In its judgment handed down on 1 April, the Supreme Court confirmed that Morrisons is not vicariously liable for the acts of a rogue employee in a deliberate leak of payroll data.
Mr Skelton had been a member of the Morrisons internal audit team since 2013 and was responsible for collating and transmitting payroll data to Morrisons’ external auditors. As an act of revenge after receiving a verbal warning for minor misconduct, he deliberately published large quantities of Morrisons’ payroll data online and also leaked it to several newspapers.
As a result, a group of employees whose personal information had been published on the internet brought claims against Morrisons on the basis that Morrisons had breached its statutory duty under the Data Protection Act 1998, misused private information and breached its confidentiality obligations. The employees also claimed that Morrisons was vicariously liable for Mr Skelton’s actions.
The High Court and the Court of Appeal both found in favour of the employees. However, the Supreme Court overturned the decision and held that Morrisons was not vicariously liable for Mr Skelton’s conduct.
The Supreme Court found that the mere fact that Mr Skelton’s employment gave him the opportunity to commit the data breach was not enough to impose vicariously liability on his employer. Mr Skelton was not engaged in furthering his employer’s business when he committed the data breach and was instead acting on a personal vendetta. The Supreme Court therefore held that Mr Skelton’s wrongful disclosure of the data was “not so closely connected to acts he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him in acting in the ordinary course of his employment” (para 47 of the judgment).
Interestingly, the Supreme Court expressed its view that the principles of vicarious liability generally apply to breaches of the obligations of the Data Protection Act 1998. Although not confirmed by the Supreme Court, it appears that similar logic could also be applied to the obligations under the General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
What does this mean for employers?
The Morrisons case turned on the Supreme Court’s assessment that Mr Skelton’s actions were not sufficiently connected to those he was authorised to carry out as a Morrisons employee. That Mr Skelton was acting for purely personal reasons was also held to be “highly material”. This decision may be welcomed by employers in light of the increased scope for liability under the GDPR, although some caution should be exercised before relying on this judgment, given the specific fact pattern of this particular case.
Despite its outcome, this case is a useful reminder that employers can be responsible for the actions and omissions of their employees with respect to the handling of personal data. As such, employee engagement, training and responsibility continue to be key to ensuring compliance with data protection regulation.