Should an employer be vicariously liable when data is accessed unlawfully?

By David Williams

Published 09 June 2026

Overview

When an employer provides its employees with access to the personal data of other individuals, should it be liable for the actions of an employee who uses that access for their own reasons and, in so doing, acts unlawfully?

In many sectors, providing employees with the means to process personal data is essential in order for organisations to undertake their business. For example, health care providers need to enable their clinicians to access the medical records of their patients in order to provide care to them, local authorities need to provide their employees with access to the data of local residents in relation to housing applications, and police forces need access to the records of individuals accused of criminal offences. 

Once those organisations have provided appropriate training to their employees on the circumstances in which they are permitted to access the records of individuals, should they then be vicariously liable for the actions of an employee who accesses their records for unauthorised reasons?

On 10 April 2026, His Honour Judge Bird, sitting as a High Court Judge, considered this question in the context of an application for summary judgment by the defendant in JXK and Bamford v The Chief Constable of Greater Manchester.

A police officer had accessed and misused personal data relating to the claimants and then disclosed it to third parties. He was convicted on a guilty plea of 31 offences under the Data Protection and Computer Misuse Legislation. A claim was brought by the claimants against the Chief Constable for damages.

It was not disputed that the relevant data were held by the police, that the data were accessible to the officer only because of his position as a police officer, and that his actions were unauthorised, contrary to his training and the instructions given to him by the defendant, and a frolic of his own. The computer system gave a warning on the login page that the data contained in the system could only be used for authorised purposes.

The circumstances of this claim are similar to those in which clinicians access the medical records of their relatives or ex-partners, or local authority employees access the records of their neighbours without a business reason to do so. 

In considering this matter, His Honour Judge Bird considered the judgment in Ali v Luton Borough Council, which in turn considered Various Claimants v Wm Morrison Supermarkets plc, and the following four principles:

  • There must be a close connection between the wrongful conduct and the acts the employee was authorised to do. The close connection must be such that the wrongful conduct may "fairly and properly" (having regard to guidance provided in decided cases) be regarded as having been done in the course of employment.
  • The mere fact that the wrongdoer's employment gave them the opportunity to commit the wrongful act would in itself be insufficient to meet the close connection test.
  • Closely connected to the above, the mere performance of acts "of the class which the wrongdoer was authorised or employed to do may so clearly depart from the scope of his employment that their employer will not be liable for their wrongful acts".
  • The wrongdoer must be acting in "the course of their employment". If they are not engaged in that way but rather are "pursuing their own interests" (or on a frolic of their own), no vicarious liability arises.

In JXK, His Honour Judge Bird concluded that the wrongful accessing and dissemination of information that had been lawfully accessed were expressly forbidden by the defendant with obvious good reason. The data was sensitive, obviously private and collected for very limited and specific police-related purposes. To access and disseminate the data in these circumstances (or simply to disseminate data that had been lawfully accessed) was a pursuit of the police officer's own "interests" and wholly and obviously divorced from the course of his employment.

The only arguable connection between the wrongdoing and the police officer's "employment" was that the employment afforded the police officer the means to do the wrong. Such a connection is not "close". Put another way: the actions which gave rise to the claim (accessing data and disseminating them) may, if a broad view is taken, be viewed as being within "the class" (or type) of actions the wrongdoer was authorised or employed to do. However, the actions of the police officer "so clearly depart from the scope of his employment" that the defendant cannot, on any sensible view, be held responsible.

The extent of departure from the scope of authorised activity could not be clearer. The actions were criminal, contrary to policy and would be seen by any impartial observer as wholly divorced from the functions of a constable. The second claimant's pleaded case was that the police officer's intention was to "manipulate and intimidate". The first claimant's pleaded case was that her personal data was accessed and used to create a forged letter purporting to come from her.

Given the above, His Honour Judge Bird concluded that the claimants' case had no reasonable prospects of success, entering summary judgment in favour of the defendant and dismissing the claim. Approaching the matter as if the police officer was employed, there was no relevant "close connection" between the officer's wrongdoings in respect of misfeasance or otherwise, and his duties as a police constable, sufficient to give rise to vicarious liability on the part of the defendant.

Whilst, in this case, the officer had pleaded guilty to criminal offences in relation to the accessing of personal data, the judgment will be of assistance in defending data breach claims relating to the unauthorised access of records.
