Supreme Court finds Morrisons not vicariously liable for mass data breach committed by disgruntled employee

Our team: Eddie Powell, Mike Tremeer, Michelle Waknine, Leigh Callaway

The Supreme Court has ruled that thousands of Morrisons’ employees will not be entitled to any compensation, following a recent decision that the UK’s fourth largest chain of supermarkets was not vicariously liable for a rogue employee leaking payroll information online.  Importantly, the Supreme Court’s judgment also gives clear guidance that the motive for any breach committed by an individual will be relevant when considering whether a third party (such as their employer) will be vicariously liable for their actions.


The claimants’ class-action proceedings were brought following the online publication in 2014 of a file containing personal details of 99,998 employees. The file had been posted on a file-sharing website by a disgruntled senior IT auditor employed by Morrisons, Andrew Skelton, and the details were also subsequently sent to three UK newspapers.

The claimants sought compensation from Morrisons for breaches of the Data Protection Act 1998 (DPA) (this data leak having predated the enactment of the GDPR), the tort of misuse of private information, and breach of confidence. The claims were also brought on the basis that Morrisons was vicariously liable for Skelton’s conduct.

In January 2018, the High Court found in favour of the claimants.  While it ruled out that Morrisons had committed any direct breach of obligation, it held that Morrisons had entrusted Skelton with the payroll data and as such took the risk that they might be wrong in placing trust in him. There was, in effect: “sufficient conduct between the position in which Skelton was employed and his wrongful conduct … to make it right for Morrisons to be held liable ‘under the principle of social justice’.” Fladgate previously reported on this decision here. The Court of Appeal upheld this decision in October 2018.

 On appeal, however, the Supreme Court has sided with Morrisons, finding that the supermarket chain was not vicariously liable for the mass data breach committed by Skelton.

Vicarious liability

The unanimous ruling by the Supreme Court held that “the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of relevant respects”, and that vicarious liability did not apply in this case, finding in particular that:

  • the disclosure of the information was not authorised by Morrisons, nor did it form part of Skelton’s functions or “field of activities”; and
  • the Court of Appeal had applied the wrong questions when considering whether Morrisons should be vicariously liable.  It was not enough that there was a link between the employee’s duties and the act complained of – the question that needed to be asked was whether Skelton’s acts were sufficiently “closely connected” with acts he was authorised to do, to be regarded as being carried out in the course of his employment – it was held that this was not the case.

The Supreme Court also highlighted the important distinction between cases where a) an employee was engaged in furthering his employer’s business and b) cases where an employee is engaged solely in pursuing his own interests on a “frolic of his own”. The Supreme Court thought that this case clearly fell into category b), on the basis that Skelton was pursuing a personal vendetta and seeking vengeance for the disciplinary proceedings he was subjected to some months earlier.

Data protection

Although Morrisons succeeded in its overall argument that vicarious liability did not apply in the circumstances of this case, it failed to convince the Supreme Court that, in any circumstance, the DPA impliedly excluded the vicarious liability of employers. This argument was presented on the basis that Section 13(1) and (3) of the DPA provides that even in the event of a breach of the DPA, no compensation is payable if the data controller took reasonable steps to avoid the breach (which the previous Courts found to be the case).

However, as Skelton became a third party “data controller” for the purpose of the DPA in respect of the data leaked and since the DPA is silent about the position of a data controller’s employer, it was held that there was no basis for finding that the common law doctrine of vicarious liability had been excluded by the DPA.  In the post-GDPR world, under which the Data Protection Act 2018 and the GDPR are also silent on this, this appears to have left the door open in the context of vicarious liability claims for data breaches.


This decision is of great significance in both the employment and data protection fields and has been welcomed by employers and large scale organisations, many of which were concerned following the decisions by the lower Courts and the rogue-employee-shaped gaping hole left in the ability to guard against risks of data security breaches. It is now clear that an employer will not be vicariously liable because of the deliberate act of a rogue employee acting outside of their authorised duties. Liability, however, may still arise if an employee causes a data breach through activities that are closely connected with their duties (for example, if an employee has inadvertently (and acting innocently) become the subject of a data hack).

The case also shines a light on the significant detriment, reputational damage and time and expense that can be caused by data breaches, and the importance for businesses to evaluate the level of data access employees are granted, and to ensure that robust data protection/GDPR policies are in place.

In a world that is becoming increasingly digital with more of us working remotely (which is more relevant now than ever given the Covid-19 crisis) and with data security breaches being at an all-time high, employers should strive to ensure that vigilance is at the forefront of employees’ minds at all times.

View by date:

View by author:

Would you like to hear more?