The case of WM Morrison Supermarkets plc v Various Claimants concerned the grocery store chain Morrisons in the UK, and a former employee of the company, Andrew Skelton. During his tenure with the company, Mr Skelton was a senior in-house auditor, who had access to employee information for auditing purposes. After a disciplinary action against him, Mr Skelton copied information relating to around 98,000 employees from Morrisons' internal systems and shared the data on a file-sharing website (subsequently also sending the data to three newspapers as an anonymous third party). Morrisons took action to remove the data from the website, and Morrisons was then sued by the Respondents (a collective of various employees) alleging vicarious liability for Mr Skelton's actions and the data breach. After several years of litigation via the High Court and Court of Appeal (with Morrisons losing at every stage), the matter finally landed on the desk of the Supreme Court for final determination.
Lord Reed, handing down the judgment of the unanimous court, initially considered the long appellate history of the matter and the findings of the lower courts. Lord Reed considered that the lower courts had misunderstood the principles governing vicarious liability, and saw that the matter would have to be considered entirely afresh by the Supreme Court.
The first step was to consider the matter under the test set out in Dubai Aluminium, which required the court to consider whether "...the disclosure of the data was so closely connected with acts [Mr Skelton] was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment". Mr Skelton was indeed authorised to collate and transmit the data as a part of his function as an internal auditor. However, the question was whether the wrongful disclosure was so closely connected with that authorisation that it would render Morrisons liable for it.
As set out in Dubai Aluminium, for an employee's acts to give rise to vicarious liability, they would need to be done, misguidedly or not, "...in furthering his employer's business". Clearly, he was not engaged in furthering his employer’s business when he committed the wrongdoing, as he was merely pursuing a personal vendetta against Morrisons, and the wrongdoing, therefore, "...was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment".
The Court then moved on to consider whether the Data Protection Act 1998 excludes vicarious liability for the torts caused by an employee.
As a starting point, the DPA does not exclude vicarious liability either for a breach of the duties imposed by the DPA itself or for a breach of common law or equitable obligations. Although argued by Morrisons, the Court did not see that the DPA excluded employers' vicarious liability impliedly (specifically under s. 13). In short, the Court concluded that "...the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment".
The Court ultimately decided that Morrisons could not be held responsible for Mr Skelton's actions and allowed their appeal.
The case is a huge win for employers, particularly considering the appellate history and Morrisons' consecutive losses, and sets an important precedent even in the light of the GDPR, which has taken over from the DPA. The position would most likely be the same under GDPR, so employers' liability should not be excluded. Employers should therefore be extra careful to avoid any data breaches by employees during the course of their employment, and take any measures possible to avoid issues like that, especially considering the humongous fines that the ICO can impose under the GDPR.