News & Insights

Can an employer be liable for the actions of a rogue employee?

Last month, the Court of Appeal dismissed an appeal against the High Court’s ruling that Morrisons was vicariously liable for its employee’s misuse of personal data. This case was brought by 5,518 affected employees and was decided under the Data Protection Act 1998.


Mr Skelton was employed by Morrisons as a senior IT consultant. Due to a previous incident, he had developed a grudge against his employer. During his employment he was tasked with sending payroll data to external auditors. He copied the employee data of around 100,000 employees onto a personal USB stick and some months later posted this data online. Criminal action was brought, and Mr Skelton was jailed for eight years.

The affected employees commenced group litigation claiming damages from Morrisons for:

  • Misuse of private information
  • Breach of confidence
  • Breach of statutory duty under the Data Protection Act (“DPA”)

The employees claimed that Morrisons were primarily or vicariously liable for Mr Skelton’s conduct.

Initial judgment

Initially, it was held that Morrisons was not primarily liable for the misuse of private information or breach of confidence.  Mr Skelton was a data controller and Morrisons had provided “adequate and appropriate controls” in every area except the deletion of data. It was deemed that the lack of such controls could not have prevented the data breach.  The court did, however, find that Morrisons was vicariously liable for all three claims.

Appeal judgment

Morrisons appealed on the following grounds:

  1. The DPA excluded vicarious liability
  2. The DPA excluded claims for misuse of private information and breach of confidence
  3. Mr Skelton’s action did not take place during his employment.

On the first and second ground, Morrisons argued that the DPA provided a “comprehensive and specialist” code that excluded other claims and remedies relating to the wrongful processing of personal data.

On the third ground, the court set out a thorough overview of vicarious liability, ultimately agreeing with the initial decision.  Mr Skelton was employed by Morrisons and specifically entrusted with payroll data and there was sufficient connection between his authorised tasks and his wrongful acts.  Morrisons was accordingly financial liable for his actions.

Implications for employers

This case is one that employers would be wise to take note of. The Court’s strict stance regarding vicarious liability, even in the case of a rogue employee, is significant and may lead to increased group litigation cases of this nature, particularly given the heightened requirements of the General Data Protection Regulation (“GDPR”).

Organisations should accordingly ensure they have in place appropriate technical and organisational measures to best protect the personal data they process or control to avoid such incidents occurring in the first place.

If you are unsure as to what you need to be doing to avoid liability under the GDPR then please contact Ian Machray for a free initial discussion.