accordance with Section 10(1)(b)(i) of that legislation, which covers frivolous or vexatious complaints, there would be no investigation of the complaint. The letter stated, further, that the material over which Mr Nowak sought to exercise ‘a right of correction is not personal data to which Section 6 of the [data protection legislation] applies’.
24 Mr Nowak brought an action against that decision before the Circuit Court. That court held that the action was inadmissible on the ground that, since the Data Protection Commissioner had not initiated an investigation of a complaint, there was no decision against which legal proceedings could be brought. In the alternative, that court held that the action was unfounded, since the examination script did not constitute personal data.
25 Mr Nowak brought an appeal against the judgment of that court before the High Court, which however upheld the decision. The judgment of the High Court was, in its turn, upheld by the Court of Appeal. The Supreme Court, which allowed an appeal against the judgment of the Court of Appeal, held that the action brought by Mr Nowak against the decision of the Data Protection Commissioner was admissible.
26 However, the Supreme Court is uncertain whether an examination script can constitute personal data, within the meaning of Directive 95/46, and therefore decided to stay the proceedings and to refer to the Court the following questions for a preliminary ruling:
‘(1) Is information recorded in/as answers given by a candidate during a professional examination capable of being personal data, within the meaning of Directive 95/46?
(2) If the answer to Question 1 is that all or some of such information may be personal data within the meaning of the Directive, what factors are relevant in determining whether in any given case such script is personal data, and what weight should be given to such factors?’
Consideration of the questions referred
27 By its questions, which can be examined together, the referring court seeks, in essence, to ascertain whether Article 2(a) of Directive 95/46 must be interpreted as meaning that, in circumstances such as those at issue in the main proceedings, the written answers submitted by a candidate at a professional examination and any examiner’s comments with respect to those answers constitute personal data, within the meaning of that provision.
28 In that regard, it must be recalled that Article 2(a) of Directive 95/46 defines personal data as meaning ‘any information relating to an identified or identifiable natural person’. Under the same provision, ‘an identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identification number or to one or more factors specific to his physical, physiological, mental, economic, cultural or social identity’.
29 It is not disputed that a candidate at a professional examination is a natural person who can be identified, either directly, through his name, or indirectly, through an identification number, these being placed either on the examination script itself or on its cover sheet.
30 Contrary to what the Data Protection Commissioner appears to argue, it is of no relevance, in that context, whether the examiner can or cannot identify the candidate at the time when he/she is correcting and marking the examination script.
31 For information to be treated as ‘personal data’ within the meaning of Article 2(a) of Directive 95/46, there is no requirement that all the information enabling the identification of the data subject must be in the hands of one person (judgment of 19 October 2016, Breyer, C-582/14, EU:C:2016:779, paragraph 43). It is also undisputed that, in the event that the examiner does not know the identity of the candidate when he/she is marking the answers submitted by that candidate in an examination, the body that set the examination, in this case the CAI, does, however, have available to it the information needed to enable it easily and infallibly to identify that candidate through his identification number, placed on the examination script or its cover sheet, and thereby to ascribe the answers to that candidate.
32 It is however necessary to determine whether the written answers provided by a candidate at a professional examination and any comments made by an examiner with respect to those answers constitute information relating to that candidate, within the meaning of Article 2(a) of Directive 95/46.
33 As the Court has held previously, the scope of Directive 95/46 is very wide and the personal data covered by that directive is varied (judgment of 7 May 2009, Rijkeboer, C-553/07, EU:C:2009:293, paragraph 59 and the case-law cited).
34 The use of the expression ‘any information’ in the definition of the concept of ‘personal data’, within Article 2(a) of Directive 95/46, reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.
35 As regards the latter condition, it is satisfied where the information, by reason of its content, purpose or effect, is linked to a particular person.
36 As is argued, in essence, by Mr Nowak, the Czech, Greek, Hungarian, Austrian and Portuguese governments and also by the European Commission, the written answers submitted by a candidate at a professional examination constitute information that is linked to him or her as a person.
37 First, the content of those answers reflects the extent of the candidate’s knowledge and competence in a given field and, in some cases, his intellect, thought processes, and judgment. In the case of a handwritten script, the answers contain, in addition, information as to his handwriting.
38 Second, the purpose of collecting those answers is to evaluate the candidate’s professional abilities and his suitability to practice the profession concerned.
39 Last, the use of that information, one consequence of that use being the candidate’s success or failure at the examination concerned, is liable to have an effect on his or her rights and interests, in that it may determine or influence, for example, the chance of entering the profession aspired to or of obtaining the post sought.
40 It is, moreover, equally true that the written answers submitted by a candidate at a professional examination constitute information that relates to that candidate by reason of its content, purpose or effect, where the examination is, as in this case, an open book examination.
41 As is stated by the Advocate General in point 24 of her Opinion, the aim of any examination is to determine and establish the individual performance of a specific person, namely the candidate, and not, unlike, for example, a representative survey, to obtain information that is independent of that person.
42 As regards the comments of an examiner with respect to the candidate’s answers, it is clear that they, no less than the answers submitted by the candidate at the examination, constitute information relating to that candidate.
43 The content of those comments reflects the opinion or the assessment of the examiner of the individual performance of the candidate in the examination, particularly of his or her knowledge and competences in the field concerned. The purpose of those comments is, moreover, precisely to record the evaluation by the examiner of the candidate’s performance, and those comments are liable to have effects for the candidate, as stated in paragraph 39 of this judgment.
44 The finding that the comments of the examiner with respect to the answers submitted by the candidate at the examination constitute information which, by reason of its content, purpose or effect, is linked to that candidate is not called into question by the fact that those comments also constitute information relating to the examiner.
45 The same information may relate to a number of individuals and may constitute for each of them, provided that those persons are identified or identifiable, personal data, within the meaning of Article 2(a) of Directive 95/46.
46 Further, the question whether written answers submitted by a candidate at a professional examination and any comments made by the examiner with respect to those answers should be classified as personal data cannot be affected, contrary to what is argued by the Data Protection Commissioner and the Irish government, by the fact that the consequence of that classification is, in principle, that the candidate has rights of access and rectification, pursuant to Article 12(a) and (b) of Directive 95/46.
47 In that regard, it must, first, be recalled, as argued by the Commission at the hearing, that a number of principles and safeguards, provided for by Directive 95/46, are attached to that classification and follow from that classification.
48 It is stated in recital 25 of Directive 95/46 that the principles of protection provided for by that directive are reflected, on the one hand, in the obligations imposed on those responsible for processing data, obligations which concern in particular data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the rights conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances.
49 Accordingly, if information relating to a candidate, contained in his or her answers submitted at a professional examination and in the comments made by the examiner with respect to those answers, were not to be classified as ‘personal data’, that would have the effect of entirely excluding that information from the obligation to comply not only with the principles and safeguards that must be observed in the area of personal data protection, and, in particular, the principles relating to the quality of such data and the criteria for making data processing legitimate, established in Articles 6 and 7 of Directive 95/46, but also with the rights of access, rectification and objection of the data subject, provided for in Articles 12 and 14 of that directive, and with the supervision exercised by the supervisory authority under Article 28 of that directive.
50 As stated by the Advocate General in point 26 of her Opinion, it is undisputed that an examination candidate has, inter alia, a legitimate interest, based on the protection of his private life, in being able to object to the processing of the answers submitted by him at that examination and of the examiner’s comments with respect to those answers outside the examination procedure and, in particular, to their being sent to third parties, or published, without his permission. Equally, the body setting the examination, as the data controller, is obliged to ensure that those answers and comments are stored in such a way as to ensure that third parties do not have unlawful access to them.
51 Further, it is clear that the rights of access and rectification, provided for in Article 12(a) and (b) of Directive 95/46, may also be asserted in relation to the written answers submitted by a candidate at a professional examination and to any comments made by an examiner with respect to those answers.
52 Of course, the right of rectification provided for in Article 12(b) of Directive 95/46 cannot enable a candidate to ‘correct’, a posteriori, answers that are ‘incorrect’.
53 It is apparent from Article 6(1)(d) of Directive 95/46 that the assessment of whether personal data is accurate and complete must be made in the light of the purpose for which that data was collected. That purpose consists, as far as the answers submitted by an examination candidate are concerned, in being able to evaluate the level of knowledge and competence of that candidate at the time of the examination. That level is revealed precisely by any errors in those answers. Consequently, such errors do not represent inaccuracy, within the meaning of Directive 95/46, which would give rise to a right of rectification under Article 12(b) of that directive.
54 On the other hand, it is possible that there might be situations where the answers of an examination candidate and the examiner’s comments with respect to those answers prove to be inaccurate, within the meaning of Article 6(1)(d) of Directive 95/46, for example due to the fact that, by mistake, the examination scripts were mixed up in such a way that the answers of another candidate were ascribed to the candidate concerned, or that some of the cover sheets containing the answers of that candidate are lost, so that those answers are incomplete, or that any comments made by an examiner do not accurately record the examiner’s evaluation of the answers of the candidate concerned.
55 Moreover, as stated by the Advocate General in point 37 of her Opinion, it cannot be ruled out that a candidate may, under Article 12(b) of Directive 95/46, have the right to ask the data controller to ensure that his examination answers and the examiner’s comments with respect to them are, after a certain period of time, erased, that is to say, destroyed. Pursuant to Article 6(1)(e) of that directive, personal data is to be kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data was collected or for which it is subsequently processed. Taking into consideration the purpose of the answers submitted by an examination candidate and of the examiner’s comments with respect to those answers, their retention in a form permitting the identification of the candidate is, a priori, no longer necessary as soon as the examination procedure is finally closed and can no longer be challenged, so that those answers and comments have lost any probative value.
56 In so far as the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers are therefore liable to be checked for, in particular, their accuracy and the need for their retention, within the meaning of Article 6(1)(d) and (e) of Directive 95/46, and may be subject to rectification or erasure, under Article 12(b) of the directive, the Court must hold that to give a candidate a right of access to those answers and to those comments, under Article 12(a) of that directive, serves the purpose of that directive of guaranteeing the protection of that candidate’s right to privacy with regard to the processing of data relating to him (see, a contrario, judgment of 17 July 2014, YS and Others, C-141/12 and C-372/12, EU:C:2014:2081, paragraphs 45 and 46), irrespective of whether that candidate does or does not also have such a right of access under the national legislation applicable to the examination procedure.
57 In that context, it must be recalled that the protection of the fundamental right to respect for private life means, inter alia, that any individual may be certain that the personal data relating to him is correct and that it is processed in a lawful manner. As is apparent from recital 41 of Directive 95/46, it is in order to be in a position to carry out the necessary checks that the data subject has, under Article 12(a) of the directive, a right of access to the data relating to him which is being processed. That right of access is necessary, inter alia, to enable the data subject to obtain, depending on the circumstances, the rectification, erasure or blocking of his data by the data controller and consequently to exercise the right set out in Article 12(b) of that directive (judgment of 17 July 2014, YS and Others, C-141/12 and C-372/12, EU:C:2014:2081, paragraph 44 and the case-law cited).
58 Last, it must be said, first, that the rights of access and rectification, under Article 12(a) and (b) of Directive 95/46, do not extend to the examination questions, which do not as such constitute the candidate’s personal data.
59 Second, Directive 95/46 and Regulation 2016/679 which replaces the directive both provide for certain restrictions on those rights.
60 Thus, under Article 13(1)(g) of Directive 95/46, Member States may adopt legislative measures to restrict the scope of the obligations and rights provided for in, inter alia, Article 6(1) and Article 12 of that directive, when such a restriction constitutes a necessary measure to safeguard the rights and freedoms of others.
61 Article 23(1)(e) of Regulation 2016/679 extends the list of grounds justifying restrictions, currently laid down in Article 13(1) of Directive 95/46, to ‘other important objectives of general public interest of the Union or of a Member State’. Further, Article 15(4) of Regulation 2016/679, that article relating to the data subject’s right of access, provides that the right to obtain a copy of personal data must not adversely affect the rights and freedoms of others.
62 In the light of all the foregoing, the answer to the questions referred is that Article 2(a) of Directive 95/46 must be interpreted as meaning that, in circumstances such as those of the main proceedings, the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers constitute personal data, within the meaning of that provision.
Costs
63 Since these proceedings are, for the parties to the main proceedings, a step in the action pending before the national court, the decision on costs is a matter for that court. Costs incurred in submitting observations to the Court, other than the costs of those parties, are not recoverable.
On those grounds, the Court (Second Chamber) hereby rules:
Article 2(a) of Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data must be interpreted as meaning that, in circumstances such as those of the main proceedings, the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers constitute personal data, within the meaning of that provision.
Ilešič
Rosas
Toader
Prechal
Jarašiūnas
Delivered in open court in Luxembourg on 20 December 2017.
A. Calot Escobar, Registrar
M. Ilešič, President of the Second Chamber
* Language of the case: English.
Nowak v The Data Protection Commissioner
(Approved) [2020] IECA 202 (27 July 2020)
Costs Judgment of Mr. Justice Robert Haughton delivered on the 27th day of July, 2020
Introduction
1. These two matters originated in the Circuit Court (Deery J) and resulted in appeals on different points of law to the High Court (Coffey J), and in turn further appeals on points of law to this court, which appeals were heard consecutively on 5 May 2020. In the first appeal Binchy J delivered a written judgment on 1 July 2020 dismissing the appeal, and Haughton and Ní Raifeartaigh JJ agreed. In the second appeal I delivered a written judgment on 1 July 2020 dismissing the appeal, and Binchy and Ní Raifeartaigh JJ agreed. This judgment addresses the costs in each of these cases in turn, and should be read with the principal judgments in each case. The court has considered written submissions from all concerned parties. No party has sought an oral hearing on the costs issues and I do not consider that it is necessary to reconvene to hear further submissions.
Appeal 2018/139
2. This appeal related to the appellant Mr. Nowak’s claim before the respondent (“the DPC”) to be entitled to disclosure under the data protection regime of a Memorandum constituting a submission made by the Notice Party to the Chartered Accountants Regulatory Board (“CARB”) in response to a complaint by the appellant about the Notice Party’s accounting practices. Mr. Nowak argued unsuccessfully in all courts that the Memorandum constituted personal data.
3. The first costs issue that needs to be noted relates to the DPC’s cross-appeal against the costs order made in the High Court in which the trial judge vacated the order of Circuit Court granting costs to the DPC and Notice party against Mr. Nowak, and ordered that there be no order as to costs in the High Court and the Circuit Court.
4. In his principal Judgment at para. 68 Binchy J addressed the DPC’s cross-appeal thus:
“64. As far as costs are concerned, it is first necessary to consider the costs incurred in the Circuit Court and High Court appeals, which are the subject of the respondent’s cross appeal. I can see no reason to depart from the normal rule that costs should follow the event in those proceedings. To that extent only therefore, I would overturn the decision of Coffey J. in the court below and order that the appellant shall discharge all of the costs incurred by the respondent in the Circuit Court and in the High Court, when taxed and ascertained.”
Accordingly this court has already decided to vacate the High Court order in relation to the costs of the DPC before it and the Circuit Court, and to order that the DPC is entitled to those costs against Mr. Nowak.
5. The Notice Party also cross-appealed in respect of the trial judge’s ‘no order as to costs’ ruling, and in its submission now seeks a similar order to that made in favour of the DPC. The Notice Party was properly joined as a notice party to the proceedings and successfully defended its interests in the Circuit Court and the High Court. This was necessary as Mr. Nowak made some allegations – including a suggestion that the DPC had never inspected the Memorandum submitted by the Notice Party to CARB – that required affidavit evidence from the Notice Party in order to rebut them, and clearly it had a strong interest in supporting the legal argument that the Memorandum did not come within the definition of ‘personal data’. It also had to address a submission to this court by Mr. Nowak that the Notice Party was an illegal entity. The Notice Party was an active participant in the Circuit Court, High Court and this court. As in the case of the DPC, the starting point is that as the Notice Party was entirely successful the normal rule that costs should follow the event should apply. The onus is on Mr. Nowak to persuade the court not to apply the normal rule, but nothing has been advanced by him in his submissions to suggest that there are any special or unusual circumstances that would justify the court in departing from ‘the normal rule’.
6. In a reply submission sent by email on 23 July 2020, Mr. Nowak responds specifically to the Notice Party’s submissions on costs and contests its claims by repeating his assertion that “it is an illegal entity and does not exist in law”, and further asserting that directors and partners of the Notice Party hold “invalid qualifications and auditing certificates” and that their work is “legally invalid and of a criminal nature”. These were not points pleaded, or supported by any evidence, or argued by Mr. Nowak, before the Circuit Court or the High Court, and so far as this court is concerned they appeared for the first time in his written submissions to this court in support of his appeal. In the course of the hearing, as presiding judge I made it clear to Mr. Nowak that he could not pursue these points, and this is referred to at paragraph 15 of the judgment of Binchy J as follows:
“15. In his written submissions dated 29th June, 2018, the appellant purports to expand on those grounds of appeal by adding thereto a claim that the notice party is an illegal entity and as a consequence the Memoranda relate to illegal and invalid audit work. He made additional submissions arising out of this argument, but at the outset of the hearing of this appeal, Haughton J. presiding, informed the appellant that it was not open to him to raise this ground of appeal, for the first time, by way of submissions to this Court, and ruled that the appellant would not be allowed to address the Court in relation to this new ground of appeal, or to rely upon it in any way.”
It is equally impermissible for Mr. Nowak to pursue these matters, upon which there cannot be any adjudication in this appeal, in support of his submission on costs, and his attempt to do so is at this stage scandalous and an abuse of the process. These remarks apply equally to the second issue which I address below.
7. I would therefore vacate the order of the High Court and order that the Notice Party is entitled to its costs in the Circuit Court and in the High Court against Mr. Nowak.
8. The second issue that falls to be determined is that the DPC and the Notice Party seek their costs of the appeal before this court.
9. The normal rule that costs should follow the event is now enshrined in section 169(1) of the Legal Services Regulation Act, 2015 which came into effect on 7 October 2019 by virtue of S.I. no.400/2019 and applies to this appeal. It provides –
“169. (1) A party who is entirely successful in civil proceedings is entitled to an award of costs against a party who is not successful in those proceedings, unless the court orders otherwise, having regard to the particular nature and circumstances of the case, and the conduct of the proceedings by the parties, including—
(a) conduct before and during the proceedings,
(b) whether it was reasonable for a party to raise, pursue or contest one or more issues in the proceedings,
(c) the manner in which the parties conducted all or any part of their cases,
(d) whether a successful party exaggerated his or her claim,
(e) whether a party made a payment into court and the date of that payment,
(f) whether a party made an offer to settle the matter the subject of the proceedings, and if so, the date, terms and circumstances of that offer, and
(g) where the parties were invited by the court to settle the claim (whether by mediation or otherwise) and the court considers that one or more than one of the parties was or were unreasonable in refusing to engage in the settlement discussions or in mediation.”
10. The DPC and Notice Party were “entirely successful” in this appeal. Mr. Nowak in his first emailed submission (6 July 2020) suggests that he brought the proceedings in the public interest. However his desire to obtain the Memorandum was clearly motivated by private interest, against a background that he had been ‘let go’ as a trainee accountant by the Notice Party after failing an accountancy exam, and had lodged a complaint with CARB in relation to the Notice Party’s accountancy practices. In the balance of his email, the content of which I will mention briefly later, Mr. Nowak does not point to any aspect of the nature or circumstances of the case, or any matter concerning the conduct of the proceedings by the DPC or Notice Party, or any matter coming within (a)-(g) in s.169(1), that might lead the court to do anything other than award them their costs. Furthermore I consider that it was necessary for the Notice Party to make written and oral submissions on the appeal, particularly in light of Mr. Nowak’s ill-advised attempt to introduce in his submissions, and pursue, a claim that had not been pleaded and was not properly before the court, namely that the Notice Party was ‘not a legal accountancy firm’.
11. I would therefore order that the DPC and the Notice Party are entitled to their costs of the appeal as against Mr. Nowak.
Appeal 2018/140
12. This appeal related to Mr. Nowak’s claim under the data protection regime to be entitled to his original accountancy exam scripts held by the Institute of Chartered Accountants in Ireland (“ICAI”). First it should be recalled that although the ICAI was a notice party in these proceedings it did not make submissions or appear on the appeal to this court. I addressed this at paragraph 80 of my principal judgment stating –
“…. I would therefore affirm the order of the High Court in respect of ICAI’s costs (i.e. no order as to its costs in the Circuit Court and the High Court).”
13. Secondly, in the High Court the trial judge again vacated the costs order in favour of the DPC made in the Circuit Court, and substituted it with ‘no order as to costs’ in both the Circuit Court and High Court. The DPC cross-appealed this order, seeking its costs in the Circuit Court and High Court.
14. Although argument was not addressed to the cross-appeal in written or oral submissions, the DPC reserved the right to do so in due course, and in my principal judgment I did address the issue at some length in paragraphs 71-78 and expressed a provisional view subject to considering further submissions. The costs/outlay issue facing the High Court was not straightforward, and fell to be determined against a back-drop, elaborated on in my principal judgment, that Mr Nowak had been successful on certain issues before the CJEU and the Supreme Court. I concluded my treatment of the issue with the following:
“78. … The trial judge would have been entitled in the exercise of his discretion to have awarded all or the substantial part of his outlays in the Circuit Court to Mr. Nowak; equally he would have been entitled to award the costs of the appeal pursued on the third issue to the Respondent. It may well have been – although I readily accept that this is speculation on my part – that the trial judge decided instead that justice would best be met by simply making no order as to the costs/outlays in the Circuit Court, and no order as to the costs of the appeal that he did hear and determine, notwithstanding that Mr. Nowak lost that appeal. This is the type of balancing exercise that is not infrequently carried out by courts when addressing costs. Whatever the reasoning that was adopted by the trial judge, the outcome was one reached by him in the exercise of his discretion, and in my view it would be difficult to say that he erred in principle or that this court should interfere with the exercise of his discretion. This court has often expressed the view that deference is due to a trial judge in the exercise of their discretion, and that it will be slow to interfere. My preliminary view, unless persuaded otherwise, is that this court should not interfere with the costs orders made by the trial judge.”
15. In their written Submission on costs the DPC position is stated thus:
“5. The DPC has indicated her willingness to accept the preliminary view expressed by the Court in the Judgment (§78) and will not pursue the cross-appeal in respect of the Costs Order of the High Court.”
16. Accordingly, for the reasons given in my principal judgment, I would dismiss the cross-appeal and affirm the order of the High Court making no order as to the DPC’s costs in the Circuit Court and in the High Court.
17. Thirdly the DPC seeks its costs of this appeal pursuant to s.169(1) because it was “entirely successful” and there is no basis within the considerations mentioned in the section for the court to decide otherwise. This accords with the preliminary view that I expressed in paragraph 79 of my principal judgment:
“Mr. Nowak decided to pursue the appeal, and he has lost it and the respondent was “entirely successful”. The arguments that Mr. Nowak raised were substantially the same as those that were rejected in the High Court. None of the considerations listed in (a)-(g) would seem to have any application. In my view the costs of the appeal should follow the event, and therefore the respondent should be entitled to its costs. This is reinforced by the fact that ICAI offered sight of the original scripts, but Mr. Nowak did not take up the offer. This is my preliminary view, unless persuaded otherwise.”
18. Mr. Nowak in his emailed submissions raises a number of matters that prompt him to request that no order as to costs be made “at this juncture”. He makes one submission that deserves to be addressed (the others will be mentioned briefly in a moment). He submits that –
“(h) The proceedings were brought in the public interest and substantial amount of my valuable time and resources was spent on these proceedings”.
19. As in Appeal 2018/139, I do not accept Mr. Nowak’s assertion that he brought these proceedings in the public interest. He brought them originally because he failed an accountancy exam and he wished to examine the scripts which he said contained personal data. This was to further his own interests, not the public interest. Along the way the DPC ruled his claim to be ill-founded in law and he successfully persuaded the Supreme Court that he was nevertheless entitled to pursue a statutory appeal. He then had to convince the CJEU (as he did) that the scripts contained ‘personal data’. But the fact that he had to go through these hoops, with results that may be of benefit to other persons, does not convert his private interest into a public one. The benefit to other persons is incidental. The outcome of many statutory appeals or judicial review proceedings brought for private benefit, to correct a wrong, may benefit other individuals, but this incidental public element does not mean that the proceedings were brought in the public interest – or that, if they fail, the unsuccessful litigant should escape the costs consequences. Mr. Nowak chose to pursue this appeal, first to the High Court then to this court, seeking the actual exam scripts, in circumstances where he believed, without any credible basis for such belief, that the original scripts had been destroyed by ICAI. This had nothing to do with public interest. In his submissions to this court on the appeal he sought to pursue an argument, not raised in his Notice of Appeal and entirely unsupported by evidence, that –
“24. … Access to the originals of personal data would be specifically desirable if there are suspicions of manipulation, re-engineering of copies provided or fraud.”
That argument was self-serving and had nothing to do with public interest and everything to do with Mr. Nowak’s groundless suspicions, and was held by this court to be outside the scope of the appeal. Mr. Nowak has not therefore established a basis upon which he could assert that this was public interest litigation.
20. In his first email Mr. Nowak raises other matters: he asserts that this court’s judgment was “wrong/misconceived or frivolous”; he asks that the issue of costs “for now be put on hold (a stay on costs) until this case is heard in the Supreme Court”; he says he will not accept or adhere “to an order of a court that has no basic knowledge of the data protection law”; he argues that the DPC could have avoided a significant amount of costs if the legal work was done internally and she was represented by an in-house lawyer; and he makes other intemperate comments directed at this court. None of his submissions raise any matters of the sort contemplated by s.169(1) or sub-clauses (a)-(g) or are such as to persuade me to depart from the normal rule where a party that is successful is entitled to their costs against a party who is not successful.
21. Accordingly I would award the DPC the costs of the appeal against Mr. Nowak.
Stay – costs orders in both appeals
22. As just mentioned, in his emailed submissions on costs Mr. Nowak states –
“b) the issue of costs should, for now be put on hold (a stay on costs), until this case is heard by the Supreme Court…”
23. Clearly Mr. Nowak intends to seek the leave of the Supreme Court to further appeal both cases, and I treat this to be his request for a stay on the costs orders made against him pending any such application(s).
24. I would grant Mr. Nowak a stay on execution only in respect of the costs orders now made in each case for 21 days from the date of perfection of the orders, and in the event that he applies for leave to appeal then the stay on execution in the relevant case will continue pending the determination of the relevant leave application by the Supreme Court, and in the event that leave is granted execution of the costs order in the relevant case will be further stayed pending further order of that court.
Summary
25. In summary I would make the following orders:
Appeal 2018/139
1) Dismiss appeal.
2) Vacate the order of the High Court making no order as to the costs of the DPC and the Notice Party in the Circuit Court and the High Court, and substitute therefor an order that the DPC and the Notice Party be entitled to their costs of the Circuit Court and the High Court to be paid by Mr. Nowak, such costs to be taxed in default of agreement.
3) Order that the DPC and the Notice Party be entitled to their costs of the appeal to this court to be paid by Mr. Nowak, such costs to be taxed in default of agreement.
4) A stay on execution only in respect of all costs so ordered to be paid by Mr. Nowak for 21 days from the date of perfection of this order and, in the event that Mr. Nowak applies for leave to appeal, a further stay pending the determination of that application by the Supreme Court and, in the event that leave to appeal is granted, a further stay pending further order of the Supreme Court.
Appeal 2018/140
1) Dismiss the appeal.
2) Affirm the order of the High Court making no order as to the costs of ICAI in the Circuit Court and High Court.
3) Dismiss the cross-appeal and affirm the order of the High Court vacating the order of the Circuit Court (which awarded costs to the DPC against Mr. Nowak) and making no order as to the costs of the DPC in the Circuit Court and the High Court.
4) Order that the DPC be entitled to the costs of the appeal in this court to be paid by Mr. Nowak such costs to be taxed in default of agreement.
5) A stay on execution only in respect of the costs so ordered to be paid by Mr. Nowak for 21 days from the date of perfection of this order and, in the event that Mr. Nowak applies for leave to appeal, a further stay pending the determination of that application by the Supreme Court and, in the event that leave to appeal is granted, a further stay pending further order of the Supreme Court.
Since this decision is being delivered electronically, Ní Raifeartaigh and Binchy JJ. have authorised me to record their agreement with the terms of this judgment.
Shatter -v- Data Protection Commissioner & anor
JUDGMENT of Mr. Justice Meenan delivered on the 9th day of November, 2017
Background
1. On 16th May, 2013, both the appellant and the notice party appeared on the RTE television programme “Prime Time”. Both were interviewed concerning controversy over the penalty points system. The notice party claimed that it was unlawful for members of An Garda Siochana to exercise any discretion in relation to the issuing of fixed charge notices for certain road traffic offences. The appellant expressed the view that it was entirely appropriate for members of An Garda Siochana to exercise such a discretion and stated:-
“Deputy Wallace himself was stopped with a mobile, on a mobile phone last May by members of An Garda Siochana and he was advised by the guard who stopped him that a fixed ticket charge could issue and he could be given penalty points. But the garda apparently, as I am advised…used his discretion and warned him not to do it again…”
2. Political controversy followed.
3. On 21st May, 2013 the appellant said the following in Dáil Éireann: –
“I am grateful for the opportunity to address issues arising from last Thursday’s Prime Time programme. I regret that comments made by me have inadvertently resulted in concerns being expressed that I am prepared to use confidential Garda information to damage a political opponent. Nothing could be further from the truth, but I am happy to offer reassurances to deputies on this point. I give a solemn assurance to the house that I am not in the business of receiving, seeking or maintaining confidential, sensitive information from An Garda Siochana on members of this house, Seanad, anyone in political life, nor are Gardai in the business of providing it…”
4. The appellant further stated:-
“The manner in which I acquired the information was quite straightforward and there is nothing sinister about it. I have taken the allegations made about the integrity of the fixed notice charge system and the controversy that arose with great seriousness. In the circumstances, I asked that the allegations made be fully investigated and was briefed on the matter by the Garda Commissioner. During the course of one of our conversations in which a number of matters relating to the reports on the fixed notice charge issues were discussed, including circumstances in which Gardaí exercised their discretion on traffic offences, the incident involving Deputy Wallace was mentioned by the Garda Commissioner…”
5. In the meanwhile, the notice party submitted a complaint to the respondent concerning what the appellant had said on the “Prime Time” programme. The respondent commenced an investigation into the complaint and notified the appellant of that fact by letter dated 21st May, 2013. In the course of this letter, Mr. Tony Delany, Assistant Commissioner, on behalf of the respondent stated:-
“Section 2 of the Data Protection Acts sets down the requirements which apply to the processing of personal data by data controllers. The Commissioner is satisfied the personal data of Deputy Wallace was processed by you in the incident complained of. This investigation will seek to determine whether that data processing was carried out in compliance with the requirements of s. 2 of the Data Protection Acts…”
I will return to this paragraph later in the judgment in the context of dealing with one of the issues of the appeal.
6. Under s. 10.1(b)(ii) of the Data Protection Acts 1988-2003 (the “Acts”) the respondent may attempt to arrange an “amicable resolution” of the complaint. However, such a resolution was not achieved and so by letter dated 20th December, 2013, on behalf of the respondent, the appellant was informed under s. 10 of the Acts that the respondent was going to carry out an investigation as to whether or not the Acts had been breached in the manner complained of. The letter also posed a number of questions for the appellant to answer concerning, inter alia, the circumstances under which the appellant acquired the information upon which he based his comments on the RTE programme.
7. By letter of 17th February, 2014, the respondent sought answers to the questions set out in the letter of 20th December, 2013. In the course of a reply to that letter, dated 25th February, 2014, the appellant stated:-
“As I have indicated previously to you, I am anxious not unduly to delay your investigation and the work of the Data Protection Commissioner in this matter and I look forward to providing you with a full response to the questions which were set out previously.
In advance of doing so, however, there is a legal point which has arisen in my analysis of the issues and which I believe requires to be addressed first. In your letter to me of 21st May, 2013, you stated that “the Commissioner is satisfied that the personal data of Deputy Wallace was processed by you in the incident complained of”, that is to say, of course, the remarks made by me in the course of the discussion on the Prime Time programme of 16th May 2013.
It appears to me that there may be grounds to question the conclusion that the disclosure of information regarding Deputy Wallace by me in the particular and peculiar circumstances of the Prime Time programme qualifies as the processing of personal data as this would be normally comprehended by the terms of the Data Protection Acts.
It may be helpful to reiterate to you that the information about Deputy Wallace in question was not in my possession or in my department’s possession in any documentary form – it was information conveyed verbally and directly to me by the Garda Commissioner in the course of a discussion at which no other persons were present. The information resided thereafter in my mind. I did not make a written record of it, nor was a written record of it made in my department.
I would have a concern about the extent to which the provisions of the Data Protection Acts could be taken to apply to or could be used to regulate information or the processing of information that is held in a person’s mind.
As you well know, the provisions of the Data Protection Acts deal with manual data or automated data as they are defined in the Acts. In the light of the way in which data is so defined, the Acts then set out a range of provisions dealing with the processing and disclosure of such data, the rights of data subjects and also the roles and responsibilities of data controllers and the Data Protection Commissioner…”
8. The respondent replied to this letter on 4th March, 2014, stating, inter alia:
“The contents of your letter have been noted and considered. We note in particular your assertion that the information about Deputy Wallace was not in your possession or in the possession of your department in any documentary form as it was information which was conveyed verbally and directly to you by the Garda Commissioner in the course of a discussion where no other persons were present. Notwithstanding that, the Data Protection Commissioner must take account of the fact that the information about Deputy Wallace was, as the Data Protection Commissioner understands, kept in a written record in An Garda Siochana. For that reason, the Data Protection Commissioner is satisfied that the information concerned is covered by the Data Protection Acts 1988 and 2003…”
9. The reference in this letter to “a written record in An Garda Siochana” is important in the context of the interaction between the respondent and An Garda Siochana. In the course of an affidavit in the proceedings sworn on 24th July, 2014, the respondent states: –
“25. On the 12th March 2014, I attended a meeting with Assistant Garda Commissioner Nolan (along with other officials from this office) to discuss a number of different data protection matters including, but not limited to, Deputy Wallace’s complaint. At that meeting, Assistant Commissioner Nolan confirmed to me that the Gardaí held a written record of the incident in which Deputy Wallace was allegedly cautioned by a member of the Gardai in relation to the use of a mobile phone while driving.”
and:-
“28. By an email dated 4th April 2014, this office asked the Gardai to formally confirm in writing that they held a written record of the incident in which Deputy Mick Wallace was allegedly cautioned by a member of the Gardaí in relation to the use of a mobile phone whilst driving.”
10. The respondent exhibited to his affidavit this email of 4th April, 2014 which stated inter alia: –
“… on the basis of those inquiries, the formal decision will record that An Garda Siochana held a written record in respect of the incident in which Deputy Wallace was cautioned by a member of An Garda Siochana and that the former Garda Commissioner orally briefed Minister Shatter on the contents of that written record. Please confirm that this is correct.”
It would therefore seem that at this stage of the investigation the respondent had neither seen nor considered the ‘written record’.
11. By letter dated 8th April, 2014 the appellant responded. With regard to the paragraph in the respondent’s letter of 21st May, 2013 that I set out at para. 5 above, it continued:-
“In the context of the current refinement addressed to controlling rather than processing of the earlier view, the view expressed in the letter of 21st May 2013 gives rise to an impression that the outcome of any subsequent investigation into the matter might have been in some way predetermined. Moreover, this coincides with the public statement of the Data Protection Commissioner on the RTE news the previous day 20th May 2013, that “the key issue is that it is the personal data of Deputy Wallace, it was disclosed by Minister Shatter, so it is for Minister Shatter to justify the basis and the justification for disclosing data that came into his possession as Minister for Justice”. This is a matter for considerable concern”.
12. On 17th April, 2014, the appellant was furnished with a copy of a “draft decision” by the respondent on the notice party’s complaint. Observations were invited.
13. In giving his observations on 2nd May, 2014, the appellant contended, as he had done before, that what was involved in the complaint was not “data” for the purposes of the Acts nor was he, the appellant, a “joint controller” for the purposes of the Acts.
14. Notwithstanding the appellant’s observations, the respondent issued his decision dated 6th May, 2014. The decision sets out in detail the background to the complaint and the exchange of correspondence. The respondent concluded that the appellant was a “data controller” for the purposes of the Acts, and that:-
“I understand from An Garda Siochana that the incident involving Deputy Wallace was not recorded on the central Garda IT system, PULSE, but that it was recorded as a written note, the contents of which were disclosed orally to the Garda Commissioner in the course of a briefing session with senior Garda officers. I consider that the information thus processed by An Garda Siochana falls within the definition of “personal data” for which the Garda Commissioner is the “data controller”.”
15. The decision further states:-
“The Minister contends that since the disclosure of the “personal data” about Deputy Wallace was made orally to him by the Garda Commissioner as was his statement on RTE, he should not be considered a “data controller” in respect of this information in view of the definition of “personal data” in the Data Protection Acts.
I acknowledge that the Minister raises a legitimate point of interpretation which could be the subject of detailed legal argument. I am not, on balance, disposed to accept the Minister’s contention in the context of this case. In reaching this conclusion, I have had regard, inter alia, to the following considerations.
It is not disputed that Minister Shatter disclosed information about Deputy Wallace in the course of the Prime Time programme. In circumstances where the information about Deputy Wallace was “personal data” held by An Garda Siochana and where an otherwise unlawful disclosure of this “personal data” to the Minister is legitimate solely because of the Minister’s duties under the Garda Siochana Act 2005, I consider that the Minister, on receipt of the “personal data” in these circumstances, was bound by the same obligations of nondisclosure under the terms of the Data Protection Acts as was the Commissioner. I consider that the Minister in these circumstances became a joint controller with the Garda Commissioner of the “personal data” of Deputy Wallace and he could not therefore disclose it other than in accordance with the Data Protection Acts. Bearing in mind the definition of “data controller” cited above, it is clear that the use of the personal data on Prime Time was determined by the Minister”
16. In conclusion, the respondent decided:-
“I am of the opinion following the investigation of the complaints submitted to this office by Deputy Mick Wallace T.D. against Mr. Alan Shatter T.D. Minister for Justice and Equality, that Mr. Alan Shatter T.D. Minister for Justice and Equality, contravened the Data Protection Acts 1988 and 2003 as follows:
• Section 2(1)(c)(ii) by further processing Deputy Mick Wallace’s personal data in a manner incompatible with the purpose of which that personal data was obtained…”
17. On the same date of the decision, 6th May, 2014, in his affidavit the respondent states the following:-
“At a meeting I attended (along with other officials from this office) on 6th May, 2014, Assistant Garda Commissioner Nolan produced a copy of an email dated 11th January, 2013, internal to An Garda Siochana, setting out details of an incident said to have occurred in or around May 2012, whereby a member of An Garda Siochana had cautioned Deputy Mick Wallace in relation to the alleged use of a mobile phone by him whilst driving. A copy of the email in question was not handed over to me at the meeting. Assistant Commissioner Nolan did, however, confirm that he would formally reply to the email issued by this office on 4th April, 2014”.
18. There is no reference to any of this in the respondent’s decision of 6th May, 2014. Further, it turns out that the “written note” referred to in both correspondence and the decision was an email “internal to An Garda Siochana”. The email was not “handed over” to the respondent. He was simply “shown” it as was deposed to at para. 44 of the respondent’s affidavit.
19. The decision of the respondent was appealed to the Circuit Court and the matter was heard on 21st January, 2015.
The Circuit Court Appeal
20. Her Honour Judge Jacqueline Linnane delivered a written judgment on 21st January, 2015.
21. At the hearing of the appeal, the respondent maintained that the appellant had no standing to bring the appeal by reason of the fact that the office of the Minister for Justice and Equality is a separate legal personality from the appellant as an individual citizen. As such, the appellant cannot appeal against a decision that relates to the office of the Minister. At this stage, the appellant was no longer the Minister for Justice and Equality. Further, the respondent stood over both his decision and the procedures he followed in reaching such decision.
22. The Circuit Judge dismissed the appeal:-
“In my view this objection regarding the standing of the appellant to bring this appeal is well founded and on this ground alone I would dismiss the appeal. However, as I have also heard submissions and arguments from both the appellant and the respondent on the merits of the appeal and in case I am incorrect on this standing point, I have considered those arguments.”
and:-
“The onus rests with the appellant here. In my view, the Data Protection Commissioner considered the matter fully and at length in the course of his investigation. He took into account the arguments put forward by Mr. Shatter, fair procedures were followed and reasons given for the conclusion and decision reached. Applying the test referred to above, I do not consider that it has been shown that the decision made was vitiated by any serious or significant error or series of such errors. Accordingly, even if the standing of the appellant to bring this appeal had not been raised, I would dismiss this appeal.”
23. The appellant now appeals the decision of the Circuit Court to this Court pursuant to s. 26(3)(b) of the Acts and to set aside the decision made by the respondent of 6th May, 2014, and relying on, inter alia, the following grounds:-
(i) The learned trial judge erred in law in holding that the appellant did not have standing to bring an appeal pursuant to s. 26(1) of the Data Protection Act 1988, as amended, against the decision.
(ii) That the learned trial judge erred in law in holding that the respondent was correct in determining that personal data had been received by the appellant on the basis that the gardaí had a note in writing regarding the incident involving the notice party and that the respondent saw the note (in writing) during the course of his investigation in circumstances where:
– no evidence of such note in writing was before the court or was set out in the decision
– in fact, the evidence before the court was to the effect that the respondent had sight of an email relating to the incident
– there was no evidence in the decision or before the court as to the contents of the email such as to allow the conclusion that it constituted personal data to be drawn and the respondent failed to set out the basis for any such conclusion in the decision
(iii) The learned trial judge erred in law insofar as she held that the appellant disclosed personal data in circumstances where he retained the information given to him by the Garda Commissioner neither in automated form nor as manual data.
(iv) The learned trial judge erred in law in holding that the appellant was a data controller or a joint data controller or that the appellant processed personal data.
(v) The learned trial judge erred in law in holding that the respondent took into account the arguments put forward by the appellant, that fair procedures were followed and that reasons were given for the decision.
Legal Principles to be Applied in this Appeal
24. There was agreement between the parties as to the test to be applied on an appeal such as this. I refer to Ulster Bank Investment Funds Ltd. v. Financial Services Ombudsman [2006] IEHC 323 where Finnegan P. stated:-
“To succeed on this appeal the Plaintiff must establish as a matter of probability that, taking the adjudicative process as a whole, the decision reached was vitiated by a serious and significant error or a series of such errors. In applying the test, the Court will have regard to the degree of expertise and specialist knowledge of the Defendant. The deferential standard is that applied by Keane C.J. in Orange v The Director of Telecommunications Regulation & Anor and not that in The State (Keegan) v Stardust Compensation Tribunal.”
25. The first issue that has to be addressed on this appeal is the appellant’s standing.
The Appellant’s Standing
26. The respondent submitted that the appellant, in his capacity as a private citizen, does not have standing to institute and maintain the appeal pursuant to s. 26 of the Acts. This is because the decision of the respondent was not made against the appellant in his personal capacity but rather in his capacity as Minister for Justice and Equality. Further, as the appellant stated in his affidavit, when he appeared on the television programme on 16th May, 2013, he did so in his capacity as Minister for Justice and Equality.
27. On this submission, it would follow that the only person with standing to institute and maintain the appeal is the individual who currently occupies the post of Minister for Justice and Equality.
28. A similar submission was made in Shatter v. Guerin [2016] IECA 318. This was an appeal by the applicant/appellant against the dismissal by the High Court of an application for judicial review of a report to An Taoiseach concerning the handling of allegations of Garda misconduct made by Sergeant Morris McCabe. The applicant, at the time of the inquiry he sought to impugn, held the post of Minister for Justice and Equality. The respondent argued that the only person with standing to institute and maintain the proceedings was the person then currently occupying the post of Minister for Justice and Equality.
29. In the course of his judgment, Ryan P. stated:-
“94. A Minister has an official position as a member of the Government which means that he has collective responsibility. In his official capacity the Minister for Justice and Equality had legal status as a corporation sole. However, in the inquiry with which we are concerned, it was not the Minister in his disembodied capacity as a persona designata such that it did not matter who occupied the office whose conduct was in issue. The question here concerned a particular Minister or rather a particular person, namely, Mr. Alan Shatter, TD. And although his name is not actually mentioned in the report in the challenged conclusions section, it was his personal and individual conduct in relation to the complaints made by Sergeant McCabe that was actually in issue.”
30. Also dealing with this issue, Finlay Geoghegan J. stated:-
“19. Objection was made to the locus standi of the appellant as a private citizen or natural person to complain of alleged damage to his good name or reputation by reason of alleged criticism in the Report of the Minister in respect of acts done or not done while he was the holder of the office. That objection is not sustainable. The Minister, a corporation sole, is a legal person with perpetual succession and hence in that sense a distinct person from the appellant. Nevertheless the appellant personally is identified as the Minister for so long as he holds office. Hence it appears to me that criticism in respect of acts done or not done by the Minister while the appellant was the holder of the office can only be objectively viewed as criticism of him personally with the potential to damage his good name and reputation. Hence I am satisfied the appellant, albeit no longer Minister, has locus standi to pursue this claim.”
31. It can hardly be disputed that in pursuing this appeal, the applicant is seeking to reverse potential damage to his good name and reputation that arises from the decision of the respondent. I, therefore, reject the submissions of the respondent on this and find that the appellant has standing both to bring and maintain the appeal herein.
The Appeal
32. There are essentially two aspects to the appellant’s appeal. Firstly, the issue of constitutional/natural justice and, secondly, issues concerning the interpretation by the respondent of certain provisions of the Acts. I will address these separately.
Constitutional/Natural Justice
33. There are two issues under this heading, firstly pre-determination and secondly, the procedures followed by the respondent in reaching his decision of 6th May, 2014.
34. The submission that the respondent was guilty of “pre-determination” is based on firstly, the letter of 21st May, 2013 entitled “Notification of the Commencement of an Investigation” sent on behalf of the respondent which states:-
“Section 2 of the Data Protection Acts sets down the requirements which apply to the processing of personal data by data controllers. The Commissioner is satisfied that the personal data of Deputy Wallace was processed by you in the incident complained of. This investigation will seek to determine whether that data processing was carried out in compliance with the requirements of s. 2 of the Data Protection Acts.”
Secondly, a public statement of the respondent on RTE News on 20th May, 2013, that ‘the key issue is that it is the personal data of Deputy Wallace, it was disclosed by Minister Shatter, so it’s for Minister Shatter to justify the basis and the justification for disclosing data that came into his possession as Minister for Justice’.
35. The foregoing statements have to be seen in the context of matters set out in correspondence from the appellant to the respondent. In para. 7 above, I set out in detail the extracts from the appellant’s correspondence wherein he is expressly contesting whether the provisions of the Acts apply to the circumstances of the complaint at all. This was clearly an issue being raised by the appellant in dealing with the complaint but, notwithstanding this, it would appear from the foregoing that the respondent had already decided the matter.
36. Issues concerning “bias” and “pre-determination” have been considered in a number of cases. I refer to the decision of Clarke J. (as he then was) in A.P. v. His Honour Judge McDonagh & Anor [2009] IEHC 316, (unreported, High Court, Clarke J., 10th July, 2009) where, having reviewed the authorities, he stated:-
“7.1 There was no real dispute between the parties as to the test to be applied in assessing whether bias had been established. The test is as to whether a reasonable and properly informed person (that is to say someone who is well informed as to the process engaged in and issues to be tried), would have had a reasonable apprehension that one of the parties would not have a fair hearing from an impartial judge.”
and:-
“7.4 However, it seems to me that there is another form of pre-judgment which arises where the adjudicator indicates that the adjudicator has reached a conclusion on a question in controversy between the parties, at a time prior to it being proper for such adjudicator to reach such a decision (indeed it might well be more accurate to describe such a situation as premature judgment rather than pre-judgment). It can hardly be said that a reasonable and objective and well informed person would be any the less concerned that a party to proceedings was not going to get a fair adjudication if, at an early stage of the hearing, comments were made by the adjudicator which made it clear that the adjudicator had reached a decision on some important point in the case at a time when no reasonable adjudicator could have, while complying with the principles of natural justice, reached such a conclusion…”
37. Given that the appellant was contesting from the outset that he did not accept that the Acts applied to the circumstances of the complaint, the statements made both in the correspondence referred to and the national media cannot, in my view, be seen as anything other than pre-judgment of a central issue. Indeed, it is noteworthy that this issue was not adequately addressed in the lengthy written decision of 6th May, 2014.
38. However, notwithstanding this pre-judgment, the appellant remained engaged in the complaint procedure which, therefore, raises the issue of “acquiescence”.
39. Such an issue was considered in Corrigan v. Irish Land Commission [1977] I.R. 317, where Henchy J. stated:-
“I consider it to be settled law that, whatever may be the effect of the complaining party’s conduct after the impugned decision has been given, if, with full knowledge of the facts alleged to constitute disqualification of a member of the tribunal, he expressly or by implication acquiesces at the time in that member taking part in the hearing and in the decision, he will be held to have waived the objection on the ground of disqualification which he might otherwise have had…”
40. In applying the foregoing to the circumstances of the instant case, it is my view that, the respondent was guilty of pre-determination of an important issue in the complaint. The appellant, nonetheless, did not take any steps to have the respondent recuse himself. Therefore, the appellant cannot rely on this particular aspect of his appeal.
41. A further issue arises on the procedures adopted by the respondent in considering the complaint. Very clearly, central to the complaint was the “data” involved. In the course of correspondence, the draft decision and the final decision the respondent referred to a “written note”. It was only on the 6th May, 2014, the date of the decision, that it transpired that the “written note” was, in fact, an email dated 11th January, 2013. All that the respondent knew about this email was that it was “internal to An Garda Siochana”. There was no information provided as to who was the sender or the recipient of this email.
42. As was stated in the affidavit of the respondent, the respondent was never furnished with a copy of this email. In his own words, the respondent was “shown” it.
43. Fair procedures would require that, at least, a copy of this document would also be shown to the appellant. This was not done. As a result, the appellant was deprived of an opportunity to make any observations or submissions concerning this central piece of evidence in the complaint.
44. In my view, this represented a fundamental flaw in the procedures followed by the respondent and thus amounted to a “significant error” as per Ulster Bank v. Financial Services Ombudsman which, of itself, requires the court to reverse the decision made by the Circuit Court in upholding the decision of the respondent of 6th May, 2014.
45. The second aspect of the appeal concerns the interpretation by the respondent of certain provisions of the Acts.
46. A starting point is to examine whether “data” as is defined in the Acts covers an email “internal to An Garda Siochana”, that was shown but not handed over to the respondent.
47. Section 1(1) of the Acts defines “data” as “means automated data and manual data”.
48. “Automated data” means information that–
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) is recorded with the intention that it should be processed by means of such equipment.
49. “Manual data” means information that is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system.
50. Applying the foregoing definitions to the instant case, it would seem to me that there is no evidence to suggest that the email in question was being “processed by means of equipment operating automatically”. Nor was there evidence that it was “recorded with the intention that it should be processed by means of such equipment”. Therefore it does not fit the statutory definition of “automated data”.
51. In fact, the decision of the respondent clearly states that the email in question “was not recorded on the Central Garda IT System, PULSE”.
52. Equally, there was no evidence on which the respondent could conclude that the email was “recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system”. Thus, in my view, the email was not “manual data” for the purposes of the Acts.
53. The next matter that must be looked at is whether the appellant was a “data controller” for the purposes of the Acts. Section 1(1) defines “data controller” as:-
“a person who, either alone or with others, controls the contents and use of personal data.”
54. In his decision, the respondent found that the appellant came within the said definition of “data controller” at a time when it would appear that the respondent himself was not aware as to what the nature of the data was. I have already referred to the fact that there is no mention in the decision of the email he was shown.
55. Looking at the definition of “data controller” in the context of an email “internal to An Garda Siochana”, it is difficult to see how the appellant could control the “contents” of such an email as is required by the statutory definition. It would follow from this that the appellant cannot be a joint controller with the Garda Commissioner of such data.
56. Further, it seems to me that the error of the respondent in finding that the appellant was a “data controller” is underlined by the provisions of s. 10 of the Acts. Under s. 10(3)(a) the respondent, having found that a person is in breach of a provision of the Acts may require such person to:-
“(a) to block, rectify, erase or destroy any of the data concerned …”
It is difficult to see how the appellant could comply with such a request.
57. In light of the foregoing, I am of the view that the respondent made “a serious and significant error or a series of such errors”, as per Ulster Bank v. Financial Services Ombudsman in applying the said definitions in the Acts to the appellant in the circumstance that gave rise to the complaint.
58. I should add that in the course of the hearing counsel for the appellant, Ms. Eileen Barrington S.C., and for the respondent, Mr. Paul Anthony McDermott S.C., also made submissions in respect of other definitions in the Acts. However, in light of my findings I do not consider it necessary to consider these.
Conclusion
59. By reason of the foregoing, I find that the Circuit Court judge erred in law as follows:-
(i) in holding that the appellant did not have standing to bring and maintain the appeal;
(ii) in finding that the respondent followed fair procedures in reaching his decision of 6th May, 2014;
(iii) in the application of the provisions of the Data Protection Acts 1988-2003 (the “Acts”) to the circumstances of the complaint made by the notice party herein.
I would allow the appeal.
Martin -v- The Data Protection Commissioner
Neutral Citation:
[2016] IEHC 479
JUDGMENT of Mr. Justice Haughton delivered on the 10th day of August, 2016
Introduction
1. In this application for judicial review the applicant seeks a number of declaratory and injunctive reliefs against the Data Protection Commissioner (“the respondent” or “the Commissioner”) arising from a letter dated 16th February, 2015 from the respondent’s investigating officer Mr. Frank Bergin (“Mr. Bergin”) to the applicant’s solicitors wherein the respondent’s office refused to further investigate the applicant’s data protection complaint by means of an oral hearing to enable the respondent to form its own view on an unresolved conflict of evidence, namely whether the alleged breach of the applicant’s data protection rights had occurred.
2. The applicant seeks:-
i) a declaration that the decision of the respondent contained in the 16th February, 2015 letter outlined above breached the applicant’s constitutional right to fair procedures;
ii) an order of certiorari quashing the decision of the respondent;
iii) an order of mandamus directing the respondent to conduct an oral hearing in relation to the applicant’s complaint to enable it to form a view on the unresolved conflict of evidence to enable it to determine whether a breach of the applicant’s data protection rights had occurred;
iv) an order of mandamus directing the respondent to make a formal decision on the applicant’s data protection complaint; and
v) damages and costs.
3. While a number of issues are raised in the Statement of Opposition, including whether the proceedings are moot, the substantive issue is whether the respondent is empowered by law to conduct an oral hearing to resolve a relevant conflict of interest arising on investigation of a complaint of contravention of the Data Protection Act, 1988 and 2003 (“the Acts”, which term includes the Data Protection Act, 1988, as amended).
Factual Background
4. The Acts are intended to provide for the protection of individuals with regard to the control and processing of personal data. The respondent is required pursuant to s. 10 of the Acts to investigate, or cause to be investigated, whether any of the provisions of the Acts have been, or are being, or are likely to be, contravened in relation to an individual either where the individual complains to it or it is otherwise of the opinion that there may be such a contravention.
5. By way of a letter dated 20th December, 2012, solicitors acting on behalf of the applicant submitted a complaint to the respondent alleging that his data protection rights had been breached and asking that the respondent conduct an investigation into the alleged breach.
6. The circumstances of the complaint are as follows. The applicant has been a member of St. Raphael’s Credit Union, 1-2 Fox & Geese, Naas Road, Dublin 22 (“the Credit Union”) since 2004. On or about January, 2012, the applicant received a letter from the Credit Union asking him to contact a named representative in relation to his loan account. The applicant is said to have attempted on a number of occasions to contact the representative but was unsuccessful. The Credit Union again wrote to the applicant in February, 2012 requesting him to contact the same representative regarding his loan account. It is averred that the applicant again attempted to contact the named representative but was unsuccessful.
7. On 5th March, 2012, the applicant emailed the named representative seeking to set up an appointment with the Credit Union and indicating his availability to meet. This is stated in the affidavit of the applicant dated 20th March, 2015 to be the last time the Credit Union contacted him before the events which were the subject of the data protection complaint.
8. In his affidavit dated 20th March, 2015, the applicant avers that he was contacted by his father on 17th November, 2012 by way of a telephone call during which he indicated that a Mr. Frank McGrath came to his home claiming to be from the Credit Union. The details of the telephone call and the complaint were outlined as follows in a letter dated 16th August, 2013 from the respondent to solicitors for the applicant:-
“In correspondence received by this Office from your firm, Mr Martin outlines his version of events surrounding Mr. McGrath’s visit to the home of his father:
“On the day that Mr McGrath called to Greendale road, I received a phone call from my father, he informed me that a man had called to the house claiming to be from the credit union, he said his name was Frank; he had no identification on view and did not offer any. He informed my father that he was from St Raphael’s Garda credit union and that he was looking for Kevin Martin. My father told him that I did not live at that address and that I hadn’t for many years. My father invited him into the house in order to give him my phone number. Mr. McGrath informed my father that I “had substantial loans with the credit union that were in difficulty” and that I was avoiding contact and not responding to correspondence. He was also in possession of documents which my father described as “looking like accounts statements and having St Raphael’s credit union header”. Mr McGrath did not leave any contact details, calling card etc””
9. The applicant further states at para. 7 of his affidavit dated 20th March, 2015 that Mr. McGrath “proceeded to show my father a folder containing my private and confidential financial statements. The man stated that my loans had been restructured and discussed my repayment schedule.”
10. The applicant then issued the letter of 20th December, 2012 to the respondent detailing his complaint. He then received a letter dated 9th January, 2013 in which the respondent indicated that the Commissioner under s. 10 of the Acts would “investigate your complaint using our full legal powers if necessary to resolve the matter…”. The investigation was carried out by Mr. Bergin, investigating officer, on behalf of the respondent.
11. By way of a further letter dated 31st January, 2013, the respondent informed the applicant’s solicitors, Lawlor Partner Solicitors, that it had contacted the Credit Union as part of its investigations which acknowledged that its representative had gone to the applicant’s father’s house but denied that he had discussed or disclosed any sensitive or personal information.
12. The investigation continued, and Mr. Bergin sent letters dated 12th June, 2013 and 12th July, 2013, requesting responses from the Credit Union, who replied by letters dated, inter alia, 28th June, 2013 and 6th August, 2013. From these responses it emerged that the Credit Union had no electronic record of the meeting between Mr. McGrath and Mr. Martin Snr., and only had Mr. McGrath’s record of the outcome of the visit entered on their Credit Control System as of 30th November, 2012. This records the date of their meeting as being 24th November, 2012 as opposed to the applicant’s assertion that it was on 17th November, 2012.
13. The letter of 16th August, 2013 provides details of the Credit Union’s “version of events surrounding Mr McGrath’s visit to Mr Martin Senior’s home” as follows:-
“I have spoken to Mr McGrath concerning the visit and he had informed me that he has a clear and accurate recollection of his discussion with Mr Martin’s father. He has informed me that on the date in question he identified himself to Mr Martin Senior as an officer of St Raphael’s Garda Credit Union Limited.
He was invited into the gentleman’s home. He informs me that the conversation was limited to inquiring as to the whereabouts and telephone number of Mr Kevin Martin. He recalls that he had attempted to telephone Mr Kevin Martin on the number provided to him by Mr Martin Senior immediately after he left the house. As the number provided by Mr Martin Senior appeared to be incorrect, he had to trouble Mr Martin once again in an effort to recheck the number. Mr McGrath is adamant that he did not at any time discuss with Mr Martin Senior, the reason for his visit or for requesting the current address and telephone number of Mr Kevin Martin. Mr McGrath has informed me that Mr Martin Senior was quite happy to convey this information without question.”
14. Mr. Bergin then informed the solicitors for the applicant by letter dated 16th August, 2013, of the Credit Union’s responses, and he then stated:-
“It is not possible for this Office to form a definitive opinion on a complaint that concerns an allegation of verbal disclosure with one party stating one thing and the other party another. In the absence of documentary evidence, it would be impossible to prove that your client, Mr. Kevin Martin’s personal information was unfairly disclosed in accordance with the terms of Data Protection Acts 1988 and 2003 by St. Raphael’s Credit Union, as alleged in your client’s complaint.
However, if you have further information that was not previously presented to this Office and you feel may assist in our consideration of this matter, please do not hesitate to provide it to us.
Yours sincerely
Frank J. Bergin
Investigations Office
[This letter is not a legal notice or a decision of the Data Protection Commissioner to which s. 26 of the Data Protection Acts 1988 & 2003 applies].”
15. A shorter letter dated 8th October, 2013, was sent by Mr. Bergin to the Credit Union stating in similar terms that the respondent could not form “a definitive opinion”, and adding that:-
“Therefore, this Office now considers the matter of Mr. Martin’s complaint to be finalised.”
This letter also contained the same statement in parenthesis to the effect that the letter was not a legal notice or a decision of the respondent.
16. There was then no correspondence for a period of some eleven months. On 11th July, 2014, the applicant’s solicitors wrote to Mr. Bergin indicating dissatisfaction with the position taken in the letter of 16th August, 2013, stating their client’s belief that he had made contact with Credit Union staff immediately after Mr. McGrath called to his parents’ home and that there may be an audio recording, and requesting interview of the complainant and requesting an oral hearing.
17. At this point, Mr. Bergin reopened the investigation, asking the Credit Union to search for any record or audio recording of any such call by Mr. Martin on 17th or 18th November, 2012. He wrote to the applicant’s solicitors on 11th November, 2014, indicating that the Credit Union had searched its telephone audio recordings on request but had informed Mr. Bergin that it had been unable to discover any recording or telephone call between the applicant and Mr. McGrath on 17th or 18th November, 2012. In this letter, Mr. Bergin stated:-
“Having reviewed the correspondence received from both parties, it is not possible for this Office to form a definitive opinion on a complaint that concerns an allegation of verbal disclosure with one party stating one thing and the other party another. In the absence of documentary evidence, it would be impossible to prove that your client, Mr. Kevin Martin’s personal information was unfairly disclosed in accordance with the terms of the Data Protection Acts 1988 and 2003 by St. Raphael’s Credit Union, as alleged in your client’s complaint.
I note that in your letter dated 30th September, 2014, it is stated that:-
‘We would be obliged for a decision as soon as is practicable.’
If you are requesting a formal decision of the Data Protection Commissioner, the procedure is that the Commissioner would review the file and the most likely outcome will be that the Commissioner will be unable to determine that a breach of the Data Protection Acts occurred in this instance. On this basis, I would be grateful if you would inform me if you wished to proceed with a formal decision in this case.”
18. This was met with a response dated 27th November, 2014, from the applicant’s solicitors asserting that the respondent had a duty to conduct an oral hearing, and again requesting an oral hearing. Similar requests were repeated in letters of 10th December, 2014 and 15th January, 2015. In the meantime, Mr. Bergin continued the investigation, seeking details from the Credit Union of its procedures for house visits by staff, the training of staff and the training of Mr. McGrath in particular, and details of “other complaints of this nature”. The Credit Union replied to these requests on 13th January, 2015.
19. Mr. Bergin ultimately replied to Mr. Martin’s solicitors by letter dated 16th February, 2015, in which he repeated the position as set out in his letter dated 16th August, 2013 (see above), and he then stated:-
“In regard to your request for an oral hearing on this complaint, the position of this Office is that we have investigated the matter fully, based on the information provided by you and St. Raphael’s Credit Union. We do not consider that any further discussion on the matter will result in us coming to a different conclusion. In addition, there is no provision or obligation in s. 10 of the Data Protection Act 1998 [sic, 1988] and 2003, which provides for the investigation by complaints submitted to the Data Protection Commissioner for the holding of an oral hearing such as you have requested.
Our position on this matter is as outlined to you previously i.e. it is not possible for this Office to form a definitive opinion on a complaint that concerns an allegation of verbal disclosure with one party stating one thing and the other party another. Accordingly, in the absence of documentary evidence, it would be impossible for us to conclude that your client, Mr. Kevin Martin’s personal information was disclosed with a third party by a representative of St. Raphael’s Credit Union, as alleged in your client’s complaint.”
This is the decision in respect of which the applicant seeks certiorari.
Leave to Seek Judicial Review – 23rd March, 2015
20. The applicant applied by way of an ex parte application for leave to apply for judicial review on 23rd March, 2015, and leave was granted by Noonan J. on that day.
21. The reliefs which the applicant was granted leave to seek are already outlined above in this judgment. The Statement of Grounds, having set out the factual background, asserts that:-
“11. The respondent has still not made a formal decision in relation to the Applicant’s data protection complaint.”
The Grounds assert that the respondent failed to carry out a full and proper investigation pursuant to s. 10 of the Acts in accordance with the requirements of constitutional and natural justice, and that these required the respondent to conduct an oral hearing to resolve a disputed issue of fact.
Formal Decision of the Commissioner dated 23rd March, 2015
22. As it happens, also on 23rd March, 2015, under the hand of the Commissioner, the respondent issued her “formal statutory decision” in relation to the complaint. This comprehensive seven page document details the “Complaint”, “Investigations”, “Findings” and “Decision”. The respondent on p. 6 makes the following findings:-
“The issue for consideration in this case is whether the Data Protection Acts were contravened by the Credit Union during the conduct of the home visit by the alleged disclosure of Mr. Kevin Martin’s personal information to his father without his consent.
During the course of our investigation, the Credit Union stated repeatedly that its Director who conducted the home visit did not disclose any of Mr. Kevin Martin’s financial details to his father during that home visit. It also provided this Office with confirmation that its Director had participated in a training seminar for volunteer directors undertaking home visits. Furthermore, it also has a guidance document in place outlining the procedural steps to be followed in respect of such home visits. On that basis, I am satisfied that the Credit Union had taken appropriate steps to ensure that its volunteers who conduct home visits were trained and that procedural steps were in place at the Credit Union in respect of the conduct of home visits.
The disclosure which is alleged in this case was a verbal one. It was not witnessed. While the complaint alleges in a clear manner that a disclosure of personal data occurred during the home visit, the only evidence of this is the word of the complainant’s father. On the other hand, the response of the Credit Union and its Director, Mr. McGrath, is that no such disclosure took place.
If the Credit Union Director did disclose personal data relating to Mr. Kevin Martin’s financial situation to Mr. Kevin Martin’s father, as is alleged, that would constitute a contravention of s. 2(1)(c)(ii) of the Data Protection Act.
In this case, I have an allegation by a data subject of a verbal disclosure by a data controller, a denial of that allegation by the data controller and no proof of either the allegation or the denial, nor have I the means to obtain any proof of either in circumstances where the alleged verbal disclosure was not witnessed or recorded by means of video or audio equipment. I am satisfied that my Office has fully investigated this complaint. Despite that full and lengthy investigation, there is no means by which proof of the alleged breach can ever be established. It should not, however, be construed from the absence of proof, that I disbelieve the allegation of the verbal disclosure or the denial of the alleged verbal disclosure. In summary, having conducted a full investigation, I am unable to form a conclusion in relation to the alleged disclosure of personal data.”
23. The remainder of that letter reads:-
“Decision
I am of the opinion, following the investigation of the complaint submitted by you on behalf of your client, Mr. Kevin Martin, that there is no proof in existence of the alleged verbal disclosure of Mr. Kevin Martin’s personal data to his father by St. Raphael’s Garda Credit Union Limited. Accordingly, in the absence of such proof, I am unable to uphold the complainant’s assertion that a breach of the Data Protection Acts did occur.
Notice of Right of Appeal
You are hereby informed that you are entitled, if aggrieved by this decision in relation to your complaint against St. Raphael’s Garda Credit Union Limited to appeal it to the Circuit Court under s. 26 of the Acts within 21 days of receipt of this notification.
Section 7 of the Data Protection Acts
Data Controllers may be liable under s. 7 of the Data Protection Acts 1988 and 2003 to an individual for damages if they fail to meet the duty of care they owe in relation to personal data in their possession. It is a matter for any individual who feels s/he may have suffered damage from a contravention by a data controller of its data protection responsibilities to take legal advice as appropriate. This Office has no function in relation to the taking of any such proceedings under this Section or in the giving of any such legal advice.
Yours sincerely
Helen Dixon
Data Protection Commissioner”
The Subsequent Process
24. The applicant failed to serve an originating notice of motion within seven days from the date of perfection of the order of 24th March, 2015, granting leave. Accordingly, the applicant applied on an ex parte basis to the High Court on 13th April, 2015 for an order extending the time for service of the notice of motion, which was granted. The notice of motion was then filed in the Central Office of the High Court on 15th April, 2015. The matter came on before this court on 11th July, 2016, during a sitting of the High Court in Cork. In circumstances where there is no challenge in the Statement of Grounds to the “formal statutory decision” dated 23rd March, 2015, and there has been no application for an amendment, the Statement of Opposition raises an issue that the proceedings are moot.
25. In the Statement of Opposition, the respondent asserts:-
(i) That the reliefs sought are misconceived and/or moot in circumstances where the final decision was made by the respondent on 24th (was in fact 23rd) March, 2015.
(ii) That the decision of 23rd March, 2015 is final and cannot be the subject of collateral attack which does not challenge its merits.
(iii) That the applicant has available an alternative, more appropriate remedy, namely appeal to the Circuit Court pursuant to s. 26 of the Acts.
(iv) That the court should exercise its discretion to refuse relief on the basis that, when seeking an extension of time to serve the notice of motion, the grounding affidavit did not advert to the fact that a final decision was made on 23rd March, 2015, and that the reliefs the subject matter of the leave application were now moot.
(v) Delay issues are also raised arising out of the lapse of eleven months between Mr. Bergin’s letter of 16th August, 2013, and the applicant’s solicitors’ letter of 11th July, 2014, which first sought an oral hearing.
Mootness
26. The first issue that the court must determine is whether the proceedings are moot. In submissions, counsel for the respondent submitted that the applicant is strictly confined to the case on which he sought and obtained leave, and reliance is placed on A.P. v. DPP [2011] IESC 2. It was submitted that even if the applicant was successful in his challenge to the decision made on 16th February, 2015, the final decision of 23rd March, 2015 would still stand, thus infringing the principle that the courts will not make an order by way of judicial review that is futile.
27. Counsel for the applicant responded that the mootness argument was misconceived because the proceedings commenced prior to the leave decision being made and argued that the challenge being pursued is to the decision-making process, and the refusal to conduct an oral hearing. Material non-disclosure at the time of seeking an extension of time for service of the notice of motion was denied on the basis that all that was sought on 13th April, 2015 was an extension of time to serve the notice of motion, and even if there was an omission it was not deliberate or material.
Discussion
28. I have come to the conclusion that the applicant’s challenge to the “decision of the Respondent contained in the letter dated 16th February, 2015” is indeed moot, and that these proceedings cannot be maintained. There are a number of reasons for this.
29. Under s. 10(1) of the Acts, the respondent has the duty to investigate complaints of contravention by a data controller or data processor, and under s. 10(1)(b)(ii), it is provided:-
“(ii) if he or she [the Commissioner] is unable to arrange, within a reasonable time, for the amicable resolution by the parties concerned of the matter the subject of the complaint, notify in writing the individual who made the complaint of his or her decision in relation to it and that the individual may, if aggrieved by the decision, appeal against it to the [Circuit] Court under section 26 of this Act within 21 days from the receipt by him or her of the notification.”
Accordingly, the decision must be that of the Commissioner, not of a member of her staff, and it is from that decision only that there is a right of appeal to the Circuit Court.
30. The letter of 16th February, 2015, was from Mr. Bergin, the Investigations Officer, and not from the Commissioner, albeit that it was sent on behalf of the Office of the Commissioner. In its own terms it is not a decision on the complaint. Mr. Bergin states:-
“Our position on this matter is as outlined to you previously i.e. it is not possible for this Office to form a definitive opinion on a complaint that concerns an allegation of verbal disclosure with one party stating one thing and the other party another…”
31. I fully accept that the decision of the respondent communicated in the letter of 23rd March, 2015, was not to hand – and had, as a matter of probability, not been made or completed – at the time that the application for leave to seek judicial review was moved on that day before Noonan J. However, that letter of notification was addressed to the applicant’s solicitors and the court was informed that it came to the notice of the applicant/his solicitors late on 23rd March, 2015.
32. The letter of 23rd March, 2015, is a “formal statutory decision” of the respondent made pursuant to the Acts, and is expressly made “under section 10”. It is very comprehensive; it recites the complaint and the lengthy investigation, and it makes findings which have been quoted earlier in this decision. It decides that the respondent is “…unable to form a conclusion in relation to the alleged disclosure of personal data”, and that in the absence of proof of the existence of the alleged verbal disclosure “I am unable to uphold the complainant’s assertion that a breach of the Data Protection Acts did occur”.
33. I am satisfied that the decision of the respondent dated 23rd March, 2015 was made within jurisdiction, as it is a “decision in relation to” the complaint, as contemplated by s. 10(1)(b) of the Acts, made after “such investigations as [the Commissioner] considers appropriate…to identify any contravention…” as provided for in s. 10(1A).
34. The applicant and his legal advisers were aware of the decision of 23rd March, 2015 at the time that the applicant’s counsel applied on 13th April, 2015 to Noonan J. for an extension of time to serve the notice of motion. Leaving aside the question of whether there should be any criticism of the failure to bring to the court’s attention the fact that the respondent made and notified a formal statutory decision on 23rd March, 2015, it is a fact that no application was made at that time, or on any subsequent occasion, to amend the Statement of Grounds to challenge the decision dated 23rd March, 2015 – whether on the basis that the respondent failed to conduct an oral hearing to resolve disputes of fact, or on any other ground. Thus, the plea at para. 11 that the “Respondent has still not made a formal decision in relation to the Applicant’s data protection complaint”, which is repeated at para. 20, was allowed to stand uncorrected.
35. As no amendment application or fresh application for leave to seek judicial review of the decision of 23rd March, 2015 was brought at any time, the three month period within which leave might have been sought has long since expired. No application has been made before this court to amend the Statement of Grounds. It is fair to assume that, at this remove, in order to obtain an extension of time the applicant would face insuperable difficulties in satisfying the requirements of O. 84, r. 21(3) of the Rules of the Superior Courts, under which he would have to show (1) good and sufficient reason for the delay since June, 2015, and (2) that the circumstances resulting in the failure to seek leave within the three month period were outside his control or could not reasonably have been anticipated by him.
36. The court is left in a situation where, if it were disposed to grant the reliefs sought and direct the respondent to conduct an oral hearing, this would be of no avail because a formal statutory decision has already been taken. The applicant tries to circumvent this by emphasising that the challenge is to the decision-making process. But this is no answer, because the ‘process’ before the respondent ended with her decision of 23rd March, 2015 after she was satisfied that the complaint had been “fully investigated” by her office, and it was concluded without an oral hearing. Accordingly, I must find that this application for judicial review is moot.
37. In making this decision, I do not take into account the delay of some eleven months that took place between Mr. Bergin’s letter of 16th August, 2013 and the applicant’s solicitors’ first request for an oral hearing on 11th July, 2014. The reason for this is that Mr. Bergin, thereafter, as a matter of fact, reopened the investigation and pursued it until his letter of 16th February, 2015. Moreover during that period of further investigation the applicant’s solicitors consistently requested an oral hearing on a number of occasions.
38. I also do not decide this case on the basis of the suggested material non-disclosure on 13th April, 2015, when the applicant sought an extension of time to serve a notice of motion. While, undoubtedly, there is a duty of disclosure when making a leave application, and arguably that extended into the application for an extension of time, I am not satisfied that this was deliberate or intended to deceive the court, or that it was anything other than an oversight.
39. While later in this judgment I consider the issue of ‘alternative remedy’, this is not a factor I take into account in determining that the proceedings are moot.
The Substantive Issue – Is the Data Protection Commissioner empowered to conduct an oral hearing?
40. In case I am incorrect in the foregoing, and in deference to the extensive submissions, written and oral, of counsel, it is appropriate to express the court’s view in relation to the substantive issue, which is whether under the Data Protection Acts 1988 and 2003, or under EU law, the respondent has a power to conduct an oral hearing.
Party Arguments
41. The parties made a number of legal submissions. In summary the applicant argued that the respondent failed to protect his right to fair procedures in conducting the investigation into his complaint. In particular, the applicant asserted that fair procedures and natural justice require the respondent to conduct an oral hearing into his complaint in the circumstances where there is a conflict as to fact which the respondent accepted she was unable to resolve upon an examination of the materials before her.
42. Counsel for the applicant referred to Directive 95/46/EC of 24th October, 1995 “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. Recital 63 of the Directive states:-
“Whereas such authorities must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals, and powers to engage in legal proceedings; whereas such authorities must help to ensure transparency of processing in the Member States within whose jurisdiction they fall.”
Counsel submitted that “necessary means” includes the power to hold an oral hearing.
43. Furthermore, Chapter VI headed “Supervisory Authority and Working Party on the Protection of Individuals with regard to the Processing of Personal Data” contains certain provisions upon which the applicant relied:-
Article 28.3 provides, so far as relevant:-
“3. Each authority shall in particular be endowed with:
– Investigative powers, such as powers of access to data forming the subject-matter of processing operations and powers to collect all the information necessary for the performance of its supervisory duties”
Article 28.4 provides:-
“4. Each supervisory authority shall hear claims lodged by any person, or by an association representing that person, concerning the protection of his rights and freedoms in regard to the processing of personal data. The person concerned shall be informed of the outcome of the claim.
Each supervisory authority shall, in particular, hear claims for checks on the lawfulness of data processing lodged by any person when the national provisions adopted pursuant to Article 13 of this Directive apply. The person shall at any rate be informed that a check has taken place.”
Counsel relied on the use of the word “hear” in respect of claims in support of the contention that the respondent should in appropriate circumstances be entitled to hold an oral hearing.
44. It should be noted in passing that counsel for the respondent relied on Art. 22 headed “Remedies” which provides:-
“Without prejudice to any administrative remedy for which provision may be made, inter alia before the supervisory authority referred to in Article 28, prior to referral to the judicial authority, Member States shall provide for the right of every person to a judicial remedy for any breach of the rights guaranteed to him by the national law applicable to the processing in question.”
It was argued that s. 26 of the Acts in providing for an appeal to the Circuit Court (and a further appeal to the High Court on a point of law) supports their contention that the Commissioner is not empowered to hold oral hearings.
45. Counsel for the applicant submitted that in investigating complaints the respondent has a broad discretion, arising from legislation, as to the form and conduct of the investigations under s. 10(1A), which provides:-
“The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof.”
46. Reliance was also placed on s. 24(2) of the Acts which gives authorised officers of the respondent powers to require the production of data material and information.
47. While acknowledging that the Acts were silent on the issue of oral hearings, counsel argued that the courts have in the past imposed obligations beyond the scope of relevant statutory regimes in order to satisfy the requirements of fair procedures. Particular reliance was placed on The State (Boyle) v. The General Medical Services (Payment) Board & Ors. [1981] I.L.R.M. 14. In that case the applicant medical doctor sought to challenge the decision of the respondent seeking to reduce his remuneration. Neither the agreements governing the Free General Medical Scheme nor the Health Services Regulations 1972 provided for an oral hearing before the appeal committee – although there was a right of appeal. Keane J. stated:-
“Neither the agreement nor the regulations under consideration in the present case expressly provide for an oral hearing before the Appeal Committee. That is not to say, nor is it contended on behalf of the Respondents, that an Appellant can never be entitled to an oral hearing, in the sense of a hearing at which viva voce evidence is adduced and tested on cross-examination. No doubt, a case could arise in which the reliability or accuracy of material before the committee on which it proposed to act was challenged in such a manner as to make it imperative to have oral evidence in relation to it and to afford the Appellant an opportunity of cross-examining the witness or witnesses.”
48. In further support of this approach counsel relied upon Mooney v. An Post [1998] 4 I.R. 288 and Greenstar Ltd. v. Dublin City Council and others [2013] 3 I.R. 510. Counsel also drew comparisons between the role of the Commissioner and the Financial Services Ombudsman (“the FSO”) on the basis of the breadth of the respondent’s discretion under s. 10 and the powers of investigation conferred on her authorised officers by s. 24 of the Acts. Counsel also relied upon Davy v. Financial Services Ombudsman [2010] 3 I.R. 324 and Lyons & Murray v. Financial Services Ombudsman and Bank of Scotland Plc. [2011] IEHC 454 which he submitted established that an oral hearing will be required where there are unresolved conflicts of fact in respect of any matter material to a ruling. Counsel asserted that there are two requirements, firstly that there be conflict of fact, and secondly that it be material to the resolution of the complaint. He asserted that both these criteria were satisfied in the present case from an analysis of the correspondence, and that it was not possible for the respondent to form a definitive opinion on the complaint of an allegation of verbal disclosure absent an oral hearing.
49. The respondent argued that the statutory framework governing the Commissioner and her office, and the statutory complaints resolution scheme operated by the respondent, do not provide for or contemplate an oral hearing. In reliance on Private Residential Tenancies Board v. Judge Linnane [2010] IEHC 476 counsel argued that the court cannot amend a statute, by way of interpretation or otherwise, to provide for what the Oireachtas has not provided. It was argued that the respondent does not have any inherent power to hold an oral hearing, and that the provisions of the Directive and the Acts relied upon by the applicant cannot be broadly interpreted to permit an oral hearing as they only relate to “investigation” and the production of “data” and “information” to the investigating officer.
50. Counsel sought to distinguish the case law relied upon by the applicant. It was argued that the Acts do not give the respondent the power to administer an oath, compel the production of documents or compel the attendance of witnesses, unlike the statutory provisions relating to the FSO. Counsel also relied upon the fact, deposed by the respondent, that she does not provide for, nor have the facilities to conduct, an oral hearing, and that there is no established practice to conduct oral hearings amongst the data protection authorities of EU member states.
Discussion
51. I have come to the conclusion that neither the Directive nor the Acts, expressly or by implication, require or empower the respondent to conduct an oral hearing in relation to complaints made under the Acts. I also conclude that the requirements of natural and constitutional justice do not confer an inherent power on the respondent to conduct an oral hearing even in circumstances where there is a dispute of fact as to the existence or extent of an allegation of disclosure in contravention of the Acts. My reasons for this are as follows.
52. While Recital 63 of the Directive indicated that the “supervisory authority” was to have “the necessary means to perform their duties, including powers of investigation and intervention”, I do not consider that this is sufficient to indicate an intention on the part of the European Parliament and Council that such authorities have the power to conduct oral hearings. Further, I do not consider that Art. 28.4 in using the phrase “hear claims” was intended to mean that each Member State must set up a supervisory body that has the power to conduct oral hearings in relation to complaints. The phrase is used in Art. 28.4 in the context of a general reference to receiving and handling claims in relation to the processing of personal data. Had the Directive intended that its provisions would impose an obligation to hold oral hearings this would have been expressly stated. It is also noteworthy that there is no claim in these proceedings that the State has failed to properly transpose the Directive into domestic law by promulgating the Acts, and in particular the amending Act of 2003.
53. Article 28.3 is concerned with ensuring that each supervisory authority is endowed with appropriate “investigative powers”. This obligation is fulfilled by s. 24 of the Acts, which grants to the respondent’s “authorised officers” the power to enter premises and to inspect and examine data (s. 24(2)(a)), to require a data controller or data processor to disclose/produce data in their power or control (subpara. (b)), to inspect and copy extracts from such data (subpara. (c)), and to require a data controller or data processor:-
“to give to the officer such information as he may reasonably require in regard to the procedures employed for complying with the provisions of this Act, the sources from which such data are obtained, the purposes for which they are kept, the persons to whom they are disclosed and the data equipment in the premises.” (subpara. (d))
54. It cannot be inferred from s. 24, or from s. 10(1)(a) of the Acts, which imposes on the respondent the duty to investigate and make a decision in relation to a complaint, that the respondent has the power to conduct an oral hearing.
55. Furthermore, s. 10(1A) provides:-
“The Commissioner may carry out or cause to be carried out such investigations as he or she considers appropriate in order to ensure compliance with the provisions of this Act and to identify any contravention thereof.”
It is notable that this subsection is worded in a way that gives the Commissioner discretion as to the manner in which she considers it appropriate to carry out the investigation, both for the purpose of ensuring compliance with the Acts, and to “identify any contravention”. On the facts of the present case the respondent carried out the investigations that she (and Mr. Bergin) considered appropriate, and her conclusion was that she was unable to identify any contravention (“there is no proof in existence of the alleged verbal disclosure…in the absence of such proof I am unable to uphold the complainant’s assertion”).
56. In the absence of an express power, the court should be slow to find that there was an inherent power to hold an oral hearing. In Director of Consumer Affairs v. Bank of Ireland [2003] 2 I.R. 217, in considering the powers of the Director of Consumer Affairs pursuant to s. 149 of the Consumer Credit Act 1995, Kelly J. (as he then was) at pp. 237-238 stated:-
“The purpose of statutory interpretation is to ascertain the intention of the legislature as expressed in the statute, considering it as a whole and in its context. The intention, and therefore the meaning of the statute, is primarily to be sought in the words used in it.
The plaintiff is a statutory officer and is therefore strictly confined to the functions and powers conferred upon her under the Act. She has no inherent power. But she may have powers which, although not expressly conferred, may be regarded as incidental to or consequential upon those which the legislature has expressly authorised.”
The power to hold an oral hearing is a significant one and in applying the dictum of Kelly J. (as he then was) I have come to the view that it could not be said to be incidental to the powers of investigation conferred on the respondent and her staff by the Acts.
57. Had the Oireachtas intended that the respondent should have the power to hold oral hearings this would necessarily have been accompanied by ancillary powers and protections which are entirely absent from the Acts. Singularly absent are:-
(1) any powers to take evidence on oath or under affirmation, or even to administer an oath/affirmation;
(2) a general power to compel discovery of records (apart from the power conferred by s. 24 on investigating officers to gather data and information), and in the event of non-compliance to apply to a court of law for an appropriate order compelling discovery;
(3) a power to summons a person to attend to give evidence, or to issue a subpoena, or to apply, in default of attendance at an oral hearing, to a court of law to compel attendance;
(4) a power providing for a full right of cross-examination of witnesses, and to call evidence in defence and reply;
(5) a provision granting witnesses immunity from prosecution in criminal proceedings in respect of answers to questions given at an oral hearing;
(6) a provision creating offences in respect of failure to answer a question, or failure to provide information, or giving an answer on oath amounting to perjury; or
(7) any provisions creating an offence in the event that a witness or other party conducted themselves such that, if the respondent were a court of law, they would be in contempt of court.
58. In this respect it is useful to compare the office of the Commissioner with the position of the FSO established under s. 16 of the Central Bank and Financial Services Authority of Ireland Act, 2004. Under s. 57CG of that Act the FSO may receive information provided orally. Under s. 57CG(4) the FSO has the power to summons an officer, member, agent or employee of a financial services provider and may examine them on oath. Under subs. (5) the FSO “has the same powers that a judge of the High Court has” in hearing civil proceedings in relation to the examination of witnesses, and subs. (6) gives the witness the same “rights and privileges as a witness appearing in civil proceedings in the High Court”. Under subs. (7) information provided by a witness is not admissible as evidence against him or her in criminal proceedings. Under s. 57CG(1) the FSO can apply to the Circuit Court for a compliance order if a person has failed to comply with the FSO’s requirements, or has failed to comply with a summons or otherwise obstructed the FSO, and obstruction/failure to attend etc. are criminal offences (section 57CH).
59. Because of these provisions, I do not find reliance by counsel for the applicant on case law concerning the FSO to be persuasive.
60. The applicant relied on Davy v. Financial Services Ombudsman, where the FSO had refused to hold an oral hearing to resolve essential conflicts of fact, contending that whether or not to hold an oral hearing was a matter within his discretion and that he was entitled to have regard to the requirement that complaints be dealt with in an informal and expeditious manner. In the Supreme Court Finnegan J. observed that there was a conflict in relation to the oral advice given by the applicant to the notice party, a credit union, and then quoted Costello P. in Galvin v. Chief Appeals Officer [1997] 3 I.R. 240 at p. 251:
“(c) There are no hard and fast rules to guide the appeals officer or, on an application for judicial review, this Court, as to when the dictates of fairness require the holding of an oral hearing. The case (like others) must be decided on the circumstances pertaining, the nature of the inquiry being undertaken by the decision-maker, the rules under which the decision-maker is acting, and the subject matter with which he is dealing and account should also be taken as to whether an oral hearing was requested. In this case there is no doubt that an important right was in issue (that is the applicant’s right to a pension for life). The statute gives an express power to hold an oral hearing and to examine witnesses under oath; a request for an oral hearing was made. What I have to decide is (as Keane, J. had to decide, in The State (Boyle) v. The General Medical Services (Payments) Board [1981] I.L.R.M. 14) is whether the dispute between the parties as to (a) the reliability of the evidence before the appeals officer, of the applicant and Mr. Higgins on the one hand and (b) the accuracy of the departmental records on the other, made it imperative that the witnesses be examined (and if necessary cross-examined) under oath before the appeals officer.
(d) I have come to the conclusion that without an oral hearing it would be extremely difficult if not impossible to arrive at a true judgment on the issues which arose in this case.”
61. In the case before him Finnegan J. agreed with the conclusion of the High Court in relation to the requirement of holding an oral hearing in that case and stated:-
“I am satisfied that s. 57CE(5) empowers the respondent to proceed by way of examination and cross-examination of witnesses where that is appropriate. The respondent may of course restrict cross-examination to those issues on which there is a conflict. Central to the respondent’s decision was his finding on the expertise of the members of the investment committee of the notice party. He formed this finding on the basis of witness statements which were not made available to the applicant. Fair procedures required that those officers of the notice party to whom the applicant gave oral advice should be produced for cross-examination. Likewise in relation to the nature and suitability of the bonds, the expert who reported to the notice party and whose reports were before the respondent, although not furnished to the applicant, should be made available for cross-examination”.
This decision however must be considered in the context of the particular statutory provisions detailing the FSO’s functions and powers. Moreover, the FSO is confined to dealing with complaints linked to financial services providers whereas the Commissioner has a much wider remit.
62. The other FSO case relied upon by the applicant is Lyons & Murray v. Financial Services Ombudsman. In that case Hogan J. held that the FSO acted in breach of fair procedures in rejecting the necessity for an oral hearing to determine certain factual issues between the parties. At para. 39 he stated:-
“In any event, none of this could take from this Court’s bounden duty to uphold the constitutional rights of the appellants and to provide them with an effective remedy where (as here) such a right has been infringed …”
63. I was informed that that decision was appealed by the FSO, but the appeal was settled after the appellants and the notice party, the Bank of Scotland Plc., resolved their differences. In any event, in his decision Hogan J. emphasises the importance of the FSO’s decisions in that they are binding and can give rise to issue estoppel foreclosing litigation on the same points before a court of law. After quoting at para. 19 the finding of Charleton J. in O’Hara v. ACC Bank Plc. [2011] IEHC 367, where the learned judge stated:-
“It would be contrary to the statutory scheme and it would also be unfair for parties to a complaint before the Financial Services Ombudsman to be later subjected to very similar litigation.”
Hogan J. stated:-
“20. It follows, therefore, that an adverse finding by the FSO rejecting a complaint can, in some circumstances at least, create a form of issue estoppel preventing the re-litigation of these issues in subsequent litigation, precisely because the adjudication on many such complaints is effectively replicating in one shape or another that which would be the staple diet of the judicial system. This in itself must have consequences for the Ombudsman’s adjudicatory system.”
At para. 38 Hogan J. concluded:-
“Once, however, the Ombudsman proceeds to adjudication, a legal Rubicon is thereby crossed, not least having regard to the potential legal consequences of such an adjudicatory decision identified by Charleton J. in O’Hara. As agent of the State, the Ombudsman is thereby bound to uphold the constitutional right to fair procedures: see generally, Dellway Investments Ltd. v. National Asset Management Agency [2011] IESC 14.”
64. The possible effect of an adjudication of the FSO by way of estoppel on core proceedings is a further point of distinction between that FSO’s powers and functions, and those of the Commissioner. I refer later to s. 7 of the Acts which imposes an actionable duty of care on data controllers/processors. This new right of action makes it at least doubtful that a finding by the Commissioner that is adverse to a complainant is intended to estop any claim to damages under section 7. However, the principal distinction remains the specific statutory framework which in the case of the FSO expressly contemplates examination of witnesses under oath, and which is designed to accommodate an adversarial process.
65. Moreover, the courts have been quite prepared to require an oral hearing in those cases where there are express statutory provisions conferring powers to hold such hearings. This was the case in Galvin v. Chief Appeals Officer, where the statute gave an express power to hold an oral hearing and to examine witnesses under oath.
66. Neither am I persuaded by the further case law cited by the applicant in support of his contention. As I have observed, counsel placed much reliance on the dictum of Keane J. in The State (Boyle) v. The General Medical Services (Payments) Board quoted supra. In Boyle the applicant appealed to the General Medical Services Board appeal committee and also sought “an oral hearing at a venue which might be suitable to hear evidence of the patients I attended”. Keane J. noted that it was not:-
“… contended on behalf of the respondents, that an appellant can never be entitled to an oral hearing…No doubt, a case could arise in which the reliability or accuracy of material before the committee on which it proposed to act was challenged in such a manner as to make it imperative to have oral evidence in relation to it and to afford the appellant an opportunity of cross-examining the witness or witnesses”.
However, this was obiter and on the facts he rejected the claim on the basis that cross-examination was not necessary or appropriate. Moreover, he was there concerned with an appeal committee constituted on an ad hoc basis. By comparison the present case deals with complaints not appeals, and has a separate provision – s. 26 – which establishes the right to bring an appeal from the Commissioner’s decision to the Circuit Court.
67. In Greenstar the applicant claimed that the respondents had breached fair procedures and Art. 6 of the European Convention on Human Rights by not having an oral hearing prior to making its decision to vary the Waste Management Plan for the Dublin Region 2005 – 2010. There was no requirement in the applicable legislation that there be an oral hearing. At para. 30 McKechnie J. stated:-
“30. In this case I am satisfied that the procedure under consideration is not such as to require an oral hearing to uphold natural justice and fair procedures. The variation, or any variation, may affect personal rights, but it could not be said that determinations were being made on an individual basis, such that the affected parties might be entitled to have an oral hearing. I feel that the statutory requirements obliging the decision maker to consider the submitted materials are more than sufficient in this particular area, which is largely a matter of policy. Further it is clear that the decisions of the respondents are reviewable by way of judicial review, and indeed in such proceedings this court has held that the variation was vitiated for being biased, prejudged and contrary to competition law.”
68. The judgment does not record argument on the question of whether it was compatible with the separation of powers to read into the Waste Management Act, 1996 a power or duty to hold an oral hearing in the absence of any express power in the legislation. The emphasis on the decision there being “largely a matter of policy” is also a point of distinction. Moreover, in the present case no argument was pursued that the failure to afford the applicant an oral hearing constitutes a breach of Article 6.
69. The decision in Mooney was based on very different facts. There the plaintiff had been employed by the defendant as a postman. Following complaints and investigations, criminal charges were preferred against the plaintiff, of which he was acquitted. Following his acquittal the plaintiff failed to answer certain queries raised by the defendant. He then sought an oral inquiry into the allegations made against him which was refused, and he was later dismissed. He contended that he was entitled to rely upon his acquittal in the criminal case to defeat the civil complaint against him, and argued that the dismissal was in breach of fair procedures as he was entitled to an oral hearing. The Supreme Court held that his acquittal on the criminal charges did not debar his employer from an attempt to establish the same proposition on the balance of probabilities. In a passage cited by the applicant in this case, Barrington J. stated at p. 298:-
“If the contract or the statute governing a person’s employment contains a procedure whereby the employment may be terminated, it usually will be sufficient for the employer to show that he has complied with this procedure. If the contract or the statute contains a provision whereby an employee is entitled to a hearing before an independent board or arbitrator before he can be dismissed then clearly that independent board or arbitrator must conduct the relevant proceedings with due respect to the principles of natural and constitutional justice. If however the contract (or the statute) provides that the employee may be dismissed for misconduct without specifying any procedure to be followed, the position may be more difficult.”
70. In the present case the procedure which the respondent is mandated to follow in s.10(1)(a) is to “investigate” complaints and come to a decision. There is nothing stated in s. 9 (which establishes the office of the Commissioner and sets out her functions), or in s. 10 (concerning investigation of complaints and enforcement in cases of contravention), in relation to oral hearings. In Mooney Barrington J. at p. 299 held that the plaintiff was not entitled in the circumstances of the case to a hearing before the board of An Post or even to see the report of the investigating officer. At p. 300 he observed:-
“To attempt to introduce the procedures of a criminal trial into an essentially civil proceeding serves only to create confusion.
It is necessary also to consider the position of the defendant. It was not in a position to set up an independent tribunal with power to subpoena witnesses even had it wished to do so. At the same time it had received serious complaints from members of the public touching the integrity of the postal services. The defendant could not responsibly ignore these complaints even though the members of the public did not wish to become involved before any court or tribunal.”
71. This passage serves to emphasise the difference between Mooney and the present case, but also points to the conclusion that the Commissioner is not in a position to set up a quasi-tribunal to conduct an oral hearing with sworn witnesses and cross-examination in the absence of appropriate express powers.
72. It must be accepted that the respondent’s function under s. 10(1)(a) is to investigate possible contraventions of the Data Protection Acts. I also accept that Recital (63) of the Directive recites that the supervisory authority “must have the necessary means to perform their duties, including powers of investigation and intervention, particularly in cases of complaints from individuals…”. However, no authority was cited for the proposition that the word “investigation” should be given a broad meaning to include the power to hold oral hearings.
73. Counsel for the respondent brought to my attention Graham v. Albert [1985] RTR 352 where May L.J. had occasion to consider the true construction of “investigation”. At p. 357 he stated:-
“The point which Mrs. Barnett makes, drawing a distinction between the present legislation and that which called so much trouble in earlier days, is that the use of the word ‘investigation’ in section 8 of the Road Traffic Act 1972 contemplates something much more formal than took place on this occasion. It contemplates, for instance, particularly in relation to a potential offence under section 5, calling a doctor to examine the condition of the alleged offender. For my part, with respect, I cannot construe that word in section 8 as requiring any such greater formality than the ordinary plain meaning of the word ‘investigation’ would normally involve. What the station officer was doing on this occasion was investigating – inquiring into – whether the defendant had committed an offence under section 6 of the Act.”
74. It seems to me that the natural and ordinary meaning of the word “investigate” is to carry out an inquiry into something so as to establish or attempt to establish the truth. I cannot see any good reason for a very broad construction of the word “investigation”, and indeed the construction contended for by the applicant is strained.
75. The Oireachtas has also seen fit to promulgate very detailed provisions regarding the holding of oral hearings in other legislative frameworks. Section 33BA of the Central Bank Act, 1942 relates to the holding of oral hearings in the context of an Administrative Sanctions Procedure and provides that the Central Bank may:-
“(1) Summons a person to attend to give evidence and to produce specified documents;
(2) Require the person to attend from day to day unless excused;
(3) Require a witness to take an oath and administer an oath to the witness;
(4) Require a witness to answer a question or produce a document;
(5) Tender a small statement instead of giving evidence.”
The Central Bank is also given all the powers of a High Court judge with respect to examining witnesses and the witnesses are given the same rights and privileges of a witness before the High Court.
76. Similarly under s. 65(3) of the Medical Practitioners Act, 2007 it is provided:-
“(3) At the hearing of a complaint before the Fitness to Practise Committee—
(a) the chief executive officer, or any other person with leave of the Committee, shall present the evidence in support of the complaint,
(b) the testimony of witnesses attending the hearing shall be given on oath, and
(c) there shall be a full right to cross-examine witnesses and call evidence in defence and reply.”
77. Another example cited to me is an inquiry under the Pharmacy Act, 2007. Under s. 43(7) various offences are created whereby a person who is summonsed fails to attend, or without reasonable excuse fails to take an oath or affirmation, or produce or allow inspection of records or documents, or refuses to answer a question that he or she is lawfully required to answer, or there is anything that would be the equivalent of a contempt of court.
78. These are all examples of the kind of legislative provisions that may reasonably be expected to feature in modern legislation if the Oireachtas intends that an administrative body is to have the power to hold effective oral hearings – and which are absent in the present case.
79. In this context it is notable that s. 24(6) of the Acts provides:-
“(6) A person who obstructs or impedes an authorised officer in the exercise of a power, or, without reasonable excuse, does not comply with a requirement, under this section or who in purported compliance with such a requirement gives information to an authorised officer that he knows to be false or misleading in a material respect shall be guilty of an offence.”
There is no similar provision creating any criminal offence in relation to a failure to attend for a hearing, or a failure to answer a question. It would be entirely inconsistent for there to be a right to an oral hearing before the Commissioner, with no sanction for failure to attend or answer a reasonable question, or comply with discovery, while a criminal offence is created in relation to obstructing or impeding the respondent’s authorised officer in undertaking the investigation.
80. Section 26(1)(d) provides that a decision of the Commissioner in relation to a complaint under s.10(1)(a) may be appealed to the Circuit Court within 21 days of service on the person concerned of the relevant notice. Clearly either the complainant or the data controller/processor could appeal a decision. Nothing in s. 26 restricts the manner in which the Circuit Court can hear such an appeal, and specifically there is nothing in the statute preventing an oral hearing on such appeal.
81. It is instructive to consider O. 60 of the Circuit Court Rules which sets out the procedures to be followed in relation to an appeal under the Acts. Under O. 60, r. 2 all appeals are made “by way of Motion on Notice grounded upon Affidavits sworn by the appellant …”. This must exhibit the relevant decision of the Commissioner and the notification of same, and under rule 3 the appeal can be brought in the county where the appellant ordinarily resides or carries on any profession or business or occupation, or at the option of the appellant in Dublin. Under rule 4 notice of the appeal must be given to the Commissioner. Order 60 then provides:-
“5. All appeals under Section 26 of the Act shall be heard upon Affidavit evidence only, save where the Court shall otherwise direct.
6. The Court may, upon application to it by any party to an appeal, direct that such other person or persons be joined as Notice Party(ies) to the appeal as the Court shall deem fit upon such terms as the Court shall direct.”[Emphasis added]
82. Accordingly, there is nothing in O. 60 that prevents the Circuit Court firstly permitting the joinder of a data controller or data processor as a notice party to an appeal by a complainant. Secondly, there is nothing in O. 60 that prevents the court from hearing oral evidence. Indeed O. 60 r. 5 clearly contemplates the court directing that there be oral evidence, or at least limited oral evidence, or perhaps cross-examination on a party’s affidavit.
83. Such a process could be followed in any case where a verbal contravention of the Acts is alleged and disputed, or indeed where any other relevant dispute on fact relative to an alleged contravention arises. Given that such a procedure can be followed in appropriate cases, and that a complainant can thereby secure an oral hearing – or at least a limited oral hearing – on appeal, I am strongly disinclined to hold that there is any entitlement to an oral hearing at the first stage investigation before the respondent.
84. Also significant is s. 7 of the Acts, which provides, so far as relevant:-
“(7) For the purposes of the law of torts and to the extent that that law does not so provide, a person, being a data controller or a data processor, shall, so far as regards the collection by him of personal data or information intended for inclusion in such data or his dealing with such data, owe a duty of care to the data subject concerned…”
85. This creates a new actionable duty of care; there is no need to show defamatory publication, breach of privacy, breach of confidence, or misfeasance in public office where mala fides might have to be established. A person who is aggrieved and has suffered loss or damage consequent on a contravention of the Acts by a data controller or data processor can now sue for damages. In that context a court hearing the claim will receive oral evidence, and be in a position to determine any dispute of fact.
86. This additional right opens up a new right of action that could reasonably be pursued by a person in the applicant’s position if they have suffered loss or damage. It further persuades the court that the Acts did not intend and should not be construed as meaning that an oral hearing can be held before the Commissioner. In so finding it should be stated that I do not decide this case on the basis that the applicant has an ‘alternative remedy’ under section 7. What s. 7 does is confer on a complainant who has suffered damage a right additional to the right to have the respondent investigate the complaint of contravention. Rather, s. 7 is a further factor that leads to my conclusion on the substantive issue.
Appeal Remedy
87. I have already indicated that the right of appeal from the Commissioner provided by s. 26 provides an avenue for an oral hearing in an appropriate case. Thus, if the applicant had appealed the respondent’s decision of 23rd March, 2015 application could in due course have been made to join the Credit Union as a notice party, and application could have been made to the court for oral evidence to be given by the applicant’s father and Mr. McGrath as the main protagonists, and for the purpose of resolving the disputed facts in relation to the alleged disclosure. This is the process allowed for by the legislative framework. Had the applicant availed of it the dispute of fact could have been resolved, one way or another. I am satisfied that this is the remedy that the applicant could, and should, have pursued in this case.
Conclusion
(1) The applicant’s claims for reliefs arising out of the letter dated 16th February, 2015 were rendered moot by the issuance of the respondent’s formal statutory decision dated 23rd March, 2015, which decision was made within jurisdiction.
(2) The respondent is not empowered under the Data Protection Acts, 1988 and 2003 to hold an oral hearing in relation to disputed facts arising on investigation of a complaint, nor does the respondent have any inherent power to hold an oral hearing, and the applicant therefore had no entitlement to an oral hearing before the Commissioner.
(3) The applicant could have appealed the Commissioner’s decision dated 23rd March, 2015 to the Circuit Court, and that court could have joined the Credit Union as a notice party and determined the dispute after hearing oral evidence. That process would have afforded the applicant an oral hearing and would have resolved the factual dispute in relation to disclosure of personal data.
88. Accordingly, it is not necessary to consider the applicant’s further claims, and these proceedings are dismissed.
Various Claimants v WM Morrisons Supermarket Plc
Vicarious Liability
(Rev 1) [2017] EWHC 3113 (QB) (01 December 2017)
MR JUSTICE LANGSTAFF:
This group action raises the question whether an employer is liable, directly or vicariously, for the criminal actions of a rogue employee in disclosing personal information of co-employees on the web, whether under the Data Protection Act 1998, an action for breach of confidence, or in an action for misuse of private information.
On 12th January 2014 a file containing personal details of 99,998 employees of the Defendant (“Morrisons”) was posted on a file sharing website. Shortly after that, links to the website were also placed elsewhere on the web. The data consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and the salary which the employee in question was being paid. On 13th March 2014, a CD containing a copy of the data was received by three newspapers in the UK, one of which was the Bradford Telegraph and Argus, a newspaper local to Bradford where Morrisons has its head office. The person sending the CD did so anonymously, purporting to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 Morrisons employees was available on the web. It gave a link to the file-sharing site.
The information was not published by any of the newspapers concerned. Instead, the Bradford Telegraph and Argus told Morrisons of it. There was immediate concern. Morrisons’ annual financial reports were about to be announced. The revelation of this data, with its implication that Morrisons could not be trusted to keep data secure, had serious implications for the share value of Morrisons. Much more important, though, was the immediate concern of the most senior managers within Morrisons that the information might be used by outsiders to access the bank accounts of individual employees (though they were assured by banks over the next 2 or 3 days this could not happen, without yet more information being disclosed) or used to aid identity theft. It could enable intending fraudsters to phish for the additional information to enable dishonest access to the employees’ bank accounts, take out loans, or make purchases under an assumed identity. This was a serious risk.
Morrisons’ head management was alerted to the disclosure on 13th March 2014. Within a few hours, they had taken steps to ensure that the website had been taken down. Such links as there were to the file sharing website from other sites were then no longer effective in helping a searcher to discover any personal data. Morrisons also alerted the police. It was rapidly established that the data, in the quantity and style in which it was presented, had almost certainly been derived from data held centrally by Morrisons in relation to its employees, both present and, in some cases, past. Only a limited number of employees had been permitted access to the whole of this data, which was held in a supposedly secure internal environment created by proprietary software known as “PeopleSoft”. It was possible to tell when the data had been extracted by comparing the disclosed material with the database: the times that entries were made into the database or deletions made from it were automatically logged. Thus, where data now on the database was not amongst that disclosed, this suggested the disclosed data had been extracted beforehand.
It was possible by this process to show that the data held in PeopleSoft had been copied during the afternoon of 14th November 2013. It was then also possible to show that at that time one of the “super users” (the name for people who had access to the whole of the PeopleSoft database, as opposed to having access only to that part which related to them personally or, in some cases, to those employees under their line management) had extracted data corresponding to that disclosed by means of an SQL (Structured Query Language) query within the time period during which the data containing the information disclosed must have been copied. This person was Michael Leighton. He was arrested on 17th March 2014.
Another employee – an investigator – was also identified as a suspect. This was because his initials and date of birth appeared in the user name adopted for the account which had been used in January 2014 to post the data file onto the internet.
It very quickly emerged that Michael Leighton was not responsible for disclosing the file to the web, and that where the initials and date of birth of the investigator had been used this was in a deliberate attempt to frame him. He too was completely innocent.
On 19th March, Andrew Skelton, a Senior IT Auditor in Morrisons’ employment, was arrested. He was charged with an offence under the Computer Misuse Act 1990, with fraud, and with an offence under Section 55 of the Data Protection Act 1998, tried at Bradford Crown Court in July 2015, and convicted. He was sentenced by the Honorary Recorder of Bradford to a term of 8 years imprisonment, which he still serves.
The Claim
5,518 employees of Morrisons whose data was disclosed by the actions of Skelton on 12th January and 13th March 2014 claim compensation both for breach of statutory duty (under Section 4(4) of the Data Protection Act 1998) and at common law (the tort of misuse of private information, and the equitable claim for breach of confidence). The claims are put on the basis that Morrisons has both primary liability for their own acts or omissions, and secondary (vicarious) liability for the actions of one of their employees harming his fellow workers. In respect of the Data Protection Act, primary liability is said to be absolute or strict, rather than a qualified liability only arising if Morrisons failed to observe appropriate standards: but if it should be held that the Act does not impose an absolute liability, it is asserted that in any event Morrisons failed to observe those standards and is liable on that alternative basis.
The trial has been concerned only with liability. If the court should find in favour of the Claimants in respect of any of their heads of claim, quantum is to be assessed later. Similarly, although in their pleadings the Claimants sought an injunction to prevent Morrisons further disclosing the private and confidential information of the Claimants, and an order under Section 14(4) of the Data Protection Act 1998 blocking each Claimant’s personal data, neither was pursued before me. Accordingly, since most of the facts were not in dispute (having been clarified by the criminal trial and conviction of Skelton) the hearing before me proceeded without any of the Claimants being called to give evidence: they knew little if anything as to how or why the disclosure happened about which they were in a position to give first-hand evidence. That information lay in the hands of Morrisons, and the force of any criticism of what happened, supportive of a case that Morrisons failed to observe applicable standards, depended on evidence called by Morrisons. Accordingly, Morrisons called evidence from five members of senior management of Morrisons (the evidence of a sixth, Ms Crossland, was taken as read).
The parties have agreed that there are 14 issues of fact and law to determine, and set them out in writing. Many of these are themselves subdivided into sub-issues.
The Central Facts
I shall first set out an overview of the facts which set the scene for the determination of those issues. Mr. Barnes, with whom Ms Victoria Jolliffe appears for the Claimants, argues that in a number of respects Morrisons fell short of a proper standard (whether under the Data Protection Act or common law): I shall deal with my more detailed findings of fact when I consider each of those arguments later in this judgment.
There is a statutory obligation resting on Morrisons to have their accounts audited externally. At the times relevant to this action, the external auditor was KPMG. In order to perform the audit, KPMG would, each year, request data so that it could test the accuracy and reliability of the information produced to it. In 2012 (and probably earlier) it asked to have a copy of Morrisons’ payroll data so that the integrity of the data could be assessed: payroll expenses are a significant part of Morrisons’ accounts. In 2012, amongst various other requests for information KPMG asked for a copy of the “payroll data” being the data from which the data in the file disclosed were copied. This was not the only data requested by KPMG. It was, however, the only data to come from the PeopleSoft system.
Morrisons had an internal audit team. At the time of the disclosure, Mr Chowdhery was its head. It had within it an IT audit section. That team was headed up by Graham Daniels, who gave evidence before me. Two or three IT auditors, specifically recruited for the purpose by Mr Daniels, reported to him. One of those was Andrew Skelton (“Skelton”).
Skelton was a senior IT internal auditor. As such, his role involved speaking to fellow employees about their work and processes, and obtaining sight of relevant documents concerning them. Some of those whose work he had to audit would be more senior than he was. He was given the responsibility and authority to speak to many colleagues and request sight of their documents. He had to exercise diplomacy and sensitivity, and would frequently be expected to gain access to and use information that was sensitive, not only in a business sense, in that it was strictly confidential for internal use only, but also potentially sensitive so far as the colleagues providing the information were concerned. Colleagues had to feel that he was both reliable and trustworthy.
As a senior IT auditor, he was highly IT literate, with a good technical understanding of IT security issues, operating systems, user access and cryptography.
Unknown at the time to his employers, Skelton operated a sideline in dealing with a slimming drug. He bought quantities, probably in kilograms, from a wholesaler, and re-packaged these in smaller quantities which he offered for sale on eBay. He did this in his own time, as a personal business. It has not been suggested that this was in conflict with the business of Morrisons. He did not use Morrisons’ facilities, except on those occasions when, if he had not posted a package to a customer from a post box or office local to his home, he would put the package through Morrisons’ post room. When he did so, it had already been appropriately stamped by him. No dishonesty was involved: there was no direct cost to Morrisons.
The drug was Phenylalanine, a close analogue to Amphetamine. Whereas Amphetamine is a class B drug, the supply of which is unlawful, the supply of Phenylalanine is not.
On 20th May 2013, an envelope he had posted in this way came open in the post room at Morrisons. It contained white powder. This caused immediate alarm to those in the post room, who did not know what the powder was, and who had a protocol for dealing with such incidents. The incident might easily have led to the closure of the post room in accordance with the protocol. The police were called. They suspected the drug might be Amphetamine. A field test at the local police station was indicative of this. Since there was no attempt to hide the identity of the sender, which was mentioned in documents within the package, it was clear that Skelton had sent it. He was arrested and escorted from the premises of Morrisons. He was suspended from work, pending a definitive laboratory analysis of the powder. It took just over a month before the results of that were notified. They showed that the drug was not illegal. Accordingly Skelton, who had been on suspension throughout this period, was permitted to return to work. He did so on 3rd July 2013.
However, Morrisons decided to discipline him for the incident, which had caused considerable concern, and might well have led to the closing down of the post room for a day with serious implications for the business. On 9th July 2013 he faced a disciplinary hearing, following which, on 18th July, he was given a formal verbal warning. Though this was described in witness evidence as the lowest level of sanction within the disciplinary procedures, this is not quite so. Morrisons’ disciplinary code provided that where after a hearing it was concluded there had been misconduct, possible outcomes began with informal action which is plainly meant to be less serious. It is, however, correct to say that formal actions available to the employer began with a verbal warning, followed by a first written warning, a final written warning, then dismissal on notice for the more serious cases, and summary dismissal for the most serious. It is worth noting for what follows that it is only in the case of dismissal that the code provides for an alternative, lesser, sanction, that of demotion to a lesser position or transfer to an alternative role or department. Though described as a “verbal” warning, the essence of the warning was recorded in writing in a letter written formally to Skelton, as was the practice. It was to stay on his file for six months.
Skelton was unhappy that he had been given a formal, albeit “verbal”, warning, and said as much to his line manager Graham Daniels. Mr Daniels thought that Skelton had been irritated by the fact he was given such a low level of sanction, since this reinforced his (Skelton’s) view that Morrisons’ initial reaction to the incident had been excessive, even though he (Skelton) understood that a disciplinary process had been warranted. He thought the sanction disproportionate, and exercised his right to appeal. The appeal came before Ms Joanna (“Jo”) Goff on 15th August 2013 and was rejected. The disciplinary decision recited that Skelton’s actions had not been in accordance with Morrisons’ values. Those values are set out in a handbook given to all employees. There are 6 of them: “Can Do”; “One Team”; “Bringing the Best out of our People”; “Great Selling and Service”; “Great Shopkeeping”; and “Fresh Thinking”.
At his trial Mr Skelton denied being responsible for the data disclosure. He did not advance any reason for having acted as he did. However, the Recorder of Bradford had no doubt that it was the white powder incident which caused Skelton to do as he did. When sentencing Skelton on 17th July 2015 he said:
“[the white powder incident]… was concluded against you, not that in fact there was anything particular that happened by way of discipline of you. One would think that any sensible, reasonable person would have just put that behind them and got on with life and got on with their job. That was not your reaction. Your reaction was to harbour a very considerable grudge and harbour very considerable bad feelings towards Morrisons. That much is evident if nothing else, from the resignation letter that you drafted in November of that year, a few months after the incident and disciplinary proceedings had been concluded. It was rankling very deeply and nastily with you.
Your reaction was to set about, in October or November, doing Morrisons some real damage, and you achieved that of course. Over a period of months at the end of the year you set about getting sensitive information from Morrisons – it came legitimately into your hands, trusted as you were in that IT department – the pay roll details and personal details of all the employees at Morrisons, who of course number over 100,000. Having got hold of that material legitimately at work you took it away from work electronically and you, in November and December – so over a period of weeks, not just on the spur of the moment – started to set up what you put into effect in 2014. You created a false email account, you got a pay as you go mobile telephone that could not [be] traced back to you, you started to use the TOR system which we heard about which is a way of seeking and achieving anonymity in terms of what you were to do on the internet. …it was cold and calculating and designed, no doubt, to do as much damage to Morrisons as could be achieved.”
Not only did His Honour Judge Thomas QC, the Honorary Recorder, have the benefit of hearing the evidence in the criminal trial which included that of Skelton himself, such that I would in any event pay great respect to his conclusions, but these findings are also entirely consistent with the documentation before me.
On 9th October 2013, unknown to Morrisons, Skelton made a search for “TOR” on his work computer. The acronym stands for “The Onion Router”: software which is capable of disguising the individual identity of a computer which has accessed the internet.
On 1st November, the external auditor, KPMG, requested a number of categories of data from Morrisons. This was held in different places. It was convenient that the data be collated before transmission to KPMG. The request came to Mr Daniels. In previous years Mr Daniels had been charged by Mr Chowdhery, head of the team, with arranging for the transmission of such data to the external auditor. Mr Daniels delegated the task in 2013 to Skelton, one of the two or three internal auditors who reported to him, just as he had delegated an identical task to Skelton (I find) in 2012. Skelton in turn sent an email request to Dan Moore of the HR department, who had super-user access to PeopleSoft. He in turn delegated the task of extracting a copy of the data, by means of an appropriate SQL query, to Michael Leighton. On 14th November, Michael Leighton obtained an electronic copy of the data. This was in the late afternoon. He attempted to email the data internally to Skelton. I find that the transfer would have been secure if the internal email system had been able to cope with the transfer of a data file of that size. It was not. So, although Michael Leighton completed documentation suggestive that the transfer had been effective on 14th November 2013, in fact the email “bounced back” to Michael Leighton’s computer. Accordingly, the next day Michael Leighton copied the data from his computer onto a USB stick. Insofar as it is in issue I find that the USB was encrypted (personal USB sticks were not to be used; a limited number of USB sticks were made available to senior employees, obviously for the transfer of data, and all were encrypted; the overwhelming probability is that Michael Leighton used one of these, and there is no reason to suppose otherwise). He took the USB stick personally to Skelton at his laptop computer, which was itself encrypted. He was present while the data was downloaded from the stick onto the computer and he then returned with the USB stick to the (nearby) desk from which he had come.
Skelton was supplied with a separate USB stick, from KPMG, encrypted by it, onto which he later copied the data. He had the task of collating the payroll data and other data which had been requested by KPMG, which was not itself held on the PeopleSoft system. For that reason, the payroll data was not sent immediately to KPMG, but remained stored for the time being on Skelton’s computer. The precise date on which Skelton provided the payroll data to KPMG on a KPMG USB (together, I assume, with the other data he had collated) is not known. It must, however, have fallen between the 15th November (when he, Skelton, was supplied by Leighton with the data) and 21st November.
On 18th November 2013 it is agreed by the parties that an unknown USB device was inserted into Skelton’s work laptop. Various files which included the payroll data and the file later uploaded to the file sharing website (which was termed the “FTSE 100” file) were deleted from the same USB on the 12th March 2014, using Skelton’s personal computer to do so. From this, limited, material, coupled with the knowledge (it is agreed as fact) that on 14th November Skelton obtained the mobile phone he was later to use to facilitate the offending data disclosures, I infer that Skelton copied the payroll data onto a personal USB at work on 18th November 2013, and that this was a step in his criminal conduct. Given that in December the phone was registered with an email address implicating the innocent investigator, and that it was not used until the 12th January when uploading data to the web, I infer that Skelton – who would have known from his previous year’s experience what type of data he would be dealing with – had it in mind from before the 14th November to misuse that data.
The next incident of note before the uploading of the data to the file-sharing website was on 16th December 2013. Skelton attempted to access the TOR website from his work laptop. This was unknown to Morrisons until after it had come to light that the employee details had been placed in a file on a file sharing website and copied to national and local newspapers, on respectively 12th January and 13th March 2014.
No point arises for decision in respect of Morrisons’ reaction to the disclosures once it knew of them.
Each employee had supplied the information later disclosed because it was required by Morrisons upon that employee taking employment with them.
The Claimants’ Case
So far as direct, primary, liability is concerned, the Claimants made claims under the Data Protection Act 1998, under common law for misuse of private information, and in equity, for breach of confidence. If Morrisons were not held primarily liable, the Claimants submitted they were liable vicariously, under each of the three heads. I shall deal with each of the claims in turn, beginning with the claims of primary liability.
Ms Proops argued that there could be no primary liability for breach of confidence, for Morrisons itself did not breach the confidence.
Data Protection Act 1998
The Data Protection Act (the “DPA”) provides, so far as material, as follows. By section 1 (headed “Basic interpretative provisions”):
“(1) In this Act, unless the context otherwise requires—
“data” means information which—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system,
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68; ….
“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
“data subject” means an individual who is the subject of personal data;
“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;
(2) In this Act, unless the context otherwise requires—
(a) “obtaining” or “recording”, in relation to personal data, includes obtaining or recording the information to be contained in the data, and
(b) “using” or “disclosing”, in relation to personal data, includes using or disclosing the information contained in the data.
(3) In determining for the purposes of this Act whether any information is recorded with the intention—
(a) that it should be processed by means of equipment operating automatically in response to instructions given for that purpose, or
(b) that it should form part of a relevant filing system,
it is immaterial that it is intended to be so processed or to form part of such a system only after being transferred to a country or territory outside the European Economic Area.
……………………”
Section 4 provides, under the heading “The data protection principles”:
“4.—
(1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.
(2) Those principles are to be interpreted in accordance with Part II of Schedule 1.
(3) ………..
(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.”
Part I of Schedule 1 states, so far as relevant:
“SCHEDULE 1
The data protection principles
PART I
The principles
1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and, where necessary, kept up to date.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Personal data shall be processed in accordance with the rights of data subjects under this Act.
7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.”
The data protection principles are expanded by Part II of Schedule 1 as follows (again, so far as material):
“The first principle
1.—
(1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
………
2.—
(1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless—
(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and
(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).
……………
(3) The information referred to in sub-paragraph (1) is as follows, namely—
(a) the identity of the data controller,
(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
………….
The second principle
5.
The purpose or purposes for which personal data are obtained may in particular be specified—
(a) in a notice given for the purposes of paragraph 2 by the data controller to the data subject, or
(b) in a notification given to the Commissioner under Part III of this Act.
6.
In determining whether any disclosure of personal data is compatible with the purpose or purposes for which the data were obtained, regard is to be had to the purpose or purposes for which the personal data are intended to be processed by any person to whom they are disclosed.
…………
The seventh principle
9.
Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.”
As to the consequence of any breach of the duty to observe these principles, section 13 provides:
“13.— Compensation for failure to comply with certain requirements.
(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
…………..
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care, as in all the circumstances, was reasonably required to comply with the requirement concerned.”
Of relevance to the present claim is that data is “information”: it is plain that a principal thrust of the Act concerns data electronically held, as was the information in respect of the employees’ identities as set out above. What is important for what follows are the definitions of “data controller”, “data processor” as set out above, and Section 1(2) which provides that unless the context otherwise requires “disclosing” in relation to personal data, includes disclosing the information contained in the data.
The Claimants argue that Section 4(4) places a duty on a data controller to comply with the data protection principles in relation to all personal data with respect to which he is data controller. Here, the Claimants say Morrisons were at all relevant times the data controller in respect of the payroll data abstracted from PeopleSoft by Michael Leighton and transferred to Skelton. They assert that Morrisons did not comply with data protection principles 1, 2, 3, 5 and 7.
For DPP1 to be satisfied certain conditions are to be met before the data may be regarded as being processed fairly and lawfully. The first of those conditions, to be found in DPA schedule 2, is that the data subject has given his consent to the processing. That did not happen, because none of the Claimants consented to Skelton processing the data by copying it, processing the original data so as to produce an extract of the information of which the original data consisted, and then sending that extract to the file sharing website.
They claim, too, that DPP2 was not complied with because the data was processed not only for administration, payroll and audit purposes, but for the criminal purposes known only to Skelton. They assert that what happened was thus processing in a manner incompatible with the purposes for which the data was obtained from them.
DPP3 requires that “personal data are not excessive”. Beyond complaining that this principle was broken, the Claimants’ argument in court did not further amplify the way in which the data they provided to Morrisons was “excessive”: on the face of it, it was exactly the sort of payroll information which almost any employer is likely to require, and then to hold. Only a little more was said as to the claim in respect of DPP5 – that personal data are not to be kept for longer than necessary for the purpose or purposes for which they have been obtained. Insofar as Morrisons were concerned, it was thought necessary to keep the information in the hands of Skelton, as Morrisons thought securely, for a short period after transfer to KPMG: there might need to be queries raised, which it would be easier and more efficient for Skelton to answer from the material stored on his work laptop rather than have once again to request a superuser to conduct an SQL request to identify the data again, and transfer it once more to him. I accept the Defendant’s evidence that if the system had required such requests and answers it would have incurred the additional risk inherent in any transfer of data out of the secure environment of PeopleSoft to a laptop, even if encrypted. I find that to do as was done was thus, if marginally, the safer option.
Although Section 13 of the Act provides that it will be a defence (the burden of proving which rests upon the Defendant) to show that all reasonable care was taken by the Defendant to satisfy the data protection principles, the Defendants have not relied upon this defence. In the absence of their doing so, there could be no defence to a claim if it were shown that any of DPP1, 2, 3 or 5 were broken. As to DPP7, there would be a breach if there were a failure to apply appropriate technological or organisational measures to prevent the disclosure or loss in question. It is thus necessary to determine what the scope of “appropriate” measures are, an inquiry necessarily related to the particular facts of the particular case.
Ms Proops QC, who appears with Mr Paines for Morrisons, makes a case that they do not need to avail themselves of the defence in section 13 to avoid primary liability. This is because the structure of the Act places the responsibilities created by DPP1-8 upon the data controller, as defined. She argues that data is not the same as “property”. It consists of information: information is not the same as property. If information is seen and copied, it is not sensible to talk of the information as having been “stolen”: unless it is deleted at the same time as it is copied it remains on the database from which the information was extracted. At any one time there may be many sets of data containing precisely the same information. In Your Response Ltd v Data Team Business Media Ltd [2014] EWCA Civ 281, it was held that the concept of possession in the conventional sense had no meaning in relation to intangible property, and it was thus not possible for a lien to exist over an electronic database. At paragraph 42 of the judgment Floyd LJ noted that although information may give rise to intellectual property rights the law has been reluctant to treat information itself as property. The court declined to do so in the case before it; in the words of Moore-Bick LJ (paragraph 19) the process of entering information into an electronic data storage system:
“…does not in my view render the information itself a physical object capable of possession independently of the medium in which it is held and in the electronic world the distinction is of some importance because of the ease of making and transmitting intangible copies.”
This conceptual understanding of information as being distinct from tangible property helps to explain the way in which the Data Protection Act 1998 is structured. The duties under section 4, and generally within the Act, are imposed upon a data controller, even if a third party may be guilty of a criminal offence under section 55 of the Act as was Skelton here. In Ittihadieh v 5-11 Cheyne Gardens RTM Company Ltd [2017] EWCA Civ 121, in the course of considering a case which centred upon the law relating to subject access requests under the DPA, the court had to decide (as an issue) the scope of the definition of “personal data” in Section 1 of the DPA, and the question who was a “data controller” (see paragraph 1(i) and (ii) of the judgment). In a judgment with which Lloyd-Jones and McCombe LJJ agreed, Lewison LJ said at paragraphs 70 and 71, under the heading “who is a data controller?”, as follows:
“70. A data controller is a person who makes decisions about how and why personal data are processed. It is clear from the terms of section 7(1)(a) that the data controller is responsible for persons who process data on his behalf. Thus it follows that a person who processes data as agent for a data controller is not himself a data controller in respect of those data. Even where decisions about data are taken by natural persons, they will not themselves be data controllers if those decisions are made as agents of a company of which they are directors: Re Southern Pacific Personal Loans Ltd [2013] EWHC 2485 (Ch);
71. On the other hand, if they are processing personal data on their own behalves they will be data controllers as regards that processing and those data. The question may then arise whether they are entitled to one or more exemptions under the DPA.”
Mr Barnes, appearing with Ms Jolliffe for the Claimants, said expressly in closing that he took no issue with the general terms in which those two paragraphs are expressed. Moreover, since the reasoning concerned one of the issues in the case, the view expressed binds me. In any event, I consider it flows from the way in which the Act is structured, and if it had mattered I would independently have been of the same view as the Court.
In closing, Mr Barnes thus accepted that if Company A copied data which it held as data controller, and transmitted that copy to Company B, then if Company B did not handle that data in accordance with any one of the data protection principles, Company B would be liable. It would be liable alone, unless it were to process the data for Company A, for it would now be the data controller in respect of the data copied to it: Company A would not. The fact that Company A would remain data controller of the data from which the copy was made would be beside the point. Bringing the example more closely to the facts of the present case, when Skelton transferred a copy of the data he had been given by Leighton from his work laptop onto the USB stick given him by KPMG, and that data was taken to KPMG, KPMG alone were the data controller in respect of the information contained on that data set. Of course, Morrisons remained the data controller in respect of precisely the same information on their own equipment. Mr Barnes accepted that for the purpose of the case in relation to vicarious liability which he sought to advance, he could only do so under the DPA if Skelton were a data controller, in respect of the data eventually disclosed on to the web, for only as such would Skelton owe any duty himself which might result in Morrisons having secondary liability for his wrongs. Yet for him to be data controller in respect of that data would put him in no different a position, in my view, from the position occupied respectively by Company B or KPMG in the two examples just given.
Ms Proops’ submissions are entirely in line with this approach. She submits that Morrisons owed duties under Section 4(4) DPA only while data controller, and only qua data controller. Skelton became data controller in respect of that information once he put himself in the position of determining the purposes for which and the manner in which the personal data he was about to copy from his laptop was to be handled. When he decided to settle his grudge against Morrisons by means of disclosing it, eventually, on the internet, he was acting just for himself. He was in the same position as the hypothetical individual considered in paragraph 71 of Ittihadieh.
Mr Barnes argues that if a data controller may only be held liable if it has contravened its statutory obligations under the DPA, Ms Proops’ analysis would have a data controller complying with the DPA through the actions of its employees, but never being in breach of its obligations should an employee misuse data. He submits this would make a nonsense of the statutory scheme, for a data controller could simply disown any act of its employee which if attributed to it would put it in breach of statutory duty. Instead, to be effective the statutory scheme itself should impute to a non-natural data controller the data processing actions (good or bad) of its employees.
I cannot accept this. Not only do I see no reason why, if it is sound, the principle should not apply to natural persons as well as corporate bodies, for both may have employees, and both may act through them, but at its heart is the contention that upon its true construction the Act imposes liability on a data controller not only for those breaches it has authorised or facilitated (acting, if a corporation, by individuals to do so) but also for those it has neither facilitated nor authorised. Indeed, it may have taken great pains to avoid doing so. If a corporation (or individual) is to be liable for breaches which it is in no sense responsible for either authorising or requiring, but which are committed by employees acting in contravention of its wishes, that liability may be established vicariously – but not directly.
Untrammelled by the question whether the European origins of the DPA require me to interpret the Statute to hold that when Skelton copied the data unlawfully onto a personal USB stick Morrisons remained primarily liable for this, I would reject the Claimants’ case in respect of direct liability under the DPA. I would hold the wording of the Statute, interpreted as it was in Ittihadieh, to be such that Morrisons (a) were not the data controller at the time of any breach of DPP1, 2, 3 and 5 in respect of the information later disclosed on the web, and that (b) since they were not the data controller in relation to it, owed no duty to the Claimants in respect of which they were in breach, unless it were the duty to comply with DPP7.
Although little was said about it during the trial, the fact that the DPA was enacted in order to implement a European Directive nonetheless cannot be ignored. A Directive obliges Member States to whom it is addressed to achieve the results it directs. The obligation resting upon a domestic court when interpreting national legislation which implements a Directive is thus to achieve a conforming interpretation: to interpret it “as far as possible” in the light of the wording and purpose of the directive to achieve the result sought by the latter: see Marleasing v LA Comercial Internacional de Alimentación SA (1992) 1 CMLR 305, and Pfeiffer v Deutsches Rotes Kreuz Kreisverband Waldshut eV [2005] ICR 1307. Accordingly I have to ask whether it requires an interpretation other than that I have already indicated. The linguistic features of the legislation are not conclusive. The effect of interpretation may be to change the meaning of legislation in order to correspond with the purpose of the European law concerned. But the court is not a legislator. There is a critical difference between interpretation on the one hand and legislation on the other. Thus in Ghaidan v Godin-Mendoza [2004] 2 AC 557 HL it was accepted that the interpretation chosen by a court must “go with the grain of the legislation”, for this would be consistent with the legislative purpose, whereas going against that grain would constitute the court a law maker. Lord Nicholls, Lord Steyn and Lord Rodger all accepted that there would be occasions when the courts could not adopt a conforming interpretation because that would involve making policy choices which the court was not equipped to make. (Though Ghaidan concerned the European Convention on Human Rights, it is now well recognised that the principles relating to interpretation in conformity with a Directive are not materially different.)
The scope of the Directive, with a view to determining whether section 13 of the DPA was in conformity with it, came for consideration before the Court of Appeal in Vidal-Hall v Google Inc [2015] EWCA Civ 311, [2016] QB 1003. In the joint judgment of Lord Dyson MR and Sharpe LJ, with which McFarlane LJ agreed, the court rejected an appeal against a decision of Tugendhat J at first instance. There were two issues – the first whether the cause of action for misuse of private information is a tort (to which I shall return later in this judgment for other purposes) and the second the meaning of “damage” in Section 13 of the DPA. As for the second issue, the court had necessarily to decide whether the DPA could be interpreted such that “damage” included non-pecuniary loss, such as stress.
The Court noted that the DPA was intended to implement Directive 95/46/EC of 24th October 1995, a Directive “on the protection of individuals with regard to the processing of personal data and on the free movement of such data”. At paragraph 56 Dyson MR and Sharpe LJ said:
“The Directive as a whole is aimed at safe-guarding privacy rights in the context of data management. This is repeatedly emphasised in the recitals:
“(2) Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;…”
…(7) Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions…
…(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognised both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;…
…(11) Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained within this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data…
Article 1 provides for the object of the Directive
“1. In accordance with this Directive Member States shall protect the fundamental rights and freedoms of natural persons and in particular their right to privacy with respect to the processing of personal data.” “
The Court held that from this material it emerged that the purpose of the DPA was to “provide a high level of protection to the right of privacy in respect of the management of personal data by data controllers”. To achieve that purpose, the court considered that Section 13(2) of the Act should be disapplied: the Marleasing principle did not permit an interpretation of “damage” which would be consistent with it: a restriction to pecuniary loss, which the use of that word conveyed, was an important element of the compensation provisions that Parliament had enacted. The importance to the scheme of the Act as a whole of the provisions for compensation, in the event of any contravention by a data controller, within the limits set by Parliament to the right to compensation, made them a fundamental feature of the legislation. Yet given the purpose and meaning of the Directive it could only properly be implemented if “damage” permitted non-pecuniary harm, such as distress and loss of autonomy over personal data, to be the subject of compensation.
Just as was the case in Vidal-Hall, where the court had to ask whether it was necessary to interpret the legislative provisions to achieve the purpose of the Directive it had identified and, if they could not be so interpreted, to disapply them, I have to ask in the present case whether it is contrary to the purpose of the Directive to hold that the processing of employee data in a manner unauthorised by those employees is something for which Morrisons is not liable. If it is, I should either find a way of interpreting the DPA to fulfil the purpose, or must disapply the relevant provisions. This is so even if, upon a literal reading of the Act, it were to be held that the natural reading of the Act excluded liability where the processing concerned was by the act of a third party, contrary to the desires of Morrisons and authorised neither by it nor by any of its employees in authority.
The effect of so holding would, as Ms Proops points out, amount to absolute or strict liability dependent only upon the fact that information supplied to Morrisons had been disclosed subsequently on the internet.
I accept both that where an Act of Parliament is the domestic implementation of an E.U. Directive a court should take a purposive approach to the interpretation of that legislation, and that the purpose is that to be found in the Directive. I accept too (it is in any event binding upon me) that the purpose is as described in Vidal-Hall. I cannot, however, construe either the Directive or the Act as requiring a data controller to be responsible even without fault for the subsequent disclosure by a third party of some of the information given to it. This is because although the directive has as its principal purpose the safe-guarding of the rights of data subjects, the recitals do not suggest that once a person holds information relating to others as a data controller that person is automatically to be liable for any disclosure by a person who is not acting on behalf of the data controller in making it.
Recital 25 to the Directive provides that:
“Whereas the principles of protection must be reflected, on the one hand, in the obligations imposed on persons, public authorities, enterprises, agencies or other bodies responsible for processing, in particular regarding data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the right conferred on individuals, the data on whom are the subject of processing to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances…”
Recital 46 reads:
“Whereas the protection of rights and freedoms of data subjects with regard to the processing of personal data requires that appropriate technical and organisational measures are taken, both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby prevent any unauthorised processing; whereas it is incumbent on the Member States to ensure that controllers comply with these measures; whereas these measures must ensure an appropriate level of security, taking into account the state of the art and the costs of their implementation in relation to the risks inherent in the processing and the nature of the data to be protected”;
And Recital 55 says:
“Whereas, if the controller fails to protect the rights of data subjects, national legislation must provide for a judicial remedy; whereas any damage that a person may suffer as a result of unlawful processing must be compensated for by the controller, who may be exempted from liability if he proves that he is not responsible for the damage, in particular in cases where he establishes fault on the part of the data subject or in case of force majeure; whereas sanctions must be imposed on any person, whether governed by private or public law, who fails to comply with the national measures taken under this Directive…”
These recitals recognise the differing levels of protection in Member States; the possibility of force majeure, as it is termed, causing problems for data security; and the risks inherent in data processing. They do not speak of a need absolutely to prevent unlawful processing (which would have been all too easy to prescribe if it had been intended) but rather to take “appropriate” measures against it.
The definition of “controller” in the Articles of the Directive is effectively that adopted by the 1998 Act. A “third party” is defined as (Article 2f)
“Any natural or legal person, public authority, agency or any other body other than the data subject, the controller, the processor and the persons who, under the direct authority of the controller or the processor, are authorised to process the data”
In Article 6(1), under “General Rules and the Lawfulness of the Processing of Personal Data” are specified 5 data principles corresponding to data protection principles 1-5 in the 1998 Act, it being provided by Article 6(2) that “it shall be for the controller to ensure that paragraph 1 [i.e. Article 6(1)] is complied with” (emphasis added).
Article 17, headed “Security of Processing”, which relates most directly to the risk of unauthorised disclosure by the actions of someone who is not acting on behalf of, or with the specific authority of, the controller, reads:
“Member States shall provide that the controller must implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction or against accidental loss or alteration, unauthorised disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.”
These recitals and provisions demonstrate that the obligation is placed by the Directive upon the “controller”, and that absolute liability for a disclosure was not contemplated by the Directive itself. Counsel between them can point to no case in which it has been held that the DPA imposes obligations which result in absolute or strict liability.
Such authority as there is also supports an approach which would deny absolute liability. In Swinney v Chief Constable of Northumbria (1999) 11 Admin L.R. 811 a claim was brought under the Data Protection Act 1984 – and for breach of confidence – when a briefcase containing information relating to a murder enquiry was stolen from a police car, even though the car had been locked and the briefcase placed under the driver’s seat, at a time when the officers concerned were investigating another matter. Jackson J, as he then was, held that the phrase “reasonable care” properly limited the extent of the duty. Though the 1984 Statute was a predecessor of the 1998 Act, and the latter must be construed independently of its 1984 predecessor since the origin of the 1998 Act is in the Directive, Mr Barnes conspicuously did not argue that in “Swinney-type circumstances” a data controller would be liable. He attempted to draw a distinction between actions such as hacking, a Swinney-type loss of data, or unlawful copying of data by an intruder to the premises where it was kept, on the one hand (where, on his submissions, the data controller would not be held liable provided adequate technological and organisational measures had been taken to safeguard against them) and circumstances such as those in the present case on the other, by arguing that in those examples the third party was an outsider. It was different, he submitted, where the person acting unlawfully and without authority was an insider. Ms Proops QC correctly argues that this is an unprincipled distinction. Insofar as an “insider” (such as an employee of the data controller) processes data unlawfully because that is what he has been told by the data controller to do, or because he is lawfully authorised to do so by the data controller, his actions are not those of a third party at all. They are in law the actions of the data controller itself. I agree.
If there is to be liability for the actions of an “insider” of this type, rather than an “outsider”, this liability must in my view rest upon the principles of vicarious liability to which I shall turn later in this judgment.
The short answer therefore, to the claim that Morrisons are liable under the Data Protection Act for having broken the data protection principles (other than DPP7) is that they did not, as data controller, themselves offend against those principles. The acts said to break those principles were those of a third party, and not their own.
Similarly, the assertion that there is direct liability in respect of breach of confidence or misuse of private information also fails: it was not Morrisons that disclosed the information or misused it: it was Skelton, acting without authority and criminally.
DPP7, however, raises different issues, to which I now turn.
DPP7
The seventh principle does not impose a duty to take “reasonable care” as such. Those words do not appear in the Statute. This might suggest that the draftsman was aiming at a rather different target when he required that “appropriate” measures be taken. This word comes from the Directive: it is likely therefore to bear an autonomous meaning, which will apply in each Member State of the EU to whom it is addressed. However, it is clear that the principle is a qualified one. The mere fact of disclosure or loss of data is not sufficient for there to be a breach. Rather, “appropriate” sets a minimum standard as to the security which is to be achieved. This is expressly subject to both the state of technological development and the cost of measures. Thus, the fact that a degree of security may technologically be achievable, which has not been implemented, does not of itself amount to failure to reach an appropriate standard: an example might be if particular security measures might be introduced which are very costly at the present stage of development, whereas after a few more years the cost might reduce significantly, as is the case with many new technologies. However, the following words in DPP7 indicate that a balance has to be struck between the significance of the cost of preventative measures and the significance of the harm that might arise if they are not taken. This is itself intended to be a combination of the nature of the harm in itself and the importance of the data to be safeguarded from that harm.
Though, as I have pointed out, the words “reasonable care” are not employed, there is a resonance here of the common law approach to the tort of negligence, where the standard of reasonable care is to be judged by balancing the magnitude of the risk of the activity in question (itself a combination of the likelihood of injury and the severity of it should it occur) against the availability and cost of measures to prevent the risk materialising, and the importance of the object to be achieved by performing those actions. That approach is accordingly indicative of the standard which should apply here, whilst remaining mindful that it is being applied in the field of data protection and it is, in general terms, of considerable importance that data be kept secure.
Mr Barnes was at pains in closing to remind me that the claim was not a collective one, but rather the claims of several individuals, each of whom uniquely had suffered distress and loss of control over their data. In terms of applying the principle, however, I have to bear in mind that a breach in respect of any one was likely to give rise not only to the loss or disclosure of that individual’s own data, but also of personal information relating to many more. In short, I would expect a higher standard to be observed as to the measures appropriate to protect data relating to 100,000 employees than I would expect in respect of a small enterprise employing 6 or 7 workers. Indeed, with economies of scale, measures that might be prohibitively expensive if analysed per head of a small workforce may seem relatively insignificant if spread over the headcount of a large corporate employer. The magnitude of the risk is greater; the cost per head of guarding against it is less.
Applying DPP7 to the Facts
DPP7 stands apart from DPP1, 2, 3 and 5 in that Morrisons were undoubtedly the data controller in respect of the relevant information at the time when the duty fell to be discharged. If appropriate technical and organisational measures were not taken by Morrisons against unauthorised or unlawful processing of personal data then, provided that the Claimants could show that the breach of that duty had caused the disclosure which is central to their complaints, liability would be made out.
The Claimants’ case is set out in paragraph 25 of the Particulars of Claim. Mr Barnes submits centrally that it was inappropriate to entrust Mr Skelton with the task of acting as the “middle man” between the sources of information internal to Morrisons required for audit, and KPMG to whom the information was to be submitted. This was not a submission that it was inappropriate to have a trusted human being occupying the role which Skelton did: a matter confirmed by agreed fact 20, that “…it would have been unobjectionable for the Defendant to have used what they refer to as a “trusted employee” to assist with the process of conveying data to KPMG so far as necessary.” The reason why Skelton was inappropriate on the Claimants’ case was that he had not yet been rehabilitated from very recent disciplinary sanction and was, to the knowledge of the Defendants, unhappy with the way in which the Defendant had dealt with the investigation and disciplinary process. Secondly, the Claimants aver that inadequate steps were taken to ensure that the data, stored for the purpose of copying and onward transmission to KPMG on Skelton’s laptop, was deleted from it within a short time after that transfer.
Allied to those two central points, the Claimants questioned the manner of transmission of the data to Skelton. It was provided on what was said to be an “…openly readable and transportable USB memory stick as opposed to, for example by secure password protected email.” (Particulars of Claim paragraph 25.1.1); there was no adequate management or mentoring of Skelton following the disciplinary process such that he was likely to bear a grudge against the Defendant and his co-workers (25.1.4); Morrisons ought to have discovered that he “subsequently” researched the TOR network on his work laptop; Morrisons failed to supervise, mentor or monitor him so as to prevent his dealing with the information and ultimately disclosing it; and Morrisons’ system should have detected the attempt to send a large file by email from Leighton to Skelton on 14th November 2013. If it had done, “competent investigations would inevitably have identified the obvious risk in exposing the Claimants’ said information to Mr Skelton” (25.2.2).
These contentions became six issues: whether Morrisons fell short of their obligations under DPP7 by:-
a) failing to manage/mentor Skelton “to prevent a grudge developing”;
b) failing to monitor the email “quarantine” area so as to identify that the data was being transferred to Skelton;
c) failing to identify that Skelton was researching the “TOR” network;
d) failing to deny Skelton access to the data;
e) providing the data to Skelton via USB stick which it was alleged was not encrypted; and
f) failing to ensure that Skelton deleted the payroll data (in the particulars of claim, the Claimants asserted it ought to have been effective on or about 21st November).
There is no other respect in which it is contended that Morrisons fell short of their obligations in respect of DPP7.
The System Generally
The payroll data was held on the PeopleSoft system. Any individual had access to their own personal details; managers had access to their own personal details and those of the employees who reported directly to them. No one apart from the approximately 22 “super users” had unfettered access to the data. The existence of any one super user inevitably posed a risk that that person might deliberately or inadvertently disclose data unlawfully. Nonetheless, the Claimants did not criticise this provision, and it is difficult to see how a large commercial organisation such as Morrisons could function without permitting a number of individuals to have access to significant personal data such as that on a payroll file. The case proceeded on the basis that because access was limited, and in any event any use of that access could be tracked (as proved to be the case when Michael Leighton was identified as the individual who had run an SQL query to identify data which was then transmitted to Skelton) the system was appropriately secure.
Simon Langley, Chief Information Security Officer, told me in evidence that it is impossible for any sizeable data controller completely to exclude the risk that data may be compromised, for example as a result of a criminal hack of its IT systems or the criminal misuse of data by its own employees. In his witness statement (paragraph 14) he said “there is in truth no impregnable system of information security, and even the most intensive state-run security systems are always going to be vulnerable to criminal intrusion or criminal exploitation by insiders as has been shown by data loss at the NSA and intrusions into the systems of the FBI.” He saw his role as being to assist the data controller (Morrisons) to manage such risks in its operations through the application of appropriate and otherwise proportionate controls. He recognised that the hardest vulnerability to guard against was that of a person with authorised access behaving in a criminal manner.
Much of the content of the witness statements of the witnesses called by the Defendant – Daniel Moore, currently “people manager – systems and analytics”, who was HR systems manager at the time relevant to the claim; Gordon Graham Daniels, an internal IT auditor to whom Skelton reported; Jo Goff, Group financial controller who was interim financial controller at the relevant time and who heard Skelton’s appeal against his disciplinary sanction; and Alison Charnock, Senior legal officer – expressed their personal views as to the merits of aspects of the claims. Yet no order was made or sought, prior to or at trial, in respect of expert evidence. Insofar as the evidence is of opinion I have therefore disregarded it, save where the fact that a witness was of that opinion is a material fact in understanding or explaining their relevant actions. I have thus relied upon their witness statements for evidence of fact, including those occasions when their view of matters at the relevant time amounts to a fact – for instance, Mr Daniels’ view of the reliability of Skelton and Ms Goff’s view as to the merits of the appeal. The statement of Lindsey Claire Crossland, director of risk and internal audit was unchallenged, and before me on paper only. She was not appointed to full-time service in Morrisons until after the trial and conviction of Skelton. However, she tells me at paragraph 35 that it would not have occurred to her to subject Mr Skelton to overt or covert monitoring of his IT usage. Nor would she have considered it appropriate. Being unchallenged, I have accepted that evidence.
In general, I accept that each of the witnesses did their best to give me an honest and considered account. Mr Daniels was the only witness whose credibility Mr Barnes challenged in closing. I shall deal with that below: in the event, the criticism was more of his reliability of recollection than the credibility of his account.
In summary, in any system which permits human access to data there are inevitably risks that that data might be mis-processed, mishandled, or even disclosed without authority. The evidence is that Morrisons took precautions to prevent that so far as they could by limiting access to a few trusted employees only. I am satisfied that the data was protected by restrictions on access, and there were sufficient internal checks available to see which of the few authorised super users had access to the data any more generally than to inquire about their own particulars.
The process which led to the disclosure by Skelton involved the transfer to him of data. I accept the evidence of Mr Langley that to extract data from the PeopleSoft database, and store it temporarily on the work laptop of an internal auditor (leave aside, for the moment, the identity of that person) left that data no less secure than it had been while held in PeopleSoft. That is because such a laptop was itself encrypted, and in addition accessible only to one person – he or she who held the encryption key. In setting out the background facts at the start of this judgment, I have already determined that in this case the transfer from Michael Leighton to Skelton was secure: the USB was encrypted, and Mr Leighton took the USB away with him after transfer, which he saw taking place. Moreover, even if the method of transfer had been insecure there is nothing in this case to suggest that that in any way caused the unauthorised disclosure of information contained in the data onto the web in January 2014. I accept that storing the data upon a collator’s individual computer, whilst all the data subject to the request from the various sources was collated there, was a sensible system and necessary to provide for an effective audit, enabling the auditors at KPMG to raise queries as to any of the data, and to channel them through one contact. The data so held would, on an encrypted work laptop, be secure. The transfer from a collator of information by downloading it onto a USB stick provided by KPMG and encrypted by them equally gave rise to a risk of data corruption or leak which was merely minimal.
As to the deletion thereafter, I accept that data had to remain on the work laptop of the collator for a sufficient period to enable any potential requests for further information from the external auditor to be serviced. Since the work of audit was likely to be completed by early December I would not have considered it unreasonable for that data to have remained on the laptop of the collator concerned until then.
It follows that, seen in broad overview, and save for two matters, namely the identity of Skelton himself as the recipient of the information, and the question of whether in his case deletion from his computer should have been more carefully checked, there was no failure of Morrisons to provide adequate and appropriate controls. I shall deal with these specific issues below.
Should Morrisons Have Entrusted Skelton with the Data?
It is in dispute between the parties whether Morrisons knew or ought reasonably have known that Mr Skelton posed a real risk to the security of the payroll data transmitted to him.
Mr Daniels interviewed Mr Skelton before he took up his post with Morrisons in the beginning of November 2010. He thought him able, competent and suitable for the post of a senior IT internal auditor, used to dealing with the complexity of infrastructure and systems of a large corporate organisation. It is probable that Mr Skelton was interviewed also by Mr Chowdhery. He underwent psychometric testing. The results were unexceptionable. Mr Daniels found nothing to make him doubt the trustworthiness of Skelton. He was generally quiet and private. In short, his appointment to the post of Senior IT Auditor, with all the handling of personal data and confidential information that might involve, was entirely appropriate.
As to his work, he would regularly be assigned audits which he had to undertake on his own. He was expected to operate with a significant degree of autonomy. His handling of the payroll data central to this case must also be seen in context: apart from that data he regularly had to handle information which colloquially would be termed sensitive or confidential. In doing so, he never gave Morrisons cause before 2014 to doubt his trustworthiness.
As to the white powder incident, Mr Daniels recalled Skelton being somewhat frustrated, a frustration he displayed as annoyance but “nothing greater”, and that he had been irritated by the level of sanction he received. Skelton did not think that legally posting a legal substance should have resulted in a formal sanction. After that incident he did not display signs to Mr Daniels of being “overly aggrieved” but got on with his job. There was however a change in his apparent motivation. As Mr Daniels put it: “he was a bit up and down and lacked drive and enthusiasm”.
In summary, in his witness statement, Mr Daniels told me that he thought Mr Skelton had been upset by what had happened but not to the point where he could not be trusted to do the job. His performance had become a bit lacklustre, and Mr Daniels plainly thought he might move on to a company other than Morrisons, but he was still doing good work. Mr Daniels saw what had happened as being a minor incident, in respect of which Mr Skelton had received an appropriate sanction: he viewed the formal verbal warning as a “rap across the knuckles”.
Although the Claimants criticised the choice of Skelton as the recipient of the payroll data for transmission to KPMG, no questions were asked of the witnesses as to the identity of those who might have been alternative choices. Ultimately though, the question for me is whether it was a breach of DPP7 to allocate the work to Skelton. I assume in doing so that the other one or two internal IT auditors who reported to Mr Daniels appeared competent and trustworthy (since if they did not they would have been excluded from the work) but no more so than Skelton appeared to be, at least before the white powder incident. It is therefore only if there is something about the events which gave rise to the disciplinary proceedings or to Skelton’s apparent reaction to them which casts doubt on either his competence or trustworthiness that it can be said that Morrisons should have chosen another to be part of the chain of transfer to KPMG.
Mr Barnes relies heavily upon a finding at the disciplinary hearing that Mr Skelton had breached the mail room policy and failed to live up to “Morrisons’ values”. He submits that the censure was not trivial: it led to formal sanction and the report leading to the discipline suggested that Skelton’s actions and behaviour viewed on their own could amount to gross misconduct irrespective of the nature of the white powder. By failing to live up to “Morrisons’ Values”, Mr Barnes said that Morrisons had stigmatised Skelton’s behaviour as irreconcilable with the manner in which the Defendant wished to conduct its business. He said this showed that he had failed to live up to the expectations of trust, integrity, teamwork, consideration for others, the sharing of joint objectives and such like stated in the fuller exposition of those Values in the Employee Handbook. The 6 month period during which the warning remained effective indicated that a minimum period of rehabilitation was recognised as necessary. The fact that Skelton appealed showed he lacked insight into his wrongdoing: rather than accept the sanction he chose to challenge the Defendant. Nothing, or nothing much, was done to address his plain disenchantment afterwards. The decision to entrust him with payroll data could not reflect an appropriate approach to the security of that data.
In my view, these submissions overstate the significance of what happened. Disciplinary codes such as those adopted by Morrisons in the present case are familiar territory in employment practices. Though Morrisons was perhaps unusual amongst employers in formalising a first verbal warning by recording it in writing (despite the description “verbal”) this level represented the very least level of formal sanction. The fact that an informal warning ranked lower does not mean that this warning was of any great seriousness in the eyes of the employer. There was nothing about the incident itself which suggested that Skelton could not be trusted. Indeed, though Mr Barnes spent some time seeking to establish that the “Morrisons value” in play was “One Team”, amplified by the explanation:
“We work together to reach a common goal. It’s about keeping our promises, building trust and respect, and valuing each other’s contributions”
Jo Goff, who decided the disciplinary appeal, did not accept so far as she was concerned that trust was involved. Though “One Team” was certainly one of the values, the value she had in mind when rejecting the appeal was that of “Great Shopkeeping”, which involved the setting of high standards and taking care of details, and in any event the elements of “One Team” centred on working together. In essence, her view was that in an isolated incident Skelton did not pay sufficient care and attention to the potential impact of his actions on fellow colleagues.
In my view, the reaction of Morrisons to what occurred in the white powder incident and afterwards was appropriate. The incident was a minor one, of thoughtlessness: it did not demonstrate any intent to defraud, nor to prejudice colleagues, nor to have Morrisons pay for postage to which he was not entitled in respect of his private business. Many employees have codes which provide for verbal warnings as to particular aspects of their conduct. It cannot sensibly be suggested that employees so warned cannot then be trusted to do their job or require to be supervised. If supervised (the Claimant’s suggestion is “mentored”) that would almost inevitably be seen by the employee as demeaning, and would in general give grounds for the employee concerned to claim he had been constructively dismissed. There were no grounds for dismissal. There was no basis for supposing that the incident showed that Skelton could not be trusted. It did show that he was on one occasion thoughtless in not anticipating what might happen if those in the post room realised that there was an unknown white powder being sent through their facilities, but no more. I think it was appropriate to regard it, as Mr Daniels did, as a rap across the knuckles.
To restrict Skelton’s handling of confidential data as a result would have been to take an action for which there was, at the time, no obvious logical basis, and if applied consistently would have had to extend to restricting his dealings with other confidential information which it was necessary for him to handle in the course of his employment. He was not just and only concerned with transmitting the payroll data. In effect, as Ms Proops submits, if Morrisons had taken the approach suggested by the Claimants it is difficult to see how he could have done his job. Yet what he did in no way merited dismissal. The sanction imposed fell far short of that. Morrisons could not properly treat it as tantamount in effect to dismissal in Skelton’s case.
I accept that there was nothing in his lack of motivation to suggest that he had decided criminally to disclose data entrusted to him, harming both his colleagues, to whom the data principally related, and Morrisons, his employer. If Morrisons were to restrict Skelton’s access to confidential information upon the basis of the white powder incident their approach in doing so required to be replicated for others who might be human links in a data transmission chain. If a thoughtless action on one occasion could give rise to a real risk, which could be prevented only by disallowing an individual, who otherwise had not displayed thoughtlessness, access to data, a similar approach would have to be taken in respect of any employee handling data who might have been transiently thoughtless of others: this would include superusers, auditors, senior managers and so forth. It is not difficult to see that the degree of enquiry to find out if employees had behaved in this way would be intrusive. To institute enquiries of such a nature would be disproportionate to the risk posed. When considering whether Morrisons were in breach of DPP7 on the basis of the white powder incident the balance falls decisively on the “appropriate” side of the line.
The evidence showed that the transfer of data from PeopleSoft to KPMG relied critically upon trust being placed in individuals. There was no failsafe system. But the Claimants do not suggest that there should have been. (For instance, I do not know if a double key system, analogous to that used for security deposit boxes in bank vaults, could have been introduced under which data could be accessed on a work laptop only if separate codes were input by each of two individuals who separately held their own codes and whether if so it would have been viable or would have minimised the risk: it was never suggested and never explored in evidence, and I therefore discount it.) Ultimately therefore the question as to permitting Skelton access to the data comes down to whether it was inappropriate to trust him. The only reason not to do so was the white powder incident, taken together with the hints of disenchantment with work which followed. For the reasons I have given however, the incident itself did not suggest that Skelton was not to be trusted. A lack of motivation does not equate to a positive criminal desire to harm the employer. Taking the two together, the balance still falls on the appropriate side of the line. In short, in permitting Skelton to have the data Morrisons were not in breach of DPP7.
Since the incident, procedures have changed a little. Had the revised procedures now utilised been in operation in 2013, it would not have been necessary for an internal auditor who was not a superuser to have handled the relevant payroll data. However, the system as revised still critically depends upon the trustworthiness of human agency. DPP7 is directed towards systems. The risk of human default remains, despite the understandable concerns of Morrisons to guard against it as best they can. The technological and organisational measures current in 2013 and 2014 at their best could not altogether prevent the risk posed by a rogue employee who was trusted and had given no real reason to doubt his trustworthiness.
Monitoring and Mentoring
Save in respect of deletion of the data, I can deal with the other control issues shortly. No-one in employment at Morrisons knew, nor ought they to have known, that Skelton bore a grudge against the Defendant, and was not to be trusted with data. The suggestion that he should have been managed and mentored within the “rehabilitation period” of 6 months is unrealistic, and mischaracterises the 6 month life of the warning as a “rehabilitation period”, as though the employee would have to prove himself within that time. The purpose of expiry after 6 months of a warning is simply that when considering any issue of conduct later arising the employer would not be expected after 6 months to take into account the circumstances giving rise to the former warning. The fact that within the 6 months they might do so acts as a disincentive to an employee to engage again in such conduct, and that represents the control mechanism inherent in a standard disciplinary policy. Beyond saying to Mr Skelton that his conduct in posting a package containing white powder was not acceptable, and explaining why that was (a matter which on the evidence, I find Mr Daniels thought Skelton appreciated, even if Skelton thought it did not merit the reaction of Morrisons to it) it is difficult to see what Morrisons could be expected to do. The “rap across the knuckles” administered was, viewed sensibly, all that was required.
E-mail Quarantine
The email sent by Leighton to Skelton, attaching the payroll data, “bounced back” and was held in what could be called quarantine. If the system had been interrogated by a senior manager, it could have been seen that this had happened. If it had been, then the Claimants suggested that this should have alerted the Defendants to the risk which Skelton posed to the data. This is unrealistic. The “bounce-back” involved no action by Skelton himself. There is nothing about it which would indicate that Skelton was any more or less a risk than the risk implicit in the original decision (which I have found not to be inappropriate) to use Skelton as a human conduit in transmission of data from PeopleSoft to KPMG. In truth, all it would have revealed to any observer was that Leighton had attempted to send too large a quantity of data by email to Skelton. That carries no implications for the subsequent security of the data, especially in a case where, as here, there were encrypted USB sticks available to transfer the data by another means.
Accessing the TOR Network
It was suggested in the claim that the Defendant should have been aware that Skelton was attempting to research the TOR network.
Mr Langley explained that Morrisons have an external facing firewall which is connected directly to the internet. This is known as the “red side”. A second firewall protects Morrisons’ internal network (the “green” side). Between the two is what is known as a “demilitarised zone” or “DMZ”, which can be accessed from the internet but which has very limited access to Morrisons’ internal systems, which are protected by the second firewall. An intrusion detection system detects patterns of activity which might indicate a potential attack from the red side. Morrisons also operate a Bluecoat server, which is a proprietary web filtering proxy. This both reduces the volume of external internet traffic by storing commonly accessed web pages, so that when two or more members of staff request the same web page only one copy needs to be obtained, and also restricts the sites which staff may access. It captures all requests for internet sites made by someone logged on to the internal Morrisons network, and at the same time maintains a list of restricted websites by reference to categories (e.g. pornographic material). If a request is made for access to a restricted site, the system effectively blocks that access.
Morrisons maintain a huge list of restricted sites and update this regularly. One restricted category is “proxy avoidance”. This concerns access to those sites which enable individuals to by-pass the restrictions imposed by Bluecoat by accessing the internet by a website proxy. The TOR network is one such proxy avoidance site, and is listed on Bluecoat as such. Accordingly, Mr Langley did not believe it would have been possible for Skelton to access the TOR website itself from which to download software needed to run the TOR network from his work laptop. Even if he were able to do so by some other means Mr Langley’s evidence was that he would not have had sufficient administrator access rights to enable him to install that software on his laptop. That would have needed an administrator-only password. Only an authorised IT administrator (which Skelton was not) could (and can) install such software on a work laptop.
This evidence was not challenged in cross-examination. I accept it.
As to whether Morrisons ought to have detected that he had researched or attempted to research the TOR network using Morrisons systems, there was no system enabling Morrisons automatically to detect when employees might be using the system to research the TOR network. Nor do Morrisons have such a system in place today.
The Bluecoat server keeps a record of every website request made by the end user. Thus, if an authorised person wishes to know what an individual employee has attempted to look at on the internet at work, it is technically possible to get Bluecoat to provide a list. This is not done routinely, but only ever if there is an issue with a particular employee such that the business feels it to be necessary and appropriate to review that employee’s internet usage. Nor would it be common practice in organisations similar to Morrisons routinely to scrutinise employees’ web access requests: Mr Langley said he had never in his career come across an organisation which carried out on-going active monitoring of internet searches in order to flag up search material which might be regarded as suspect. In any event, it would be necessary to identify what term was to be the subject of the search. To search for a term such as “TOR” is hopelessly unspecific, for the sequence of 3 letters constituting the acronym appears in a vast number of entirely innocuous longer words. Examples were given in his witness statement by Mr Langley, such as “history” or “factory”, but it is easily possible to think of many more, particularly since it often forms the last 3 letters of a noun, such as “navigator”, “actor”, “factor”.
I find that: –
i) active monitoring of internet searches by employees is not conducted at Morrisons; and this is consistent with the practice adopted by other large companies;
ii) it would be impracticable to do this on a routine basis, in particular because it would involve searching against individuals’ usage by reference to a number of terms, and in respect of “TOR” could have produced a plethora of results which would be entirely innocuous;
iii) even if the research had identified that Skelton had searched for information about the TOR network, it would not in itself indicate his unsuitability to be a recipient of payroll data for onward transmission: rather, as an internal IT auditor it might be thought to be a legitimate part of his role, or merely curiosity;
iv) with 3,500 employees based at Hillmore House, as Skelton was, the resources which would have to be expended to conduct routine active monitoring of the type I have described would simply be disproportionate, if indeed practicable at all (which I conclude it would not have been);
v) in any event, for practical purposes any such arrangement was unnecessary since the firewalls between them blocked undesirable material, and access to dubious websites was considerably restricted by an automatic filter in any event;
vi) Finally, most companies – and I was told Morrisons was no exception – permit employees to access the internet for personal reasons, within reason, and provided this does not conflict with their duties.
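The point about the acronym “TOR” being an unspecific search term, and the difference between that and the category-based filtering the Bluecoat proxy is described as applying, can be shown concretely. The following is an added illustration and not evidence from the case nor Morrisons’ own tooling: the log lines are constructed, the field layout (date, time, user, client address, action, quoted category, URL), the user names and the category label are assumptions, and the hosts are placeholders. It contrasts a naive substring search over every URL with two narrower checks: matching on the filter’s own category or on the requested host, and a whole-word match confined to a search engine’s query parameter.

```python
"""Added example: matching web-proxy logs for Tor-related activity.
Constructed log lines in an assumed layout, not a real Bluecoat export."""
import re
from dataclasses import dataclass
from urllib.parse import parse_qs, urlsplit

# Constructed sample. Assumed field order:
#   date time user client_ip action "category" url
SAMPLE_LOG = """\
2013-10-09 09:14:02 auditor1 10.1.2.3 DENIED "Proxy Avoidance" https://www.torproject.org/download/
2013-10-09 09:14:40 auditor1 10.1.2.3 OBSERVED "Search Engines" https://www.google.co.uk/search?q=tor+browser
2013-10-09 09:20:11 staff2 10.1.2.8 OBSERVED "Business" https://intranet.example/history/audit-factory
2013-10-09 09:21:05 staff2 10.1.2.8 OBSERVED "Reference" https://en.wikipedia.org/wiki/Navigator
2013-10-09 09:25:33 staff3 10.1.2.9 OBSERVED "Shopping" https://www.example-store.test/actor/factor
2013-10-09 09:30:00 auditor1 10.1.2.3 DENIED "Proxy Avoidance" https://hidemyproxy.test/
"""

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "([^"]*)" (\S+)$')


@dataclass(frozen=True)
class Entry:
    date: str
    time: str
    user: str
    client_ip: str
    action: str
    category: str
    url: str


def parse_log(text: str) -> list[Entry]:
    """Parse the assumed log layout; a malformed line is an error, not silently skipped."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            raise ValueError(f"unparseable line: {line!r}")
        entries.append(Entry(*m.groups()))
    return entries


def substring_hits(entries: list[Entry], term: str) -> list[Entry]:
    """The naive approach: case-insensitive substring over the whole URL."""
    t = term.lower()
    return [e for e in entries if t in e.url.lower()]


TOR_DOMAINS = ("torproject.org",)          # assumption: hosts of interest
PROXY_AVOIDANCE = frozenset({"proxy avoidance"})


def tor_hits(entries: list[Entry], categories=PROXY_AVOIDANCE,
             domains=TOR_DOMAINS) -> list[Entry]:
    """Match on the filter's own category, or on the requested host being
    one of the listed domains or a subdomain of one."""
    out = []
    for e in entries:
        host = (urlsplit(e.url).hostname or "").lower()
        by_category = e.category.lower() in categories
        by_host = any(host == d or host.endswith("." + d) for d in domains)
        if by_category or by_host:
            out.append(e)
    return out


def search_query_hits(entries: list[Entry], term: str, param: str = "q") -> list[Entry]:
    """Whole-word match confined to the search-engine query parameter,
    so 'history' or 'factory' elsewhere in a URL cannot match."""
    word = re.compile(rf"\b{re.escape(term)}\b", re.IGNORECASE)
    out = []
    for e in entries:
        for q in parse_qs(urlsplit(e.url).query).get(param, []):
            if word.search(q):
                out.append(e)
                break
    return out


if __name__ == "__main__":
    entries = parse_log(SAMPLE_LOG)
    print("substring 'tor':", [e.url for e in substring_hits(entries, "tor")])
    print("category/host :", [e.url for e in tor_hits(entries)])
    print("search query  :", [e.url for e in search_query_hits(entries, "tor")])
```

On the constructed lines the substring search flags five of the six requests, four of them only because of “history”, “factory”, “Navigator”, “actor” and “factor”; the category-or-host check flags the two proxy-avoidance requests, and the whole-word query check flags the single search. Even a correct hit tells the reviewer only that the request was made, which, as the findings above note, would not of itself indicate unsuitability to handle payroll data.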
Moreover, routine monitoring would almost undoubtedly be seen as invasive, and would require a justification on an individual basis before it could properly be conducted. Indeed, in Barbulescu v Romania (application no. 61496/08) [2017] ECHR 754 (5th September 2017) the Grand Chamber of the European Court of Human Rights considered the compatibility of intrusive surveillance conducted by an employer on the electronic communications of an employee. Over 8 days in July 2007 the employer in that case recorded an employee’s Yahoo messenger communications in real time, and on 13th July summoned him to explain the extent of his usage. When the employee said that the usage was for work purposes he was shown a transcript of 45 pages of the messages which he had exchanged with his brother and his fiancée during the period of monitoring. They were all personal, and some were intimate. When he told the employer in writing that he thought the employer had criminally breached the secrecy of his correspondence his contract of employment was terminated. The domestic courts upheld the dismissal.
The Grand Chamber decided that the domestic courts had failed to determine whether the applicant had received prior notice from his employer of the possibility that his communications on Yahoo messenger might be monitored, and had paid no regard to the fact that he had not been informed of the nature or extent of that monitoring or of the degree of intrusion into his private life and correspondence. Nor were there specific reasons justifying the introduction of the monitoring measures. The domestic courts should have considered whether the employer could have used measures which intruded less into the employee’s private life and correspondence. Accordingly, no fair balance had been struck between article 8 of the Convention, which requires a state to pay respect to private and family life, and the aims and methods of the employer. This case is thus high authority supporting a view that any attempt to institute surveillance of the intensity suggested by the Claimants in the present case would be fraught with the risk of being held unlawful.
In the present case, Morrisons had alerted employees through the Morrisons Employee Handbook that it monitored the use of all systems and equipment:
“to ensure our business is conducted appropriately, including:-
to establish facts where the content of the communication is disputed
to investigate and detect usage in breach of our policies
for training purposes
for preventing and detecting crime
to ensure the effective operation of our systems
we will not read all your correspondence, however if an anomaly of concern is found we will investigate this thoroughly.”
Nonetheless, to introduce the type of monitoring which could have detected the precise nature of websites being accessed would be a step beyond the sort of supervision indicated by that handbook.
Accordingly, even if the implementation of a system that could proactively have detected that Skelton was researching the TOR network when he did was, contrary to my findings, feasible, sensible and practicable, and even if, contrary to my findings, the effort and expense involved in doing it would have been proportionate, it is likely if introduced to have been difficult to justify since it would most probably amount to an unlawful interference with employees’ rights to privacy and family life, with little by way of balancing factor to suggest otherwise.
Finally, the particulars of claim refer to Skelton’s attempt to access the TOR network as having occurred subsequent to his involvement with the data transfer. Since I am of the view that he most probably copied the payroll data to his personal USB on 18th November 2013, it is unlikely that detecting that he had done so at a later stage could have prevented the disclosure of that in 2014. It might perhaps have deterred him from effecting the disclosure, but I consider it more realistic to think that, given the careful planning that Skelton had devoted himself to even prior to receiving the data (demonstrated by his searching for TOR on 9th October, and purchasing a phone for later use, coupled with copying data on to his personal USB on 18th November, and his devious conduct in using his skills in IT to throw blame onto another), on balance, even if there had been, contrary to my findings, a failure to monitor employees’ internet search usage, it is unlikely that such monitoring would have prevented the data disclosure which occurred.
The USB Stick
I have already concluded that the USB stick used to convey the payroll data to Skelton was encrypted. Irrespective of whether or not it was encrypted, once the information it contained was copied to his computer it was inevitably accessible by him (just as would have been the case had it come by secure email): he could not otherwise have transferred it from his computer to KPMG. There was no breach of DPP7 in using this means, nor did the use of it cause or contribute to the disclosure which later occurred. It caused no relevant harm.
Though there was much cross-examination about Morrisons’ policies in respect of data transfer (broadly, disallowing the general use of USB sticks) this was beside the point when considering this specific case. If there was a breach of those policies, it did not constitute a relevant breach of DPP7; but in any event I find the use of the USB in this case was not in breach, since it was specifically understood that for Michael Leighton’s purposes in transmitting a large quantity of data internally from one secure site to another an encrypted USB stick would be available for him to use, and he could permissibly use it.
Data Deletion
It is probable that Skelton deleted the data a short while after transfer to KPMG, and did so at the conclusion of what would have been a reasonable period of time in which to anticipate requests for further information generated by the audit process KPMG were undertaking (say, until mid-December). Since it is probable that the payroll data was copied to Skelton’s personal USB stick on 18th November 2013, and it is to be inferred that this was with a view to the later commission of the crime consisting of disclosure of the data, he would have had no reason to retain the data for longer in any event. It is likely he did delete the data, if only to give the appearance to anyone who looked that it had been removed.
I do not consider that Mr Daniels, or any member of Morrisons management, could properly be criticised for not asking Skelton before mid December whether the data had been deleted, or checking that it had been. This is because it would have been appreciated that there was a need to keep a copy of the information on Skelton’s work laptop and, indeed, as I have already accepted, this was preferable to the alternative (of dipping in and out of the Peoplesoft system) because that would have involved some risk, albeit small, in the additional transmission of data which that would have necessitated. It therefore follows, too, that there was no breach of the data protection principle of DPP7 if there were indeed a failure to ask or check prior to mid December 2013. Accordingly, since the data had by then probably already been copied, the request for evidence of deletion, whether made or not after that time, would have been ineffective to prevent Skelton’s subsequent criminal misuse of the data.
I consider it likely that Skelton did delete the payroll data from his work laptop. It is known that at some time he removed the data leaving just the template into which that data had been inserted: in March 2014 he showed that empty template (albeit with the headings still complete) to Daniels when he then checked.
As to whether Daniels checked prior to that the evidence is mixed. In his witness statement Daniels said:
“60. It would not have been necessary for Mr Skelton to retain the payroll data for long after it had been passed to KPMG. He might retain it for a relatively short while in case any queries arose, for example, completeness of the data. After that, I would have expected him to delete it, and in his capacity as an IT internal auditor, he would know professionally that it should be deleted. Senior auditors are expected to manage data responsibly.
61. In fact, I recall discussing with Mr Skelton the retention of the file structure and headings and the deletion of the contents and, later on, asked if he had deleted it and he confirmed to me that he had. My best recollection is that I asked Mr Skelton if the data had been deleted relatively shortly after it had been provided to KPMG because in the normal course and working closely with Mr Skelton that is a conversation he and I would naturally have. I would normally ask this where any sensitive data has been provided to my team and not merely payroll data. I would not have asked to see Mr Skelton’s computer to verify this fact, although later on (I do not recall when) I did see the headings that had been left after the data had been deleted from the spreadsheet. I would not, though, usually ask whether a member of my team had deleted data because I would trust them to do it.”
This passage is muddled. It appears to suggest that he actually remembered having a conversation, then goes on to say only that it is one which he “would naturally have had”. It ends with the statement that he would not usually ask whether a member of his team had deleted data, having just said that asking Mr Skelton was a conversation that he would naturally have had. When taxed with this in the course of his evidence, it became clear to me that he had no actual memory of having spoken to Skelton prior to the news of the disclosure of data coming to light. I find that he was struggling to recollect what he actually did, and that his usual practice was not so entrenched as a matter of course that I can be satisfied that he did in fact ask before March 2014. Indeed, as the last sentence of paragraph 61 of his witness statement suggests he did not generally see the need to ask since he operated on trust. He did have a recollection of seeing the file structure and headings with the data deleted: this, in my view, was most probably around the time that enquiries were being made as to the source of the data leak which had occurred – hence my conclusion that it was most probably March 2014.
It follows from this that I find there was no organised system for the deletion of data such as the payroll data stored for a brief while on Skelton’s computer. There was no failsafe system in respect of it. To this extent, in my view, Morrisons fell short of the requirements of DPP7: where data is held outside the usual secure repository used for it (in the case of the payroll data, within the Peoplesoft system) there is an unnecessary risk of proliferation and of inadvertent disclosure (let alone deliberate action by an employee) revealing some of that data. Morrisons took this risk, and did not need to do so. Organisational measures which would have been neither too difficult nor too onerous to implement could have been adopted to minimise it.
I had the strong sense that within Morrisons’ head office systems as they operated in 2013 it would have been regarded as indicating a lack of trust in an employee if a manager were specifically to check that he had performed a process such as deletion. It is right that such checking could in some circumstances be capable of justifying an employee in thinking that his employer lacked the trust in him which was requisite for their employment relationship to continue. However, this does not apply where there is a clear understanding amongst employees, created by management, that it is expected of their managers that they will check to see that files have been deleted, at least where the information they may contain is of sufficient sensitivity. If a culture is developed in which employees expect that as a matter of routine managers will check to see that there has been deletion of data, which has been held outside its usual secure repository, by those with whom it has for the time being been deposited, no employee could be justified in thinking that checking the deletion displayed any lack of trust: it would merely be the employer instituting, maintaining and operating safe and proper systems of checking as normal.
I note Mr Langley’s view that it was neither realistic nor proportionate to impose an obligation to the effect that managers had to oversee directly and immediately the deletion of data by senior trusted employees, all the more so where the employees’ role essentially consisted of the routine processing of significant quantities of sensitive data. However, I do not agree that it would be onerous to institute a system of checking, to be expected within a changed culture such as I have described.
I do accept, however, that the risk which primarily would be mitigated by such a system would be that of inadvertent retention of information, and that this on its own could not have prevented an individual determined to do so from copying sensitive data held on his work laptop to some other medium. In the particular circumstances of this case, by the time it would have been appropriate to conduct any such check on deletion, the probability is that the information had already been copied. Thus, notwithstanding that I consider Morrisons in this respect to have failed to discharge their duty to take appropriate organisational measures to guard against unlawful disclosure and/or data loss, to the extent that Morrisons fell short of DPP7 in this respect, this failure neither caused nor contributed to the disclosure which occurred.
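The organisational measure discussed in the preceding paragraphs, a routine check that data held outside its secure repository has actually been deleted, is the kind of control that can be made mechanical rather than left to a manager’s memory of a conversation. The following is an added illustration, not Morrisons’ process and not evidence in the case: the extract, its column layout, the directory names and the file names are all constructed, and the idea of fingerprinting each data row of the source extract so that a copy is recognised even after renaming or reordering is the author’s assumption about how such a check would be built. It distinguishes a file that still holds rows of the extract from one left as an empty template with only its headings, which is the state described in the evidence above.

```python
"""Added example: a deletion check for sensitive data held outside its
secure repository. Constructed data and assumed layout; not Morrisons' process."""
import csv
import hashlib
import io
import tempfile
from pathlib import Path

# Constructed stand-in for an extract taken from a secure system of record.
# Assumption: CSV with one header row; the real extract layout is not on the page.
SOURCE_EXTRACT = """\
employee_id,surname,bank_sort_code,account_no,salary
1001,Anon-A,00-00-01,11111111,21000
1002,Anon-B,00-00-02,22222222,23500
1003,Anon-C,00-00-03,33333333,31000
"""


def _row_hash(row: list[str]) -> str:
    return hashlib.sha256(",".join(row).encode("utf-8")).hexdigest()


def row_fingerprints(csv_text: str) -> set[str]:
    """Hash every data row (header excluded) so a copy is recognised even if
    the file was renamed, or its rows reordered or only partly retained."""
    reader = csv.reader(io.StringIO(csv_text))
    next(reader, None)  # drop the header row
    return {_row_hash(row) for row in reader if row}


def classify_file(path: Path, fingerprints: set[str]) -> tuple[str, int]:
    """Return (status, matched_rows):
    DATA_PRESENT  - one or more rows of the extract are still in the file
    TEMPLATE_ONLY - a header row remains but no data rows (the 'empty template')
    UNRELATED     - neither (an empty file or a file about something else)"""
    text = path.read_text(encoding="utf-8", errors="replace")
    reader = csv.reader(io.StringIO(text))
    header = next(reader, None)
    rows = [r for r in reader if r]
    matched = sum(1 for r in rows if _row_hash(r) in fingerprints)
    if matched:
        return ("DATA_PRESENT", matched)
    if header and not rows:
        return ("TEMPLATE_ONLY", 0)
    return ("UNRELATED", 0)


def audit_directory(root: Path, fingerprints: set[str]) -> dict[str, tuple[str, int]]:
    """Walk every CSV under root and classify it against the extract's fingerprints."""
    return {
        p.relative_to(root).as_posix(): classify_file(p, fingerprints)
        for p in sorted(root.rglob("*.csv"))
    }


def run_demo() -> dict[str, tuple[str, int]]:
    """Build a constructed work-laptop directory and audit it."""
    header_only = SOURCE_EXTRACT.splitlines()[0] + "\n"
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "audit").mkdir()
        (root / "backup").mkdir()
        # the file the auditor "deleted": headings kept, contents removed
        (root / "audit" / "payroll_template.csv").write_text(header_only, encoding="utf-8")
        # a forgotten full copy elsewhere on the same machine
        (root / "backup" / "payroll_old.csv").write_text(SOURCE_EXTRACT, encoding="utf-8")
        # an unrelated spreadsheet that must not be flagged
        (root / "audit" / "expenses.csv").write_text("claim_id,amount\n7,12.50\n", encoding="utf-8")
        return audit_directory(root, row_fingerprints(SOURCE_EXTRACT))


if __name__ == "__main__":
    for name, (status, n) in run_demo().items():
        print(f"{name}: {status}" + (f" ({n} matching rows)" if n else ""))
```

Run against the constructed directory, the check reports the template as TEMPLATE_ONLY, the forgotten backup as DATA_PRESENT with three matching rows, and the expenses file as UNRELATED. Its limit is the one the paragraph above identifies: it finds inadvertent retention on media the employer can inspect, and says nothing about a copy already taken to a personal USB stick.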
Burden of Proof
Morrisons maintain that it is for the Claimants to prove breach of any of the Data Protection Principles which they suggest may have been broken, and that the event in respect of which they claim was caused by that breach. The Claimants maintain that the burden is on the Defendant to prove that its arrangements were appropriate. Interesting though this debate is, it is not necessary for me to resolve it in this case. I have had sufficient evidence to find relevant facts, and to draw conclusions as to the probabilities. I have not had to depend upon the burden of proof. I have not had to resolve any of the issues by reference to it, but rather I have been able to make positive findings in all material respects.
The Inadequate Controls Claim: Conclusions
In summary, for the reasons I have given I find that Morrisons did not know nor ought they reasonably to have known that Skelton posed a threat to the employee database; that, save in one respect, there were no control mechanisms which the Defendant ought to have applied in respect of Skelton which were not appropriately applied; that one respect was in relation to the deletion of data but in that case, if appropriate measures had been applied, any reasonable measure that might have been implemented of which I had any evidence or submission would not have prevented Skelton’s criminal misuse of the employee data.
Primary Liability at Common Law and Equity
Morrisons did not directly misuse any information personal to the data subjects. Nor did they authorise its misuse, nor permit it by any carelessness on their part. If Morrisons are liable it must be vicariously or not at all.
It was not in contention that of the elements necessary for a breach of confidence action to succeed, there was information given to Morrisons, and that it was confidential. It was disclosed. However, it was not disclosed by Morrisons either directly or by an agent. In such circumstances, no primary liability attaches to Morrisons for this disclosure. It was a criminal act which was not Morrisons’ doing, which was not facilitated by Morrisons, nor authorised by it. It was contrary to what Morrisons would have wished. If Morrisons are liable it must be vicariously or not at all.
It follows that there is no primary liability resting on Morrisons under any of the DPA, the common law of misuse of private information, or an equitable action for breach of confidence. There remains the question whether Morrisons are liable as a secondary party for any of the wrongs of which Skelton himself was undoubtedly guilty.
Vicarious Liability
Auld LJ in Majrowski v Guy’s and St Thomas’ NHS Trust [2005] EWCA Civ 251, [2005] QB 848 said (at paragraphs 28-29):
“…vicarious liability is legal responsibility imposed on an employer, although he is himself free from blame for a tort committed by his employee in the course of his employment. Fleming, in The Law of Torts 9th ed. (1998), pp 409-410, observed that this formula represents:
“A compromise between two conflicting policies: on one hand, the social interest in furnishing an innocent tort victim with recourse against a financially responsible defendant; on the other, a hesitation to foist any undue burden on a business enterprise”.
Second, it has traditionally been regarded as taking two forms: first liability for an authorised or negligently permitted unlawful act of an employee in the course of employment; and, second, liability for an employee’s unauthorised or not negligently permitted unlawful mode of doing an authorised act in the course of employment. Only the latter is truly vicarious liability; the former is primary liability.”
Although his judgment was appealed to the House of Lords (where it was affirmed) those passages do not appear to have been contentious.
I am concerned here with that which Auld LJ called “truly vicarious liability”. The liability is one in which one party without personal fault is held responsible in law for wrongs committed by another. The most common relationship between the person at fault, and the person who, though not at fault is also to be held liable in law in addition to the party at fault, is that of employment, as it is here.
The origins of vicarious liability may be unclear: perhaps lying in the rapid growth in the number of employees, and sizes of workforce of enterprises during and after the industrial revolution, and perhaps lying originally in an extension of agency principles. It is unnecessary to say more since the possibilities and history are comprehensively set out in the judgment of Lord Toulson JSC in Mohamud v William Morrison Supermarkets plc [2016] UKSC 11 at paragraphs 10 – 24.
Recent cases have concerned one of two main matters. First is that of the relationships which might render one party to them responsible in law for the wrongs of the other party, since a restriction to those relationships being employment or agency might in some cases be unjust. A notable example is that of Armes v Nottinghamshire County Council [2017] UKSC 60 where the judgment of the Supreme Court as to whether a Council might be liable for wrongs done by a foster-parent to whom it had entrusted the care of a child was reported during the closing stages of the hearing before me. This is not, however, a case in which there can be any doubt that the relationship between Morrisons and Skelton was such that vicarious liability might apply. By the end of the 19th century, it had been recognised that an employer might be liable for a wrongful act done by a servant in the course of his employment. The second main consideration in recent caselaw has been the proper approach to “the course of employment”. Given that Skelton was an employee of Morrisons at the material time, it is this to which I now turn.
The precise scope of “course of employment” which could bring secondary liability upon an employer for a wrongful act was defined by Salmond in the first (1907) edition of his text book on the law of torts, Salmond on Torts, as “either (a) a wrongful act authorised by the master or (b) an unauthorised mode of doing some act authorised by the master” adding that a master was liable for acts which he had not authorised if they were “so connected with the acts which he has authorised that they may rightly be regarded as modes – although improper modes – of doing them” (pp 83-84). As Lord Toulson noted in Mohamud (paragraph 26) there might be difficulties in the application of this formula in cases of injury to persons or property caused by an employee’s deliberate act of misconduct. In Bazley v Curry (1999) 174 DLR (4th) 45, in considering the question whether, and to what extent, an employer might be liable for an employee’s criminal conduct, contrary to the desires and policies of the employer, McLachlin CJ saw liability as arising out of twin principles, first that it was just that an enterprise which created risk by its operations should pay if those risks materialised (“enterprise risk”), and second that it was a matter of policy to encourage the employer to exercise the power of control inherent in and essential to a contract of employment so as to minimise any potential harm so arising (“deterrence”).
These principles were better served by taking a broad approach to the scope and meaning in this context of “course of employment”, and were a significant factor in persuading the House of Lords in Lister v Hesley Hall Ltd [2002] AC 215, HL that the test of “sufficiently close connection with the employment” should take those two policy considerations into account, effecting a “compromise between two conflicting policies: on the one hand the social interest in furnishing an innocent tort victim with recourse against a financially responsible defendant; on the other a hesitation to foist any undue burden on a business enterprise.”
There are differences of policy emphasis in the speeches in Lister. Lord Clyde’s approach (paragraphs 37-42) was to gauge the sufficiency of the connection by asking whether the wrongful acts, in a broad sense, should be regarded as within the sphere or scope of the employment so as to be ways of carrying out the work authorised by the employer; Lord Millett’s approach was broader still. He regarded vicarious liability as a species of strict liability, best understood as a “loss distribution device.” This echoed the policy concept that he who has the deeper pockets should suffer the impact of a loss where it might fall on more than one party. Lord Hobhouse of Woodborough however focussed on the notion of delegation or entrustment, namely that an employer was vicariously liable for the wrongful act of its employee where it had “entrusted” a duty to an employee who, by his wrongful act, had failed to perform it.
Lister represented something of a watershed moment in the recent development of vicarious liability so far as concerns liability for the criminal actions of employees contrary to the wishes of their employer. Lord Toulson recognised in Mohamud (at para. 40) that the concept of “enterprise risk” has been prominent in cases since Lister as the social underpinning of the doctrine of vicarious liability, but added:
“…the court is not required in each case to conduct a retrospective assessment of the degree to which the employee would have been considered to present a risk. As Immanuel Kant wrote: “out of the crooked timber of humanity, no straight thing was ever made.” The risk of an employee abusing his position is one of life’s unavoidable facts.”
“In Dubai Aluminium Co. Ltd. v Salaam [2003] 2 AC 366, Lord Nicholls of Birkenhead (with whom Lords Slynn and Hutton agreed) said (at paragraph 22) “…it is a fact of life, and therefore to be expected by those who carry on businesses, that sometimes their agents may exceed the bounds of their authority or even defy express instructions. It is fair to allocate risk of losses thus arising to the businesses rather than leave those wronged with a sole remedy, of doubtful value, against the individual employee who committed the wrong. To this end, the law has given the concept of “ordinary course of employment” an extended scope.
23. If, then, authority is not the touchstone, what is?… Perhaps the best general answer is that the wrongful conduct must be so closely connected with acts … the employee was authorised to do that, for the purpose of the liability of the firm or the employer of third parties, the wrongful conduct may fairly and properly be regarded as done by the partner while acting in the ordinary course of the firm’s business or the employee’s employment… (original emphasis)
…
25. This “close connection” test focuses attention in the right direction. But it affords no guidance on the type or degree of connection which would normally be regarded as sufficiently close to prompt the legal conclusion that the risk of the wrongful act occurring, and any loss flowing from the wrongful act, should fall on the firm or employer rather than the third party who was wronged…
26. This lack of precision is inevitable given the infinite range of circumstances where the issue arises. The crucial feature or features, either producing or negating vicarious liability, vary widely from one case or type of case to the next. Essentially the court makes an evaluative judgment in each case, having regard to all the circumstances and, importantly, having regard also to the assistance provided by previous court decisions.”
Lord Toulson’s judgment continues with an observation that the test of “close connection” might tell nothing about the nature of that connection, but that in Lister the court had been mindful of a risk of over-concentrating on a particular form of terminology, and there was a risk in attempting to over-refine or lay down a list of criteria for determining what precisely amounted to a sufficiently close connection to make it just for the employer to be held vicariously liable. He said “simplification of the essence is more desirable”. As to that he said, under the heading “The Present Law”, as follows:-
“44. In the simplest terms, the court has to consider all matters. The first question is what functions or “field of activities” have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job. As has been emphasised in several cases, this question must be addressed broadly…”
45… Secondly, the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ. To try to measure the closeness of connection, as it were, on a scale of 1 – 10, would be a forlorn exercise and, what is more, it would miss the point. The cases in which the necessary connection has been found for Holt CJ’s principle to be applied are cases in which the employee used or misused the position entrusted to him in a way which injured the third party. Lloyd v Grace Smith and Co. [1912] AC 716, Pettersson v Royal Oak Hotel Ltd [1948] NZLR 136 and Lister v Hesley Hall Ltd were all cases in which the employee misused his position in a way which injured the claimant, and that is the reason why it was just that the employer who selected him and put him in that position should be held responsible. By contrast, in Warren v Henlys Ltd [1948] 2 All ER 935 any misbehaviour by the petrol pump attendant, qua petrol pump attendant, was past history by the time that he assaulted the claimant…”
Mohamud was a case in which the Claimant, having stopped at a petrol station at one of Morrisons Supermarkets, went into the sales kiosk and asked the Defendant’s employee serving there if it would be possible to print off some documents which the Claimant had stored on a USB stick. The employee refused the request in an offensive manner, and in the exchange of words which followed he used racist, abusive and violent language towards the Claimant and ordered him to leave. He then followed the Claimant as he walked back to his car and, having told him never to return, subjected him to a serious physical attack. In an action by the Claimant for damages against Morrisons on the grounds that it was vicariously liable for the assault the judge at first instance found that the employee had indeed assaulted the Claimant, but dismissed the claim against Morrisons since the employee’s actions had been purely for reasons of his own and beyond the scope of his employment such that there was an insufficiently close connection between the two. The Court of Appeal dismissed the appeal. The Supreme Court allowed it. Applying the principles which he had set out (summarised above) Lord Toulson regarded the employee’s job as being to attend to customers and to respond to their enquiries, such that the offensive way in which he answered the Claimant’s request and ordered him to leave, though inexcusable, was within the field of activities assigned to him, and what happened afterwards was an unbroken sequence of events. Although what he did was a gross abuse of his position, it was in connection with the business in which he was employed to serve customers, a position which his employers had entrusted to him, making it just that as between them and the Claimant they should be held responsible for the employee’s abuse of it. 
He thought the employee’s motive was irrelevant: “it looks obvious that he was motivated by personal racism rather than a desire to benefit his employer’s business, but that is neither here nor there.”
The other members of the court all agreed with Lord Toulson JSC; Lord Dyson added a short judgment of his own emphasising that the second limb of the Salmond test was not effective for determining the circumstances in which it was just to hold an employer vicariously liable for committing an act not authorised by the employer. A close connection test remedied the shortcoming and incorporated the concept of justice into the close connection test. He thought however, that it was difficult to see how that test might be further refined.
I adopt the approach as set out in Mohamud. Since that case was decided the approach has been applied on a number of occasions. I was referred in particular to Bellman v Northampton Recruitment Ltd [2016] EWHC 3104, QB; [2017] ICR 543. After a Christmas Party organised by the Defendant about half of those who had been present adjourned to a local hotel, where they sat talking in the hotel lobby, consuming more alcohol. Early in the morning of the next day conversation turned to work. The managing director, who was in overall charge of the company, became annoyed by the discussion and at about 3am assaulted the Claimant employee. The Claimant sought damages against the Defendant company for the actions of its employee, the manager. His claim was dismissed because the judge concluded that, in applying the two stage test, while consideration of the time and place in which the relevant act occurred would always be relevant there had to be some greater connection than the mere opportunity to commit the act offered by the chance of place and time; the assault had been committed after, and not during, an organised work social event; there was not only a temporal but a substantive difference between the Christmas party and the discussion over drinks at the hotel; and the fact that the discussion had turned to work did not turn what was a recreational activity into something which was to be viewed as the course of employment such that there would be a sufficient connection to make it right to hold the company liable.
In Various Claimants v Barclays Bank plc [2017] EWHC 1929 (QB) 126 the Claimants sought damages against Barclays Bank in respect of sexual assaults to which they alleged they were subjected by a doctor examining them for the purposes of employment by the Bank.
Each claimant was required to attend the home of a doctor engaged by the Bank, where he had a consulting room. It was said that in the course of his examination on behalf of the bank he sexually assaulted them. Of the two stage test applicable when considering if the wrongful acts of the doctor had been committed in the course of his employment by the Bank, the principal thrust of the judgment was concerned with whether the doctor had a sufficient relationship with the bank for it to be liable for his wrongdoing. Nicola Davies J held that he was an employee. As to the second stage – close connection – she held what he did to be sufficiently closely connected with his employment:
“46. The alleged sexual assault occurred during the course of a medical examination which the defendant required the claimants to undergo in respect of present and future employment. The task of carrying out the medical examination was entrusted to Dr. Bates by the defendant. The task assigned to Dr. Bates put him in a position to deal with the claimants. On the alleged facts he abused that position. It is difficult to see how it can sensibly be argued that his acts did not fall within the activity tasked to him… on the facts I find that alleged sexual abuse was inextricably interwoven with the carrying out by the doctor of his duties pursuant to his engagement by the bank. In the circumstances I find the tort is so closely connected with that employment or engagement to satisfy the second stage.”
Two Preliminary Points on Vicarious Liability
Before turning to the application of these common law principles, as set out in Mohamud and illustrated by the decisions in Bellman and VC v Barclays Bank there are two preliminary matters with which I have to deal, raised by Ms Proops QC. The first is whether the Data Protection Act by its terms excludes any possibility of vicarious liability. Her argument centres on DPP7. She submits first that the DPA does not recognise any form of vicarious liability for the unauthorised acts of employees, and DPP7 confirms this. Second, she submits that the DPA is such that only data controllers are subject to civil obligations and consequent liability under the Act: neither attaches to any person processing data qua employee or agent of the data controller. In her opening written case, she argued that there was accordingly no statutory civil liability which attaches to a person processing data qua employee and accordingly no civil liability for which a data controller can be held vicariously liable.
In my view, this submission in her opening misunderstands the nature of vicarious liability. A party may be held liable vicariously even for a breach of a Statute for which that party could not itself be held liable. Thus where, under the statutory provisions relating to shot firing in mines, a duty was placed on the shot firer (but not upon the mine owner or manager), the mine owner or manager might nonetheless be held liable even though neither it nor he could have committed the tort in question. Lord MacDermott in Harrison v National Coal Board [1951] AC 639, at 671 dealt with the point in a passage which, while strictly obiter, was fully considered.
“[Counsel for the Coal Board] advanced a further alternative argument to the effect that, the duty in question having been placed on Spence [the shot firer] exclusively, the Respondents could not be made responsible for his breach thereof even if the doctrine of common employment did not apply. In other words, the maxim respondeat superior had no applicability in the case of a statutory duty so laid on a servant. My Lords, on the views already expressed it is not strictly necessary to deal with this submission, but it was debated at sufficient length at the Bar to lead me to think that to reserve it for consideration at some future occasion might give it more encouragement than it deserves. It comes to saying that (apart, of course, from the doctrine of common employment) a master is not vicariously liable in respect of his servant’s statutory negligence. To my mind this, as a general proposition, finds no support in principle or authority. Vicarious liability is not confined to common law negligence. It arises from the servant’s tortious acts in the scope of his employment and there can now be no doubt that Spence in breaking the shot firing regulations committed a tort.”
This approach was clearly endorsed in Majrowski in the speech of Lord Nicholls of Birkenhead, paragraphs 10 – 17. In summary, at paragraph 17 he concluded: “unless the Statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of his statutory obligations sounding in damages while acting in the course of his employment.” In the same case, Lord Hope (paragraph 42) noted that Counsel for the employer accepted that he could not succeed in an appeal against the decision of the Court of Appeal below that in general an employer may be vicariously liable for a breach of statutory duty imposed on an employee which is committed in the course of his employment, and that an employer may be vicariously liable for a breach of statutory duty imposed only upon the employee. Accordingly, I reject the submission that – if indeed it can be said that direct liability for his acts as data controller in respect of the relevant information was cast by Statute on Skelton alone – this has the consequence that vicarious liability for his breach of the relevant statutory duty was excluded.
Further, in Majrowski a submission by Counsel for the employer that there was no presumption either in favour or against the proposition that a statute encompassed vicarious liability was rejected: the House held that vicarious liability will apply unless the Statute providing for liability expressly or impliedly indicates otherwise.
Majrowski itself concerned vicarious liability for an act of harassment (incidentally, necessarily a criminal act under the Statute, since the same acts could either be prosecuted or be the subject of a civil suit) allegedly committed by a co-employee against the Claimant. The Act covered the UK as a whole. In respect of applicability of the Act in Scotland, the Statute expressly referred to the Defender as being the person responsible for the alleged harassment “…or the employer or principal of such person”. Had it not been for that provision, four of their Lordships expressed the view that the decision would have been finely balanced as to whether the Act, interpreted as a whole but absent that provision, impliedly excluded an employer being held vicariously liable for an act of harassment committed by an employee. Though they expressed some uncertainty, one, Lord Nicholls, appeared clear that it would certainly not have excluded this.
Central to the judgments was a sense that the Protection from Harassment Act 1997, with which the case of Majrowski was concerned, was designed principally to prevent harassment and protect victims from it; and it had an intense focus on the perpetrator in getting him to stop (see per Baroness Hale at paragraph 68). There were “…indeed powerful reasons for thinking that Parliament intended liability and damages should be personal to the perpetrator of the harassment and that it should not be extended to his employer, if any, under the doctrine of vicarious liability…”.
Undeterred, Ms Proops argues that Majrowski has no realm of application in the present case because that decision was not concerned with legislation that plainly does not fix employees (as opposed to data controllers) with any civil liability whatsoever; the DPA is not concerned with the actions of servants acting in the course of their employment, but rather with the actions of autonomous, self-determining data controllers. The fact that the DPA does not attach liability to a person acting as an employee, as opposed to acting in a distinct, private capacity as an autonomous self-directing data controller, means that there is no statutory wrong committed by the employee on which the principle of vicarious liability could even arguably bite. The scheme is preoccupied exclusively with the direct, not secondary, liability of data controllers. The approach to liability of a data controller under the DPA is fault based, which leaves no room for the implication of no fault vicarious liability on a data controller: she notes that paragraph 10 of Schedule 1 to the DPA provides that the data controller must take reasonable steps to ensure the reliability of any employees who have access to the personal data, not to act as their insurer. Ms Proops submits that under section 13(3) of the DPA a data controller will have a defence if it can show that it took reasonable care to comply with the relevant requirement – in the case of an unreliable employee, that it took reasonable care to ensure that employee’s reliability. That provision provides the be all and end all of the responsibility of Morrisons for the defaults of any employee. To permit vicarious liability to run would render that requirement otiose: employers would have little incentive to comply with it if they were nonetheless to be held liable for the actions of their unreliable employees even where they had done their best to ensure that they were reliable. 
It is a nonsense to suggest that Morrisons, having fulfilled their own obligations qua data controller, can at one and the same time be held vicariously liable for the actions of another third party data controller, who by definition is acting as an autonomous, self-directing controller in respect of the relevant data. There are many good policy reasons why Parliament should have drawn the line as it did. Many, if not most, enterprises would have to process significant quantities of data. It is in the public interest that they should do so. It is very difficult to safeguard the data which such an enterprise processes against employee misuse, as the facts of the present case amply demonstrate. The ease with which employees are legitimately given access to such data gives rise to a risk of copying, extracting or otherwise misusing that data which it is very difficult if not impossible to control. If data controllers are to be held vicariously liable for the actions of their employees, in the absence of any culpable default on their part, that would potentially expose them, unjustly, to enormously burdensome group litigation and claims out of all proportion to the value of the claims of the individual data subjects concerned. Liability on such a scale is disproportionate, yet the legislation itself derives from a European Directive, in respect of the interpretation and application of which proportionality is a key concept. Parliament would have seen that imposing liability for the criminal actions of an individual employee could have a chilling effect on data processing operations across the board. It might introduce a culture of suspicion and indeed paranoia in the work place, for employers might prefer to err on the side of dismissal of disgruntled employees or of subjecting them to draconian invasive surveillance in the hope that that might help to insulate the employer from liability. 
There is a real risk that the financial viability of some enterprises might be compromised.
Before expressing my conclusions on these points, I shall set out the argument on the second point preliminary to considering whether Skelton’s actions were sufficiently closely connected to his discharge of the functions assigned to him. This is the submission by Ms Proops that the DPA was intended by Parliament to occupy the entirety of the field of liability for data as defined in the Act, leaving no space within which any, or any further, actions for misuse of information or breach of confidence could operate. She submits that it is not constitutionally permissible for the courts to enter the field and conclude that Parliament has not gone far enough, or that its legislative work is incomplete, such that further liability should be imposed as common law. Vicarious liability at common law or in equity thus cannot go beyond the liability imposed by Parliament under the DPA which is, in accordance with the first preliminary point (should it be answered in Morrisons’ favour), to the effect that liability rests upon Morrisons while acting as data controller alone and excludes liability for an employee separately in breach of his own obligations under that Act. If Ms Proops succeeds on this submission, vicarious liability arises only in respect of the DPA if at all: if it fails, then vicarious liability potentially arises in respect of each and all of the causes of action, subject to the disclosure having been in the course of Skelton’s employment by Morrisons.
In support of this submission, she referred to McKerr [2004] UKHL 12; [2004] 1 WLR 807 in which the question arose whether the courts could impose a common law obligation on the State corresponding to that in Article 2 of the European Convention on Human Rights in an area which had been regulated by legislation. The argument advanced to the House of Lords on behalf of Mr McKerr (whose father had been killed by the use of force by the Royal Ulster Constabulary) was that the Secretary of State was, or should be, subject to a common law obligation to arrange for an effective investigation into his father’s death. As to that, Lord Nicholls said at paragraph 32:-
“The effect of Counsel’s submission would be that the court would create an overriding common law obligation on the state, corresponding to article 2 of the Convention, in an area of the law for which Parliament has long legislated. The courts have always been slow to develop law by entering, or re-entering, a field regulated by legislation. Rightly so, because otherwise there would inevitably be the prospect of the common law shaping powers and duties and provisions inconsistent with those prescribed by Parliament….
33. … The suggested new common law right is sought as a means of supplementing, or overriding, the statutory provisions relating to the holding of coroners’ inquests. That is not an appropriate role for the common law.
34. This view is confirmed by another feature of the case. As already emphasised, by enacting the 1998 Act Parliament created domestic law rights corresponding to rights arising under the Convention. When doing so Parliament chose not to give the legislation retroactive effect. In relation to article 2 the intention of Parliament, as interpreted above, was not to create an investigative right in respect of deaths occurring before the Act came into force. The common law right urged on behalf of Mr McKerr would accord ill with this legislative intention. The effect of the propounded right would be to impose positive human rights obligations on the state as a matter of domestic law in advance of the date on which a corresponding positive obligation arose under the 1998 Act.”
Similarly in Rottman v Commissioner of Police of the Metropolis [2002] UKHL 20; [2002] 2 AC 692, the question before the House of Lords was whether at common law a police officer executing a warrant of arrest issued pursuant to Section 8 of the Extradition Act 1989 had power to search for and seize any goods or documents which he reasonably believed to be material evidence in relation to the extradition crime in respect of which the warrant was issued. On analysis of the legislation, the House of Lords concluded that there was nothing in it that operated to prevent the continued operation of common law doctrine which had pre-existed the Act. Lord Hoffman said (paragraph 75) “it is a well established principle that a rule of common law is not extinguished by a statute unless the statute makes this clear by express provision or by clear implication.” Though the Administrative Court, from which the certified question had come, had held that the Police and Criminal Evidence Act (“PACE”) had extinguished the common law power to search the Respondent’s house five years before the Extradition Act was passed, he could not see any saving provision in it for the common law power. However, the true question was not whether PACE had saved the common law power, but whether it had extinguished or abolished it. Only one provision in the Statute could have had that effect: Section 17(5), which provided that all the rules of common law under which a constable had power to enter premises without a warrant were thereby abolished. As to that, Lord Roger identified the very particular context within which Section 17(5) operated and commented, at paragraph 109:
“Since Section 17(5) occurs within this very particular context, it is plain that it was intended to abolish only the common law powers relating to entry for the purpose of arrest. The sub-section was not intended to affect the common law relating to searches for evidence carried out when someone has been arrested.”
Accordingly, since no provision of PACE abolished the common law powers of search and seizure on or after arrest, they continued to operate, and the search with which the House of Lords was concerned was held accordingly to be lawful.
In effect, Ms Proops contrasted the position in Rottman with that in McKerr: in Rottman the Act had not had the effect of legislating in the field which common law had previously covered.
In R (Child Poverty Action Group) v Secretary of State for Work and Pensions [2010] UKSC 54; [2011] 2 AC 15 the question was whether the Department for Work and Pensions could rely on the common law remedy of restitution to reclaim social security benefits paid in error. Section 71 of the 1992 Social Security Administration Act made provision for the Secretary of State to recover overpayments made where there had been misrepresentation or failure to disclose from the person who misrepresented the fact or failed to disclose it. The House agreed that Section 71 was intended to be an exhaustive code. In the speech of Lord Dyson JSC he said:
“33. If the two remedies cover precisely the same ground and are inconsistent with each other, then the common law remedy will almost certainly have been excluded by necessary implication. To do otherwise would circumvent the intention of Parliament. A good example of this is Marcic, where a sewerage undertaker was subject to an elaborate scheme of statutory regulation which included an independent regulator with powers of enforcement whose decisions were subject to judicial review. The statutory scheme provided a procedure for making complaints to the regulator. The House of Lords held that a cause of action in nuisance would be inconsistent with the statutory scheme. It would run counter to the intention of Parliament.
34. The question is not whether there are any differences between the common law remedy and the statutory scheme. There may well be differences. The question is whether the differences are so substantial that they demonstrate that Parliament could not have intended the common law remedy to survive the introduction of the statutory scheme. The court should not be too ready to find that a common law remedy has been displaced by a statutory one, not least because it has always been open to Parliament to make the position clear by stating explicitly whether the Statute is intended to be exhaustive. The mere fact that there are some differences between the common law and the statutory positions is unlikely to be sufficient unless they are substantial. The fact that the House of Lords was divided in Total Network SL [2008] AC 1174 shows how difficult it may sometimes be to decide on which side of the line a case falls. The question is whether looked at as a whole, a common law remedy would be incompatible with the statutory scheme and therefore could not have been intended to coexist with it.”
Conclusions on Preliminary Points on Vicarious Liability
As to the first of these two preliminary points as to vicarious liability, the fact that the Act does not provide expressly that there should be vicarious liability is of little assistance to Morrisons: the principle expressed in Majrowski is that vicarious liability is applicable where an employee commits a breach of statutory obligations, even where they rest on him alone, while acting in the course of his employment, unless the Statute expressly or impliedly indicates otherwise. The House rejected the submission that the principle was neutral.
To argue, as Ms Proops does, that the Act imposes liability only on data controllers and that an employee is not a person for whose torts the Act contemplates his employer should be liable vicariously because the employer is not a relevant data controller when the employee processes data in his own right without authority, for his own purposes, and thereby as a data controller, and this is not therefore an “employee’s tort” for which the employer can have secondary liability, not only runs contrary to the views expressed in Harrison v National Coal Board by Lord McDermott, but also takes too narrow a view of the Act. The DPA must be seen in its full context: that it is the domestic implementation of a European Directive which describes itself in its title as a Directive “… on the protection of individuals with regard to the processing of personal data and on the free movement of such data.” The emphasis is on the protection of data subjects. I accept Mr Barnes’s submission that if, at the moment an employee decides to misuse data to which his employer has given him access, the employer ceases to be under any further liability, on the basis that the employee thereafter will be data controller in respect of the misuse, this would tend to defeat the rights of data subjects in respect of that data rather than enhance them, as is the apparent purpose of the Directive. What, to the contrary, is consistent with the greater security and protection of the data subject is to impose the obligations of data controller upon such an employee (making him liable personally, as he would not otherwise be merely qua employee) whilst retaining his employer’s vicarious liability for his wrongdoings where it is appropriate to do so. Two parties are then potentially responsible in law.
I do not therefore conclude that, because the Act has the effect that Skelton became data controller of the information he was later to disclose, it thereby excludes vicarious liability for his breaches of statutory duty under the DPA in respect of that information.
A similar point arises in respect of paragraph 10 of Part II of Schedule 1 to the DPA. Ms Proops suggests that, by providing that a data controller must take reasonable steps to ensure the reliability of any employees of his, the Act indicates that the draftsman intends to restrict the liability of a data controller for the acts of employees, such that an employer is liable only to take reasonable steps to ensure the reliability of an employee, and no further, and that this provision thus implies an exclusion of vicarious liability. Mr Barnes argues to the contrary: consistent with the overall protective purposes of the Directive, the Act here articulates an explicit protection, which is intended to supplement, not exclude, what would otherwise be liability. In his submission this is strengthened by the fact that in the Directive itself the obligation to take care as to the nature of those to whom data is entrusted is mentioned in that part which relates to the security of data: the liabilities of the data controller are contained in a part of the Directive distinct from this. This, he suggests, shows that the draftsman did not intend the provision to be the sole ground on which an employer could be held liable for an employee, but rather intended to add a specific safeguard for data, which would not depend on there being any infringement by the employer concerned.
Ms Proops supports her submission that, upon a proper construction, the DPA impliedly excludes an employer being held liable for the wrongs of an employee of his, by reference to the significant costs of compliance with the data protection principles (see, for instance, Ittihadieh, paragraph 26 as to the costs of a single subject access request under the Act). She describes them as giving rise to “enormous and unavoidable up-front costs/burdens for data controllers”. To add vicarious liability to this would be to cause already large potential liabilities to be disproportionately crushing in their effect. It would be in addition to “(i) the costs which they incur in physically processing the data (ii) any liability burden to which they may be exposed if they breach their obligations under the DPA” (closing written submissions, paragraph 130(4)), yet Morrisons qua data controller are completely innocent. It is not, she submits, in the public interest for an “excessive liability” to be visited on an innocent data controller. The possibility of “eye-watering liability” may impose enormous pressure on a data controller to limit the presence of human agency, even where it plays an important role in an effective and efficient operation: to do so is not in the public interest, and the principle of vicarious liability should be designed to serve the public interest.
These in terrorem arguments are almost certainly overstated: I note that I have not been referred to a single case in which it is said that vicarious liability had overwhelmed a company. I have no doubt this is because many commercial entities will cover the potential losses by appropriate insurance within the ordinary course of trading. Further, since this is by agreement of both Counsel the first case in a period of very nearly 20 years since the Act came into force to raise the question whether there is vicarious liability at all under the Act for the actions of an employee in deliberately misusing the data with which he was entrusted, it seems unlikely that the Doomsday scenarios postulated by Morrisons will occur. This is without yet factoring in both an absence of such cases in respect of the 1984 statutory predecessor of the 1998 Act, and the likely relatively modest award of damages in the event of a finding of liability: I suspect that in many cases the liability may be within the means of an ordinary tortfeasor to satisfy, but, if not, though in a group action affecting a very large number of employees the total sum may certainly be significant, it seems unlikely that the amounts payable would equate, for instance, with those that might be contemplated in respect of a product liability claim asserted by a cohort of injured customers. I accept Mr Barnes’ argument on the first preliminary point.
There is more to be said for the argument that Parliament has legislated in the field, to leave no space for the common law tort of misuse of private data or the equitable action for breach of confidence. Part of the purpose of the Directive was to achieve a measure of harmonisation of the laws of the member states. It may be thought anomalous, in the field covered by the Directive, that there remain other potential liabilities which depend upon the application of different tests in different jurisdictions. However, it must be remembered that the purpose of the Directive, and therefore the Act, is to provide greater protection for the rights of data subjects. So viewed, additional liabilities in respect of data (insofar as the Data Protection Act creates them, over and above such liabilities as there would otherwise be in equity or at common law) add layers of protection. It is generally open to a member state to augment a minimum EU-wide standard of protection where protection is the aim. Accordingly, thus far, I cannot conclude that the DPA excludes common law and equitable actions in respect of the same data disclosure.
As for McKerr, the current case is not on all fours with it, for the Court is not being invited to develop the common law by holding that it should move beyond its current boundaries into an area currently regulated by legislation. Rather, the legislation was enacted at a time when the relevant common law duties and obligations were known to exist. In such circumstances, if the common law were intended no longer to operate, the expectation would be that Parliament would say so in terms. The principle Lord Hoffman thought to be well established in paragraph 75 of his speech in Rottman is that which is in play: that a rule of common law is not extinguished by a statute unless the statute makes it clear by express provision or by clear implication. There is no express provision here. Nor do I consider that an implication to that effect is clear. The extent to which the tort of misuse of private information, or an action for breach of confidence, can apply in a field also regulated by the DPA is subject to the principles stated by Lord Dyson JSC in The Child Poverty Action Group case. The two pre-existing actions do not run counter to the tenor of the Act. Looking at the question as a whole, as Lord Dyson (paragraph 34, last sentence) invites the Court to do, I could not hold the common law remedy to be incompatible with the statutory scheme. Both pre-existing forms of action seek to impose liabilities for data misuse or the disclosure of confidential information by both penalising it and making it possible for a court to grant injunctive relief against it. The actions are not so much incompatible as complementary.
Accordingly, I reject both the preliminary arguments advanced by Ms Proops QC.
Course of Employment
Ms Proops submits that the act central to liability is that of disclosure on 12th January 2014. This was not done from work, did not involve a work computer, and was far removed in time from the act of copying the data (which I have already found to have occurred on 18th November). There was thus such a degree of geographical and temporal separation from Skelton’s employment that the act of disclosure could not be said to have arisen in its course. It was even done on a Sunday, when it was common ground Skelton was not at work. Decided cases all showed a much closer connection: in Rose v Plenty [1976] 1 WLR 141, CA the employee was on the job, delivering milk; in Century Insurance Co Ltd v Northern Ireland Road Transport Board [1942] AC 509 the employee’s act of lighting a cigarette by striking a match near flammable fuel came when he was transferring petrol from a delivery lorry to a tank, a job he was tasked to do. Although the cases established that the approach was a broad, evaluative one, such factors as these were of importance. So too was the question whether the act was for the benefit of the employer, although this was no longer a decisive test. Nonetheless, no case had gone quite so far as to hold an employer liable vicariously for an act which, far from being intended to benefit an employer, was designed specifically to harm that employer: Lord Clyde in Lister at paragraph 44 had recognised, too, when reviewing a couple of cases in which an employee had assaulted another, that acts of passion, resentment or personal spite might fall outside the scope of employment. Here, if the court upheld a plea of vicarious liability by holding Morrisons liable to the co-employees whose personal information had been disclosed by Skelton, the court would be helping Skelton achieve what he criminally set out to do, namely harm Morrisons financially: it would become a “witting instrument of the criminal”.
Cases such as Mattis v Pollock [2003] EWCA Civ 887 may have involved findings of vicarious liability for assaults which were not committed at the workplace, nor even immediately proximate to it in time or place, but on proper analysis that case was one in which the person for whose acts the employer was held liable was employed specifically to be violent towards customers, as a bouncer, and the act of violence he performed by knifing someone with whom he had earlier been in dispute at the door of his employer’s night-club was a logical extension of his employment, tightly connected to his employer’s enterprise. Williams v Hemphill [1966] UKHL 3 may have been a case in which the driver of a lorry deviated from the route he was supposed to take, but that geographical excursion from the authorised course did not have the consequence that he ceased to be driving on his employer’s business; even here, though, it was acknowledged by Lord Pearce that this had to be kept within sensible limits. To deviate by, for instance, driving from place to place in the home counties via Inverness would on any common-sense view be so far outside his employment that the driver could no longer sensibly be regarded as being in the course of it.
Moreover, Ms Proops drew support from the reasoning in Credit Lyonnais v Export Credits Guarantee Department [2000] AC 486, in which the House of Lords held that an employer was not vicariously liable for acts of an employee committed in the course of his employment which were not in themselves tortious and only became so when linked to other acts outside the course of his employment. The issue had correctly been identified in the Court of Appeal as:
“Where A becomes liable to B as a joint tortfeasor with C in the tort of deceit practised by C on B on the basis that A and C have a common design to defraud B and A renders assistance to C pursuant to and in furtherance of the common design, does D, A’s employer, become vicariously liable to B, simply because the act of assistance, which is not itself the deceit, is in the course of A’s employment with D?”
In the case itself, Mr P (who worked for the Defendant) had been corrupted by bribes from a fraudster, Mr C. He authorised the issue of four guarantees which were an essential part of a fraud which, by the time it occurred, P knew C was committing on the Claimant bank. The issue of the guarantees had in itself no adverse consequences for the Claimant. It was not a tort. Thus P had committed no tort during the course of his employment; what he did, viewed on its own, did not amount to the commission of one.
Lord Woolf at 495 C-D said:
“The conduct for which the servant is responsible must constitute an actionable tort and to make the employer responsible for that tort the conduct necessary to establish the employee’s liability must have occurred within the course of the employment. If the tort is committed jointly, then it is conduct which is within the course of the employment sufficient to constitute the tort, irrespective of which tortfeasor performed the acts, which is necessary. As both tortfeasors are responsible for the tortious conduct as a whole in the case of joint torts it is not necessary to distinguish between the actions of the different tortfeasors. For vicarious liability what is critical, as long as one of the joint tortfeasors is an employee, is that the combined conduct of both tortfeasors is sufficient to constitute a tort in the course of the employee’s employment.
Were the position otherwise, you could have the extraordinary result that if an employee carried out all the acts complained of there would be no liability on the employer, but if the acts were carried out partly by the employee and partly by a non-employee, the employer would be liable. The obverse situation is the same. If an employer would be liable if the employee personally took the action complained of the situation is no different because some of the acts were done by some one who was not an employee as part of a joint enterprise with the employee.”
What Ms Proops drew from this was a submission that all the acts necessary for the tort complained of had to be committed by the employee in the course of employment. In the present case, the most that could be said would be that some were. That was not enough to make the employer liable on a secondary basis for those acts. Morrisons’ submission was that Skelton could not be acting in the course of his employment at a time when Morrisons itself owed no duties to the Claimants in respect of the data: Skelton alone was data controller in respect of that which he disclosed at the time he did so.
In an extended review of a number of the decisions which illustrate the way in which principles of vicarious liability have been applied, or a claim for such liability rejected, Ms Proops sought to draw a distinction between actions which pursued a personal, independent venture of the employee by contrast with those in which the employee, though acting contrary to his employer’s wishes, and often criminally, was nonetheless within the scope of his employment. The question was raised whether a tort committed against a third party (either a fellow employee or member of the public) whilst the allegedly tortious employee was at work fell on the personal, independent side of the line and not on the side of the “course of employment”. It was not difficult to see that if a personal grudge, arising outside the work place, manifested itself in a violent action inside it, where being at work was merely the occasion for an action which might as well have happened elsewhere, it might be expected that the court would hold the employee liable on his own, and that no secondary liability would attach to the employer.
In this regard, I was referred to Deatons v Flew [1949] 79 CLR 370 (High Court of Australia), and more significantly Irving v Post Office [1987] IRLR 289 and Weddall v Barchester Healthcare [2010] EWCA Civ 25, all cases in which the Claimants were held to have pursued a grievance of their own, and were held not to be acting in the course of their employment even though (in the first two cases) what they did was at their place of work, and during working hours.
In Deatons v Flew, a barmaid flung a glass at a troublesome customer, in a moment of retributive rage. In Irving, a postman lived next door to the claimant, with whom he fell out. The postman’s duties included the sorting of mail at his depot. Just before Christmas, whilst sorting mail, he saw an envelope addressed to the claimant and his wife. Though he did not himself have the duty of delivering the mail to the Irvings, he wrote on the back of the envelope “Go back to Jamaica sambo” (Mr Irving was black). He added a cartoon of a smiling mouth and eyes. When the card was in due course delivered, the Irvings were greatly upset by it. They claimed that there had been an act of discrimination against them contrary to s1(1) of the Race Relations Act 1976, for which the Post Office was (under that Act) vicariously liable. The Court of Appeal (Fox LJ, Sheldon J) applied the dictum of Dixon J in his judgment in the High Court of Australia when it decided that the act of the barmaid in Deatons was not an act in the course of her employment:
“The truth is that it was an act of passion and resentment done neither in furtherance of the master’s interests nor under his express and implied authority nor as an incident to or in consequence of anything the barmaid was employed to do. It was a spontaneous act of retributive justice. The occasion for administering it and the form it took may have arisen from the fact that she was a barmaid, but retribution was not within the scope of her employment as a barmaid.”
As to Weddall (on which Ms Proops placed most emphasis: the other two cases were both decided before the decision in Lister) the facts were that Weddall was the deputy manager of a care home. A senior health assistant, Marsh, worked under him. They did not get on particularly well. One of the nightshift employees called in sick on a September evening in 2006. In accordance with his duty to secure a replacement, Weddall phoned round to see if an employee could be found to fill the gap. He called Marsh at his home. Marsh was free either to accept or refuse the offer of a voluntary extra shift. He had had a bad day, because of a row at home, and by 6pm was very drunk. He did not react well to the call from Weddall, forming the impression that the latter was mocking him because of his drunken state. Shortly afterwards, he rang the home saying he wished to resign, rode to it on his bicycle, saw Weddall sitting in the garden at the front of the home, and subjected him to an unprovoked, very violent, attack. The first instance judge concluded that Marsh was acting personally for his own reasons, in his own context and on the basis of his own passions and feelings; that an employer was not to be held vicariously liable for every act that one person might commit against another occasioned by or growing from their employment, but not otherwise sufficiently specifically connected with it: it would be neither fair nor just to hold the employer of Marsh (and Weddall) vicariously liable for the acts Marsh had committed. The Court of Appeal had no difficulty in concluding that the judge had reached the right conclusion for the right reasons.
Here, Ms Proops submitted that Skelton’s act in posting employee data on the web was similar to the act of Weddall. It was a personal action, taken for his own reasons, by way of retribution.
In contrast, I was referred to cases which went the other way. In Bernard v Attorney General of Jamaica [2004] UKPC 47, a police constable had demanded the use of a telephone from the claimant, who had been in a queue and had just begun to make a call. It was within the scope of the police officer’s duty to demand the use of a telephone as a matter of urgency if necessity arose. When the claimant refused, an altercation broke out, ending when the police officer drew a gun and shot the claimant at point blank range, causing him severe injury. A judge in Jamaica upheld a claim against the police force. In turn, the latter’s appeal to the Court of Appeal in Jamaica was upheld. However, the Privy Council quashed the Court of Appeal’s decision and restored the judgment of the trial judge. It did so by applying the principle in Lister, which it plainly considered signalled a change of approach. The police officer had purportedly asserted police authority, immediately before the shooting incident, when seeking priority in the queue for the phone, and it was the fact that the plaintiff was not prepared to yield to this which led to the shooting. Evidence of the constable’s later actions in arresting the plaintiff in hospital for interfering with his duties supported this analysis. Moreover, the State had created the risks inherent in permitting constables to take loaded service revolvers home.
The Privy Council reached a further decision to much the same effect in Brown v Robinson [2004] UKPC 56, another case of a policeman using firearms in public. At a football match he was trying to restrain an unruly crowd when the deceased, Reid, assaulted him and ran off. The policeman then set off in hot pursuit down the road. He asked Reid if he wanted the policeman to shoot him; and, feeling he ought to be taught a lesson, did just that, exacting swift retribution for Reid’s earlier behaviour. He was seeking to impose a general deterrence and his authority, so that thereafter good order would prevail. It was not a case where there was a private act of revenge unconnected with his employment.
In Fennelly v Connex Southeastern Limited [2000] EWCA Civ 5568 a ticket inspector assaulted a passenger. The passenger had passed through a ticket barrier where the inspector was checking tickets: as he went on, the inspector called after him “Where is your ticket?” but the claimant walked on further. The inspector followed, and a heated exchange took place. The ticket was snatched from the passenger by the inspector and returned: but immediately afterwards the inspector put the passenger in a headlock and dragged him down a couple of steps, that being the assault. A first instance decision on these facts rejecting the claim, on the ground that there was no vicarious liability because this act was outside the scope of employment, was reversed on appeal.
Mr Barnes also sought to rely on Axon v Ministry of Defence [2016] EWHC 787 (QB). The captain of a royal naval frigate was relieved of his command, following allegations against him of bullying behaviour. Three articles were published in the Sun about this, leading to further coverage in the wider media. The Sun disclosed that the information had been given to it by a source within the Ministry of Defence (‘MOD’) who had been providing information for some 8 years and who had, over that time, received a total of about £100,000. She was criminally charged, and sentenced to imprisonment as a result. In an action the Claimant asserted that he had a reasonable expectation of privacy and/or confidentiality in connection with the facts that members of his crew had complained about him, that an Equal Opportunities Investigation (EOI) had been carried out into his conduct, that he had been ordered to leave the Ship whilst it was in Gibraltar and to return to the UK, and as to the outcome of the EOI. Nicol J decided the case against the captain on the basis that he did not have any such reasonable expectation of privacy, but went on to consider the rival arguments whether, if he had found that there was liability, the Ministry would be vicariously liable for the acts of the source.
In determining this issue, he took the broad approach to the nature of the job of the primary tortfeasor as advocated in Mohamud. The source had worked in a security sensitive environment. She had Developed Vetting clearance which allowed her to have access to information up to the Top Secret classification. With this came obligations. She:
“… had signed documentation which reminded her of her obligation to maintain confidentiality in information whose disclosure had not been authorised. For someone who occupied such a sensitive position it is in my judgment appropriate to view her job as including the task to preserve that confidentiality. … she must have learned of that information in the course of her work. I can see no other way that it could have reached her. … Of course, for the purpose of examining this issue, I must assume (contrary to my earlier finding) that Ms Jordan-Barber’s disclosure to Mr Kay was actionable at the suit of the Claimant. It is only if she committed a tort against him that any issue of vicarious liability could arise. But if that was the case, there is a clear and obvious connection between that wrong and that part of her job which required her to keep such information confidential. If this was the case, then it would seem to me to be just to require the MOD to assume vicarious responsibility. This is not simply an example of the employment being the opportunity for the wrong to be committed. As part of her work, she needed to have access to security sensitive and confidential information. As part of her work she shared office space with the J9 Pol/Ops PJOBS team and was likely to learn other information in consequence. There is always an inherent risk that those entrusted with such information will abuse the trust reposed in them, but rather than this being a reason why vicarious liability should not be imposed, I think, on the contrary, it is a reason in its favour. True it is that Ms Jordan-Barber’s activity did nothing to further the MOD’s aims, it was carried on without their knowledge, and it received no encouragement from the MOD. What she did was prohibited. However, those features do not preclude vicarious liability (and [counsel for the Ministry] did not suggest they did).
Notwithstanding them, if I had held that [the source] had committed a tort (contrary to my findings), I would have concluded that that hypothetical tort would have been sufficiently closely connected with her job for it to be just for the MOD to be vicariously liable.”
This was the only case to which I was referred in which vicarious liability for a breach of confidentiality/data leak had been considered. Ms Proops submitted that the obiter comments could not be relied on. They rested on a misconceived notion that merely because an employee received or gained access to data in the course of employment this automatically meant that their wrongful disclosure of that data had to be treated as undertaken in the course of their employment irrespective of the actual circumstances. She described this as a “reductionist, decontextualised approach to secondary liability” which was “impermissible in view of the multifactorial analysis which is required in the context of the application of the doctrine of secondary liability”.
Discussion
In summary, Ms Proops takes seven main points, as well as rejecting the approach taken by Nicol J in Axon. First, she submits that the act of posting the data to the web was temporally and physically disengaged from the time when the data was copied by Skelton, and was placed on the web at a time when Skelton was not at work. Second, she submits that at the time he did so, Morrisons were not data controllers within the meaning of the Data Protection Act in respect of the payroll data disclosed. They were not “on the field”. Similarly, third, adopting Credit Lyonnais, all the aspects of the tort had to be within the course of employment and here they were not. Fourth, the act was motivated by a grudge, and cases such as Deatons, Irving and Weddall showed that this was a significant factor to take into account. Fifth, in Bernard v Attorney General of Jamaica, the Privy Council had emphasised that because vicarious liability is strictly to be applied, it should not easily be extendable: to hold Morrisons liable here would be such an extension, and impermissible. Sixth, to find in favour of Morrisons would amount to the court facilitating a criminal’s objective in harming his employer, which the court should set its face against.
Seventh, she submits that if the principles articulated by Lord Phillips at paragraph 35 of his judgment in the Catholic Child Welfare Society case were considered, they indicated an answer favourable to Morrisons. He said:
“The relationship that gives rise to vicarious liability is in the vast majority of cases that of employer and employee under a contract of employment. The employer will be vicariously liable when the employee commits a tort in the course of his employment. There is no difficulty in identifying a number of policy reasons that usually make it fair, just and reasonable to impose vicarious liability on the employer when these criteria are satisfied: i) The employer is more likely to have the means to compensate the victim than the employee and can be expected to have insured against that liability; ii) The tort will have been committed as a result of activity being taken by the employee on behalf of the employer; iii) The employee’s activity is likely to be part of the business activity of the employer; iv) The employer, by employing the employee to carry on the activity will have created the risk of the tort committed by the employee; v) The employee will, to a greater or lesser degree, have been under the control of the employer.”
Ms Proops submitted that this was not a case of a single claimant, but of several who together mounted a considerable financial challenge, such that criterion (i) was of little weight – possibly all very well where risks were physical or material in nature, but far more wide-reaching when dealing with data, which was neither; criterion (ii) was inapplicable, since Skelton’s activity was not on behalf of his employer but the opposite; as to criterion (iii) Skelton’s actions were not part of Morrisons’ business activity – Morrisons had left the field; as to (iv) Morrisons did not employ Skelton to carry on that activity, which was not part of his core duties; and criterion (v) was of little weight these days.
These points have considerable weight. However, it is rightly agreed between the parties that my task is evaluative, giving such weight to the various factors identified in principle by the courts as the facts of the case require. Illustrative cases do not provide any more than indicative help: interesting as were the cases to which I was referred in respect of grievances, the decision in each was heavily fact-sensitive.
Four particular findings of fact are of importance.
First, I reject Ms Proops’ argument that the disclosure on the web of the payroll data was disconnected by time, place and nature from Skelton’s employment. I find, rather, that as Mr Barnes submitted there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events. My reasons for this are first that in October, prior to knowing he was again to be a conduit for payroll data between PeopleSoft and KPMG, Skelton showed signs of interest in the TOR network. When he knew (on 1st. November) that he was indeed to be the go-between, he obtained the mobile phone he was later to use just for making the criminal disclosures. He brought in a personal USB stick to work and copied payroll information to it in mid-November. Lying low for a while after that was necessary to create an appearance of separation and to avoid suspicion falling on him too readily. He again investigated TOR in December; adopted the user name and date of birth of a colleague to draw the blame onto him when setting up an account from which to upload the payroll data to the web; sent data to a web-sharing web-site in January, and either because that did not excite any great immediate interest, or because he had planned in advance to cause the maximum embarrassment to Morrisons immediately prior to the announcement of their financial results, sent the anonymous letters he did to three newspapers in March 2014. These actions were in my view all part of a plan, as the research and careful attempts to hide his tracks indicate. As I have already noted (para. 22 above) this is precisely the same view as that taken by HHJ Thomas QC when sentencing Skelton. This was no sequence of random events, but an unbroken chain beginning even before, but including, the first unlawful act of downloading data from his personal work computer to a personal USB stick.
Second, I find that Morrisons deliberately entrusted Skelton with the payroll data. It was not merely something to which work gave him access: dealing with the data was a task specifically assigned to him. Associated with this, I find that in his role with Morrisons, day in and day out, he was in receipt of information which was confidential or to have limited circulation only: and he was appointed on the basis that this would happen, and he could be trusted to deal with it safely. Morrisons took the risk they might be wrong in placing the trust in him.
Third, his role in respect of the payroll data was to receive and store it, and to disclose it to a third party. That in essence was his task, so far as the payroll data went: the fact that he chose to disclose it to others than KPMG was not authorised, but it was nonetheless closely related to what he was tasked to do.
Fourth, it follows from these findings that when Skelton received the data, though covertly intending to copy it for misuse, he was acting as an employee, and that the chain of events from then until disclosure was unbroken. The fact that the disclosures of 12th. January were made from home, by use of his personal equipment, on a Sunday did not disengage them from his employment.
The argument that Morrisons were not “on the field” since they were no longer data controller in respect of such data as was copied by Skelton is misplaced. In part it repeats the argument I have already rejected at paragraphs 153-155 above. The question is not whether Morrisons did wrong, but whether, when Skelton did, his acts were closely connected with his employment.
The argument based on Credit Lyonnais does not assist Morrisons either. First, it assumes that there was no unbroken sequence of events, but the converse. Second, the issue in that case was very different from the issue here. It was not whether the acts complained of fell within the course of employment but rather whether acts which were committed within the course of employment, which were not in themselves tortious, could be aggregated with acts of another party so as to render the employee a joint tortfeasor with that party, for whose joint acts the employer would be held vicariously liable.
As to the act being one of “retributive justice” as Dixon J. would have termed it, arising out of a grudge, it must be remembered that in Mohamud Lord Toulson noted that the motive of the employee was beside the point (paragraph 48). Quite apart from being of the highest authority, this must be right – for the criminal motive of the thieving employee in Morris v Martin, or the deliberate dishonesty of the clerk in Lloyd v Grace Smith did not convert an act from one in respect of which there would have been vicarious liability into one in respect of which there would not. Earlier in his judgment, too, and consistently with the broad view of course of employment which he espoused, Lord Toulson expressed considerable reservations as to the justice of the result in Deatons v Flew (see his paragraph 30). Viewed broadly, the significance of a personal grudge may be, as it were, to bring into the work environment factors which belong elsewhere, so as to make it clear that the only relationship between the tort and work is that the workplace happens to be where it is committed, when it might just as well have been elsewhere. That does not apply here where the grudge was work-related, the central relationship with which it was concerned was that of Skelton with his employer, and its commission was entirely dependent upon the field of activities assigned to him by that employer.
Ms Proops’ fifth point has limited purchase: though it is true that vicarious liability for the unlawful disclosure of data has only once been considered in any case to which I was referred (that of Axon) the principles do not depend centrally on the subject matter of the wrong: it is counter-intuitive to suppose that where the field of activity assigned to an employee concerned anything other than data, that employee would be said to be acting within the course of his employment where, in identical circumstances, save that the field of activity now concerned data, he would not.
Ms Proops’ sixth line of argument has more traction. Until relatively recently in the history of evolution of vicarious liability the fact that an act was done for the employer’s benefit, albeit not as the employer instructed or would have wished, was highly material to a conclusion that the act was within the course of employment. Employment brings with it a duty of loyalty on the servant’s part co-relative to the duty of good faith of the master’s side. Though benefit is no longer critical, it remains of importance in evaluating whether the relevant tortious act fell within the course of employment. The act here was taken deliberately to harm, rather than benefit, Morrisons. In contractual terms it was a repudiation of the contract of employment.
That said, Morrisons were not the only victims. The action here is brought not by Morrisons but by Skelton’s fellow employees. They claim not for the harm done to Morrisons, but that aimed at them. Trampling on their rights to the privacy (or confidentiality) of the data was a deliberate act by Skelton. A principal aim may have been to hurt Morrisons, but the method, and it may be an aim as well, was harming their interests. The cases show, too, that the actions of housemasters in abusing children they were employed to care for, of priests in attacking vulnerable victims, of solicitor’s clerks in defrauding clients of the firm, or apprentice cleaners in stealing customer’s clothing were also repudiatory, and always liable to do serious damage to their employers’ business, reputations, livelihood and continued viability, yet in each of these cases vicarious liability has been established. The issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall: the approach since Bazley v Curry and Lister as developed in Mohamud emphasises taking a broad view of the scope of employment, and it is notable that Lord Toulson explained those cases in which liability had been upheld as being those where the employee misused his position in a way which injured the claimant, and that it was just that the employer who selected him and put him in that position should be held responsible. He was putting great weight on “enterprise risk”. I would add to his exposition only that the employer, too, had at least the theoretical right to control. Though employers can hardly tell highly skilled workers the detail of how to do their jobs, it remains a necessary element in every contract of employment that the employer has “…lawful authority to command so far as there is scope for it. And there must always be some room for it, if only in incidental or collateral matters” (Zuijs v. Wirth Brothers Proprietary, Ltd (1955) 93 C.L.R. 561, 571, cited by McKenna J. in Ready-Mixed Concrete v Minister of Pensions and National Insurance [1968] 2 QB 497): nowadays perhaps best rendered as a directory power. An employer, in general, remains responsible for what work is done, where and when, under what systems and with what equipment, and who the clients or customers are to be. The employer could theoretically place a would-be tortfeasor who is an employee in a position where he could not so easily commit the tort, and design systems to prevent it occurring which the employee could be directed to observe.
The factors identified in Catholic Child Welfare Society are typically true of relationships of employee and employer, which was what was addressed in paragraph 35 of the judgment of Lord Phillips. They are true here too, where the context is not relationship but course of employment: Morrisons are more likely to have the means to compensate the victim than Skelton and can be expected to have insured against that liability, even if breaches of data security may not historically have been a mainstream risk; it follows from my finding above (ii) that the tort was committed as a result of activity being taken by the employee on behalf of the employer – in the sense of his being chosen to handle the data, with a view to the employer’s interests in completing an audit, such that Skelton’s employee activity – viewed broadly – can be seen as part of the business activity of the employer, even though he chose to abuse his position. As to (iv), the employer, by employing the employee to carry on the activity, created the risk of the tort committed by the employee; and (v) Skelton was, to a greater or lesser degree, under the control of the employer, at least in the sense described in the last paragraph above.
Adopting the broad and evaluative approach encouraged by Lord Toulson in Mohamud, I have therefore come to the conclusion that there is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable “under the principle of social justice which can be traced back to Holt CJ”. This conclusion would be the same irrespective of whether a breach of duty under the DPA, a misuse of private information, or a breach of the duty of confidence was concerned, for the essential actions constituting a legal wrong in each case were the same.
I am fortified in this conclusion by the views expressed by Nicol J in Axon: though insofar as he based his decision upon a view of the source’s job as including the task to preserve confidentiality, since she had an obligation to keep matters confidential, I have doubts as to its correctness: where the issue is the identification of the field of activities of an employee, this is not necessarily to be answered by identifying the obligations that are an adjunct to those activities, and are not activities in themselves, which do not in themselves constitute duties specifically entrusted to the employee in question. Mr Barnes placed some emphasis, in his submissions, on the role of Skelton as being to preserve confidentiality: for the same reason as gives me doubt about this part of Nicol J’s judgment, I have placed no weight on this. His role was to handle the payroll data, receiving it, storing it for a while, transferring it to others and then deleting it. All bar the last he did: that is sufficient to draw a close link with his employment, within the principles set out in Mohamud and exemplified in case law, and although Morrisons were one target of his actions it is in my view just that they should be liable vicariously for the wrongs Skelton did to the claimants.
Conclusions: Summary
In conclusion, I hold that the DPA does not impose primary liability upon Morrisons; that Morrisons have not been proved to be at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss; and that neither primary liability for misuse of private information nor breach of confidentiality can be established.
I reject, however, the arguments that the DPA upon a proper interpretation is such that no vicarious liability can be established, and that its terms are such as to exclude vicarious liability even in respect of actions for misuse of private information or breach of confidentiality. Having rejected them, I hold that, applying Mohamud principles, secondary (vicarious) liability is established.
The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering his criminal aims. I grant leave to Morrisons to appeal my conclusion as to vicarious liability, should they wish to do so, so that a higher court may consider it: but would not, without further persuasion, grant permission to cross-appeal my conclusions as to primary liability.
WM Morrison Supermarkets Plc v Various Claimants
[2018] EWCA Civ 2339 (22 October 2018)
Introduction
The central issue on this appeal is whether, on the facts, an employer is liable in damages to those of its current or former employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998 (“the DPA”) and in breach of that employee’s obligation of confidence.
It is an appeal from the order of Langstaff J dated 1 November 2017 by which he ordered that the appellant, Wm Morrison Supermarkets plc (“Morrisons”), which is the defendant in the proceedings, is liable in damages to the claimants, who are over 5,000 employees or former employees of Morrisons, for the acts of disclosure of their personal information by a former employee, Andrew Skelton.
The appeal concerns whether the Judge was correct to hold that Morrisons is vicariously liable to the claimants for the actions of Mr Skelton.
The Judge himself gave permission to appeal.
Background
It is necessary to describe the factual background in some detail as vicarious liability is highly fact specific. The following, which we gratefully take from the judgment of the Judge, is not as full as the Judge’s account but is sufficient for the purposes of the appeal.
At the relevant time Mr Skelton was a senior IT internal auditor employed by Morrisons. Following a disciplinary hearing for an incident involving his unauthorised use of Morrisons’ postal facilities for his private purposes, he was given a formal verbal warning on 18 July 2013. Mr Skelton was annoyed by the disciplinary proceedings and the sanction. They left him with a grudge against Morrisons.
On 1 November 2013 KPMG, Morrisons’ external auditor, requested a number of categories of data from Morrisons in order to undertake the annual audit. That request included a copy of Morrisons’ payroll data. Michael Leighton, of the HR department, copied the data onto an encrypted USB stick. He took the USB stick personally to Mr Skelton, who downloaded the data from the stick onto his laptop computer, which was itself encrypted. Mr Skelton subsequently copied the data onto another encrypted USB stick, which had been supplied by KPMG, and which he returned to KPMG.
On 18 November Mr Skelton, when at work, copied the payroll data onto a personal USB with a view to the later commission of the crime consisting of disclosure of the data.
On 12 January 2014, using the payroll data that he had copied onto his personal USB, Mr Skelton posted a file containing the personal details of 99,998 employees of Morrisons on a file sharing website. He used the initials and date of birth of another employee in a deliberate attempt to frame him. Shortly afterwards, links to the website were also placed elsewhere on the web. The data consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and the salary which the employee in question was being paid.
On 13 March 2014 Mr Skelton, acting anonymously, sent a CD containing a copy of the data to three newspapers in the UK, one of which was the Bradford Telegraph and Argus, a newspaper local to Bradford where Morrisons has its head office. The anonymous sender purported to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 Morrisons’ employees was available on the web. The covering letter with the CD gave a link to the file-sharing site.
The information was not published by any of the newspapers concerned. The Bradford Telegraph and Argus told Morrisons of it. Morrisons was about to announce its annual financial reports. The revelation of the data leak had serious implications for the share value of Morrisons. There was also an immediate concern that the information might be used by outsiders to access the bank accounts of individual employees or used to aid identity theft.
Morrisons’ head management was alerted to the disclosure on 13 March 2014. Within a few hours they had taken steps to ensure that the website had been taken down. Morrisons also alerted the police.
Mr Skelton was arrested on 19 March 2014. He was charged with fraud, an offence under the Computer Misuse Act 1990 and under section 55 of the DPA. He was tried at Bradford Crown Court in July 2015, and was convicted. He was sentenced to a term of eight years imprisonment.
The DPA
The DPA was enacted pursuant to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”). Provisions in the Directive to which we were referred in the course of oral submissions are set out in Appendix 1 to this judgment.
Relevant provisions of the DPA are set out in Appendix 2 to this judgment.
The proceedings
Following a Group Litigation Order made by Senior Master Fontaine on 24 November 2015, these proceedings were commenced by 5,518 employees of Morrisons on 8 December 2015 when a claim form was issued for damages and interest for misuse of private information, breach of confidence and breach of statutory duty owed under section 4(4) of the DPA. The claim form was accompanied by Particulars of Claim. The claimants claimed that Morrisons is primarily liable under those heads of claim but, if not, then Morrisons is liable vicariously for the wrongful conduct of Mr Skelton.
Morrisons served a Defence dated 3 February 2016 denying all liability.
Following directions for a split trial on liability and damages, the trial as to liability took place before the Judge between 9 and 19 October 2017.
The judgment
The Judge handed down a careful, comprehensive and lengthy written judgment on 1 December 2017. The following is a brief summary sufficient to provide a context for the present appeal.
The Judge held (at [51] and [65]) that Morrisons was not the data controller at the time of any breach of Data Protection Principles (“DPP”) 1, 2, 3 and 5 in respect of the information later disclosed on the web, and accordingly Morrisons owed no duty to the claimants under the DPA in respect of which it was in breach, unless it were the duty to comply with DPP 7. Mr Skelton was the data controller in respect of that information.
The Judge further held (at [66]) that Morrisons was not directly liable in respect of any breach of confidence or misuse of private information since it was not Morrisons which disclosed the information or misused it. It was Mr Skelton, acting without authority and criminally.
The Judge identified (at [74]) the following six respects in which it was alleged that Morrisons fell short of its obligations under DPP 7 while it was the data controller: failing to manage/mentor Mr Skelton to prevent a grudge developing; failing to monitor Mr Skelton’s IT usage so as to identify that Mr Leighton’s initial attempt to send the data to Mr Skelton’s computer had bounced back (having been intercepted by Morrisons’ “quarantine” area, designed to divert for further attention emails that for some reason may be suspicious); failing to identify that Mr Skelton was researching the “TOR” (acronym for “The Onion Router”) network (for software which is capable of disguising the individual identity of a computer which has accessed the internet); failing to deny Mr Skelton access to the data; providing the data to Mr Skelton via a USB stick which was not encrypted; and failing to ensure that Mr Skelton deleted the data from his computer by about 21 November 2013.
The Judge held that, save in relation to the last item — data deletion — Morrisons had provided adequate and appropriate controls in relation to each of those matters. The Judge made the following particular findings, among others, on those particular matters. He said (at [95]) that the incident for which Mr Skelton was disciplined did not itself suggest that Mr Skelton was not to be trusted. The Judge found (at [96]) that the technological and organisational measures current in 2013 and 2014 at their best could not altogether prevent the risk posed by a rogue employee who was trusted and had given no reason to doubt his trustworthiness. The Judge said (at [97]) that no one in employment at Morrisons knew, nor ought they to have known, that Mr Skelton bore a grudge against Morrisons, and was not to be trusted with data. The Judge found (at [97]) that, even if a senior manager had been aware that the email sent by Mr Leighton to Mr Skelton, attaching the payroll data, had bounced back, it would not have alerted Morrisons to the risk which Mr Skelton posed to the data.
The Judge dismissed (at [99]-[110]) the allegation that Morrisons should have been aware that Mr Skelton was attempting to research the TOR network on the grounds that it was not feasible, sensible or practicable for Morrisons to have implemented a system that could proactively have detected that Mr Skelton was researching the TOR network when he did, and, moreover, any such system would probably have amounted to an unlawful interference with employees’ rights to privacy and family life. The Judge added (at [110]) that, even if there had been a failure to monitor employees’ internet search usage, it is unlikely that it would have prevented the data disclosure by Mr Skelton. The Judge found (at [111]) that the USB stick used to convey the payroll data to Mr Skelton was encrypted and its use was not a breach of DPP 7, nor did the use of it cause or contribute to the disclosure which later occurred.
So far as concerns data deletion, the Judge found (at [118]) that there was no organised system for the deletion of data such as the payroll data stored for a brief while on Mr Skelton’s computer. To the extent that there was no failsafe system in respect of it, the Judge concluded that Morrisons fell short of the requirements of DPP 7. He said that, where data is held outside the usual secure repository used for it, there is an unnecessary risk of proliferation and of inadvertent disclosure (let alone deliberate action by an employee) revealing some of that data. Morrisons took that risk and did not need to do so. Organisational measures which would have been neither too difficult nor too onerous to implement could have been adopted to minimise it. The Judge also found (at [121]), however, that in the particular circumstances of the present case, by the time it would have been appropriate to conduct any check on deletion, the probability was that the information had already been copied by Mr Skelton; and, accordingly, to the extent that Morrisons fell short of DPP 7 in its duty to take appropriate organisational measures to guard against unlawful disclosure and data loss, that failure neither caused nor contributed to the disclosure which occurred.
As Morrisons did not directly misuse or authorise or carelessly permit the misuse of any information personal to the employees, the Judge dismissed (at [124]-[126]) the claims against Morrisons in equity and at common law for primary liability for breach of confidence and misuse of personal information.
The Judge then addressed the issue of Morrisons’ vicarious liability. He rejected what he described as two preliminary points on vicarious liability advanced by Morrisons. The first was whether the DPA by its terms excludes any possibility of vicarious liability. The second was whether the effect of the DPA was to exclude any scope for vicarious liability under the common law tort of misuse of private information or the equitable action for breach of confidence.
The Judge, having cited Harrison v National Coal Board [1951] AC 639, Rottman v Commissioner of Police of the Metropolis [2002] UKHL 20, [2002] 2 AC 692, Re McKerr [2004] UKHL 12, [2004] 1 WLR 807, Majrowski v Guy’s and St Thomas’ NHS Trust [2005] EWCA Civ 251, [2005] QB 848, R (Child Poverty Action Group) v Secretary of State for Work and Pensions [2010] UKSC 54, [2011] 2 AC 15, Mohamud v William Morrison Supermarkets plc [2016] UKSC 11; [2016] AC 677, Bellman v Northampton Recruitment Ltd [2016] EWHC 3104, QB; [2017] ICR 543, and Various Claimants v Barclays Bank plc [2017] EWHC 1929 (QB) 126; [2017] IRLR 1103, rejected both points.
On the first point, he said (at [156]) that, merely because the DPA had the effect that Mr Skelton became data controller of the information did not exclude vicarious liability for his breaches of statutory duty under the DPA in respect of that information. He accepted the argument for the claimants that the DPA was intended to supplement, not exclude, what would otherwise be liability.
As to the second point, he said (at [160]) that the purpose of the Directive was to provide greater protection for the rights of data subjects and that it is generally open to a member state to augment a minimum EU-wide standard of protection where protection is the aim. Accordingly, he could not conclude that the DPA excludes common law and equitable actions in respect of the same data disclosure. He said (at [162]) that the tort of misuse of private information and the action for breach of confidence do not run counter to the tenor of the DPA and are not incompatible with the statutory scheme: they are complementary.
Turning to the principles of vicarious liability, the Judge referred to a large number of further authorities: Armes v Nottinghamshire County Council [2017] UKSC 60; [2018] AC 355, Bazley v Curry (1999) 174 DLR (4th) 45, Lister v Hesley Hall Ltd [2002] AC 215, Rose v Plenty [1976] 1 WLR 141, Century Insurance Co Ltd v Northern Ireland Road Transport Board [1942] AC 509, Mattis v Pollock [2003] EWCA Civ 887, Williams v Hemphill [1966] UKHL 3, Credit Lyonnais v Export Credits Guarantee Department [2000] AC 486, Deatons v Flew [1949] 79 CLR 370 (High Court of Australia), Irving v Post Office [1987] IRLR 289, Weddall v Barchester Healthcare [2012] EWCA Civ 25, Bernard v Attorney General of Jamaica [2004] UKPC 47, Brown v Robinson [2004] UKPC 56, Fennelly v Connex Southeastern Limited [2000] EWCA Civ 5568; [2001] IRLR 390, Axon v Ministry of Defence [2016] EWHC 787 (QB); [2016] EMLR 20, Zuijs v Wirth Brothers Proprietary, Ltd (1955) 93 CLR 561, 571, Ready-Mixed Concrete v Minister of Pensions and National Insurance [1968] 2 QB 497, and Various Claimants v Catholic Child Welfare Society and others [2012] UKSC 56, [2013] 2 AC 1. The Judge held (at [197]) that, adopting the broad and evaluative approach encouraged by Lord Toulson in Mohamud, there was a sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons, to make it right for Morrisons to be held vicariously liable, whether for breach of duty under the DPA, a misuse of private information, or a breach of the duty of confidence. The findings of fact which led him to that conclusion are set out in [184] of the judgment, which we quote at [73] below.
The Judge concluded his judgment by saying that the point which most troubled him in reaching his conclusions was the submission that the wrongful acts of Mr Skelton were deliberately aimed at the party whom the claimants sought to hold responsible, such that to reach the conclusion he had might seem to render the court an accessory in furthering Mr Skelton’s criminal aims. It would appear that it was for that reason that he gave permission to appeal.
Grounds of appeal
There are three grounds of appeal. First, the Judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability. Second, the Judge ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Third, the Judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.
Respondent’s notice
The claimants have issued a respondent’s notice seeking to uphold the order of the Judge on the additional ground that, in evaluating whether there was a sufficient connection between Mr Skelton’s employment and his wrongful conduct to make it right for Morrisons to be held vicariously liable, the Judge ought to have taken into account that Mr Skelton’s job included the task or duty delegated to him by Morrisons of preserving confidentiality in the claimants’ payroll information.
It is important to observe that the claimants do not challenge on the appeal the Judge’s dismissal of the claims against Morrisons for breach of its statutory duties under the DPA; and neither side challenges the Judge’s finding that Mr Skelton, and not Morrisons, was the data controller under the DPA in respect of the data wrongfully copied by Mr Skelton onto his personal USB stick and subsequently disclosed by him on the internet (as to which, see Ittihadieh v 5-11 Cheyne Gardens RTM Co Ltd [2017] EWCA Civ 121, [2018] QB 256 at [70]-[71]).
Discussion
The first and second grounds of appeal
It is convenient to consider the first and second grounds of appeal together because, in substance, the first ground of appeal is merely a stepping stone for Morrisons’ contention that, in relation to the processing of personal data within the ambit of the DPA, it is a necessary implication of the DPA that there can be no vicarious liability for the common law tort of misuse of private information or for breach of the equitable duty of confidence.
There is no pleaded claim against Morrisons on the ground of vicarious liability for the statutory tort of breach of the DPA by Mr Skelton. The pleaded claim against Morrisons under the DPA is in respect of its primary liability for breach of its own direct statutory obligations imposed by the DPA. In the prayer to the Particulars of Claim damages are claimed pursuant to section 13 of the DPA for breach of Morrisons’ own statutory duties. The other two heads of claim in the prayer to the Particulars of Claim are for damages for misuse of private information and damages for breach of confidence. Morrisons’ vicarious liability arises, if at all, under those causes of action in respect of Mr Skelton’s wrongful acts.
The Judge, in accepting the claimants’ argument that an employer can be vicariously liable for the statutory tort of an employee data controller in breach of the DPA, did not refer to that pleading point. It does not matter, however, because, as we have said, from Morrisons’ perspective the issue is simply a plank in its argument that the DPA provides a comprehensive statutory code for the wrongful processing of personal data, and it expressly or impliedly excludes any scope for liability on an employer for the wrongful processing of personal data by an employee, whether the data controller is the employer or the employee.
Ms Anya Proops QC, for Morrisons, made extensive and elaborate submissions on the first and second grounds of appeal but the essence of her argument may be simply stated as follows.
The common law principle of vicarious liability is not confined to common law wrongs. It holds good for a wrong comprising a breach of statutory duty provided the statute does not expressly or impliedly indicate otherwise: Majrowski v Guy’s and St Thomas’s NHS Trust [2006] UKHL 34, [2007] 1 AC 224 at [10] (Lord Nicholls). The DPA does indicate the contrary. Pursuant to the Directive, the DPA seeks to achieve a balance between the right to privacy and the free flow of personal data from one member state to another in the interests of economic and social progress. It imposes express obligations on the data controller, primarily the obligation under section 4(4) to comply with the DPP. In accordance with ordinary principles of EU jurisprudence, those obligations are to be interpreted as proportionate ones. They are in any event expressly qualified in important respects by reference to what is appropriate or reasonable. So, DPP 7 requires that “appropriate” technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
What is “appropriate” is related to the state of technological development and the cost of implementing any measures as well as the harm that might result from unauthorised or unlawful processing or accidental loss, destruction or damage, and the nature of the data to be protected: Schedule 1 Part II para. 9. Importantly, under DPP 7 the data controller must take “reasonable steps” to ensure the reliability of any employees of his who have access to the personal data: Schedule 1 Part II para. 10. The DPA, therefore, expressly recognises the potential liability of a data controller for the wrongful processing of data by his employees. Instead, however, of imposing a vicarious liability, which is a strict liability irrespective of the employer’s fault, it imposes a primary liability on the employer restricted to taking “reasonable steps” to ensure the reliability of the relevant employees. Further, section 13(3) provides that it is a defence to an action by an individual for compensation from the data controller for breach of any of the requirements of the DPA that the data controller has taken such care as in all the circumstances was reasonably required to comply with the requirement concerned. In effect, so far as concerns civil liability, the liability is based on fault or culpability: cf. criminal liability under section 55 of the DPA.
Ms Proops also submitted that there are public policy considerations supporting an interpretation of the DPA which avoids imposing a disproportionate burden on the employer, particularly bearing in mind the difficulty of securing something intangible like data, the potential cost of ensuring compliance and the potential exposure of even small entities to claims for compensation for distress (as recognised in Vidal-Hall v Google Inc [2015] EWCA Civ 311, [2016] QB 1003) by large numbers of victims (as in the present case), all of which might have a chilling effect on enterprise and efficiency. The DPA imposes no express liability whatsoever on an employer, who is not a data controller, for wrongful processing of data in breach of the DPA by an employee who is a data controller and so subject to all the obligations and liabilities of a data controller under the DPA. For all these reasons, on the proper interpretation of the DPA, there is no scope for the subsistence of vicarious liability under the common law on an employer for breach of the statutory duty of an employee data controller to comply with the DPA.
So far as concerns liability at common law for misuse of private information or in equity for breach of confidence, Ms Proops’ core submission was that the DPA is specialist legislation which was intended by Parliament to cover the entire field of liability of an employer for the wrongful processing of personal data by an employee. In that connection she emphasised that the DPA, the tort of misuse of private information and the cause of action in equity for breach of confidence all relate to the same subject matter – privacy. She also relied on both the decision of the Court of Justice of the European Union (“the CJEU”) in C-101/01 Criminal proceedings against Lindqvist [2004] QB 1014 and the judgment of Lord Dyson JSC in R (Child Poverty Action Group) v Secretary of State for Work and Pensions [2010] UKSC 54, [2011] 2 AC 15.
One of the questions referred to the CJEU in Lindqvist was whether it is permissible for member states to provide for greater protection for personal data or a wider scope than are required under the Directive. The CJEU’s reply was that member states could only do so in respect of areas not included within the scope of the Directive. The CJEU said as follows:
“96 The harmonisation of those national laws is therefore not limited to minimal harmonisation but amounts to harmonisation which is generally complete. It is on that view that Directive 95/46 is intended to ensure free movement of personal data while guaranteeing a high level of protection for the rights and interests of the individuals to whom such data relate.
97 It is true that Directive 95/46 allows the member states a margin for manoeuvre in certain areas and authorises them to maintain or introduce particular rules for specific situations, as a large number of its provisions demonstrate. However, such possibilities must be made use of in the manner provided for by Directive 95/46 and in accordance with its objective of maintaining a balance between the free movement of personal data and the protection of private life.
98 On the other hand, nothing prevents a member state from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included within the scope thereof, provided that no other provision of Community law precludes it.
99 In the light of those considerations, the answer to the seventh question must be that measures taken by the member states to ensure the protection of personal data must be consistent both with the provisions of Directive 95/46 and with its objective of maintaining a balance between freedom of movement of personal data and the protection of private life. However, nothing prevents a member state from extending the scope of the national legislation implementing the provisions of Directive 95/46 to areas not included in the scope thereof, provided that no other provision of Community law precludes it.”
In the Child Poverty Action Group case the issue was whether the right to recover overpaid Social Security benefits made pursuant to an erroneous award was restricted to the right conferred by section 71 of the Social Security Administration Act 1992, which applied only where there has been overpayment as a consequence of either misrepresentation or non-disclosure, or whether there could be recovery by way of a claim in restitution at common law for money paid by mistake of law or fact. The Supreme Court held that the Secretary of State could only reclaim overpayments of benefits made pursuant to incorrect awards under section 71 of the 1992 Act; that is to say that section 71 constituted a comprehensive and exclusive scheme for dealing with all overpayments of benefit made pursuant to awards. Ms Proops relied on the judgment of Lord Dyson, in which he said in obiter remarks, that the test is whether in all the circumstances Parliament must have intended a common law remedy to coexist with the statutory remedy.
He elaborated as follows.
“33 If the two remedies cover precisely the same ground and are inconsistent with each other, then the common law remedy will almost certainly have been excluded by necessary implication. To do otherwise would circumvent the intention of Parliament. A good example of this is Marcic, where a sewerage undertaker was subject to an elaborate scheme of statutory regulation which included an independent regulator with powers of enforcement whose decisions were subject to judicial review. The statutory scheme provided a procedure for making complaints to the regulator. The House of Lords held that a cause of action in nuisance would be inconsistent with the statutory scheme. It would run counter to the intention of Parliament.
34 The question is not whether there are any differences between the common law remedy and the statutory scheme. There may well be differences. The question is whether the differences are so substantial that they demonstrate that Parliament could not have intended the common law remedy to survive the introduction of the statutory scheme. The court should not be too ready to find that a common law remedy has been displaced by a statutory one, not least because it is always open to Parliament to make the position clear by stating explicitly whether the statute is intended to be exhaustive. The mere fact that there are some differences between the common law and the statutory positions is unlikely to be sufficient unless they are substantial. The fact that the House of Lords was divided in Total Network SL [2008] AC 1174 shows how difficult it may sometimes be to decide on which side of the line a case falls. The question is whether, looked at as a whole, a common law remedy would be incompatible with the statutory scheme and therefore could not have been intended to coexist with it.”
Ms Proops submitted that it is clear that there are highly significant inconsistencies between the liabilities under the DPA of employers, whether they or their employees are data controllers, and the strict liability imposed at common law on principals by way of vicarious liability for the defaults of employees and others. As stated earlier, the requirements imposed on an employer under DPP 7 are qualified by concepts of appropriateness and reasonableness, and liability for compensation for contravention by a data controller of the requirements of the DPA is limited to cases where the data controller has failed to take reasonable care to comply with the requirement concerned. As also stated earlier, Morrisons contend that the terms of the DPA expressly or impliedly exclude the continued imposition of vicarious liability under the common law on an employer for breach of the statutory duty of an employee data controller to comply with the DPA.
That analysis was ably advanced by Ms Proops. We consider it is clear, however, that whatever the position on the first ground of appeal, the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by the DPA.
The applicable principle for determining that issue is clear. The question is whether, on the proper interpretation of the DPA, it is implicit that Parliament intended to exclude such vicarious liability. In her skeleton argument, Ms Proops criticised the Judge’s test of “necessary implication” but we consider that test to be entirely appropriate. If the statutory code covers precisely the same ground as vicarious liability at common law, and the two are inconsistent with each other in one or more substantial respects, then the common law remedy will almost certainly have been excluded by necessary implication. As Lord Dyson said in the Child Poverty Action Group case (at [34]) the question is whether, looked at as a whole, the common law remedy would be incompatible with the statutory scheme and therefore could not have been intended to coexist with it.
There are three major obstacles to Morrisons’ proposition in the present case that the DPA has by necessary implication excluded an employer’s vicarious liability at common law for an employee’s misuse of private information and breach of confidence.
The first, which is an obvious point, is that, if Parliament had intended such a substantial eradication of common law and equitable rights, it might have been expected to say so expressly. So far as concerns misuse of private information, Ms Proops submitted that the common law tort of misuse of private information was only established by Campbell v MGN Ltd [2004] UKHL 22, [2004] 2 AC 457, long after the DPA and, even more so, its statutory predecessor the Data Protection Act 1984. We doubt that is a correct analysis since, as Lord Nicholls observed in Campbell (at [14]), the courts had recognised long before the DPA that, irrespective of any confidential relationship, the law imposes a duty of confidence whenever a person receives information he or she knows or ought to know is fairly and reasonably to be regarded as confidential. The nomenclature “misuse of private information” may only have been coined in Campbell but the existence of the cause of action was known to exist well before the DPA.
Furthermore, as Mr Jonathan Barnes, counsel for the claimants, observed, the “processing” of data is defined so widely in section 1(1) of the DPA, that it is capable of embracing matters as varied as breach of copyright, defamation, harassment and negligence. If Parliament had intended to exclude the common law vicarious liability of an employer for the processing of information amounting to such a wide variety of non-statutory wrongs by an employee, who happened to be the data controller under the DPA, it is surprising that Parliament did not say so expressly.
Secondly, despite the wording of the second ground of appeal (“the DPA excludes the application of these judge-made causes of action and/or the imposition of vicarious liability for breaches of the same”) and some suggestions in Ms Proops’ opening oral submissions that the DPA impliedly excluded the entire tort of misuse of private information and the cause of action for breach of confidence in relation to the processing of personal data within the ambit of the DPA, she made it clear in her further oral submissions that only vicarious liability at common law and in equity was excluded. That is, of course, a necessary facet of the claimants’ position that Mr Skelton was not only in breach of the primary obligations laid on him by the DPA as data controller of the information disclosed by him but he was also primarily liable for the tort of misuse of private information and for breach of confidence in equity.
This is nevertheless an important concession. It is clear from the passages in the judgment of the CJEU quoted above that the Directive was intended to effect a complete harmonisation of the law affecting member states in order to achieve a balance between the free movement of personal data and the protection of private life, subject only to the right of member states to provide a different legal regime in national legislation for areas not included in the scope of the Directive and not otherwise contrary to EU law. There would therefore be some logic in an argument that, interpreted against that background, the DPA was intended to cover the entire field relating to the processing of data within the ambit of the DPA, to the exclusion of common law and equitable remedies. That would eliminate the possible difficulty of discrepancies between liability at common law or in equity, on the one hand, and liability under the DPA, on the other hand, due, for example, to the exemptions in Part IV of the DPA and the limitation of liability for compensation under section 13 of the DPA.
It is true that in Campbell, the courts at all stages – first instance, Court of Appeal and House of Lords – assumed that the causes of action for breach of confidence and (as characterised in the House of Lords) for misuse of private information subsist alongside the DPA. Ms Proops observed that the contrary was not argued in that case. She has not, however, sought to argue the contrary before us.
Morrisons’ acceptance that the causes of action at common law and in equity operate in parallel with the DPA in respect of the primary liability of the wrongdoer for the wrongful processing of personal data while at the same time contending that vicarious liability for the same causes of action has been excluded by the DPA is, on the face of it, a difficult line to tread. That is not least because it may be said to present an inconsistency in the application of one of the principal objects of the Directive and of the DPA, namely the protection of privacy and the provision of an effective remedy for its infringement (including by an employee of limited means), rather than their curtailment.
Thirdly, the difficulty of treading that line becomes insuperable on the facts of the present case because, as was emphasised by Mr Barnes, the DPA says nothing at all about the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller. That is the situation here in respect of the payroll data disclosed by Mr Skelton. It is common ground on this appeal that he, and not Morrisons, was the data controller under the DPA in respect of that data. As Ms Proops herself repeatedly emphasised in her submissions, in terms of processing duties and liability, the DPA is only concerned with the primary liability and obligations of the data controller. It has nothing at all to say about the liability of someone else for wrongful processing by the data controller. Parliament has not entered that field at all.
That is quite different from the situation in the cases on which Ms Proops relied. In those cases the legislation expressly and specifically addressed the circumstances which, it was contended, also gave rise to a common law remedy, but there were substantial differences between the two of them. The court held, as a matter of statutory interpretation, that the statutory remedy was exclusive: see the Child Poverty Action Group case (the facts of which, and the decision on section 71 of the Social Security Administration Act 1992, are summarised above); R (Omar) v Secretary of State for Foreign and Commonwealth Affairs [2013] EWCA Civ 118, [2014] QB 112 (held: the regime set out in the Crime (International Co-operation) Act 2003 for the obtaining of evidence for use in foreign proceedings was an exclusive procedure, which precluded a remedy under the principles in Norwich Pharmacal Co v Customs and Excise Commissioners [1974] AC 133); Investment Trust Companies v Revenue and Customs Commissioners [2017] UKSC 29, [2018] AC 275 (held: sections 80 and 80A of the Value Added Tax Act 1994 and the Value Added Tax Regulations 1995 provided an exhaustive code for the repayment by the commissioners of overpaid VAT and excluded non-statutory claims by anyone against the commissioners for overpaid VAT, such as the common law cause of action for unjust enrichment).
Further, on the issue of inconsistency, the contrast between the fault-based primary liability on an employer data controller under the DPA and the imposition of a strict vicarious liability on an employer for the defaults of an employee data controller is in truth no more of an anomaly than the position at common law. The common law imposes the same strict liability on an employer who is guilty of no fault. The legal policy which limits the imposition of that strict liability is the requirement of a sufficient connection between the default of the employee and the running of the employer’s enterprise.
In conclusion, the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.
The third ground of appeal
The submissions of Ms Proops in relation to the principles at common law for vicarious liability focused on the tests set out in the most recent decision of the Supreme Court on this issue, Mohamud v Wm Morrison Supermarkets plc [2016] AC 667. In that case, a petrol pump attendant (Mr Khan) assaulted a customer. Lord Toulson JSC, with whom all the other Justices agreed (though Lord Dyson MR gave a separate judgment) said at [40] that:-
“The risk of an employee misusing his position is one of life’s unavoidable facts.”
He continued at [44]-[46] and [48]:-
“44. In the simplest terms, the court has to consider two matters. The first question is what functions or “field of activities” have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job. As has been emphasised in several cases, this question must be addressed broadly. …
45. Secondly, the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ. To try to measure the closeness of connection, as it were, on a scale of 1 to 10, would be a forlorn exercise and, what is more, it would miss the point. The cases in which the necessary connection has been found for Holt CJ’s principle to be applied are cases in which the employee used or misused the position entrusted to him in a way which injured the third party. Lloyd v Grace, Smith & Co, Pettersson v Royal Oak Hotel Ltd and Lister v Hesley Hall Ltd were all cases in which the employee misused his position in a way which injured the claimant, and that is the reason why it was just that the employer who selected him and put him in that position should be held responsible. By contrast, in Warren v Henlys Ltd any misbehaviour by the petrol pump attendant, qua petrol pump attendant, was past history by the time that he assaulted the claimant. The claimant had in the meantime left the scene, and the context in which the assault occurred was that he had returned with the police officer to pursue a complaint against the attendant.
46. Contrary to the primary submission advanced on the claimant’s behalf, I am not persuaded that there is anything wrong with the Lister approach as such. It has been affirmed many times and I do not see that the law would now be improved by a change of vocabulary. Indeed, the more the argument developed, the less clear it became whether the claimant was advocating a different approach as a matter of substance and, if so, what the difference of substance was.
…
48. Mr Khan’s motive is irrelevant. It looks obvious that he was motivated by personal racism rather than a desire to benefit his employer’s business, but that is neither here nor there.”
The first question posed by Lord Toulson was answered in the present case by the Judge in his findings at [185]-[186] of his judgment in terms which we regard as plainly correct:-
“185. … I find that Morrisons deliberately entrusted Skelton with the payroll data. It was not merely something to which work gave him access: dealing with the data was a task specifically assigned to him. Associated with this, I find that in his role with Morrisons, day in and day out, he was in receipt of information which was confidential or to have limited circulation only: and he was appointed on the basis that this would happen, and he could be trusted to deal with it safely. Morrisons took the risk they might be wrong in placing the trust in him.
186. … [H]is role in respect of the payroll data was to receive and store it, and to disclose it to a third party. That in essence was his task, so far as the payroll data went: the fact that he chose to disclose it to others than KPMG was not authorised, but it was nonetheless closely related to what he was tasked to do.”
In relation to Lord Toulson’s second question (which is at the heart of the argument in the present case), Ms Proops submitted that the close connection test is not satisfied, since the tortious act which caused the harm was done by Mr Skelton at his home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work onto his personal USB stick.
The first aspect of this submission is the argument that the online disclosure of the data in January 2014 was the act which caused the harm; and that even if, contrary to Morrisons’ submissions, the original copying in November 2013 was done in the course of employment, the disclosure was not. Ms Proops relied on Credit Lyonnais Bank Nederland NV v Export Credits Guarantee Department [2000] 1 AC 486 for the proposition that every necessary element of the tort which founds liability must occur within the course of employment if vicarious liability is to apply. Lord Woolf MR said at page 495:-
“[the] conduct for which the servant is responsible must constitute an actionable tort and to make the employer responsible for that tort the conduct necessary to establish the employee’s liability must have occurred within the course of employment. … Before these can be vicarious liability, all the features of the wrong which are necessary to make the employee liable have to have occurred in the course of the employment.”
In the present case the claimants’ causes of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. At that stage, had any of them been aware of what happened, they could as a matter of law have claimed at least nominal damages and sought an injunction to prevent dissemination of the data. We agree with the Judge that the issue in the Credit Lyonnais case was not whether the acts complained of fell within the course of employment but rather (as he said at [189]):-
“whether acts which were committed without the course of employment, which were not in themselves tortious, could be aggregated with acts of another party so as to render the employee a joint tortfeasor with that party, for whose joint acts the employer would be held vicariously liable.”
A case on very different facts on which Ms Proops strongly relied was Warren v Henlys [1948] 2 All ER 945: like Mohamud, a case of an assault by a petrol pump attendant on a customer. The reported judgment was only a ruling by a trial judge (Hilbery J) but since it was cited with approval by Lord Toulson in Mohamud its status has been somewhat enhanced. Ms Proops relies on the observation about Warren by Lord Toulson at [45] of Mohamud that “any misbehaviour by the petrol pump attendant qua petrol pump attendant was past history by the time he assaulted the Claimant”; and argues that what Mr Skelton had done at work in November was past history by the time he distributed the data from home in January.
In this context, it is important to look closely at the precise facts of Warren v Henlys. These were summarised by Lord Toulson at [31]-[32] as follows:-
“31. In Warren v Henlys Ltd [1948] 2 All ER 935 a customer at a petrol station had an angry confrontation with the petrol station attendant, who wrongly suspected him of trying to make off without payment. The customer became enraged at the manner in which he was spoken to by the attendant. After paying for the petrol, the customer saw a passing police car and drove off after it. He complained to the police officer about the attendant’s conduct and persuaded the officer to return with him to the petrol station. The officer listened to both men and indicated that he did not think that it was a police matter, whereupon the customer said that he would report the attendant to his employer. The officer was on the point of leaving, when the attendant punched the customer in the face, knocking him to the ground.
32. Hilbery J held that the assault was not committed in the course of the attendant’s employment, applying the Salmond formula. By the time that the assault happened the customer’s business with the petrol station had ended, the petrol had been paid for and the customer had left the premises. When he returned with the police officer it was for the purpose of making a personal complaint about the attendant. The attendant reacted violently to being told that the customer was going to report him to his employer, but there was no basis for holding the employer vicariously liable for that behaviour. The judge was right to dismiss the customer’s claim against the petrol company. At the time of the incident the relationship between the plaintiff and the attendant had changed from that of customer and representative of the petrol company to that of a person making a complaint to the police and the subject of the complaint. In Lister v Hesley Hall Ltd [2002] 1 AC 215 Lord Millett commented, at para 80, that “the better view may have been that the employer was not liable because it was no part of the duties of the pump attendant to keep order”, but there is no suggestion in the report of the case that there was any other employee in practical charge of the forecourt and cash desk area. If the attendant had punched the customer because he believed, rightly or wrongly, that the customer was leaving without payment, I would regard such conduct as occurring within the course of his employment.”
We agree with the analysis of Asplin LJ in the recent case of Bellman v Northampton Recruitment Ltd [2018] EWCA Civ 2214 that it was not so much the temporal gap between the attendant’s argument with the customer and the assault which was significant in Warren v Henlys but rather the change in the nature of the relationship. As Hilbery J said ([1948] 2 All ER 935 at 938E):-
“It seems to me that it was an act entirely of personal vengeance. He was personally inflicting punishment, and intentionally inflicting punishment, on the Plaintiff because the Plaintiff proposed to take a step which might affect Beaumont in his own personal affairs. It had no connection whatever with the discharge of any duty for the Defendants. The act of assault by Beaumont was done by him in relation to a personal matter affecting his personal interests and there is no evidence that it was otherwise.”
Ms Proops also submitted that the effect of the jurisprudence on vicarious liability is that the employer is only liable if the employee was “on the job” when the tort occurred. That is her phrase rather than a phrase found in the leading authorities, and we must bear in mind Lord Toulson’s observation in Mohamud that the law would not be improved by a change of vocabulary. The same applies to her submission that vicarious liability only applies if the employee is seen to be acting in a representative function: a formulation which was expressly rejected by Lord Dyson JSC in Mohamud at [53].
It is no doubt true that, as Lord Clyde said in Lister v Hesley Hall Ltd [2002] 1 AC 215 at 235, the time and place at which the act or acts occurred will always be relevant, though not conclusive. Nevertheless, there are numerous cases in which employers have been held vicariously liable for torts committed away from the workplace. An example is the recent case of Bellman v Northampton Recruitment Ltd, to which we have already referred above. Mr Bellman was a sales manager for the Respondent recruitment firm. Mr Major was the firm’s managing director. A Christmas party was organised. At its end, Mr Major arranged taxis to transport staff to a hotel where they continued drinking, with drinks mainly paid for by the company. After a couple of hours, an argument broke out about a new employee’s placement and terms. Mr Major got cross and summoned staff to give them a long lecture on his authority. When Mr Bellman questioned Mr Major’s decisions, he (Major) punched him (Bellman), causing brain damage. It was held by this Court, reversing the trial judge, that the defendant company was vicariously liable for the assault by the managing director.
In supplementary submissions on Bellman, the decision of this Court having been handed down the day after the hearing in the present case, Ms Proops argued that it supported her case that vicarious liability only applies if the employee was “on the job” when the tortious act was committed. We do not agree. The judgment of Asplin LJ does not use that phrase but rather refers at [24] to Lord Toulson, in Mohamud, having considered helpful the expression “within the field of activities assigned to the employee”. The tortious acts of Mr Skelton in sending the claimants’ data to third parties were in our view within the field of activities assigned to him by Morrisons.
We consider that the careful and detailed findings by the Judge at [184] of his judgment are a complete answer to this part of Ms Proops’ argument:
“… I reject Ms Proops’ argument that the disclosure on the web of the payroll data was disconnected by time, place and nature from Skelton’s employment. I find, rather, that as Mr Barnes submitted there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events. My reasons for this are first that in October, prior to knowing he was again to be a conduit for payroll data between PeopleSoft and KPMG, Skelton showed signs of interest in the TOR network. When he knew (on 1st. November) that he was indeed to be the go-between, he obtained the mobile phone he was later to use just for making the criminal disclosures. He brought in a personal USB stick to work and copied payroll information to it in mid-November. Lying low for a while after that was necessary to create an appearance of separation and to avoid suspicion falling on him too readily. He again investigated TOR in December; adopted the user name and date of birth of a colleague to draw the blame onto him when setting up an account from which to upload the payroll data to the web; sent data to a web-sharing web-site in January, and either because that did not excite any great immediate interest, or because he had planned in advance to cause the maximum embarrassment to Morrisons immediately prior to the announcement of their financial results, sent the anonymous letters he did to three newspapers in March 2014. These actions were in my view all part of a plan, as the research and careful attempts to hide his tracks indicate. As I have already noted (para. 22 above) this is precisely the same view as that taken by HHJ Thomas QC when sentencing Skelton. This was no sequence of random events, but an unbroken chain beginning even before, but including, the first unlawful act of downloading data from his personal work computer to a personal USB stick.”
The findings of primary fact in this paragraph are not in dispute. The Judge’s evaluation of them in the opening and closing sentences of the paragraph as constituting a “seamless and continuous sequence” or “unbroken chain” of events is one with which we entirely agree. It is therefore unnecessary to embark on a discussion of the nature of the review by an appellate court of evaluative findings of this kind. In so far as the Judge’s conclusions involved a value judgment (see Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366 per Lord Nicholls at [24]), it is one with which we agree.
Thus far, there is nothing unusual or novel in legal terms about this case, but there is one novel feature to it. We were not shown any other reported case in which the motive of the employee committing the wrongdoing was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party. Ms Proops submitted that to impose vicarious liability on Morrisons in these circumstances would render the court an accessory in furthering Mr Skelton’s criminal aims. As we said at [32] above, this was the point which troubled the Judge and which appears to have persuaded him to grant Morrisons permission to appeal.
Since the decision of the House of Lords in Lloyd v Grace, Smith and Co [1912] AC 716, which is the foundation of the modern law of vicarious liability, it has been clearly established that an employer may be vicariously liable for deliberate wrongdoing by an employee. In Lloyd v Grace, Smith itself, the solicitor’s clerk dishonestly procured a conveyance in his own favour of the client’s property. His motive was greed. In the sexual abuse cases such as Lister v Hesley Hall Ltd and the Catholic Child Welfare Society case the motive for the tort was sexual gratification. In Mohamud the motive of the foul-mouthed petrol pump attendant was personal racism rather than a desire to benefit his employer’s business; but, said Lord Toulson, motive was irrelevant. Despite Ms Proops’ submissions on this point, we do not accept that there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer.
Ms Proops submitted that, given that there are 5,518 employees who are claimants in the present case, and the total number of employees whose confidential information was wrongly made public by Mr Skelton was nearly 100,000, this illustrates how enormous a burden a finding of vicarious liability in the present case will place on Morrisons and could place on other innocent employers in future cases. These arguments are unconvincing. As it happens Mr Skelton’s nefarious activities involved the data of a very large number of employees although, so far as we are aware, none of them has suffered financial loss. But suppose he had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally. Yet this hypothetical claimant would, as it seems to us, be in essentially the same position as Mrs Lloyd in Lloyd v Grace, Smith.
There have been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might, depending on the facts, lead to a large number of claims against the relevant company for potentially ruinous amounts. The solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees. We have not been told what the insurance position is in the present case, and of course it cannot affect the result. The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops on behalf of Morrisons.
Conclusion
For these reasons we agree with the Judge that Morrisons was vicariously liable for the torts committed by Mr Skelton against the claimants. The appeal is dismissed.
APPENDIX 1
THE DIRECTIVE
The following provisions of the Directive were mentioned in oral submissions before us.
Recitals
(2) Whereas data-processing systems are designed to serve man; whereas they must, whatever the nationality or residence of natural persons, respect their fundamental rights and freedoms, notably the right to privacy, and contribute to economic and social progress, trade expansion and the well-being of individuals;
(4) Whereas increasingly frequent recourse is being had in the Community to the processing of personal data in the various spheres of economic and social activity; whereas the progress made in information technology is making the processing and exchange of such data considerably easier;
(5) Whereas the economic and social integration resulting from the establishment and functioning of the internal market within the meaning of Article 7a of the Treaty will necessarily lead to a substantial increase in cross-border flows of personal data between all those involved in a private or public capacity in economic and social activity in the Member States; whereas the exchange of personal data between undertakings in different Member States is set to increase; whereas the national authorities in the various Member States are being called upon by virtue of Community law to collaborate and exchange personal data so as to be able to perform their duties or carry out tasks on behalf of an authority in another Member State within the context of the area without internal frontiers as constituted by the internal market;
(7) Whereas the difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the Member States may prevent the transmission of such data from the territory of one Member State to that of another Member State; whereas this difference may therefore constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the discharge of their responsibilities under Community law; whereas this difference in levels of protection is due to the existence of a wide variety of national laws, regulations and administrative provisions;
(8) Whereas, in order to remove the obstacles to flows of personal data, the level of protection of the rights and freedoms of individuals with regard to the processing of such data must be equivalent in all Member States; whereas this objective is vital to the internal market but cannot be achieved by the Member States alone, especially in view of the scale of the divergences which currently exist between the relevant laws in the Member States and the need to coordinate the laws of the Member States so as to ensure that the cross-border flow of personal data is regulated in a consistent manner that is in keeping with the objective of the internal market as provided for in Article 7a of the Treaty; whereas Community action to approximate those laws is therefore needed;
(10) Whereas the object of the national laws on the processing of personal data is to protect fundamental rights and freedoms, notably the right to privacy, which is recognized both in Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms and in the general principles of Community law; whereas, for that reason, the approximation of those laws must not result in any lessening of the protection they afford but must, on the contrary, seek to ensure a high level of protection in the Community;
(11) Whereas the principles of the protection of the rights and freedoms of individuals, notably the right to privacy, which are contained in this Directive, give substance to and amplify those contained in the Council of Europe Convention of 28 January 1981 for the Protection of Individuals with regard to Automatic Processing of Personal Data;
SECTION I
PRINCIPLES RELATING TO DATA QUALITY
Article 6
1. Member States shall provide that personal data must be:
(a) processed fairly and lawfully;
(b) collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes. Further processing of data for historical, statistical or scientific purposes shall not be considered as incompatible provided that Member States provide appropriate safeguards;
(c) adequate, relevant and not excessive in relation to the purposes for which they are collected and/or further processed;
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that data which are inaccurate or incomplete, having regard to the purposes for which they were collected or for which they are further processed, are erased or rectified;
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the data were collected or for which they are further processed. Member States shall lay down appropriate safeguards for personal data stored for longer periods for historical, statistical or scientific use.
2. It shall be for the controller to ensure that paragraph 1 is complied with.
SECTION IV
INFORMATION TO BE GIVEN TO THE DATA SUBJECT
Article 10
Information in cases of collection of data from the data subject
Member States shall provide that the controller or his representative must provide a data subject from whom data relating to himself are collected with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing for which the data are intended;
(c) any further information such as
– the recipients or categories of recipients of the data,
– whether replies to the questions are obligatory or voluntary, as well as the possible consequences of failure to reply,
– the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are collected, to guarantee fair processing in respect of the data subject.
Article 11
Information where the data have not been obtained from the data subject
1. Where the data have not been obtained from the data subject, Member States shall provide that the controller or his representative must at the time of undertaking the recording of personal data or if a disclosure to a third party is envisaged, no later than the time when the data are first disclosed provide the data subject with at least the following information, except where he already has it:
(a) the identity of the controller and of his representative, if any;
(b) the purposes of the processing;
(c) any further information such as
– the categories of data concerned,
– the recipients or categories of recipients,
– the existence of the right of access to and the right to rectify the data concerning him
in so far as such further information is necessary, having regard to the specific circumstances in which the data are processed, to guarantee fair processing in respect of the data subject.
2. Paragraph 1 shall not apply where, in particular for processing for statistical purposes or for the purposes of historical or scientific research, the provision of such information proves impossible or would involve a disproportionate effort or if recording or disclosure is expressly laid down by law. In these cases Member States shall provide appropriate safeguards.
CONFIDENTIALITY AND SECURITY OF PROCESSING
Article 17
Security of processing
1. Member States shall provide that the controller must implement appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction or accidental loss, alteration, unauthorized disclosure or access, in particular where the processing involves the transmission of data over a network, and against all other unlawful forms of processing.
Having regard to the state of the art and the cost of their implementation, such measures shall ensure a level of security appropriate to the risks represented by the processing and the nature of the data to be protected.
2. The Member States shall provide that the controller must, where processing is carried out on his behalf, choose a processor providing sufficient guarantees in respect of the technical security measures and organizational measures governing the processing to be carried out, and must ensure compliance with those measures.
3. The carrying out of processing by way of a processor must be governed by a contract or legal act binding the processor to the controller and stipulating in particular that:
– the processor shall act only on instructions from the controller,
– the obligations set out in paragraph 1, as defined by the law of the Member State in which the processor is established, shall also be incumbent on the processor.
4. For the purposes of keeping proof, the parts of the contract or the legal act relating to data protection and the requirements relating to the measures referred to in paragraph 1 shall be in writing or in another equivalent form.
CHAPTER III JUDICIAL REMEDIES, LIABILITY AND SANCTIONS
Article 23
Liability
1. Member States shall provide that any person who has suffered damage as a result of an unlawful processing operation or of any act incompatible with the national provisions adopted pursuant to this Directive is entitled to receive compensation from the controller for the damage suffered.
2. The controller may be exempted from this liability, in whole or in part, if he proves that he is not responsible for the event giving rise to the damage.
APPENDIX 2
THE DPA
1. Basic interpretative provisions
(1) In this Act, unless the context otherwise requires—
“data” means information which—
(a) is being processed by means of equipment operating automatically in response to instructions given for that purpose,
(b) is recorded with the intention that it should be processed by means of such equipment,
(c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system, or
(d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record as defined by section 68;
(e) is recorded information held by a public authority and does not fall within any of paragraphs (a) to (d);
“data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;
“data processor”, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller;
“data subject” means an individual who is the subject of personal data;
“personal data” means data which relate to a living individual who can be identified—
(a) from those data, or
(b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller,
and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual;
“processing”, in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including—
(a) organisation, adaptation or alteration of the information or data,
(b) retrieval, consultation or use of the information or data,
(c) disclosure of the information or data by transmission, dissemination or otherwise making available, or
(d) alignment, combination, blocking, erasure or destruction of the information or data;
(2) In this Act, unless the context otherwise requires—
(a) “obtaining” or “recording”, in relation to personal data, includes obtaining or recording the information to be contained in the data, and
(b) “using” or “disclosing”, in relation to personal data, includes using or disclosing the information contained in the data.
4. The data protection principles
(1) References in this Act to the data protection principles are to the principles set out in Part I of Schedule 1.
(2) Those principles are to be interpreted in accordance with Part II of Schedule 1.
(3) ….
(4) Subject to section 27(1), it shall be the duty of a data controller to comply with the data protection principles in relation to all personal data with respect to which he is the data controller.
13. Compensation for failure to comply with certain requirements
(1) An individual who suffers damage by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that damage.
(2) An individual who suffers distress by reason of any contravention by a data controller of any of the requirements of this Act is entitled to compensation from the data controller for that distress if—
(a) the individual also suffers damage by reason of the contravention, or
(b) the contravention relates to the processing of personal data for the special purposes.
(3) In proceedings brought against a person by virtue of this section it is a defence to prove that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned.
5 Unlawful obtaining etc. of personal data
(1) A person must not knowingly or recklessly, without the consent of the data controller—
(a) obtain or disclose personal data or the information contained in personal data, or
(b) procure the disclosure to another person of the information contained in personal data.
(2) Subsection (1) does not apply to a person who shows—
(a) that the obtaining, disclosing or procuring—
(i) was necessary for the purpose of preventing or detecting crime, or
(ii) was required or authorised by or under any enactment, by any rule of law or by the order of a court,
(b) that he acted in the reasonable belief that he had in law the right to obtain or disclose the data or information or, as the case may be, to procure the disclosure of the information to the other person,
(c) that he acted in the reasonable belief that he would have had the consent of the data controller if the data controller had known of the obtaining, disclosing or procuring and the circumstances of it, or
(d) that in the particular circumstances the obtaining, disclosing or procuring was justified as being in the public interest.
(3) A person who contravenes subsection (1) is guilty of an offence.
(4) A person who sells personal data is guilty of an offence if he has obtained the data in contravention of subsection (1).
(5) A person who offers to sell personal data is guilty of an offence if—
(a) he has obtained the data in contravention of subsection (1), or
(b) he subsequently obtains the data in contravention of that subsection.
(6) For the purposes of subsection (5), an advertisement indicating that personal data are or may be for sale is an offer to sell the data.
(7) Section 1(2) does not apply for the purposes of this section; and for the purposes of subsections (4) to (6), “personal data” includes information extracted from personal data.
(8) References in this section to personal data do not include references to personal data which by virtue of section 28 are exempt from this section.
SCHEDULE 1 The data protection principles
Part I The principles
1 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless—
(a) at least one of the conditions in Schedule 2 is met, and
(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2 Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3 Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.
4 Personal data shall be accurate and, where necessary, kept up to date.
5 Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6 Personal data shall be processed in accordance with the rights of data subjects under this Act.
7 Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8 Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.
Part II Interpretation of the principles in Part I
The first principle
1(1) In determining for the purposes of the first principle whether personal data are processed fairly, regard is to be had to the method by which they are obtained, including in particular whether any person from whom they are obtained is deceived or misled as to the purpose or purposes for which they are to be processed.
(2) Subject to paragraph 2, for the purposes of the first principle data are to be treated as obtained fairly if they consist of information obtained from a person who—
(a) is authorised by or under any enactment to supply it, or
(b) is required to supply it by or under any enactment or by any convention or other instrument imposing an international obligation on the United Kingdom.
2(1) Subject to paragraph 3, for the purposes of the first principle personal data are not to be treated as processed fairly unless—
(a) in the case of data obtained from the data subject, the data controller ensures so far as practicable that the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3), and
(b) in any other case, the data controller ensures so far as practicable that, before the relevant time or as soon as practicable after that time, the data subject has, is provided with, or has made readily available to him, the information specified in sub-paragraph (3).
(2) In sub-paragraph (1)(b) “the relevant time” means—
(a) the time when the data controller first processes the data, or
(b) in a case where at that time disclosure to a third party within a reasonable period is envisaged—
(i) if the data are in fact disclosed to such a person within that period, the time when the data are first disclosed,
(ii) if within that period the data controller becomes, or ought to become, aware that the data are unlikely to be disclosed to such a person within that period, the time when the data controller does become, or ought to become, so aware, or
(iii) in any other case, the end of that period.
(3) The information referred to in sub-paragraph (1) is as follows, namely—
(a) the identity of the data controller,
(b) if he has nominated a representative for the purposes of this Act, the identity of that representative,
(c) the purpose or purposes for which the data are intended to be processed, and
(d) any further information which is necessary, having regard to the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair.
The seventh principle
9 Having regard to the state of technological development and the cost of implementing any measures, the measures must ensure a level of security appropriate to—
(a) the harm that might result from such unauthorised or unlawful processing or accidental loss, destruction or damage as are mentioned in the seventh principle, and
(b) the nature of the data to be protected.
10 The data controller must take reasonable steps to ensure the reliability of any employees of his who have access to the personal data.
11 Where processing of personal data is carried out by a data processor on behalf of a data controller, the data controller must in order to comply with the seventh principle—
(a) choose a data processor providing sufficient guarantees in respect of the technical and organisational security measures governing the processing to be carried out, and
(b) take reasonable steps to ensure compliance with those measures.