Supreme Court rules on vicarious liability for data breach

The Supreme Court has ruled unanimously that supermarket chain Morrisons was not liable for the actions of an employee who published staff salary data.

In WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 it said the lower courts had been wrong to rule that Morrisons was vicariously liable for the man’s actions. 

In November 2013, an employee named Andrew Skelton downloaded payroll data he used in his work and took this home on a USB stick.

He had a grudge against Morrisons over another incident and uploaded the data onto a file-sharing website and later sent it to newspapers.

Mr Skelton was convicted and sentenced to eight years’ imprisonment, but following the data breach more than 5,500 affected employees issued a claim against Morrisons for breach of the Data Protection Act, misuse of private information and breach of confidence.

The Supreme Court said the issues in Morrisons’ appeal were whether the Data Protection Act 1988 excluded the application of vicarious liability to a breach of it, or for misuse of private information or breach of confidence, and whether the Court of Appeal erred in concluding that the disclosure of data occurred in the course of Mr Skelton’s employment, for which the appellant should be held vicariously liable.

At the original hearing the judge had held that Morrisons bore no primary responsibility but was vicariously liable and that Skelton had acted in the course of his employment.

Morrisons’ subsequent appeal to the Court of Appeal was dismissed.

In the Supreme Court Lord Reed gave the only judgment, with which Lady Hale, Lord Kerr, Lord Hodge and Lord Lloyd-Jones agreed.

The ruling said: “The court concludes that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of aspects.

“The online disclosure of the data was not part of Skelton’s ‘field of activities’, as it was not an act which he was authorised to do.”

Judges said a temporal or causal connection alone “does not satisfy the ‘close connection’ test” for vicarious liability and that it was “highly material whether Skelton was acting on his employer’s business or for purely personal reasons”.

They found: “No vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.

“On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.

“An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.”

The Supreme Court ruled, though, that the Data Protection Act did not exclude imposition of vicarious liability for either statutory or common law wrongs.

It said: “Imposing statutory liability on a data controller like Skelton is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller’s employer.”

Mark Smulian