Morrisons Found Not Vicariously Liable for Data Breach

April 1, 2020
Tim Heywood


View profile

The Supreme Court has today delivered the final word on this case which had until now left employers facing potential vicarious liability (and the prospect of having to pay damages under civil law principles) for a major, deliberate data breach by one of its former employees.

The breach occurred when Mr Skelton, who had been employed by Morrisons as part of its internal audit team, took an unauthorised copy of the supermarket’s entire workforce database. He was able to access this because part of his role was to liaise with external auditors, sharing some of the data for lawful payroll and other purposes. Mr Skelton held a grudge against Morrisons following some unrelated disciplinary proceedings. He took a copy of the database for himself and later uploaded it to a filesharing website where the data was publicly accessible.

The case has brought together two important areas of law (i) the concept of the vicarious liability of an employer for the conduct of its employees generally when they are acting in the course of their employment and (ii) the data protection rules, which impose specific statutory obligations on employers to protect the personal data they process – can vicarious liability ever apply in relation to the data protection rules?

The case had been to the High Court and Court of Appeal before reaching the Supreme Court of course but now the legal position is clear-

(a) An employer can be vicariously (that’s to say, indirectly) liable in circumstances where third parties have suffered a compromise of their personal data through the actions of one of its employees.

(b) That liability will only arise, however, if and to the extent that the employee’s actions that caused the data breach were sufficiently closely connected to his tasks as an employee.

The court concluded that

“…Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data [copying it for himself and then uploading it to a filesharing website] was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment…”

Citing long established employment law principles about vicarious liability the court said

“…the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta…”

So businesses can breathe a sigh of relief for now, but it does not remove the need for them to ensure that they have suitable technical and organisational controls in place to protect personal data from unauthorised access/disclosure.

For his part in all this Mr Skelton was prosecuted for his offences under the (old) Data Protection Act and imprisoned.

Tim Heywood is a Partner in gunnercooke llp specialising in data protection, regulatory and cyber security matters.