The Supreme Court has ruled that supermarket chain Morrisons was not vicariously liable for the actions of an employee, Andrew Skelton, who unlawfully published employee payroll data on the internet.
Thousands of employees brought claims against Morrisons for data protection breaches, breach of confidence and misuse of private information.
Mr Skelton was given payroll data as part of his job as a senior auditor. But he bore a grudge against his employer, after having received an earlier disciplinary warning. He set out deliberately to harm them by publishing the data. He was convicted of a range of offences including securing unauthorised access to computer material, disclosing personal data and fraud. He was jailed for eight years.
In the High Court, a judge found that Morrisons was not directly liable (having not committed the acts itself) but that it was vicariously liable. The Court of Appeal agreed that Morrisons was vicariously liable for Skelton’s actions.
The question of whether to hold an employer liable for acts of its employees is not always easy. Nevertheless, the Supreme Court took a different view. They found that, on the facts of this case, the disclosure of data on the internet did not form part of Skelton’s functions or field of activity, and was not an act he was authorised to do. The court found it was highly material that he was acting for purely personal reasons.
The ruling will be a relief to companies, but that relief may be misplaced, because this was an extreme case on the facts.
The doctrine of vicarious liability still allows for liability to be imposed on an employer for accidental acts, and even in cases of deliberate acts of misconduct or where employees defy express instructions.
There is a policy reason for this. It is thought fairer to impose liability on an employer than to leave those wronged without an effective remedy.
What is required to establish vicarious liability is a close connection between the wrongful act and the acts that the employee was authorised to do, so that the act may fairly be regarded as being done in the ordinary course of employment. In another set of circumstances, the decision may have gone the other way.
The circumstances in which a company can be primarily or directly liable for data breaches of its employees are also likely to be revisited. At first instance in this case, the judge found that Morrisons was no longer the 'data controller' once Skelton took it upon himself to do something with the data that was not authorised, meaning the company could not be directly liable. The risk of direct liability ought not to be ruled out in other cases.
To mitigate risks, companies still have to put in place adequate controls, processes and training, to ensure compliance with data protection laws. They also have to have clear processes setting out what action should be taken in the event of a data breach. Companies have to act very quickly once a data breach is identified, including where appropriate notifying the Information Commissioner's Office and contacting those affected.
Claire Gill, partner, Carter-Ruck