11 July 2019

Many will already be familiar with the Court of Appeal decision in WM Morrisons Supermarket PLC v Various Claimants [2018] EWCA Civ 2339, confirming that organisations can be vicariously liable for data breaches caused by rogue employees – even where the organisation has taken appropriate measures to comply with its data protection obligations. The Supreme Court has now granted Morrisons permission to appeal against the Court of Appeal decision.

The outcome of this case could, if Morrisons are unsuccessful on appeal, have significant implications for organisations processing personal data and may open the floodgates to a large number of similar class action claims. We recap briefly on the earlier High Court and Court of Appeal decisions in light of the General Data Protection Regulation (GDPR) and pending appeal to the Supreme Court.


The case concerns the unauthorised publication of payroll data of almost 100,000 Morrisons employees by a former employee, Andrew Skelton. Skelton, then a senior IT auditor, had been subject to unrelated disciplinary proceedings, which apparently led him to harbour a grudge against Morrisons. Skelton copied the payroll data of Morrisons’ employees onto a USB stick and, using his personal computer, posted it onto a public file-sharing site. Morrisons, on being notified of the data breach, took swift action to remove the leaked data from the site.

Skelton was convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998) and sentenced to eight years’ imprisonment. Notably, the Information Commissioner’s Office (ICO) also investigated the incident at the time and decided that Morrisons had not breached the DPA 1998 and no enforcement action was necessary.

Claim against Morrisons

Subsequently, more than 5,000 employees brought proceedings in the High Court against Morrisons in a class action for breach of the DPA, misuse of private information and breach of confidence. At the time of the data breach, the GDPR was not in force and so the claim was heard under the DPA 1998. The claims were made on the basis that Morrisons was both (i) primarily liable for its own acts and omissions, and (ii) vicariously liable for the actions of Skelton.

It was the claimants’ position that Morrisons remained the data controller at all times and that the publication of the payroll data breached various data protection principles under the DPA 1998.

Primary liability

The High Court held that Morrisons were not primarily liable for the data breach under the DPA 1998. The judge concluded that, whilst Morrisons was the data controller of the original payroll data, Skelton became the data controller of the copied data once he decided to act autonomously (without Morrisons’ authority) in deciding how to use the payroll data, e.g. when he copied the data for the purpose of disclosing it. As such, the acts that breached the DPA 1998 were those of an independent data controller (Skelton), not Morrisons. 

Morrisons was deemed to have taken appropriate technical and organisational measures to prevent the unlawful use of the original payroll data, save that it fell short in one minor respect, by not having sufficient control processes for the deletion of data from Mr Skelton’s computer. In any event, the High Court noted that this would not have prevented Mr Skelton’s misuse of the data and so it was not causative of any loss suffered by the claimants. Accordingly, the judge dismissed all claims of primary liability against Morrisons under the DPA 1998.

Vicarious liability

Although Morrisons were found not to be primarily liable, the High Court was prepared to hold Morrisons vicariously liable for the unlawful acts of Skelton. This was the question at issue in the Court of Appeal. In summary, the Court of Appeal agreed with the High Court and held that:

  • it is possible for an employer to be held vicariously liable for breaches by its employees of the DPA;
  • on the facts of this case, there was a sufficient connection between Mr Skelton’s employment and his unlawful conduct to make Morrisons vicariously liable for Skelton’s acts.

Skelton was entrusted with the payroll data by Morrisons, and on the facts there was an unbroken chain of events linking back to Skelton’s employment with Morrisons. The fact that the disclosure took place on Skelton’s personal computer outside of working hours was not sufficient to break this chain of events.

Appeal to the Supreme Court

Permission has been granted by the Supreme Court to appeal against the Court of Appeal decision. A hearing date for the appeal has been set for 6-7 November 2019.

The Supreme Court will consider:

  • whether vicarious liability is excluded in cases that engage data protection legislation;
  • whether it is equally excluded in respect of any related common law or equitable causes of action (e.g. misuse of private information and breach of confidence); and
  • if vicarious liability is not excluded, whether the Court of Appeal erred when it decided to uphold the conclusion that Morrisons was vicariously liable in the circumstances of the case.

Implications for organisations

Should the finding of vicarious liability be upheld by the Supreme Court, organisations could be exposed to serious financial consequences as a result of a rogue employee’s conduct, particularly in light of the GDPR. Under the GDPR, it is easier for individuals and consumer groups to bring claims regarding a data breach and individuals can now claim non-pecuniary damages (e.g. where there has been no monetary loss). This could include, for example, claims for reputational damage or distress arising from the loss of personal data. Combined with the increased public awareness of data protection issues following the introduction of the GDPR, this could open the floodgates to similar cases in the event of a data breach.

Whilst it remains to be seen what decision the Supreme Court will reach, what is certain is that organisations need to be more mindful than ever about the security measures they have in place to protect personal data. Had it not been for Morrisons’ robust security measures, it may well have faced primary liability as well. We will provide a further update following the Supreme Court appeal – watch this space.

How can Burges Salmon help?

For further information, please contact our Data Protection team.

Key contact

Adrian Martin, Partner
