The Supreme Court has overturned the Court of Appeal decision in Various Claimants v WM Morrison Supermarkets Plc [2018] EWHC Civ 2339 finding the appellant (“Morrisons”) not vicariously liable for the illegal acts of a rogue employee. It was a unanimous decision. The Supreme Court judgment is available here.

The Supreme Court considered:

1. Whether Morrisons is vicariously liable for the employee’s conduct.

2.  Whether the Data Protection Act 1998 (“DPA”) excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA, and for misuse of private information and breach of confidence.

The facts:

On 12 January 2014, Mr Andrew Skelton – then a senior IT Auditor for Morrisons – posted a file containing the personal details of almost 100,000 colleagues on the Internet. Skelton was later charged and convicted under the Computer Misuse Act 1990 and section 55 of the DPA. The Claimants, 5,518 employees whose data was disclosed, brought a group action against Morrisons claiming compensation for breach of section 4(4) of the DPA, misuse of private information, and breach of confidence.

In Skelton’s role at Morrisons, he was responsible for internal document audits, and checking documents of other employees. He also had access to payroll data that was stored on the ‘PeopleSoft’ System. In 2013 he developed a grudge against his employer. Skelton had another business on the side, selling a legal slimming drug. He would sometimes send the product to his customers via the post room at Morrisons. However, on 20 May 2013, some white powder came out of one of the packages. The police were called and he was arrested.

Later, once it was confirmed it was a legal drug, he returned to work and faced a disciplinary hearing. He was given a formal verbal warning that would remain on his file for 6 months. Skelton objected and appealed the decision through the internal disciplinary process. It was rejected in August 2013. Over the following months Skelton created a fake email address, bought an untraceable pay-as-you-go mobile and began to use the TOR system.

On 15 November, he was given Morrisons payroll data to provide their external auditor with a number of categories of personnel data. These he uploaded onto his work laptop computer and carried out the task. However, on 18 November he also copied the data onto a USB device and on 12 January 2014 uploaded the data onto a file-sharing website using the fake email address. The files were deleted from the USB using his personal computer. After uploading the files he contacted (anonymously) two newspapers, one of which informed Morrisons.

The Supreme Court’s decision:

The Court decided that Morrisons was not vicariously liable on the facts of the case and that the trial judge and the Court of Appeal had adopted an incorrect approach, having taken some of the phrasing of Lord Toulson in the case of Mohamud v William Morrison Supermarket Plc[1] out of context. It affirmed that the approach taken in Mohamud was correct and did not depart from the principle that vicarious liability can be established where the unauthorized acts of an employee are so closely connected with acts which the employer has authorized, that they can be regarded as being within the scope of employment.[2]

The Supreme Court made the following points:

• Skelton’s employed activities at Morrisons did not include the disclosure of data on the Internet and his act could therefore not be seen as within the function, or field of activities, that he was authorized to do in his position.

• There had been some misunderstanding of Lord Toulson’s comments in Mohamud, where he had described the actions of the employee in that case as representing “an unbroken sequence of events” that were part of “a seamless episode”[3]. These comments, the Supreme Court said, were directed towards the capacity in which that employee was acting, not the temporal or causal connection between the various events.[4] Therefore, the fact that Skelton had been given the data to send to the external auditor, and having done so had copied it and sent it to another third party, did not mean that this temporal or causal connection established the ‘close connection’ part of the test.

• The reliance on the factors outlined in Various Claimants v Catholic Child Welfare Society[5] was misplaced. That case dealt with the question of how the doctrine of vicarious liability applies when the person who committed the wrongdoing was not an employee. Those factors were related to assessing that particular relationship, and were not relevant to Skelton and Morrisons.

• Lord Toulson’s reference to motive being irrelevant in Mohamud did not establish a legal principle.[6] Skelton’s motive was highly relevant. There is a distinction to be drawn between circumstances where an employee is misguidedly pursuing the employer’s business, and those where the employee is pursuing their own personal intentions. Skelton was “not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier”.[7]

• Lord Toulson’s comments about social justice in Mohamud should not be interpreted as suggesting a court should consider whether it is right or not from a personal sense of justice to impose vicarious liability.[8]

The second important question that the Supreme Court considered was whether the DPA excludes the imposition of vicarious liability for statutory torts committed by an employee, or for misuse of private information and breach of confidence. Whilst it was not necessary for the Supreme Court to go into this analysis given that it had found that Morrisons was not vicariously liable in answer to the first question, Lord Reed stated that it was “desirable that the court should express its view”.[9]

Morrisons presented their arguments on domestic principles rather than on the Data Protection Directive 95/46/EC (which has now been replaced by the General Data Protection Regulation (EU) 2016/679 (“GDPR”)). The relevant principles of domestic statutory interpretation are outlined by Lord Nicholls in Majrowski[10] and summarised as: “unless the statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of statutory obligation sounding in damages while acting in the course of his employment.”[11]

The Supreme Court was not persuaded by the argument that the wording of section 13 of the DPA implies that liability is imposed only on data controllers, and that Skelton was a data controller in his own right so that Morrisons could not be vicariously liable for his breach of duties. The court concluded that the DPA neither expressly nor impliedly excludes the principle of vicarious liability. The principle applies to the breach of the statutory obligations the DPA imposes and to those that arise at common law or in equity when committed by an employee who is a data controller in the course of their employment.[12]

This is an important conclusion. Even though vicarious liability did not arise in the circumstances of this case, does not mean that on a different set of facts, vicarious liability for the acts of an employee cannot be established where data has been improperly used. Although this case considered legislation that is pre-GDPR, it is likely that the judgment will still be relevant in post-GDPR litigation.

Finally, the Supreme Court handed down judgment in another case about vicarious liability on the same day as this judgment. In Barclays Bank plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 13 the Appellant was found not to be vicariously liable for sexual assaults allegedly committed during pre-employment medical assessments. In Barclays the Supreme Court examined whether the relationship between an independent contractor and an employer can be broadened in light of the cases of Various Claimants v Catholic Child Welfare Society and Armes v Nottinghamshire County Council [2017] UKSC 60; [2018] AC 355 to establish vicarious liability. Whilst I have not analysed this case in detail, those interested may wish to read it.

An audio version of this article is available here:

If you are interested in any further information or advice, please contact my clerks on 020 3179 2023 or privacylawbarrister@proton.me

[1] [2016] AC 677.

[2] See Lister v Hesley Hall Ltd [2001] UKHL 22; [2002] 1 AC 215 and Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48; [2003] 2 AC 366.

[3] Lord Toulson in Mohamud [2016] AC 677 at paragraph 47.

[4] See paragraph 28 of this judgment.

[5] [2013] 2 AC1.

[6] Paragraphs 16 and 17 of this judgment.

[7] Paragraph 47 of this judgment.

[8] At paragraph 45 of Mohamud, and examined in paragraphs 16, 25 and 26 of this judgment.

[9] Paragraph 48 of this judgment.

[10] [2007] 1 AC 224 at paragraph 10.

[11] Paragraph 17 of Majrowski and paragraph 51 of this judgment.

[12] Paragraph 54 of this judgment.