The Supreme Court have handed down a highly anticipated judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)  UKSC 12, regarding when employers will be held to have been vicariously liable for their employees. Following the introduction of the General Data Protection Regulations in 2018, there has been increased attention on the protection of personal data. So what happens when your personal data is leaked online? If the leak is not caused by a mistake but the actions of an employee, should the company be held to be vicariously liable for them?
What is vicarious liability?
Vicarious liability is a form of secondary liability, imposed upon one person for the tort of another. This usually occurs when the tortfeasor is an employee, and his act results in his employer becoming vicariously liable for his wrong. However, an employer can only be held vicariously liable for the tort committed by an employee if it occurs during the course of his employment and not ‘on a frolic of his own’ (Storey v Ashton (1869) L. R. 4 Q B 476).
Morrisons, the appellant in this matter, is a well known company which operates supermarkets. The respondents are over 9000 of its employees or former employees. Personal information about the respondents was published on the Internet by another of Morrisons’ employees, Mr Andrew Skelton.
Mr Skelton was a senior auditor in Morrisons’ internal audit team. In July 2013 he was subject to disciplinary proceedings for minor misconduct and was given a verbal warning. Following those proceedings, Mr Skelton was said to have harboured an irrational grudge against Morrisons.
Morrisons’ accounts are subject to an annual external audit. In preparation for the audit, on 1 November 2013 the auditors, KPMG, requested payroll data from Morrisons in order to test their accuracy. The head of Morrisons’ internal audit team delegated the task of collating and transmitting the data to Skelton. He had also performed that task in 2012. To enable him to carry out the task, he was given access to the payroll data relating to the whole of Morrisons’ workforce: around 126,000 employees. These consisted of the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff.
On 9 October 2013 Skelton had searched, using his work computer, for “Tor”, a software which is capable of disguising the identity of a computer which has accessed the Internet. On 7 November he made an internal request for the payroll data. On 14 November he obtained a pay-as-you-go mobile phone, which could not be traced back to him.
On 15 November 2013 the payroll data was provided to Skelton so that he could carry out his task. On a date between then and 21 November, he transmitted the data to KPMG as he had been instructed to do. On 18 November, he surreptitiously copied the data from his work laptop on to a personal USB stick. On 8 December he used the username and date of birth of a fellow employee, Mr Andrew Kenyon, to create a false email account, in a deliberate attempt to frame him. Mr Kenyon had been involved in the disciplinary proceedings earlier that year. The email account was linked to the pay-as-you-go phone. He then deleted the data from his work laptop.
On 12 January 2014 Skelton uploaded a file containing the data of 98,998 of the employees to a publicly accessible file-sharing website, with links to the data posted on other websites (“the disclosure”).
On 13 March 2014, the day on which Morrisons’ financial results were due to be announced, Mr. Skelton sent CDs containing the file anonymously to three UK newspapers. He purported to be a concerned member of the public who had found the file on the file-sharing website. The newspapers did not publish the data. Instead, one of them alerted Morrisons. Within a few hours, Morrisons had taken steps to ensure that the data was removed from the Internet, instigated internal investigations, and informed the police. It also informed its employees and undertook measures to protect their identities. Skelton was arrested a few days later. He was subsequently convicted of a number of offences and sentenced to eight years’ imprisonment.
What was the judgment in this case?
The pertinent issues before the Supreme Court were:
- whether Morrisons could be held to be vicariously liable for the actions of their employee, Mr Skelton; and
- if so, whether the Data Protection Act excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA and whether the DPA excludes the imposition of vicarious liability for misuse of private information and breach of confidence.
In response to the first issues, Lord Reed found that the Court of Appeal were wrong in determining Morrisons vicariously liable for the actions of Mr Skeleton stating:
“In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, applying the test laid down by Lord Nicholls in Dubai Aluminium in the light of the circumstances of the case and the relevant precedents, Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.Lord Reed, paragraph 47
In relation to the second issue, Lord Reed did not think it was strictly necessary to for the court to consider this as they had previously concluded that the conditions for the imposition of vicarious liability did not exist in this case. However, he did wish to express the courts view on this matter stating:
It follows that, applying the orthodox principles of statutory interpretation explained by Lord Nicholls in Majrowski, since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment, as explained in Dubai Aluminium.Lord Reed, paragraph 54
How does this decision impact the law regarding vicarious liability?
Whilst the law regarding vicarious liability is highly fact specific, the Supreme Court have provided guidance for employers and crucial precedent in this case. It will ease the worry that many employers may have had following the Court of Appeal judgment, that they may face a class action and be vicariously liable for actions of an employee with a vendetta.
Additionally, this judgment represents one of the first data class actions that has come before the UK Supreme Court, which will guide future cases. The judgment seemingly will affect individuals who have had their data leaked online, as they may now face difficulties in pursuing an action on the grounds of vicarious liability where an employee is acting maliciously.
You can read the full judgment here.
Book an Initial Consultation with our Professional Negligence Lawyers
Do you have a claim against a professional? If you want expert legal advice, do not delay in instructing us so we can assess the legal merit of your case.
We can often take on such claims on a no win no fee basis (such as a Conditional Fee Arrangement) once we have discussed the claim with you and then assessed and advised you on the merits of the proposed professional negligence action.
Our expert legal team of leading Professional Negligence Solicitors & Barristers can provide urgent help, advice or representation to you. Just call our Professional Negligence Lawyers on 02071830529 or email us now.
Want legal advice on the merits of your case?
Our simple enquiry form goes immediately to our litigation team in Middle Temple, London. Call us on +442071830529 from 9am-6pm.
Instruct Specialist Professional Negligence Solicitors
We are a specialist City of London law firm made up of Solicitors & Barristers operating from the only law firm based in the Middle Temple Inn of Court adjacent to the Royal Courts of Justice. Our team have expertise in advising on claims for compensation against professionals that have fallen below the standard expected, which causes clients financial or personal loss. We are experienced in bringing successful claims against negligent solicitors, barristers, financial advisers, surveyors, valuers, architects, tax advisers and IFAs.
LIMITATION ACT 1980 – WARNING
The Limitation Act 1980 sets out strict statutory deadlines within which you must bring litigation claims. Your legal rights will become irreversibly time-barred if you fail to take legal action (or defend a claim on time). Therefore, you should seek specific legal advice about your legal dispute at the very first opportunity so that you understand the time you have left. Failure to take advice or delay in taking action can be fatal to your prospects of success.