246: Supreme Court overturns Morrisons data breach decisions of the Court of Appeal and High Court

In a highly welcome decision for employers and being the first Supreme Court decision involving a class action by data subjects for data protection breaches, the Supreme Court has overturned the judgments of the Court of Appeal and the High Court relating to the vicarious liability of Morrisons supermarket for data protection breaches committed by a disgruntled employee.

Mr Skelton was employed by Morrisons as an internal IT auditor. After receiving a verbal warning for minor misconduct, he developed a grudge against his employer. When asked to provide payroll data for the entire workforce to external auditors, he copied this data onto a USB stick, took it home and posted the data on the internet, using another employee’s details so as to conceal his actions. The data included names, addresses, dates of birth, phone numbers, national insurance numbers and bank details. Mr Skelton also sent this data to three national newspapers, purporting to be a concerned member of the public. One of the papers alerted Morrisons, which was able to remove the data from the internet. Mr Skelton was convicted of several criminal offences under data protection legislation and sentenced to eight years’ imprisonment.

Various claims were brought against Morrisons by 9,263 employees and former employees, including a claim that the supermarket was vicariously liable for Mr Skelton’s actions. The key issue was whether the connection between Mr Skelton’s employment and his wrongful acts was so close that it would be just and reasonable to impose liability. Ruling in favour of the claimants, the High Court and Court of Appeal concluded that Morrisons could be held vicariously liable because Mr Skelton had been entrusted with payroll data in the course of his duties, and publishing that data was part of a seamless and continuous chain of events. The fact that Mr Skelton had deliberately sought to harm his employer did not prevent Morrisons being vicariously liable for his actions.

In a landmark judgment, the Supreme Court has now overturned this decision. The Court found that the lower courts had focused too much on a Supreme Court ruling in 2016 that Morrisons was vicariously liable for an employee’s unprovoked assault of a customer at a petrol station. In that case, the employee’s actions were found to be connected to his employment, and his motives for the assault were held to be irrelevant. The Supreme Court held that some of this judgment had been taken out of context. Disclosing data on the internet did not form part of Mr Skelton’s duties and he was not authorised to disclose it to anyone other than the external auditors. Mr Skelton’s motives were also important, since the reason he had published the data was to cause harm to Morrisons. In these circumstances, disclosing the data was not so closely connected with acts that Mr Skelton was authorised to do, that it could be fairly and properly regarded as having been done in the course of his employment.

This decision will be a welcome relief to employers since it confirms that they will not generally be liable for the acts of rogue employees who are acting outside the scope of their duties. However, this will depend on the precise facts. Whilst not relevant to Morrisons, it is important to note that the Supreme Court also confirmed that vicarious liability could apply to breaches of data protection legislation committed by an employee who is a data controller acting in the course of their employment.