In a landmark decision the Supreme Court has confirmed that the supermarket Morrisons should not be held “vicariously liable” for unauthorised and malicious breaches of the Data Protection Act 1998 committed by one of its own employees.
Case: WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12
The legal issues
This important Supreme Court decision concerns two key issues:
- the circumstances in which an employer can be held vicariously liable for wrongdoings committed by its employees; and
- whether vicarious liability may also arise for breaches by an employee of duties imposed by the Data Protection Act 1998 (“DPA”).
The facts
Mr Skelton was employed by Morrisons in its internal audit team. In July 2013, Mr Skelton was given a verbal warning following disciplinary proceedings for minor misconduct. The Court accepted that Mr Skelton bore a grievance against Morrisons from this point onwards.
In November 2013, Mr was asked by Morrisons to send payroll data (relating to Morrisons entire workforce) to its external auditors. Mr Skelton did as he was asked. However, on this occasion he also made and kept a personal copy of the data.
In early 2014, Mr Skelton decided to upload a file containing the payroll data to a publicly accessible filesharing website. Mr Skelton also sent the file anonymously to three UK newspapers, purporting to be a concerned member of the public who had “found” it online. The newspapers decided against publishing the information and one of them alerted to Morrisons to the situation.
Morrisons took immediate steps to have the payroll data removed from the internet and took steps to protect its employees (including alerting the police). Unsurprisingly, Mr Skelton was quickly identified as the culprit and arrested (he has since been prosecuted and imprisoned).
Legal claims against Morrisons
As a result of Mr Skelton’s actions, a number of Morrisons employees brought proceedings against Morrisons personally and also on the basis that it should be held vicariously liable for Mr Skelton’s actions.
At the original trial, the judge decided that Morrisons bore no primary responsibility but that the supermarket was vicariously liable on each basis claimed. Unsurprisingly, Morrisons appealed.
The Supreme Court’s decision
In a judgement handed down on 02 April 2020, the Supreme Court unanimously allowed Morrison’s appeal against the finding that it should be held vicariously liable for Mr Skelton’s actions.
The Supreme Court’s judgment confirms that the Court of Appeal in finding against Morrisons had misunderstood the principles governing vicarious liability.
The Supreme Court found that the wrongful disclosure of the payroll data was not so closely connected with the requirement to transmit it to the supermarket’s external auditors that it can fairly and properly be regarded as made by Mr Skelton while acting in the “ordinary course” of his employment.
The Supreme Court was keen to emphasise that the fact that Mr Skelton’s job gave him the opportunity to commit the wrongful act was not, by itself, enough to render Morrisons vicariously liable for his actions.
In a key finding, the Supreme Court found that an employer will not normally be vicariously liable in circumstances where an employee is not engaged in furthering his employer’s business, but rather is involved in pursuing a personal vendetta. In short, the Supreme Court accepted that there was not a sufficiently close connection between Mr Skelton’s employment and the wrongdoing that he committed.
Vicarious liability and the Data Protection Act 1998
Whilst not strictly speaking necessary (given its other findings) the court also expressed its view on this ground of Morrisons appeal.
The court held that the imposition of a statutory liability on a data controller is not inconsistent with the imposition of a common law vicarious liability on their employer.
Our comments
This decision will no doubt cause employers to breathe a huge sigh of relief. It’s now clear that employers will not always be liable for data breaches committed by rogue employees.
Clearly, the facts in this case were extreme. Morrisons had no prior knowledge of the grudge that Mr Skelton held against them. In addition, it’s clear that Mr Skelton went to extraordinary lengths to cover up his wrongdoings.
Finally, notwithstanding the fact that this case was decided under the previous data protection regime, the GDPR retains many similar principles. It’s now clear that vicarious liability actions in data privacy proceedings can be commenced under the current data protection regime. Data controllers know that the GDPR makes the consequences of non- compliance far more onerous than was previously the case and that controllers now for controllers who fail to adequately safeguard data and/or who neglect to have sufficiently robust data protection governance in place risk being exposed to the huge revenue-based fines and data subject compensation claims.
Please contact us if you’d like more information about the issues raised in this article and/or or to find out more about the various Employment Law and HR related policies, procedures, guidance and training that we provide.
Disclaimer: the information set out above does not constitute legal advice and it is provided for general information purposes only. No warranty, whether express or implied is given and neither the author or Harrington Law shall be liable for any technical, editorial, typographical or other errors or omissions within the information provided.