Supreme Court holds Morrisons not liable for actions of a disgruntled employee
The Supreme Court has recently held that an employer was not liable for data breaches made by a rogue employee, overturning the decision of the Court of Appeal.
In Wm Morrison Supermarkets plc v Various Claimants  UKSC 12, the Supreme Court has overturned judgments of the High Court and Court of Appeal and decided that the supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by a disgruntled employee.
Background and decision of Court of Appeal
Mr Skelton was employed by Morrisons as a senior IT consultant who had developed a grudge against his employer. He was tasked with sending payroll dated to external auditors and copied the data of around 100,000 employees onto a personal USB stick and later posted this data online. Mr Skelton was jailed for eight years. Over 9000 affected employees commenced a group litigation claim for damages from Morrisons for: breach of use of private information; breach of confidence and breach of statutory duty under the Data Protection Act 1998 (in force at the time). The employees claimed that Morrisons were primarily (or “vicariously”) liable for Mr Skelton’s conduct.
The High Court and the Court of Appeal found that Morrisons were vicariously liable for the actions of Mr Skelton.
Decision of Supreme Court
Morrisons appealed to the Supreme Court on two issues, namely:
- Whether the Court of Appeal made an error in concluding that the disclosure of data by Mr Skelton occurred in the course of his employment, for which Morrisons should be held vicariously liable.
- Whether the Data Protection Act 1998 (“DPA”) excluded the application of vicarious liability to a breach of that Act.
The Supreme Court allowed Morrisons’ appeal, finding that Mr Skelton’s actions did not amount to vicarious liability. It found that the High Court judge and the Court of Appeal had misunderstood the principles governing vicarious liability in the following two key respects:
- The disclosure of the data on the internet did not form part of Mr Skelton’s functions or field of activities – this was not an act which he was authorised to do.
- The reason why Mr Skelton acted wrongfully was not irrelevant, as had been held by the Court of Appeal. Whether Mr Skelton was acting on his employer’s business or for purely personal reasons was in fact highly material.
Vicarious Liability under the Data Protection Act
Given its findings in relation to the existence of vicarious liability, it was not necessary for the court to consider whether the DPA excluded vicarious liability. Nevertheless the court provided some helpful guidance in respect of this second point of the appeal. The Court found that the DPA (and by extension the GDPR) does not exclude the imposition of vicarious liability and that data protection legislation was intended to increase, not lessen, the protection afforded to personal data.
This decision will no doubt come as a relief for Morrisons and indeed for many employers. It provides welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. It reaffirms that where employers can demonstrate that they have complied with their own obligations as a data controller, they will not be liable for the acts of employees that are carried out for their own personal motives outside of their duties. However, businesses and employers should take note that the GDPR will not always exclude the imposition of vicarious liability and ultimately the employer’s and employee’s actions will determine the extent to which vicarious liability attaches to this legislation.