Upgrade to Chrome Upgrade to Firefox Upgrade to Internet Explorer Upgrade to Safari
Legal News | 21.04.20

Wm Morrison Supermarkets plc found not to be vicariously liable for data protection breach committed by an employee

Morissons Data Breach Verdict

The legal doctrine of ‘Vicarious Liability’ provides for an employer to be held liable for a wrongful act or omission (tort) committed by an employee. To hold an employer vicariously liable, the Courts will consider a two-stage test:

  1. Is there a relationship between the wrongdoer and the business, which is capable of giving rise to vicarious liability; and
  2. Is the connection between the employee’s duties and their wrongful act or omission so ‘close’ that it would be just and reasonable to imply liability (i.e. is there a sufficient connection)?

A ‘sufficient connection’ has been outlined to be “(t)he wrongful conduct must be so closely connected with the acts the…employee was authorised to do, that… the wrongful conduct may fairly and properly be regarded as done by the partner while acting in the ordinary course of…business.”

The facts of the data protection breach

At the request of his employer, Mr Skelton provided external auditors with the payroll details of the entire workforce. Mr Skelton took a copy of the details home on a USB stick and proceeded to publish the payroll details on the internet. Mr Skelton had a grudge against his employer and used another employee’s details to upload the payroll content. Additionally, he provided the details to three national newspapers, under the proviso that he was a concerned member of the public.

Morrisons were notified by one of the national newspapers. They took steps to immediately remove the information, contacted the police and started an internal investigation. Mr Skelton was arrested and charged with criminal offences under the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998 (DPA 1998).

Affected staff brought their action against Morrisons, claiming that they were vicariously liable for the actions of its employee, Mr Skelton.

The Supreme Court’s explanation of the legal principles to be applied

The Supreme Court addressed the application of existing case law by the High Court and the Court of Appeal. The legal principles the Courts should be considering are:

  1. What functions or ‘field of activates’ had been entrusted by the employer to the employee?
  2. Is there a sufficient connection between the position in which the employee was employed and the wrongful conduct to make it right that the employer is held liable?
  3. An ‘unbroken sequence of events’ refers to the capacity in which the employee was acting.
  4. The reason for the employee’s actions do not make a material difference to the outcome where it is clear that the employee is not acting on the employer’s business.

Application of the legal principles to the facts

The disclosure of the personal data on the internet is not part of Mr Skelton’s function or field of activity. The employer did not authorise him to take such action. A temporal link or unbroken chain of causation in itself is not sufficient to satisfy the close connection test. Therefore, the unbroken chain or causal link between Mr Skelton providing the data to the auditors and uploading it to the internet did not satisfy the connection test.

The motivation behind Mr Skelton’s actions were relevant for establishing if he was acting on the employer’s business, or purely for personal reasons.

Vicarious Liability applies to breaches of obligations imposed under the DPA 1998. As well as breaches arising under common law, committed by an employee who is carrying out data processing activities on behalf of their employer (i.e. the data controller).

Key points to take away

Employers will not always be found liable for data protection breaches committed by rouge employees.

Although the case was decided on the principles of the DPA 1998, principles that apply under the Data Protection Act 2018 are broadly similar. Under the General Data Protection Regulation 2018, compliance for data controllers is now more onerous, with the increased risk of exposure to huge revenue-based fines.

Even though Morrisons escaped liability this time, employers need to be aware that they may be vicariously liable for the wrongful acts or omissions of their employees.


Posted By Our Corporate & Commercial Team