There is no denying that the pandemic has permanently altered the ways in which organisations have to manage their workforces, with a large proportion of the Australian workforce continuing to ‘WFH’ even as most states and territories come out of the stricter lockdown restrictions. Whilst not always (and perhaps rarely) representative of the wider workforce, a recent survey of legal professionals found that 41 per cent of respondents were not sure when they will return to the office full-time.

Within this context, and considering the fact that most data breaches are the result of human error or involve internal actors, the principle of vicarious liability applied indiscriminately to a distributed workforce raises concerns. However, recent case law has shown that vicarious liability is certainly not a blanket principle and its application is not always clear.

Under the doctrine of ‘vicarious liability’, one party may be held personally liable for the conduct of another party. This typically applies to the employer-employee relationship where an employer may be held liable for an employee’s breach of the law. A finding of vicarious liability under Australian law generally requires that:

  • there is an employment relationship between the two parties; and
  • the employee’s conduct or wrongdoing occurred in the course of employment.

But the line between what is and what isn’t in the course of employment is more likely to be blurred when employees are working remotely.  

When not in the course of employment – a frolic of one’s own

This principle, which is substantially similar in the UK, was recently tested in a UK Supreme Court decision, WM Morrison Supermarkets plc v Various Claimants (Morrison Case).

Morrison Supermarkets employed Andrew Skelton in its internal audit team. In 2013, Mr Skelton received a verbal warning following disciplinary proceedings for minor misconduct. Later that year, Mr Skelton was tasked with transmitting payroll data for Morrison Supermarkets’ entire workforce to its external auditors. In completing the data transfer, Mr Skelton also secretly made a personal copy of the data-set, which contained details of nearly 100,000 employees including their salary, bank account, national insurance and address data. Mr Skelton subsequently uploaded (incidentally whilst at home) the dataset to a publicly accessible filesharing website and alerted several news outlets to the existence of the online data set.

A class action of some 9000 of the affected Morrison Supermarkets employees was brought against Morrison Supermarkets in its personal capacity on the basis of vicarious liability for Mr Skelton’s acts. On appeal to the Supreme Court, the decisions of the trial judge and Court of Appeal were overturned, the Supreme Court holding that Morrison Supermarkets was not vicariously liable for Mr Skelton’s conduct.

The Supreme Court considered arguments that Mr Skelton’s conduct was carried out in the course of his employment as he was only in a position to make the unlawful disclosure as a result of his employment duties. However, it clarified that there is a distinction between cases where an “…employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own' ". The Supreme Court found that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question, but rather was pursuing a “personal vendetta…seeking vengeance”.

When possibly in the course of employment – opportunity and occasion

In some ways, the Morrison Case is aligned with the Australian position in the High Court decision in Prince Alfred College Inc v ADC (PAC Case). This case involved a determination as to whether the sexual abuse of a student and boarder at Prince Alfred College by a boarding master employed by the College was committed in the course of the boarding master’s employment.

Like the UK Supreme Court, the High Court recognised that the fact that employment provides an opportunity for the commission of a wrongdoing - whilst a necessary element - is not, of itself, a sufficient basis to find vicarious liability. However, it is in the characterisation of the second element, occasion, where the two decisions may differ.

The High Court held that in cases of vicarious liability, the ‘relevant approach’ is to consider any special role that the employer has assigned to the employee and the position in which the employee is thereby placed vis-à-vis the victim. In determining whether the apparent performance of such a role may be said to give the ‘occasion’ for the wrongful act, particular features may be taken into account. They include authority, power, trust and control.

On application of the ‘relevant approach’ in the PAC Case to the facts of the Morrison Case, Mr Skelton’s role arguably meets the criteria of providing both opportunity and occasion. Mr Skelton was given the task of accessing and copying highly sensitive employee data. This gave him a level of power, authority, trust and control over the victims of the data breach. On this interpretation, it is feasible that Morrison Supermarkets could be held vicariously liable under Australian law for Mr Skelton’s unauthorised disclosure.

Clearly distinguishing the rogue - training is critical

Similar to the result in the Morrison Case, the ‘rogue employee’ defence has had some weight in the New South Wales privacy jurisdiction to ensure that New South Wales government agencies have rarely been found vicariously liable in relation to privacy and data breaches carried out by agency employees. The rogue employee defence asserts that an employee’s misuse or unauthorised disclosure of personal information must be for a purpose extraneous to the purposes of the government agency and therefore the agency itself should not be liable for breach of relevant privacy law. In these circumstances, the employee may be criminally charged, while the agency is not held to account.

A relatively recent NCAT decision, CJU v SafeWork NSW (CJU Case), cast doubt on the rogue employee defence’s continued efficacy. In the CJU Case, the respondent’s employee disclosed to the Crown Solicitor’s Office information about a complaint the applicant had made to SafeWork NSW regarding her employment conditions. The respondent admitted its employee’s disclosure was unauthorised under relevant privacy legislation. However, it was argued and accepted that the disclosure was made due to the employee’s ignorance as to the agency’s regulatory obligations, rather than out of malice. This prevented the respondent from running the rogue employee defence.  

One of the distinguishing features of the CJU Case was NCAT’s characterisation and assessment of the respondent’s employee training program. NCAT found that the training that had been implemented by the respondent was inadequate to convey to staff their responsibilities whilst exercising the functions and powers of the respondent. The effect of the CJU Case was essentially that adequate training (as outlined below) will plug the hole in the rogue employee defence: agency employees will not breach privacy legislation because they are educated on their operation and application or, in circumstances where they are implicated in breaches, it is open to the agency to argue that the employee knows (due to adequate training) the use or disclosure of the information is extraneous to the agency’s purposes and is therefore the act of a rogue employee.

Indicators of appropriate training

The CJU Case discussed several improvements made by the respondent to their employee training modules in light of the unauthorised disclosure. NCAT considered the new training measures were ‘inadequate’ and that there remained ‘a sufficient risk of a future breach’. The improvements included:

  • an overview of relevant privacy legislation;
  • outlining good practice in relation to the collection, storage, use and disclosure of personal information;
  • inform all staff of their legal responsibilities and obligations under relevant privacy legislation;
  • examples of hypothetical privacy related situations and suggested answers; and
  • an assessment component, with a 70% set minimum pass mark.

With myriad forms of a distributed workforce here to stay, it is not entirely clear how the principles of vicarious liability will interpret, and adapt to, that changing workforce. However, in respect of data breaches and data security, implementing a robust and constant training programme for employees working in a distributed manner will go a long way to support an argument that the actions of an employee were rogue and outside the course of employment, and therefore outside the boundaries of vicarious liability.


Authors: Melissa Fai and Jack Corcoran