Morrisons is not vicariously liable for data breach…but the Supreme Court does not rule out the possibility in future cases

Emma Keeling

On 1 April 2020, the UK Supreme Court unanimously overturned a 2018 Court of Appeal ruling that had found WM Morrisons Supermarkets PLC (Morrisons) vicariously liable for its employee’s misuse of private information, breach of confidence and breach of statutory duty under the Data Protection Act 1998 (DPA). Although this case was brought by reference to the DPA, it is likely that the analysis would apply equally under the GDPR.

After examining the facts of this case, the Supreme Court found that Morrisons was not vicariously liable (that is, not liable, as employer, for the tortious acts of its employee committed in the course of that employment). However, the court made clear that it remains possible for an employer to be held vicariously liable for a data breach under the DPA, for misuse of private information or for breach of confidence in other circumstances.

Back in 2014, a disgruntled Morrisons senior internal auditor, Andrew Skelton, leaked the payroll data of almost 100,000 Morrisons employees to an online file-sharing site and subsequently to various newspapers. Skelton was prosecuted and sentenced to eight years in prison.

Separately, a group action was brought against Morrisons, with over 9,000 current and former employees seeking damages for distress as a consequence of the leak of their personal data. Whilst the High Court, and subsequently the Court of Appeal, did not consider Morrisons to be directly liable for such damages, they did hold that Skelton was acting in the course of his employment and that Morrisons was therefore vicariously liable for misuse of private information, breach of confidence and breach of statutory duty under the DPA.

The Supreme Court disagreed, noting that the Court of Appeal had misunderstood the test of vicarious liability and that to consider Morrisons vicariously liable in this case would amount to a “major change in the law”.

The court confirmed that “Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment”. Whilst Skelton was legitimately given access to the payroll data for onward provision to Morrisons’ external auditor, his subsequent disclosure of the data online did not fall within his “field of activities”. The fact that there was a “close temporal link and an unbroken chain of causation” between his receipt of the payroll data and the unlawful disclosure was not, in itself, sufficient to meet the close connection test and establish vicarious liability. The Supreme Court also took account of the fact that Skelton was acting for personal reasons and not for Morrisons’ business.

Importantly, however, although Morrisons was not held to be vicariously liable on the facts of this case, the Supreme Court did not consider that vicarious liability was excluded as a general principle where an employer was not itself in breach of the DPA. It rejected the argument that, because the DPA contemplates fault-based liability, the common law should not impose additional no-fault (strict) liability on the employer of an employee who has become a data controller in their own right (as Skelton had). Given that the DPA was silent on this issue, the Supreme Court determined that, when an employee is a data controller, it remains possible, depending on the facts, for an employer to be held vicariously liable for that employee's breach of the DPA, misuse of private information or breach of confidence.

The judgment and press summary can be read here.