In its judgment in the case of WM Morrison Supermarkets plc v Various Claimants ( UKSC 12) handed down on 1 April 2020, the Supreme Court reversed the decision of the Court of Appeal and found that Morrisons was not vicariously liable for a rogue employee who posted payroll data of 100,000 other employees on a file-sharing website.
This decision is good news for compliant businesses that nevertheless come under fire as a result of data breaches and other acts perpetrated by malicious employees.
The Supreme Court also found that imposing statutory liability on data controllers (in this case through the Data Protection Act 1998 (the “DPA”) but by analogy also under the GDPR) is not inconsistent with the co-existence of vicarious liability at common law.
What was the claim about?
In March 2014, it came to Morrisons’ attention that a file containing personal data relating to 99,998 employees had been posted to a file-sharing website. The file contained information including names, dates of birth, addresses, national insurance numbers, and bank sort codes and account numbers. It soon became apparent that the file was posted by a senior IT auditor, who had access to the data when he was tasked with delivering it to Morrisons’ external auditors on a USB stick.
The individual had been harbouring a grudge against Morrisons stemming from a previous disciplinary issue, and took the opportunity to copy the data from the USB stick and post it online. The individual was arrested and subsequently sentenced to eight years imprisonment for offences under the Computer Misuse Act 1990 and the DPA.
The claim was initially brought by 5,518 of the employees whose data had been included in the file, a group that subsequently expanded to 9,263 by the time of the Supreme Court hearing.
The employees alleged that Morrisons was:
- Directly liable, for breach of statutory duty (under section 4(4) of the DPA) and under common law (for misuse of personal data and breach of confidence); and/or
- Vicariously liable for the actions of its employee (the IT auditor).
The Court of Appeal, upholding the High Court’s decision, found that, whilst Morrisons was not directly liable for the data breaches and had taken appropriate technical and organisational measures to protect the data, Morrisons was in any event vicariously liable for the actions of the individual. Although the act of uploading the file had taken place outside work hours and premises, there was “an unbroken thread that linked his work to the disclosure: what happened was a seamless and continuous sequence of events”. It was relevant that the individual had been entrusted with the data, not merely given access rights to it. His task was to store the data and disclose it to a third party. What he had done was not what he was authorised to do, but was closely related to the task he was entrusted to perform.
Whilst it was true that the employee’s intention was to damage Morrisons, his direct method of doing that was to release the personal data of a large number of employees. As the judge put it: “The issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall.”
Morrisons appealed to the Supreme Court, which was asked to consider:
(1) Whether Morrisons was vicariously liable for the individual’s conduct; and
(2) If so, whether the DPA excludes the imposition of vicarious liability for (a) statutory torts committed by an employee data controller under the DPA and (b) misuse of private information and breach of confidence.
What did the court decide?
(1) Vicarious liability
The Supreme Court dismissed the reasoning of the Court of Appeal and considered the position afresh, finding that the High Court and the Court of Appeal had misunderstood the existing authority on vicarious liability.
In particular, the Court of Appeal appeared to have taken Lord Toulson’s comment in the case of Mohamud v WM Morrisons Supermarkets plc  UKSC 11 that “motive is irrelevant” out of context. On the contrary, the Supreme Court considered that “whether he was acting on his employer’s business or for purely personal reasons was highly material”.
The key question, applying the established test, was whether the individual’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.
Their Lordships found that the mere fact that the individual’s employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability. They reasoned that:
“In the present case, it is abundantly clear that Skelton [the employee in question] was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.” 
Morrisons could not, therefore, be vicariously liable for the actions of the individual.
(2) Whether the DPA excludes vicarious liability
Having concluded that the necessary conditions for the imposition of vicarious liability did not exist, it was not strictly necessary for the Court to go on to consider this issue. However, the Court elected to do so.
The Court found that, since the DPA neither expressly nor impliedly indicates otherwise, imposing statutory liability on the employee as a data controller was not inconsistent with the co-existence of potential vicarious liability of employers at common law, whether for a breach of the DPA or for a common law or equitable wrong. Vicarious liability was not, therefore, excluded by the DPA.
The decision is good news for employers, particularly in the context of their potential liability for data breaches. It reaffirms that where employers can demonstrate that they have complied with their own obligations as a data controller, they will not be liable for the acts of employees that are carried out for their own personal motives outside of their duties.
Whilst most data breaches are caused by external attacks or inadvertent human error, deliberate thefts or leaks of data by employees are increasingly common, and we have seen the Information Commissioner’s Office becoming more active in the criminal prosecution of such actors. And so it will be welcome news that if a company has taken the appropriate measures to protect against such attacks, they will not be pinned with liability simply because the unlawful act was carried out in a work context.
However, the risk of vicarious liability remains. Employers need to be especially vigilant of the roles of responsibility of those entrusted to access and protect personal data and keep such privileges under constant review, particularly if employees fall under suspicion.
The judgment again highlights the incredible costs to business of such actions by rogue employees. It is noted that Morrisons had spent more than £2.26m in dealing with the immediate aftermath of the disclosure, a significant part of which was spent on identity protection measures for its employees. Even where there is no finding of any wrongdoing by a data controller, the costs can be enormous where an employee acts maliciously, or even negligently, in the course of their duties.
Ashley Hurst is a Partner and Philip Kemp a Senior Associate at Osborne Clarke.