The Facts
On 12 January 2014, an employee of the Defendant “Morrisons” posted a file containing the personal details of almost 100,000 colleagues on the Internet. Mr Andrew Skelton, a senior IT Auditor at Morrisons, was later charged and convicted under the Computer Misuse Act 1990 and section 55 of the Data Protection Act 1998 (‘DPA’).
The Claimants – 5,518 employees whose data was disclosed – brought a group action against Morrisons claiming compensation for breach of section 4(4) of the DPA, misuse of private information, and breach of confidence.
Skelton had developed a grudge against his employer. In his role at the company, he was responsible for internal document audits, and checking his colleagues’ documents and other sensitive information. He was highly IT literate. He also had access to payroll data that was stored on the ‘PeopleSoft’ System.
Alongside this employment, he also had his own business, selling a legal slimming drug. He would sometimes send the product to his customers via the post room at Morrisons, having prepaid the postage first. However, on 20 May 2013, some white powder came out of one of the packages. The police were called and he was arrested.
Later, once it was confirmed it was a legal drug, he returned to work and faced a disciplinary hearing. He was given a formal verbal warning that would remain on his file for 6 months. Skelton objected and appealed the decision through the internal disciplinary process. It was rejected in August 2013. Over the following months Skelton created a fake email address, bought an untraceable pay-as-you-go mobile and began to use the TOR system.
On 1 November, he was asked by his manager to provide KPMG – the external auditor – with a number of categories of personnel data. These he uploaded onto his work laptop computer. On 18 November a USB device was inserted into the laptop and the files uploaded, and later appeared on a file-sharing website. The files were deleted off the USB using his personal computer. Skelton also set up a fake email address to implicate a colleague. After uploading the files he contacted (anonymously) two newspapers, which in turn informed Morrisons.
The Arguments
The Claimants argued that Morrisons had both primary and secondary liability for the actions of its employee. The Defendant contended that it could not be held primarily liable for any breaches because it had not itself committed them. As regards secondary liability, it responded as follows:
- The DPA does not recognise any possibility of vicarious liability.
- Paragraph 10 of Schedule 1 DPA provides that the data controller must take reasonable steps to ensure reliability of any employees who have access to personal data.
- Section 13(3) provides a data controller with a defence if it can show that it took reasonable care to comply with the relevant requirement (here that it took all reasonable care to ensure its employee’s reliability), which would be otiose if vicarious liability were permitted.
- If data controllers are held to be vicariously liable for the actions of their employees, in the absence of fault, it could expose them, unjustly, to burdensome and expensive group litigation.
- Vicarious liability at common law, or equity, cannot go beyond the liability imposed by Parliament under the DPA. Under the DPA, Morrisons, acting as data controller, is liable, but not for an employee acting separately in breach of its own obligations under the Act.
- In any event, the act central to liability was the disclosure of the information on 12 January 2014. This was not committed at work, or on a work computer and was far removed from the act of copying the data (November 2013). The disclosure therefore did not arise in the course of employment and the connection was not close enough to attract vicarious liability.
- This case involves a large number of claimants; Skelton did not act on Morrisons’ behalf in disclosing the data; Skelton’s actions were neither part of Morrisons’ business activity, nor part of his core duties.
The Judgment
The Judge did not find for the Claimants on primary liability. On data protection, he found that the systems and procedures that Morrisons had in place at the time, particularly regarding the use of USB sticks and data deletion periods, did not breach the DPA. Further, had Morrisons monitored his emails or Internet research history, it would undoubtedly have been invasive as per the decision in Barbulescu v Romania [2017] ECHR 754.
As regards misuse of private information, the Judge concluded that Morrisons did not directly misuse any information personal to the data subjects, or permit it to be misused, and so was not liable either primarily or vicariously. Morrisons had also not breached confidence, because it had not disclosed the information.
However, the Judge did find Morrisons vicariously liable. He pointed to the principle in Majrowski v Guy’s and St Thomas’ NHS Trust [2005] EWCA Civ 251 that vicarious liability applies where an employee commits a breach of statutory obligations whilst in the course of employment, unless the statute expressly or impliedly states otherwise. The DPA implements the EU Data Protection Directive, the emphasis of which is on the protection of data subjects.
Therefore even though the effect of the DPA is that Skelton became a data controller of the information, it is not compatible with the purpose of the Directive that vicarious liability is thereafter excluded, as it weakens the rights of the data subject in regards to their information. The Judge’s view was that additional liabilities add layers of protection, and so it cannot be that the DPA excludes common law and equitable actions in respect of the same data disclosure.
In his view there was an “unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events” beginning before the first unlawful act of downloading the data to a USB stick (paragraph 183). His role was to receive the payroll data, store it, and disclose it to a third party. This is in fact what he did, albeit to an unauthorised third party, and at all times he had been acting as an employee. Morrisons had entrusted him with the payroll data, thereby taking the risk that it might have been wrong to do so.
The Judge followed Lord Toulson’s broad and evaluative approach in Mohamud v William Morrison Supermarket Plc [2016] UKSC 11 and concluded that there was sufficient connection between Skelton’s position at Morrisons and the wrongful conduct to make it right for Morrisons to be held liable. This would be the position irrespective of whether there was a breach of duty under the DPA, misuse of private information or a breach of the duty of confidence.
Finally, the Judge was not persuaded by the argument that group litigation of this sort would ‘overwhelm’ a company, pointing out that so far there had not been one case involving vicarious liability that had done so, and that companies obtain appropriate insurance to cover such risk.
Damages were not determined and this case is under appeal.
If you are interested in any further information or advice, please contact my clerks on 020 3179 2023 or privacylawbarrister@proton.me