Employer's liability for employee’s data leak

The Claimant was disciplined by his employer, the MOD, following an investigation into his alleged bullying of other employees. In that same month, the Sun published articles about the incident. He subsequently resigned from his senior position.

Subsequently the Claimant discovered that the source for the article in the Sun had been another employee, (someone who had been prosecuted for leaking information to the newspaper about another matter). He issued claims for misuse of private information against his former employer arising out of the unauthorised disclosures of information about him that gave rise to the Sun’s coverage.

In a judgment given on 11 April 2016, these claims were dismissed. The judge

concluded that the Claimant did not have a reasonable expectation of privacy in respect of the information about the bullying complaints, the investigation and its aftermath. Essentially, this was because the Claimant had been in a “very public position” (due to the nature of his employment by the MOD).

However, a very interesting part of the judgment concerned vicarious liability.

The judge accepted that what the other employee did was without the knowledge of the employer, received no encouragement from the employer and indeed was prohibited, but “…those features do not preclude vicarious liability …” and:

 “There is always an inherent risk that those entrusted with such information will abuse the trust reposed in them, but rather than this being a reason why vicarious liability should not be imposed, I think, on the contrary, it is a reason in its favour

In this case the judge decided that the Claimant (due to his position) did not justifiably have a reasonable expectation of privacy and that this was fatal to his claim for misuse of private information. However, this would not apply to claims under the Data Protection Act 1998 (DPA) – and questions of vicarious liability arise relatively increasingly frequently in data breach cases.


This judgement means that there is a possibility that when personal information is sold, leaked or otherwise wrongly disclosed by an employee those individuals whose privacy has been compromised, (e.g. other employees, customers, etc.), can successfully bring claims for compensation against the employer/data controller under the DPA.

The case is Axon v Ministry of Defence [2016] EWHC 787 (QB).

Leave a Reply

Your email address will not be published. Required fields are marked *