Company not liable for employee's malicious disclosures after all, says UK Supreme Court

Thursday, 2 April, 2020

In a reversal of earlier decisions in the England and Wales courts, the UK Supreme Court has ruled that Morrisons Supermarkets was not vicariously liable for the actions of an employee who maliciously copied and published the company's entire workforce payroll data.

The employee, Andrew Skelton, was a member of the company's internal audit team who bore a grudge because he had been disciplined for minor misconduct. In early 2014, having made a copy of the payroll, he uploaded it to a publicly accessible filesharing website, and also sent it anonymously to three UK newspapers, one of which warned Morrisons about it. Morrisons immediately had the data taken down and reported the incident to the police. Skelton has since been jailed.

More than 5,000 of the company's 100,000 employees then claimed damages against the company, both directly and on the basis of vicarious liability for Skelton's acts, alleging breach of statutory duty under the Data Protection Act 2018, misuse of private information and breach of confidence.

In December 2017, the England and Wales High Court (EWHC) agreed with the claimants that Skelton had acted in the course of his employment and that Morrisons was thereby vicariously liable, although not directly so.

Morrisons appealed to the England and Wales Court of Appeal (EWCA), arguing that to impose vicarious liability on the company in these circumstances would render the court an accessory in furthering Skelton's criminal aims. However, the EWCA dismissed its appeal, noting that if Morrisons' arguments were correct, any of its employees who had suffered loss from the data breach, for example fraud by impersonation, would have no remedy except against Skelton personally.

The case has now been heard in the UK Supreme Court (UKSC), which overturned both the EWHC and EWCA’s rulings and excluded Morrisons from any liability. The EWHC judge and the EWCA misunderstood the principles governing vicarious liability in a number of respects, said Lord Reed in the written judgment. Online disclosure of the data was not part of Skelton's field of activities, as he was not authorised to do it. The lower courts had taken into account irrelevant factors from other cases where the wrongdoer was not an employee of the defendant company. Moreover, the usual 'close connection' test was not satisfied, and it was, in fact, ‘highly material’ whether Skelton was acting on his employer's business or for purely personal reasons.

The UKSC duly allowed the appeal, although Lord Reed did not rule out the possibility that vicarious liability could apply to a data protection breach under common law in other circumstances (Morrisons v Various Claimants, 2020 UKSC 12).

The decision restores normality to the previously established position on vicarious liability, said employment barrister Mark Thomas of 5 Essex Court. He added that employers who adopt conscientious and careful data control and protection measures can be relatively sure that they are protected against the legal consequences of vindictive data breaches.

'Employers will welcome this decision and will be reassured that they won't usually be responsible for the actions of any member of staff who deliberately inflicts harm on it or their staff', commented Glen Hayes of law firm Irwin Mitchell. 'For a while, it had looked as though the scope of vicarious liability was becoming enormously (and dangerously) wide.'