• Menu
  • Skip to right header navigation
  • Skip to main content
  • Skip to secondary navigation
  • Skip to primary sidebar
  • Skip to footer

Yorkshire's Employment Law & Data Protection Specialists

  • Home
  • About
    • About us
    • Brian Harrington
    • Nathan Combes
  • Services
    • Employment Law & HR Advice
    • Settlement Agreements
    • Data Protection
    • Training
    • Price transparency
  • Legal updates, news & events
  • Contact us
  • Search
  • Home
  • About
    • About us
    • Brian Harrington
    • Nathan Combes
  • Services
    • Employment Law & HR Advice
    • Settlement Agreements
    • Data Protection
    • Training
    • Price transparency
  • Legal updates, news & events
  • Contact us
  • Search
morrisons supermarket vicarious liability

Who’s legally responsible when an employee “goes rogue”

In a landmark decision the Supreme Court has confirmed that the supermarket Morrisons should not be held “vicariously liable” for unauthorised and malicious breaches of the Data Protection Act 1998 committed by one of its own employees.

You are here: Home / Who’s legally responsible when an employee “goes rogue”
morrisons supermarket vicarious liability

7th April 2020 //  by curcom76

In a landmark decision the Supreme Court has confirmed that the supermarket Morrisons should not be held “vicariously liable” for unauthorised and malicious breaches of the Data Protection Act 1998 committed by one of its own employees.

Case: WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12

The legal issues

This important Supreme Court decision concerns two key issues:

  1. the circumstances in which an employer can be held vicariously liable for wrongdoings committed by its employees; and
  • whether vicarious liability may also arise for breaches by an employee of duties imposed by the Data Protection Act 1998 (“DPA”).

The facts

Mr Skelton was employed by Morrisons in its internal audit team. In July 2013, Mr Skelton was given a verbal warning following disciplinary proceedings for minor misconduct. The Court accepted that Mr Skelton bore a grievance against Morrisons from this point onwards.

In November 2013, Mr was asked by Morrisons to send payroll data (relating to Morrisons entire workforce) to its external auditors. Mr Skelton did as he was asked. However, on this occasion he also made and kept a personal copy of the data.

In early 2014, Mr Skelton decided to upload a file containing the payroll data to a publicly accessible filesharing website. Mr Skelton also sent the file anonymously to three UK newspapers, purporting to be a concerned member of the public who had “found” it online. The newspapers decided against publishing the information and one of them alerted to Morrisons to the situation.

Morrisons took immediate steps to have the payroll data removed from the internet and took steps to protect its employees (including alerting the police). Unsurprisingly, Mr Skelton was quickly identified as the culprit and arrested (he has since been prosecuted and imprisoned).

Legal claims against Morrisons

As a result of Mr Skelton’s actions, a number of Morrisons employees brought proceedings against Morrisons personally and also on the basis that it should be held vicariously liable for Mr Skelton’s actions.

At the original trial, the judge decided that Morrisons bore no primary responsibility but that the supermarket was vicariously liable on each basis claimed. Unsurprisingly, Morrisons appealed.

The Supreme Court’s decision

In a judgement handed down on 02 April 2020, the Supreme Court unanimously allowed Morrison’s appeal against the finding that it should be held vicariously liable for Mr Skelton’s actions.

The Supreme Court’s judgment confirms that the Court of Appeal in finding against Morrisons had misunderstood the principles governing vicarious liability.

The Supreme Court found that the wrongful disclosure of the payroll data was not so closely connected with the requirement to transmit it to the supermarket’s external auditors that it can fairly and properly be regarded as made by Mr Skelton while acting in the “ordinary course” of his employment.

The Supreme Court was keen to emphasise that the fact that Mr Skelton’s job gave him the opportunity to commit the wrongful act was not, by itself, enough to render Morrisons vicariously liable for his actions.

In a key finding, the Supreme Court found that an employer will not normally be vicariously liable in circumstances where an employee is not engaged in furthering his employer’s business, but rather is involved in pursuing a personal vendetta. In short, the Supreme Court accepted that there was not a sufficiently close connection between Mr Skelton’s employment and the wrongdoing that he committed.

Vicarious liability and the Data Protection Act 1998

Whilst not strictly speaking necessary (given its other findings) the court also expressed its view on this ground of Morrisons appeal.

The court held that the imposition of a statutory liability on a data controller is not inconsistent with the imposition of a common law vicarious liability on their employer.

Our comments

This decision will no doubt cause employers to breathe a huge sigh of relief. It’s now clear that employers will not always be liable for data breaches committed by rogue employees.

Clearly, the facts in this case were extreme. Morrisons had no prior knowledge of the grudge that Mr Skelton held against them. In addition, it’s clear that Mr Skelton went to extraordinary lengths to cover up his wrongdoings.

Finally, notwithstanding the fact that this case was decided under the previous data protection regime, the GDPR retains many similar principles. It’s now clear that vicarious liability actions in data privacy proceedings can be commenced under the current data protection regime. Data controllers know that the GDPR makes the consequences of non- compliance far more onerous than was previously the case and that controllers now for controllers who fail to adequately safeguard data and/or who neglect to have sufficiently robust data protection governance in place risk being exposed to the huge revenue-based fines and data subject compensation claims.

Please contact us if you’d like more information about the issues raised in this article and/or or to find out more about the various Employment Law and HR related policies, procedures, guidance and training that we provide.

Disclaimer: the information set out above does not constitute legal advice and it is provided for general information purposes only. No warranty, whether express or implied is given and neither the author or Harrington Law shall be liable for any technical, editorial, typographical or other errors or omissions within the information provided.

You May Also Be Interested In:

Employer Update | Furlough Leave & Pay

Employer Update | TUC demands employers produce coronavirus (COVID-19) risk assessments

Employer update | Homophobic statements & discrimination in employment

morrisons supermarket vicarious liability

Who’s legally responsible when an employee “goes rogue”

Employer Update | Government announces new statutory right to neonatal leave and pay

covid-19 coronavirus graphic

Employer Update | COVID-19 (Coronavirus) & Data Protection

Data Protection | Understanding Brexit and the GDPR

Employer Update | Handling Disciplinaries

Data Protection | ICO issues fresh guidance regarding time limits for dealing with Data Subject Access Requests

Previous Post: « Employer Update | Government announces new statutory right to neonatal leave and pay
Next Post: Employer update | Homophobic statements & discrimination in employment »

Primary Sidebar

NEWS & EVENTS

Employer Update | Furlough Leave & Pay

Flexibility The Government has now confirmed that from 1 …

Employer Update | TUC demands employers produce coronavirus (COVID-19) risk assessments

The Trades Union Congress ("TUC") has demanded that all …

Employer update | Homophobic statements & discrimination in employment

The European Court of Justice ("ECJ") has confirmed that …

morrisons supermarket vicarious liability

Who’s legally responsible when an employee “goes rogue”

In a landmark decision the Supreme Court has confirmed that the …

Employer Update | Government announces new statutory right to neonatal leave and pay

The government has confirmed that a new statutory right to up to …

Footer

Our Lawyers

  • Brian Harrington
  • Nathan Combes

Our Offices

BRIGHOUSE
19 Bradford Road
Brighouse
HD6 1RW
Tel: 01484 240633

 

YORK
The Studio
30 Acomb Road
York YO24 4EW
Tel: 01904 238896

 

CLECKHEATON
27 Northgate
Cleckheaton
BD19 3HH
Tel: 01484 240633

Contact Us

Contact us today – find out how we can help you.

  • Privacy Notice
  • Website Terms & Conditions

Site Footer

Harrington Law is a trading name of Harrington Law Limited which is a limited company registered in England and Wales  with registered number 11651440 whose list of directors is available for inspection at its registered office which is 19 Bradford Road Brighouse West Yorkshire.  Harrington Law Limited are solicitors of England and Wales authorised and regulated by the Solicitors Regulation Authority under SRA number 666091.  Details of the Solicitors Code of Conduct can be found at www.sra.org.uk.

This website uses cookies to improve your experience. We'll assume you're ok with this, but you can opt-out if you wish. Cookie settingsACCEPT
Privacy & Cookies Policy

Privacy Overview

This website uses cookies to improve your experience while you navigate through the website. Out of these cookies, the cookies that are categorized as necessary are stored on your browser as they are essential for the working of basic functionalities of the website. We also use third-party cookies that help us analyze and understand how you use this website. These cookies will be stored in your browser only with your consent. You also have the option to opt-out of these cookies. But opting out of some of these cookies may have an effect on your browsing experience.
Necessary
Always Enabled

Necessary cookies are absolutely essential for the website to function properly. This category only includes cookies that ensures basic functionalities and security features of the website. These cookies do not store any personal information.

Non-necessary

Any cookies that may not be particularly necessary for the website to function and is used specifically to collect user personal data via analytics, ads, other embedded contents are termed as non-necessary cookies. It is mandatory to procure user consent prior to running these cookies on your website.