Morrisons Held Not Vicariously Liable for Intentional Data Breach of Disgruntled Employee

PUBLISHED: 2nd April 2020


The UK Supreme Court has allowed Morrisons’ appeal on the basis that its employee’s wrongdoing was not closely connected to acts he was authorised to do.

In October 2018, we reported on the UK Court of Appeal decision that held Morrisons vicariously liable for the unauthorised disclosure of personal data by a disgruntled rogue employee – Mr Skelton.  That decision potentially exposed employers in all sectors to liability for the unauthorised actions of dishonest or malicious employees. The UK Supreme Court has now unanimously overturned the Court of Appeal’s ruling, allowing Morrisons’ appeal. 

Lord Reed gave the only judgment, with which the other four justices agreed. He stated that the test to be applied, in line with previous case law, was as follows:

“the question is whether Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”

Lord Reed found that the lower courts had “misunderstood the principles governing vicarious liability in a number of relevant respects.” In particular, he noted the following:

  • Disclosure of the data on the internet was not authorised by Morrisons and did not form part of the field of activities assigned to Skelton;
  • The close temporal and causal connection between the provision of the data to Skelton and its subsequent unauthorised disclosure is not sufficient of itself to satisfy the close connection test; and
  • The employee’s reasons for acting, whether purely personal or for his employer’s business, were very relevant.

As Lord Reed points out, the “connecting factor” between what Skelton was authorised by Morrisons to do and his wrongful act is that he could not have made the unauthorised disclosure if he had not been tasked with handling the relevant data and transferring it to Morrisons’ external auditors. The mere fact that Skelton’s job gave him the opportunity to act as he did does not mean that Morrisons should be held vicariously liable for his actions.

Lord Reed considered previous case law and noted the distinction drawn by Lord Nicholls in Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48 between cases, “where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catchphrase.”  Skelton’s deliberate disclosure of personal data in this case was not done in the interests of furthering Morrisons’ business, indeed it was calculated to harm his employer. The Court found that Skelton, in making the unauthorised disclosures, “was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.”

Accordingly, there was not a sufficiently close connection between Skelton’s wrongful acts and the acts that Morrisons authorised him to do, and those wrongful acts cannot fairly and properly be regarded as having been done in the ordinary course of Skelton’s employment.

The Court also expressed its view as to whether the Data Protection Act 1998 (DPA) excludes the imposition of vicarious liability.  Lord Reed stated that the imposition of a statutory liability on a data controller does not preclude the imposition of a common law vicarious liability on his employer.  As the DPA neither expressly nor impliedly indicates otherwise, “there cannot be any inconsistency between the two regimes.”  This is the case regardless of the fact that the employee’s liability is fault-based, while the employer’s vicarious liability is not based on fault.

Good News for Employers

The decision is good news for employers as it limits their exposure to claims for vicarious liability based on the actions of disgruntled or rogue employees. It offers some reassurance to employers that they are unlikely to be held vicariously liable where an employee is not engaged in furthering the employer’s business and commits a wrongful act while pursuing a personal vendetta.

However, the Supreme Court has clearly indicated that employers could be held vicariously liable where an employee, as a data controller, breaches their data protection obligations. Employers should continue to ensure that they have the necessary data privacy policies and procedures in place to limit their exposure to future claims.  Given the large number of people newly working from home as a result of COVID-19, this decision is a timely reminder of the central nature of such policies and procedures for prudent employers. 


For guidance on your company's data privacy policies and procedures, please contact Jeanne Kelly at jkelly@lkshields.ie or Aoife Bradley at abradley@lkshields.ie.
