On 1 April 2020, the Supreme Court handed down judgment in an eagerly awaited appeal by Morrisons Supermarket, ruling that it was not liable for the criminal acts of a rogue employee. The court’s unanimous decision will have data controllers everywhere breathing a sigh of relief.
In July 2013, Andrew Skelton, a senior Morrisons auditor, was subjected to internal disciplinary proceedings by the company but kept his job. Following those proceedings, Skelton was said to harbour an irrational grudge against Morrisons. Four months later, Skelton was entrusted with the company’s payroll data to assist Morrisons’ external auditor, KPMG. Prior to obtaining the payroll data (which included names, bank details, home addresses, dates of birth and the gender of thousands of employees), Skelton had familiarised himself with the anonymity software ‘Tor’ and equipped himself with an ‘untraceable’ mobile phone. Having done so, he copied the employees’ personal data to his own USB stick. Using the name of a colleague who had been involved in the earlier disciplinary proceedings, Skelton then created a false email account and uploaded the employees’ personal data to a file-sharing website, thereby risking identity theft on a massive scale. In March 2014, when Morrisons’ financial results were due to be announced, Skelton anonymously sent three UK newspapers copies of the files, feigning concern that the data was publicly available. Unsurprisingly, the newspapers refused to publish and instead contacted Morrisons, which investigated and contacted the police. Skelton was arrested, prosecuted for fraud by abuse of position and imprisoned for eight years.
The claimants (9,263 of them) brought proceedings against Morrisons for its own alleged breach of the statutory duty created by section 4(4) of the Data Protection Act 1998 (DPA), misuse of private information, and breach of confidence. The claims were also brought on the basis that Morrisons was vicariously liable for Skelton’s conduct. The trial judge rejected the contention that Morrisons was under a primary liability in any of the respects alleged but held that it was vicariously liable for Skelton’s breach of statutory duty under the DPA, his misuse of private information, and his breach of his duty of confidence. He also rejected Morrisons’ argument that Skelton’s wrongful conduct was not committed in the course of his employment, holding that Morrisons had provided him with the data in order for him to carry out the task assigned to him. While it was true that his disclosure to anyone other than KPMG was unauthorised, there was nonetheless a sufficient connection between the position in which Skelton was employed and his wrongful conduct.
Court of Appeal
Morrisons appealed to the Court of Appeal but was unsuccessful. The appellate court stated that there was no pleaded claim against Morrisons on the ground of vicarious liability for Skelton’s breach of the DPA. It was conceded that the causes of action for misuse of private information and for breach of confidence were not excluded by the DPA. The court considered that there was nothing in the DPA which excluded vicarious liability for such conduct.
The court agreed with the trial judge that the tortious acts of Skelton in sending the claimants’ data to third parties were within the field of activities assigned to him by Morrisons. The court also emphasised that the relevant facts constituted a “seamless and continuous sequence” or “unbroken chain” of events. It also ruled that although it was an unusual feature of the case that Skelton’s motive in committing the wrongdoing was to harm his employer, that motive was irrelevant. The court therefore agreed with the judge that Morrisons was vicariously liable for Skelton’s wrongdoing.
The issues for the Supreme Court were whether a) Morrisons was vicariously liable for Skelton’s conduct and, if it was: i) whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA; and ii) whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence.
The Law Lords held that “the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of relevant respects.” Those respects are summarised below.
- The “field of activities” was cast too widely. Contrary to the lower courts’ conclusions, Skelton’s online disclosure of the payroll data did not fall within the field of his employed activities.
- A temporal and/or causal link is not enough to establish vicarious liability. The fact that there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton by Morrisons for the purposes of his job and his unlawful disclosure was not sufficient.
- The lower courts’ interpretation of Mohamud was wrong. Whether Skelton was acting on his employer’s business or for purely personal reasons was highly material, and it was abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing.
The court then applied the general test laid down by Lord Nicholls in Dubai Aluminium, which asked “whether Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.” The court found that the disclosure was not so closely connected.
In terms of the wider question of vicarious liability under the DPA, Morrisons was unsuccessful insofar as it argued that the DPA operated so as to exclude vicarious liability altogether. Since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment. Clearly the nature of the employer’s and employee’s actions will determine the extent to which vicarious liability attaches to the employer under the DPA.
Significance of the Judgment
Quite apart from saving Morrisons from a class action brought by over 9,000 claimants, the judgment will be reassuring and helpful to conscientious and data protection compliant employers facing similar risks. However, danger remains for data controllers with lax data protection safeguards because a non-compliant company could still be liable for a primary breach of the data protection legislation regardless of the actions of a rogue employee. It was only because Morrisons succeeded in defending primary liability that vicarious liability became an issue in the first place. Further, even if an employer could defeat an argument that it was primarily liable, the judgment does not exclude the possibility of vicarious liability where the facts are appropriate. Vitally, the judgment restores faith in the practical and purposive intention of the law, namely to address wrongdoing carried out by those who are in fact at fault.
Although the case concerned what is now old law (the DPA having been superseded by the GDPR and the DPA 2018), the interpretation and development of the law by the Supreme Court will undoubtedly influence similar cases in future.
The full judgment can be found here: https://www.supremecourt.uk/cases/docs/uksc-2018-0213-judgment.pdf
 WM Morrison Supermarkets plc v Various Claimants  UKSC 12
 per Mohamud  AC 677
  EWCA Civ 2339
  2 AC 366
 WM Morrison Supermarkets plc v Various Claimants  UKSC 12 [para. 32]
 Ibid. [para. 47]
 Ibid. [para. 55]