UK: Morrisons not liable for employee’s criminal data protection breach
In a keenly-awaited landmark ruling, the UK Supreme Court has ruled supermarket chain Morrisons is not liable for the conduct of an employee who leaked payroll data for over 100,000 workers and was subsequently jailed.
The appeal concerned the circumstances in which an employer is vicariously liable for wrongs committed by its employees, and also whether vicarious liability may arise for breaches by an employee of duties imposed by the Data Protection Act 1998.
Morrisons employee Andrew Skelton, part of the supermarket chain’s internal audit team, was tasked in November 2013 with transmitting payroll data for its entire workforce to its external auditors, as he had done the previous year.
Skelton did so but also made and kept a personal copy of the data, which he uploaded to a publicly accessible filesharing website in early 2014 and later sent anonymously to three UK newspapers, who alerted the supermarket chain.
Morrisons took immediate steps to remove the data from the internet and alerted police, leading to Skelton’s arrest and subsequent prosecution and imprisonment.
A number of affected employees then took proceedings against Morrisons personally and on the basis of its vicarious liability for Skelton’s acts. Their claims were for breach of statutory duty under the DPA, misuse of private information, and breach of confidence.
At trial, the judge concluded that the appellant bore no primary responsibility but was vicariously liable on each basis claimed. The judge rejected the appellant’s argument that vicarious liability was inapplicable given the DPA’s content and its foundation in an EU Directive. The judge also held that Skelton had acted in the course of his employment, on the basis of Lord Toulson’s judgment in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11.
The supermarket chain, represented by global legal business DWF, subsequently appealed unsuccessfully to the Court of Appeal in 2018 before bringing the case to the Supreme Court, which unanimously allowed the appeal.
Lord Reed, delivering the judgment, concluded that the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects. Considering the question afresh, no vicarious liability arises in the present case.
Skelton’s wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.
An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta. The “close connection” test elucidated by Lord Nicholls in Dubai Aluminium, in light of the cases that have applied it and on the particular facts of the present appeal, was not satisfied.
However, the court also found that Morrisons’ argument that the DPA excludes imposition of vicarious liability for either statutory or common law wrongs is wrong.
Kirsty Rogers, head of employment at DWF, said: “We are delighted to report that our client Morrisons has been successful in the landmark case in the Supreme Court concerning the criminal data breach committed by an employee which saw the personal data of employees put onto the internet.
“The court had already found that Morrisons had no fault-based liability and the Supreme Court has now ruled that Morrisons also has no no-fault vicarious liability for the malicious actions of its employee.”