Wed 01 Apr 2020

Supreme Court issues landmark data protection judgement

The Supreme Court has overturned a unanimous Court of Appeal judgement to find supermarket chain Morrisons are not vicariously liable for a data breach that affected over 100,000 staff

WM Morrison Supermarkets plc v Various Claimants is the first ever class action brought under data protection legislation, with the claimants being some of the employees affected by the breach.  An employee of Morrisons who worked in their internal audit team, Andrew Skelton, copied and kept payroll data for the company's entire workforce when he was tasked with transmitting it to external auditors.  He bore a grudge against his employer having been issued with a verbal warning for minor misconduct.  In 2014 he uploaded the data to a publicly accessible file sharing website and anonymously sent copies to three UK newspapers.  One of the papers alerted Morrisons who took immediate steps to have the data removed from the internet and alerted the police.  Skelton was subsequently prosecuted and imprisoned.   

Some of the affected employees brought claims for breach of statutory duty under the Data Protection Act ("DPA"), misuse of private information and breach of confidence.  They were successful in the High Court where the judge concluded that while Morrisons bore no primary responsibility they were vicariously liable for Mr Skelton's conduct, on the basis that he had been acting in the course of his employment.  An appeal by Morrison's to the Court of Appeal was subsequently unanimously dismissed. 

To what will undoubtedly be sighs of relief from employers around the country, the Supreme Court has unanimously allowed the appeal, the focus of which was the employer's vicarious liability for Mr Skelton's actions.  The Supreme Court held that Skelton was authorised by Morrisons to transmit payroll data to auditors.  His subsequent disclosure of the data was not so closely connected to that task that it could be properly regarded as done while acting in the ordinary course of his employment - the fact the employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability.  The fact that Mr Skelton was pursuing a personal vendetta and not furthering his employer's business was also highly material.  On this basis the appeal was allowed.

Morrisons had also argued that the DPA excluded imposition of vicarious liability for either statutory or common law wrongs. The Court was not persuaded on this point finding that the imposition of a statutory liability upon a data controller was not inconsistent with the imposition of common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA or for breaches of duties arising under the common law.  However given their finding that Morrison's was not in any case vicariously liable for the acts of Mr Skelton, this did not have any impact on the final outcome of the appeal.   

This case rather turns the tide on recent decisions relating to vicarious liability which were tending to widen its scope.  The potential for high value class actions where there has been a significant breach of data protection legislation (which would now be covered by the General Data Protection Regulation rather than the DPA) - something which we seem to hear about with increasing regularity - has been significantly restricted in consequence of this decision. 

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice