In a long-awaited decision on vicarious liability in data protection claims, the Supreme Court has found that Morrisons is not liable for a data breach carried out by a rogue employee, but has confirmed that, in principle, the vicarious liability regime will apply in claims for breach of data protection legislation.


Various Claimants v Wm Morrison [2020] UKSC 12

Background

In 2014, Andrew Skelton, a Morrisons employee who bore a grudge against his employer, deliberately posted the personal information of thousands of other employees on the internet. 

Mr Skelton was employed as a Senior Auditor and had been given the task of collating the payroll data of the entire Morrisons workforce. After obtaining the data, he covertly uploaded a file containing the data of 98,998 of the employees to a publicly accessible file sharing website. He also sent the information anonymously to three newspapers. He was motivated by a desire to cause harm to Morrisons. 

Despite his efforts to cover his tracks, Mr Skelton's actions were quickly uncovered. The information was removed from the internet within a few hours, and Mr Skelton was arrested, and ultimately convicted and sentenced to 8 years in prison. 

9,263 of the affected employees brought a collective action against Morrisons, seeking damages for breach of data protection legislation, misuse of private information and breach of confidence. 

The decision of the lower courts

Both the High Court and the Court of Appeal found that while Morrisons was not directly liable for Skelton's conduct, it was vicariously liable. Those Courts had decided that there was a sufficiently close connection between Mr Skelton's wrongful acts and his employment to impose liability on Morrisons to pay compensation, and that Mr Skelton's motivation to harm his employer was irrelevant. 

The lower courts' decisions were based on an interpretation of Lord Toulson's judgment in Mohamud [2016] AC 677, which outlines the "close connection" test for establishing vicarious liability. The trial judge held that Morrisons had provided Mr Skelton with the data in order for him to carry out the task assigned to him, and that what had happened thereafter was, in the words of Lord Toulson's judgment, “a seamless and continuous sequence of events … an unbroken chain”. The actions were therefore committed in the course of Mr Skelton's employment. 

The Court of Appeal agreed, noting that, while it was an unusual feature of the case that Skelton's motivation had been to cause harm to his employer, Lord Toulson had commented in Mohamud that "motive is irrelevant". 

The Supreme Court's decision

The Supreme Court has now reversed the decisions of the High Court and Court of Appeal. The Court explained that the lower courts had misunderstood Lord Toulson's judgment in Mohamud, which had not been intended to change the law of vicarious liability. 

The Court confirmed that the close connection test is not merely a question of timing or causation; rather, it concerns the capacity in which the individual is acting. Further, Lord Toulson's comment that "motive is irrelevant" should be read in the specific context of the Mohamud case – it was not intended as a broader comment on the elements of the close connection test.

The Supreme Court found that, in the present case, Mr Skelton's motivation was highly relevant. Mr Skelton was not engaged in furthering his employer's business when he committed the act; rather, he was pursuing a personal vendetta. His actions could not therefore be said to be closely connected with the work he was employed to do, so Morrisons could not be held liable for them.

Significantly, although it decided that Morrisons was not liable on this occasion, the Supreme Court confirmed that, in principle, employers can be vicariously liable for breaches of the Data Protection Act. Morrisons had sought to argue that the Data Protection Act impliedly excluded vicarious liability as it made clear that liability was only to be imposed on data controllers where they had acted without reasonable care. The Supreme Court was not persuaded, and held that imposition of a statutory liability upon a data controller (where the data controller is at fault) is not inconsistent with the imposition of common law vicarious liability on his employer (where the employer has himself done nothing wrong). The same will apply in claims for breach of confidence and misuse of private information. 

Comment

The decision provides welcome clarification of the scope of vicarious liability, not only in data protection claims but also more widely. Employers will be relieved to know they will not have to pay compensation following acts carried out deliberately to cause them harm. 

However, the decision does not let employers entirely off the hook. They will still be vicariously liable for data breaches caused by data controllers whom they employ, in circumstances where the data controllers can properly be said to be acting in the course of their employment. 

The case was decided under the old data protection regime. However, the principles will be equally applicable in claims under the GDPR and Data Protection Act 2018.