Out-Law / Your Daily Need-To-Know

Morrisons wins landmark data case on vicarious liability

01 Apr 2020, 1:58 pm

Supermarket Morrisons is not vicariously liable for an employee's breach of data protection laws, the UK Supreme Court has ruled.

David Barker

Partner

The Supreme Court stopped short of finding that vicarious liability can never arise under data protection legislation

The Supreme Court said that while Skelton was authorised to transmit the payroll data to the auditors, the wrongful disclosure of the data "was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment".

The court confirmed, however, that it may be possible in other cases for employees to hold their employer vicariously liable for statutory breaches of data protection law, or for misuse of private information or a breach of confidence.

Data protection and cyber risk expert David Barker of Pinsent Masons said: "The Supreme Court’s headline finding is obviously great news for Morrisons and good news for data controllers generally. If the Court of Appeal’s judgment had been allowed to stand this would have left data controllers at risk of claims even where they had taken reasonable care of personal data. That said, the Supreme Court stopped short of finding that vicarious liability can never arise under data protection legislation. This means that each case will turn on its facts."

"In the Morrison’s case, the employee in question was acting maliciously and was convicted of a criminal offence carrying an eight year prison sentence. Other scenarios may not be so clear-cut," he said.

Employment law expert Anne Sammon of Pinsent Masons said employers would welcome the Supreme Court decision in the Morrison's case.

"The previous Court of Appeal decision had held that an organisation could be vicariously liable for data breaches caused by rogue employees, even where those organisations had taken appropriate measures to comply with their data protection obligations. This decision had potentially wide ranging impact, not only in the sphere of data protection compliance, but more generally, as potential claimants sought to rely on this decision to argue that employers were vicariously liable for the actions of rogue employees even where steps had been taken to prevent the particular conduct."