Menu Search through site content What are you looking for?

Morrisons' Supreme Court appeal successful on vicarious liability for data theft by an employee

  • Legal Development 01 April 2020 01 April 2020
  • UK & Europe

The Supreme Court has found that the supermarket chain Morrisons was not vicariously liable for the actions of a rogue employee who, driven by a grudge against the company, took payroll data relating to 100,000 employees and published it online.

Morrisons' Supreme Court appeal successful on vicarious liability for data theft by an employee


Mr Skelton, a disgruntled employee of Morrisons, leaked the personal details (including bank account details) of almost 100,000 employees on the internet. He was a senior IT auditor and had been motivated by a grudge against Morrisons. The High Court concluded that Morrisons was not directly liable for the breach, which it had not authorised or required, and it was not the "data controller" at the time of the breach. It said that Morrisons had put in place adequate and appropriate controls and there was no indication that Mr Skelton, although upset by recent disciplinary action, could not be trusted to do his job. There was no appeal from that decision. However, the judge found that Morrisons was vicariously liable for the breach - and they appealed against that decision.

The Court of Appeal dismissed their appeal. It agreed that, on the facts, the High Court was correct to find that there had been a "seamless and continuous sequence" of events between the breach and the employment relationship. Dealing with the employees' data was a task specifically assigned to Mr Skelton. Nor did it make any difference that the breach took place away from the workplace, using the employee's own computer on a Sunday.

The Court of Appeal also agreed with the High Court that it is possible for an employer to be held vicariously liable for breaches by an employee of the data protection legislation.

Supreme Court decision

There were two key issues for the Supreme Court to decide:

  1. Was Morrisons vicariously liable for the employee's conduct?
  2. Was vicarious liability excluded under the data protection legislation?

On the first issue, the Supreme Court allowed the appeal. It said that the Court of Appeal had misunderstood the principles of vicarious liability, and in particular the "close connection" test.

The "close connection" test can be broken down into two questions:

  1. What was the function or field of activities that the employer had entrusted to the employee?
  2. Was there sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice?

The Supreme Court clarified the following points:

  1. Field of activities: uploading personal data online was not part of the employee's "field of activities", as Mr Skelton was not authorised to do so
  2. Sufficient connection: a causal connection alone does not satisfy the close connection test
  3. It is highly relevant whether an employee is acting on their employer's business, or if it is for purely personal reasons

The Supreme Court held that no vicarious liability arose because Mr Skelton was authorised to transmit payroll data to the auditors, and not to upload the personal date online. His online disclosure was not so closely connected to that task that it could be regarded as having been made in the course of his employment. 

As the Supreme Court allowed the appeal on the basis that Morrisons was not vicariously liable for their employee's conduct, it was not necessary to consider the second issue, whether data protection legislation excludes vicarious liability. But the Court did express the view that the argument that vicarious liability was excluded under data protection law was unconvincing.

What this decision means for employers

This decision has significant implications for employers who feared that this case would set a precedent for future class actions arising out of data breaches by rogue employees. It offers some reassurance to employers, that although employment may provide an opportunity to commit a wrongful act, this is not of itself sufficient to make an employer vicariously liable for such an act. Employers will not normally be vicariously liable where an employee is not engaged with furthering the employer's business and commits a wrongful act while pursuing a personal vendetta.  

Employers should also note that they may be vicariously liable under data protection laws for the acts of their employees, in circumstances where the "close connection" test is satisfied - but this will depend on the particular circumstances.

WM Morrisons Supermarkets plc v Various Claimants


Stay up to date with Clyde & Co

Sign up to receive email updates straight to your inbox!