Clifford Chance

The Supreme Court has ruled that Morrisons supermarket was not vicariously liable for an employee's actions in uploading personal data about the company's entire staff onto the internet.

In late 2013, the UK supermarket chain Morrisons was going through its annual audit.  Its auditors, KPMG, asked for payroll data for the business in order to test its accuracy.  The data consisted of the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff.

The job of collating and transmitting the data to KPMG was given to Andrew Skelton, who was a member of Morrisons' internal audit team.  Mr Skelton carried out the task he had been assigned.  But he bore a grudge against Morrisons over disciplinary proceedings earlier in the year, and he also copied the data onto a personal USB stick.  A short time later he uploaded it all onto the internet, using a pay-as-you-go mobile phone and an email address he had created in the name of one of his colleagues.  He then sent it to three newspapers.  One of the newspapers notified Morrisons, which spent more than £2 million having the data removed from the internet and on identity protection measures for its employees.

A group of employees sued Morrisons for  breach of its statutory duty under the Data Protection Act 1998, for misuse of their private information and for breach of confidence.  They also claimed that Morrisons was vicariously liable for Mr Skelton's conduct, as he had made the unlawful disclosure using information that Morrisons had provided to him.

The case went to the High Court, where the judge found that Morrisons had no primary liability, but was vicariously liable for Mr Skelton's activities.  This was important for the claimants, as Mr Skelton was by that point in jail, serving an eight-year sentence, and unlikely to be worth suing.  The Court of Appeal agreed with the High Court.  The Supreme Court did not, and allowed Morrisons' appeal, finding that no vicarious liability existed.

The lower courts had relied on the decision of the Supreme Court in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11; [2016] AC 677, which involved an altercation at a petrol station owned by Morrisons.  A customer went into the station kiosk to ask whether some documents could be printed for him.  The employee in the kiosk refused, ordered the customer to leave, using racist and threatening language, then followed him back to his car, opened the door and ordered him never to come back, again using threatening language. When the customer told the employee to close the door, the employee assaulted him.  The Supreme Court held at [47] that the employee had been acting on behalf of his employer in that case:  "[I]t was [the employee's] job to attend to customers and to respond to their inquiries. His conduct in answering the [customer's] request in a foul-mouthed way and ordering him to leave was inexcusable but within the 'field of activities' assigned to him."

This case was different.  The Supreme Court said that there had been "misunderstandings" about its decision in Mohamud and set about correcting them.  The question to be answered was whether Mr Skelton's disclosure of the data on the internet was so closely connected with the acts he was authorised to do that it could fairly be regarded as done by him when acting in the ordinary course of his employment.  The answer to that question was "no".  He was only authorised to collate the payroll data and transmit it to KPMG.  His additional wrongful disclosure of the data was not connected with the authorised activity at all.  He was acting entirely on his own behalf.  True, he only had the data because he had been asked to collate it and send it to KPMG, but the mere fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability on Morrisons.

A second issue in the case was whether vicarious liability was excluded by the wording of the Data Protection Act 1998 for statutory torts committed by an employee data controller under the Act and for misuse of private information or breach of confidence.  Although the Supreme Court did not need to answer that question, it said that vicarious liability was not excluded by the Act.  So whilst this claim did not succeed on its facts, we may continue to see vicarious liability claims for data breaches.

The Data Protection Act 1998 has now been superseded by the GDPR and the Data Protection Act 2018.  Companies should keep in mind that data subjects also have the right to pursue direct claims for personal data breaches against a data controller or data processor under that legislation.  Further, the Google v Lloyd action has recently been appealed, meaning the Supreme Court will shortly be revisiting liability and procedural issues associated with data claims.

The decision will be welcomed by Morrisons and other organisations dealing with data breaches.  However, data breaches can cause reputational damage even where there is no financial liability.  Anyone dealing with personal data, and particularly large sets of data which might make a splash on the internet, should satisfy themselves as far as possible that it cannot be copied onto USB sticks or other media and misused by disgruntled employees or others.