In a landmark class action case, the Supreme Court has decided that WM Morrison Supermarkets PLC (“Morrisons”) is not liable to employees whose personal data had been leaked by a disgruntled colleague.

Employers will be comforted that this decision overturns the controversial judgments of the High Court and Court of Appeal which, despite the rogue employee’s intention to harm the company, had both decided Morrisons was liable.

Facts

In 2013, Andrew Skelton was a senior internal auditor at Morrisons. He had been subject to disciplinary proceedings in July, one month before embarking on a rogue mission intentionally to harm his employer’s business.

Mr Skelton had been entrusted with payroll data relating to almost 100,000 employees and former employees of Morrisons.  This data comprised of the name, address, gender, date of birth, phone number, National Insurance number, bank account number and salary of the individuals.

It was intended that the data be provided to Morrisons’ external auditor, KPMG, for audit purposes, but Mr Skelton secretly copied this data and uploaded it to a publicly accessible file-sharing website. He then anonymously informed 3 UK newspapers of the data breach.  It is understood that Mr Skelton made careful efforts to hide his actions, including trying to frame another employee, and Morrisons had been unaware of the grudge he held against them.

Mr Skelton was given an 8 year prison sentence for fraud, securing unauthorised access to computer material, and disclosing personal data.

Although Morrisons acted rapidly in dealing with the breach and implementing identity protection measures, a claim brought by 9,263 employees and former employees turned into an uphill battle.

The issues

The claimants brought proceedings against Morrisons for its own alleged breach of statutory duty under the Data Protection Act 1998, misuse of private information and breach of confidence. The trial judge rejected these claims on the basis that Morrisons did not itself breach these duties or misuse information, nor did they authorise it or permit it by carelessness.

However, the claimants also brought these claims on the basis that if Morrisons were not held liable on their own account, Morrisons, as the employer, could be held vicariously liable for the data breach caused by then-employee Mr Skelton.

Vicarious liability in an employment context means that an employer can be held liable for the actions of an employee, under certain circumstances. The test to determine whether an employer is vicariously liable has been developed through case law.

Arguments at both the High Court and Court of Appeal turned to whether Mr Skelton’s wrongful conduct constituted a “seamless and continuous sequence” or an “unbroken chain of events”. Both courts found that even though his task was to receive and store personal data which was to be disclosed to a specified third party (KPMG), the disclosure to a third party (the general public via the internet) was deemed to be close enough to hold Morrisons vicariously liable.

At the Supreme Court

The key issue to be determined was whether there was a sufficiently “close connection” between the actions of Mr Skelton and the task he was authorised by Morrisons to carry out.

The Supreme Court considered arguments that the Data Protection Act 1998 (which was the applicable law at the time of the breach) excludes the imposition of vicarious liability “unconvincing”.

However, in a unanimous judgment, overturning the decisions of the lower courts, it was held that this “close connection” had not been established because:

  • Disclosing the information on the internet did not form part of “his function or field of activities”, and
  • Mr Skelton was fulfilling a personal vendetta, stemming from the disciplinary action taken against him, rather than furthering his employer’s business, making his motive “highly material”.

Morrisons was therefore found not to be vicariously liable for the data breach.

What does this mean for employers?

As the judgments of the lower courts had left very little protection for employers in the case of rogue employees, their overturning by the Supreme Court will be widely welcomed.

Having said that, even though Morrisons is not liable in these circumstances, this is not to say that an employer will never be vicariously liable for breaches by employees, rogue or otherwise. Where a sufficiently “close connection” between the employee’s work and the breach can be established, an employer can be held liable.

Although the case was decided under the previous data protection regime, the principles under the General Data Protection Regulation (GDPR) remain similar to those under the Data Protection Act 1998. The risk of vicarious liability to data subjects comes on top of the huge potential fines under the GDPR for data breaches, so employers should remain vigilant.

Particularly with so many employees working from home during the COVID-19 pandemic, employers find themselves needing to trust their employees more than ever. It is therefore even more important for employers to ensure robust data protection policies and procedures are in place, and that employees are reminded of their obligations to handle personal data responsibly.