Ali v Luton Borough Council: the protection of personal data and what this judgment means for local authorities
The recent outcome of the case of Ali v Luton Borough Council will be a welcome relief to many Local Authorities, particularly those with concerns around employee access to particularly sensitive personal information and the Authority's role in ensuring that remains protected. We take a look at the case and what it means for Local Authorities.
What was the dispute about?
The dispute centred on the Claimant's concerns around the use of her personal data, and the personal data of her children, by an employee of Luton Borough Council. Prior to her separation from her husband, the Claimant had made reports to the Police about his conduct, which had subsequently led to a Multi Agency Referral being made to social services, regarding the welfare of the Claimant and her children. Those reports and associated information were stored on the Council's IT systems.
The Claimant's husband was romantically involved with a Ms Begum, who worked for the social services department of the Council. Ms Begum had accessed private reports containing information about the Claimant and her children and passed it on to the Claimant's husband. It transpired that Ms Begum had accessed a total of 10 reports relating to the Claimant and that 3 of those reports contained data of a highly sensitive nature which was capable of putting the family at risk.
When the Council became aware of the breach, it dismissed Ms Begum. She was also charged with one offence of unauthorised access to computer material, contrary to section 1 of the Computer Misuse Act 1990. She pleaded guilty to that charge and was sentenced to 3 months imprisonment, suspended for 12 months, together with 150 hours of unpaid community service.
There was no dispute that Ms Begum had breached the rights of the Claimant (and her two children) by accessing and disclosing to the Claimant's husband information on the Council's IT systems. However, the Claimant still brought a claim against the Council in respect of Ms Begum's conduct and alleged that the Council was vicariously liable for Ms Begum's wrongful acts as her employer. The Claimant sought the sum of £6,250 in compensation from the Council.
Had the Council acted inappropriately?
The court heard witness evidence around the access to the information by Ms Begum, and importantly, the policies and procedures that the Council had in place to safeguard the information held by the Children's Services teams, which by its very nature could be extremely sensitive. The Court considered how the information in question had been stored, and then ultimately accessed by Ms Begum.
All of the information relating to the Claimant and her children was compiled and stored on a case management system known as "Liquid Logic", which was a fairly common system found within local authorities.
In terms of access to the computer records, the Council confirmed that:
1. Permission to view Liquid Logic was on the basis of job role, not individual name.
2. Due to Ms Begum's role, she required unrestricted access to the system to ensure that she could review/obtain the information she needed without delay or in the event of a colleague being off sick or unable to attend a meeting.
3. Ms Begum's level of access to the documentation was in accordance with standard practice, given her role within Social Services.
4. The Council was also able to show that it had procedures in place for employees to report any personal connection to any of the clients on the system and that Ms Begum had received regular data protection training.
Whilst Ms Begum required unrestricted access to the system, in this instance she had accessed records when she had no need to do so, which was unlawful and which she knew to be unlawful.
Was the Council liable for the wrongdoing?
The Court considered the recent judgment of the Supreme Court in Claimants v Wm Morrison Supermarkets PLC and the test for establishing vicarious liability when making its decision. Specifically, it considered whether there was a close connection between what the employee is asked to do as part of her employment and the wrongful act committed. The Judge concluded that there was no evidence that when accessing and disclosing the relevant data, Ms Begum was engaged in furthering the business of the Council as her employer, and on that basis, Ms Begum was on a 'frolic of her own'.
It is simply not enough to establish vicarious liability for an employer to simply present the wrongdoer with the opportunity to abuse their position. In this instance, whilst Ms Begum had opportunity to access to the records, she had no reason to access them or process them in any way, as she had no professional connection/relationship to the Claimant or her children.
The judgment concludes that '… Ms Begum's wrongful conduct was not so closely connected with acts which she was authorised to do that, for the purposes of the Defendant's liability to third parties, it can fairly and properly be regarded as done by her while acting in the ordinary course of her employment.' The claim was dismissed.
Local Authorities process a range of sensitive personal data, stored on central IT systems and to which many employees have access. Whilst local authorities must keep access rights to such information under review and provide access only to those who need it in accordance with the data protection legislation, this judgment is clear that this has to be seen in context.
Local authorities will be pleased to see that in this case, it was entirely appropriate given the nature of Ms Begum's role for her to have access to a wide range of sensitive information, even if she did not need access to specific parts of it, including that relating to the Claimant and her children. The information did not need to be restricted on a case by case or worker by worker basis and it would be impractical, ineffective and potentially damaging to do so. Ultimately, the evidence suggested that the Council could not have done anything differently or included anything within its systems to have prevented the incident.
The judgment is clear in its message and is consistent with the approach adopted by Lord Reed in the Morrisons case. Local Authorities are likely to welcome this judgment and the further stability that it has given in relation to claims for vicarious liability in instances where a 'bad apple' employee is not furthering the business of its employer but engaging in conduct that was 'deliberate, planned and goes against every professional code of conduct we adhere to'.