Skip to main content
Legal case

Vicarious liability — the Supreme Court restores order

The Supreme Court has unanimously upheld the appeals of two defendant organisations against findings that they were vicariously liable for the…


The Supreme Court has unanimously upheld the appeals of two defendant organisations against findings that they were vicariously liable for the criminal acts of employees. In doing so, it has restored clarity and limits to a legal concept that had been stretched far beyond its intended scope.


It is four years since the Supreme Court delivered the dual vicarious liability judgments of Cox v Ministry of Justice [2016] UKSC 10 and Mohamud v WM Morrison Supermarkets [2016] UKSC 11. Today, it has handed down judgments in Barclays Bank plc v Various Claimants [2020] and WM Morrison Supermarkets v Various Claimants [2020]. Where does the law now stand?

The Barclays decision — stage one of the test for vicarious liability

Like Cox, which established the vicarious liability of the MoJ for the act of a working prisoner, the Barclays case primarily deals with stage one of the two-stage test for VL — is the relationship between the defendant and the tortfeasor one that is capable of giving rise to vicarious liability? The relationship under consideration in Barclays was between the bank and an independent doctor with no contract of employment, alleged to have sexually assaulted prospective employees in the course of occupational health assessments carried out at his home. Applying the five criteria relevant to the stage one test (as set out in Catholic Child Welfare Society v Various Claimants [2012] UKSC 56 — generally known as ‘Christian Brothers’), the Court of Appeal held that the relationship was akin to employment and therefore one to which vicarious liability could (and did) apply. The Supreme Court unanimously disagreed.

Whilst an organisation can be vicariously liable for acts of someone if the relationship is sufficiently akin to employment, this does not erode the distinction between employment/quasi-employment on the one hand and the relationship with an independent contractor on the other. Consideration of the five criteria in Christian Brothers may assist in considering whether a relationship is sufficiently analogous to employment, but this will not be necessary when it is clear that the tortfeasor is carrying on his own independent business. The doctor in this case was a classic independent contractor and the bank was not vicariously liable for the alleged assaults. The court noted the following features of the doctor’s work:

  • He was in business on his own as a medical practitioner.
  • He had his own portfolio of patients and clients.
  • He did work for Barclays in much the same way as an auditor or window cleaner.
  • He was not paid a retainer and was free to refuse to carry out examinations.
  • He will have carried his own medical liability insurance.

The Morrison decision — stage two of the test for VL

Like Mohamud, which established the liability of the supermarket for an employee’s racially motivated assault of a customer, the Morrison case deals with stage two of the test — is there a sufficiently “close connection” between the act of the tortfeasor and the relationship with the defendant for VL to attach? The act in question in Morrison was the intentional data breach perpetrated by a disgruntled employee (Skelton) with the specific aim of harming the organisation. After confirming that the Data Protection Act 1998 did not exclude the application of VL to a breach of that Act, the Court of Appeal held that the criminal act was within the scope of the relationship. Unanimously allowing Morrison’s appeal, the Supreme Court disagreed.

The court held that the trial judge had misunderstood and misapplied the relevant legal principles governing the “close connection” test. The court was required to consider (i) the “field of activities” entrusted by the employer to the employee, i.e. the acts the employee was authorised to do; and (ii) whether there was a sufficient connection between the employee’s authorised role and the wrongful conduct that it may fairly and properly be regarded as done in the ordinary course of employment. Applying these questions to the facts:

  • Disclosure of personal data online was not part of the employee’s field of activities; it was not an act he was authorised to do.
  • The Christian Brothers criteria were relevant to stage one of the test, not stage two.
  • Although there was a “close temporal link” between the provision of the data to the employee for onward transmission to auditors and his disclosure online, such a link or causal connection does not in itself satisfy the close connection test.
  • The employee was not engaged in furthering his employer’s business; he was “pursuing a personal vendetta”.
  • The wrongful conduct was therefore not so closely connected with his authorised acts that, for the purposes of vicarious liability, it could be fairly regarded as done in the course of his employment.


The Supreme Court took the opportunity to clarify any misunderstanding of Lord Toulson’s phrase “motive is irrelevant” from the Mohamud decision. The irrelevance of this in that case was simply that the judge had already concluded that the employee was (wrongly) going about his employer’s business rather than pursuing his private ends. This had supported the judge’s finding of the existence of a close connection between his field of activities and the commission of the tort. Having reached that conclusion, the reason why the employee had become so enraged as to assault the motorist could not make a material difference. By contrast, the reason Skelton acted wrongfully was “highly material” to the issue of whether he was acting on his employer’s business.

Whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA or for misuse of private information and breach of confidence

The second major issue before the court was whether the DPA excludes imposition of vicarious liability for the types of claim set out above. Although given the decision set out above the court did not need to determine this point they went on to consider it and confirmed their view that since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability did apply to the breach of the obligations which it imposes. Therefore, if, in different circumstances, vicarious liability was established, the employer would be liable.


These decisions restore order to the concept of vicarious liability. The Barclays judgment reinforces previously understood principles that an organisation will not generally be vicariously liable for the acts of an independent contractor. The Morrison judgment sensibly limits the acts of employees that will be deemed to satisfy the “close connection” test and confirms that “vicarious liability for wrongdoing by an employee is not determined according to individual judges’ sense of social justice.”

It should however be noted that the Morrison judgment does not alter the previous case law relating to how the close connection test is applied in cases concerned with sexual abuse, the court confirming that “a more tailored version of the test is applied in such cases” that takes account of “the employer’s conferral of authority on the employee over the victims” (paragraphs 23 and 36).


It is also important not to overlook the position on insurance. Many will recall that the Court of Appeal in Morrison had said that the solution for organisations facing potentially ruinous liability for damages in the event of a data breach caused by the actions of a malicious employee would be to insure against such a catastrophe. The gravity of that message may not seem so significant now, given today’s finding. However, it is no less important. Whilst Morrisons may have escaped the consequences of Skelton’s conduct and no vicarious liability arises on the facts of its particular case, the Supreme Court’s confirmation that the principle of vicarious liability may nonetheless apply to breaches of data protection law in other circumstances is not only a significant milestone in the strengthening of individual rights to privacy but also a clear call to action for businesses to improve organisational and technical measures to keep personal data safe and enhance governance around how it is used, by whom and how that is monitored. It is also likely to galvanise claimant lawyers, with a consequent impact on how organisations ought now to assess their risk exposure and options for risk transfer, including the importance of adequate insurance.

If the content of this update raises any issues for you, or you would like to discuss, please liaise with Peter Wake, Partner at or Martin Forshaw, Partner at

Sectors and Services featured in this article