Canada: When Employees Go Rogue: Are Employers Vicariously Liable For The Privacy Breaches Of Their Employees?

Last Updated: December 8 2017
Article by CyberLex Blog and Sara Babich

Most Read Contributor in Canada, September 2018

Although there has not yet been a definitive answer to this question in Canada, based on recent UK case law, it appears increasingly likely that, at least in some circumstances, the answer may be "yes".

In Various Claimants v WM Morrisons Supermarket Plc, (Rev 1) [2017] EWHC 3113 (QB) ("Morrisons"), the High Court said that the supermarket chain Morrisons was vicariously liable for the actions of an employee, who leaked the payroll data of nearly 100,000 employees. The case is the first successful class action for a data breach in the UK.

More and more, Canadian courts and adjudicators have been asked to grapple with similar privacy issues, particularly in light of the privacy torts that have gained traction in some Canadian jurisdictions. Thus far, Canadian courts have not opined directly on the issue of whether vicarious liability may be extended to employers in respect of the privacy breaches of their employees, but the case law to date is consistent with the recent UK decision which holds that the test for vicarious liability of an employer for the wrongful acts of its employees is the same as it is for any other wrongful act of an employee.

Current Canadian Law

In Ari v Insurance Corporation of British Columbia, 2015 BCCA 468 ("Ari") the BC Court of Appeal considered whether certain portions of a proposed class action ought to have been struck. In that case, the claimants alleged, among other things, that the employee's alleged breach of the Privacy Act, RSBC 1996, c 373, imported vicarious liability on to the employer.

The Court held that the Privacy Act did not exclude the imposition of vicarious liability on the employer and suggested that the principles of vicarious liability may be applied in the context of a breach of privacy by an employee just as they would to any other wrongful act of an employee.

However, since the Court in Ari was considering the test for striking out pleadings (specifically whether it was plain and obvious that there is no reasonable claim in breach of privacy against the Defendants), rather than evaluating the whole of the Action on its merits, the case is not a definitive answer to the question of whether and when an employer is vicariously liable for the privacy breaches of its employees.

In Hynes v Western Regional Integrated Health Authority, 2014 NLTD(G) 137, the Supreme Court of Newfoundland and Labrador considered whether the proposed class action for a breach of the Privacy Act, RSNL 1990 c P-22 and for the tort of intrusion upon seclusion should be granted, partly on the basis of whether the employer could be vicariously liable for an employee's wrongful breach of privacy.

The Court held that it was not plain and obvious that the assertion of vicarious liability would fail. The Court indicated that the issue of whether the employee's acts were so connected to authorized acts to justify the imposition of vicarious liability (the test for imposing vicarious liability) must be resolved at trial. Therefore, the Court's certification decision is not determinative of this issue.

In, Bigstone v St Pierre, 2011 SKCA 34 this issue was argued before the Chambers judge on an application to strike pleadings, but on appeal vicarious liability was not considered and the claim was struck on the basis that there were insufficient material facts pleaded to support the cause of action.

The Morrisons Case

Morrisons may provide an inkling as to how Canadian courts may approach the issue of vicarious liability of employers for privacy breaches committed by employees.

In Morrisons, a group of claimants brought an Action for breach of the Data Protection Act 1998 ("DPA"), as well as at common law for the tort of misuse of private information and an equitable claim for breach of confidence against Morrisons. The claimants were employees of Morrisons who had had their personal information taken and published online by a disgruntled employee, Mr. Skelton. Mr. Skelton had been a Senior IT Auditor who had obtained access to the private information of the claimants in the course of collating the data for transmission to Morrisons' auditors.

The claimants alleged both a direct breach of the DPA by Morrisons for failing to protect their data and that Morrisons was vicariously liable for the actions of its employee, Mr. Skelton.

Direct Liability

The Court held that Morrisons did not breach the DPA directly since it was not the "Data Controller" (as defined in the DPA) at the relevant time with respect to the data at issue. The specific acts complained of were those of a third party, Mr. Skelton, and not Morrisons.

The Court also considered whether Morrisons breached the DPA by failing to take appropriate measures to safeguard the data. Morrisons had put in place security systems which were generally considered by the Court to be adequate and appropriate.

The Court also assessed whether Morrisons ought to have done more to supervise Mr. Skelton. Although Morrisons could have taken additional measures to monitor Mr. Skelton and his work, the Court indicated that there is a level of additional supervision which is not only disproportionate to the risk but that may result in a claim by the employee being supervised that the measures are unfairly intrusive to his or her own rights.

Vicarious Liability

The Court then considered whether Morrisons was vicariously liable for the actions of Mr. Skelton. The Court held that vicarious liability was not excluded by the DPA and can be imposed where the circumstances so warrant. The Court found that the principles of vicarious liability of an employer for the acts of its employees do not change simply because the wrong complained of relates to a privacy breach as opposed to a different wrongful act of the employee.

Whether liability will be imposed depends on whether one of the two bases for liability in Bazley v Curry, [1999] 2 SCR 534 are met, specifically, whether (1) the employer has authorized the acts, or (2) the unauthorized acts are so connected with the authorized acts that they may be regarded as mode of doing an unauthorized act. The Court also considered the policy rationales behind imposing vicarious liability in the circumstances.

In Morrisons, the Court found that "there was an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events" even though the disclosure itself did not occur on a company computer or on company time. Dealing with sensitive confidential data was expressly part of Mr. Skelton's role. His job was to receive and pass on data to a third party. The fact that the actual third party recipient of the data was unauthorized did not disengage the act from his employment.

The Court noted that cases where vicarious liability has been upheld are those "where the employee misused his position in a way which injured the claimant" and "it was just that the employer who selected him and put him in that position should be held responsible." Further justification for imposing liability is that the employer has at least the theoretical right to control the employee's actions and has the ability to protect itself by insuring against the liability.

In the end result, Morrisons stands for the proposition that a company can be held liable to compensate affected individuals for loss (including non-pecuniary loss such as emotional distress) caused by a data breach, even when the breach was caused by an employee and there was no wrongdoing on the part of the company.

Importantly, the Court invited Morrisons to appeal the conclusion as to vicarious liability, considering that imposing liability in the circumstances may have served to render the Court an accessory to Mr. Skelton's criminal aims (namely punishing Morrisons for taking disciplinary action against Mr. Skelton).

What it Means for Employers

Although there remains no definitive answer in Canada yet, this case and the preceding Canadian case law suggests that companies must consider carefully who they place in trusted roles and, in addition to the systems they use to protect data, what measures they might take to guard against human risk, which the Court in Morrisons acknowledged can never be fully anticipated or prevented.

To view the full article, please click here

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.

To print this article, all you need is to be registered on

Click to Login as an existing user or Register so you can print this article.

In association with
Related Topics
Related Articles
Related Video
Up-coming Events Search
Font Size:
Mondaq on Twitter
Register for Access and our Free Biweekly Alert for
This service is completely free. Access 250,000 archived articles from 100+ countries and get a personalised email twice a week covering developments (and yes, our lawyers like to think you’ve read our Disclaimer).
Email Address
Company Name
Confirm Password
Mondaq Topics -- Select your Interests
 Law Performance
 Law Practice
 Media & IT
 Real Estate
 Wealth Mgt
Asia Pacific
European Union
Latin America
Middle East
United States
Worldwide Updates
Registration (you must scroll down to set your data preferences)

Mondaq Ltd requires you to register and provide information that personally identifies you, including your content preferences, for three primary purposes (full details of Mondaq’s use of your personal data can be found in our Privacy and Cookies Notice):

  • To allow you to personalize the Mondaq websites you are visiting to show content ("Content") relevant to your interests.
  • To enable features such as password reminder, news alerts, email a colleague, and linking from Mondaq (and its affiliate sites) to your website.
  • To produce demographic feedback for our content providers ("Contributors") who contribute Content for free for your use.

Mondaq hopes that our registered users will support us in maintaining our free to view business model by consenting to our use of your personal data as described below.

Mondaq has a "free to view" business model. Our services are paid for by Contributors in exchange for Mondaq providing them with access to information about who accesses their content. Once personal data is transferred to our Contributors they become a data controller of this personal data. They use it to measure the response that their articles are receiving, as a form of market research. They may also use it to provide Mondaq users with information about their products and services.

Details of each Contributor to which your personal data will be transferred is clearly stated within the Content that you access. For full details of how this Contributor will use your personal data, you should review the Contributor’s own Privacy Notice.

Please indicate your preference below:

Yes, I am happy to support Mondaq in maintaining its free to view business model by agreeing to allow Mondaq to share my personal data with Contributors whose Content I access
No, I do not want Mondaq to share my personal data with Contributors

Also please let us know whether you are happy to receive communications promoting products and services offered by Mondaq:

Yes, I am happy to received promotional communications from Mondaq
No, please do not send me promotional communications from Mondaq
Terms & Conditions (the Website) is owned and managed by Mondaq Ltd (Mondaq). Mondaq grants you a non-exclusive, revocable licence to access the Website and associated services, such as the Mondaq News Alerts (Services), subject to and in consideration of your compliance with the following terms and conditions of use (Terms). Your use of the Website and/or Services constitutes your agreement to the Terms. Mondaq may terminate your use of the Website and Services if you are in breach of these Terms or if Mondaq decides to terminate the licence granted hereunder for any reason whatsoever.

Use of

To Use you must be: eighteen (18) years old or over; legally capable of entering into binding contracts; and not in any way prohibited by the applicable law to enter into these Terms in the jurisdiction which you are currently located.

You may use the Website as an unregistered user, however, you are required to register as a user if you wish to read the full text of the Content or to receive the Services.

You may not modify, publish, transmit, transfer or sell, reproduce, create derivative works from, distribute, perform, link, display, or in any way exploit any of the Content, in whole or in part, except as expressly permitted in these Terms or with the prior written consent of Mondaq. You may not use electronic or other means to extract details or information from the Content. Nor shall you extract information about users or Contributors in order to offer them any services or products.

In your use of the Website and/or Services you shall: comply with all applicable laws, regulations, directives and legislations which apply to your Use of the Website and/or Services in whatever country you are physically located including without limitation any and all consumer law, export control laws and regulations; provide to us true, correct and accurate information and promptly inform us in the event that any information that you have provided to us changes or becomes inaccurate; notify Mondaq immediately of any circumstances where you have reason to believe that any Intellectual Property Rights or any other rights of any third party may have been infringed; co-operate with reasonable security or other checks or requests for information made by Mondaq from time to time; and at all times be fully liable for the breach of any of these Terms by a third party using your login details to access the Website and/or Services

however, you shall not: do anything likely to impair, interfere with or damage or cause harm or distress to any persons, or the network; do anything that will infringe any Intellectual Property Rights or other rights of Mondaq or any third party; or use the Website, Services and/or Content otherwise than in accordance with these Terms; use any trade marks or service marks of Mondaq or the Contributors, or do anything which may be seen to take unfair advantage of the reputation and goodwill of Mondaq or the Contributors, or the Website, Services and/or Content.

Mondaq reserves the right, in its sole discretion, to take any action that it deems necessary and appropriate in the event it considers that there is a breach or threatened breach of the Terms.

Mondaq’s Rights and Obligations

Unless otherwise expressly set out to the contrary, nothing in these Terms shall serve to transfer from Mondaq to you, any Intellectual Property Rights owned by and/or licensed to Mondaq and all rights, title and interest in and to such Intellectual Property Rights will remain exclusively with Mondaq and/or its licensors.

Mondaq shall use its reasonable endeavours to make the Website and Services available to you at all times, but we cannot guarantee an uninterrupted and fault free service.

Mondaq reserves the right to make changes to the services and/or the Website or part thereof, from time to time, and we may add, remove, modify and/or vary any elements of features and functionalities of the Website or the services.

Mondaq also reserves the right from time to time to monitor your Use of the Website and/or services.


The Content is general information only. It is not intended to constitute legal advice or seek to be the complete and comprehensive statement of the law, nor is it intended to address your specific requirements or provide advice on which reliance should be placed. Mondaq and/or its Contributors and other suppliers make no representations about the suitability of the information contained in the Content for any purpose. All Content provided "as is" without warranty of any kind. Mondaq and/or its Contributors and other suppliers hereby exclude and disclaim all representations, warranties or guarantees with regard to the Content, including all implied warranties and conditions of merchantability, fitness for a particular purpose, title and non-infringement. To the maximum extent permitted by law, Mondaq expressly excludes all representations, warranties, obligations, and liabilities arising out of or in connection with all Content. In no event shall Mondaq and/or its respective suppliers be liable for any special, indirect or consequential damages or any damages whatsoever resulting from loss of use, data or profits, whether in an action of contract, negligence or other tortious action, arising out of or in connection with the use of the Content or performance of Mondaq’s Services.


Mondaq may alter or amend these Terms by amending them on the Website. By continuing to Use the Services and/or the Website after such amendment, you will be deemed to have accepted any amendment to these Terms.

These Terms shall be governed by and construed in accordance with the laws of England and Wales and you irrevocably submit to the exclusive jurisdiction of the courts of England and Wales to settle any dispute which may arise out of or in connection with these Terms. If you live outside the United Kingdom, English law shall apply only to the extent that English law shall not deprive you of any legal protection accorded in accordance with the law of the place where you are habitually resident ("Local Law"). In the event English law deprives you of any legal protection which is accorded to you under Local Law, then these terms shall be governed by Local Law and any dispute or claim arising out of or in connection with these Terms shall be subject to the non-exclusive jurisdiction of the courts where you are habitually resident.

You may print and keep a copy of these Terms, which form the entire agreement between you and Mondaq and supersede any other communications or advertising in respect of the Service and/or the Website.

No delay in exercising or non-exercise by you and/or Mondaq of any of its rights under or in connection with these Terms shall operate as a waiver or release of each of your or Mondaq’s right. Rather, any such waiver or release must be specifically granted in writing signed by the party granting it.

If any part of these Terms is held unenforceable, that part shall be enforced to the maximum extent permissible so as to give effect to the intent of the parties, and the Terms shall continue in full force and effect.

Mondaq shall not incur any liability to you on account of any loss or damage resulting from any delay or failure to perform all or any part of these Terms if such delay or failure is caused, in whole or in part, by events, occurrences, or causes beyond the control of Mondaq. Such events, occurrences or causes will include, without limitation, acts of God, strikes, lockouts, server and network failure, riots, acts of war, earthquakes, fire and explosions.

By clicking Register you state you have read and agree to our Terms and Conditions