Corporate briefing: employers and insurers can breathe more freely as two Supreme Court decisions rein in the limits of the key principle of vicarious liability

The Supreme Court provided two judgments on 1 April 2020 clarifying the law in relation to vicarious liability, WM Morrison Supermarkets v Various Claimants [2020] UKSC 12 and Barclays Bank v Various Claimants [2020] UKSC 13. Perhaps the key learning tip is to read both judgments given they, particularly the Morrisons decision, give us both (1) an entertaining history of the concept (including why having an affair with the partner of an armed police officer is not the smartest move you can make), but also (2) some clear 21st century limiters on the potential for employers to find themselves on the hook for an employee, in the language of Joel v Morison (1834) 6 C & P 501 at 503, “going on
a frolic of his own”.

As Lady Hale notes in Barclays, there are two requirements before vicarious liability can be established. “The first is a relationship between the two persons which makes it proper for the law to make the one pay for the fault of the other. Historically, and leaving aside relationships such as agency and partnership, that was limited to the relationship between employer and employee, but that has now been somewhat broadened. That is the subject matter of this case. The second is the connection between that relationship and the tortfeasor’s wrongdoing. Historically, the tort had to be committed in the course or within the scope of... employment, but that too has now been somewhat broadened. That is the subject matter of the Morrisons case.”


An earlier briefing (Journal, December 2018, 29) covered the earlier rulings in the Morrisons case which found the employers liable for data breaches deliberately committed by a disgruntled employee. The Supreme Court has not only overturned the earlier rulings but, in doing so, has also provided guidance in relation to the second aspect of vicarious liability.

In short, the public disclosure of the data was not so closely connected with the task of transmitting the payroll data to the auditors that it could properly and fairly be regarded as made while acting in the ordinary course of employment. A personal vendetta perpetrated by an employee would not normally entail vicarious liability for the employer. Furthermore, the “close connection” test
(Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366) was not satisfied.

The ruling is also of particular note in relation to how, if at all, the common law concept of vicarious liability might be affected by statutory data protection and data breaches where employees, and contractors, act as independent data controllers. The court did not have to rule on the detail here (because it had already decided there was no vicarious liability) but, usefully, indicated that imposing statutory liability on a data controller such as the employee was not inconsistent with the co-existence of vicarious liability under common law. The court concluded it was irrelevant that a data controller’s statutory liability under the DPA concerns, in essence, a lack of reasonable care, while vicarious liability for the conduct of an employee requires no proof of fault.


The case involved a group litigation against the bank in relation to numerous allegations of sexual assault perpetrated by a (now deceased) self-employed general medical practitioner who, at the house where he was operating his own business, assessed and examined prospective Barclays employees. In a unanimous decision, Lady Hale delivered the lead judgment and overturned the Court of Appeal’s decision.

The key issue was whether or not the doctor’s business was being carried on “on his own account” or whether there was a relationship “akin to employment”. If the doctor was carrying on his own independent business then it was unnecessary to consider the five tests detailed in previous case law (see Various Claimants v Catholic Child Welfare Society [2012] UKSC 56).

Here, the facts demonstrated the doctor had been in business in his own account. Consequently the bank was not vicariously liable for his assaults. The court recognised the allegations of very serious harm having been caused but, in these particular circumstances, considered the doctor not to be an employee. Amongst other factors the bank paid a fee for each report (there was no retainer arrangement), the doctor had his own insurance, could refuse to do a requested examination if he chose, and conducted examinations for a range of other clients.

As an aside, Lady Hale also gave helpful guidance in relation to the concept of “independent contractors” and s 230(3) of the Employment Rights Act 1996 (and the definition of a “worker”). In short, although the s 230(3) definition could be useful in relation to ascertaining who is a true independent contractor from an employment point of view, it is not helpful in relation to ascertaining vicarious liability because of the differing reasons behind the development of the two concepts.

The Author

Stephen Cotton, partner, Wright, Johnston & Mackenzie LLP

Share this article
Add To Favorites