Morrisons wins landmark data case on vicarious liability

Out-Law News | 01 Apr 2020 | 1:58 pm | 2 min. read

Supermarket Morrisons is not vicariously liable for an employee's breach of data protection laws, the UK Supreme Court has ruled.

The court ruled in Morrisons' favour after determining that the Court of Appeal had "misunderstood the principles governing vicarious liability in a number of relevant respects". It means that more than 9,000 current and former employees of the supermarket chain are not entitled to compensation from the company over the disclosure of their payroll data on the internet by a former staff member.

In a separate judgment, also issued on Wednesday morning, the Supreme Court dismissed claims that Barclays Bank was vicariously liable for sexual assaults allegedly carried out by a doctor on 126 people. The bank required new joiners to pass a medical examination with the doctor as part of its recruitment and employment procedures.

Litigation expert Craig Connal QC of Pinsent Masons, the law firm behind Out-Law, said: "The cases are a useful reminder of the two distinct elements of vicarious liability – is the relationship close enough to employment to justify imposing vicarious liability at all, and is the connection between the act and the functions of the employee such that it is fair to impose liability? Both cases attempted to extend what some had seen as a judicial trend to expand ever wider the net of liability. Both failed."

"In the case of Barclays, the doctor was nowhere near to being an employee so the case didn’t get off the ground under the first element. In the Morrisons case there was not a sufficient connection between what the employee did and his employment to avoid the view that the employer should not be liable where the employee was ‘pursuing a personal vendetta’," Connal said.

The Morrisons case concerned actions by a former senior auditor of the company, Andrew Skelton. Skelton was tasked by Morrisons with sharing payroll data with an external auditor, but copied the data he was given access to, which concerned approximately 126,000 Morrisons employees, onto a personal USB stick. He subsequently uploaded some of that data onto a file-sharing website and attempted to frame a fellow colleague for the breach.

Barker David

David Barker


The Supreme Court stopped short of finding that vicarious liability can never arise under data protection legislation

The Supreme Court said that while Skelton was authorised to transmit the payroll data to the auditors, the wrongful disclosure of the data "was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment".

The court confirmed, however, that it may be possible in other cases for employees to hold their employer vicariously liable for statutory breaches of data protection law, or for misuse of private information or a breach of confidence.

Data protection and cyber risk expert David Barker of Pinsent Masons said: "The Supreme Court’s headline finding is obviously great news for Morrisons and good news for data controllers generally. If the Court of Appeal’s judgment had been allowed to stand this would have left data controllers at risk of claims even where they had taken reasonable care of personal data. That said, the Supreme Court stopped short of finding that vicarious liability can never arise under data protection legislation. This means that each case will turn on its facts."

"In the Morrison’s case, the employee in question was acting maliciously and was convicted of a criminal offence carrying an eight year prison sentence. Other scenarios may not be so clear-cut," he said.

Employment law expert Anne Sammon of Pinsent Masons said employers would welcome the Supreme Court decision in the Morrison's case.

"The previous Court of Appeal decision had held that an organisation could be vicariously liable for data breaches caused by rogue employees, even where those organisations had taken appropriate measures to comply with their data protection obligations. This decision had potentially wide ranging impact, not only in the sphere of data protection compliance, but more generally, as potential claimants sought to rely on this decision to argue that employers were vicariously liable for the actions of rogue employees even where steps had been taken to prevent the particular conduct."