WM Morrison Supermarkets plc (“Morrisons”) v Various Claimants (Supreme Court, 1 April 2020)

The Supreme Court has held that Morrisons was not vicariously liable for the acts of one of its employees who, pursuing a personal vendetta, illicitly copied employee data given to him in his role as an auditor and published it online.

Facts

In 2013, Mr Skelton, an employee of Morrisons, published personal details of almost 100,000 Morrisons employees online, including names, contact details, bank account numbers and salaries.

Mr Skelton had been given access to the data in his role as a senior auditor, with instructions to pass it on to external auditors. He surreptitiously copied the data onto a personal USB stick. He then used the details of a fellow employee to create a false email account to use to publish the information online. This was a deliberate attempt to frame the fellow employee (who had been involved in disciplinary proceedings against Mr Skelton). Mr Skelton then anonymously sent CDs containing the data to three UK newspapers, purporting to be a concerned member of the public.

One of the newspapers alerted Morrisons. Within a few hours, Morrisons had taken steps to ensure that the data was removed from the internet, instigated internal investigations, and informed the police. It also informed its employees and undertook measures to protect their identities. Mr Skelton was arrested a few days later. He was subsequently convicted and sentenced to eight years’ imprisonment.

The Claimants in this case were c.9,000 Morrisons employees whose information had been published.

Issues

The matters brought to the Supreme Court for consideration were:

• whether Morrisons was vicariously liable for Mr Skelton’s conduct; and
• if the answer to the above question was yes, whether the Data Protection Act 1998 (“the DPA98”) excluded vicarious liability for breaches committed by an employee who is a data controller.

Judgment

Whether Morrisons was vicariously liable for Mr Skelton’s conduct

The Supreme Court noted that the current statement of the law on vicarious liability of an employer is as follows:

“in a case concerned with vicarious liability arising out of a relationship of employment, the court generally has to decide whether the wrongful conduct was so closely connected with acts the employee was authorised to do that, for the purposes of the liability of his employer, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment” (the “close connection test”).

Its analysis of the close connection test contained the following key points:

• the test does not mean that there was simply an unbroken series of events between the employee acting in the course of employment and the misconduct;
• the employee’s motive, ie whether they were acting on their employer’s business, however misguidedly, or for purely personal reasons (on a “frolic of their own”), is highly material;
• the fact that the employment gave the employee the opportunity to commit the wrongful act is not sufficient to warrant vicarious liability; and
• the words “fairly and properly” are not an invitation to judges to decide cases according to their personal sense of justice, but require them to consider the guidance from decided cases.

Overturning the decision of the Court of Appeal, the Supreme Court concluded that Morrisons was not vicariously liable for Mr Skelton’s actions as, among other matters:

• the disclosure of the data on the internet did not form part of Mr Skelton’s functions or field of activities; it was not an act which he was authorised to do; and
• Mr Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question; he was pursuing a personal vendetta.

Whether the DPA98 excludes vicarious liability

Although the Court found that the answer to the first question was ‘no’, it still considered whether the DPA98 excluded vicarious liability.

Morrisons argued that, under the DPA98, liability can only be imposed on data controllers and, as Mr Skelton was acting as a data controller in relation to the data he copied, vicarious liability of his employer was therefore impliedly excluded.

The Court was not convinced. It concluded that since the DPA98 neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment.

Comment

Although the case relates to the DPA98, which has since been replaced by the Data Protection Act 2018 (“the DPA18”), the reasoning is still relevant under that new legislation. This decision will come as a relief, in particular to employers, but employers and trustees should still ensure that their employees’ and members’ data is sufficiently protected, as required by the GDPR and the DPA18.