Supreme Court finds Morrisons not liable for data breach by disgruntled employee

3 April, 2020

The Supreme Court has overturned a previous judgment by the Court of Appeal and ruled that the supermarket chain Morrisons should not be held vicariously liable for the actions of a disgruntled employee who leaked the payroll data of almost 100,000 members of staff.

Morrisons faced the action after its internal auditor, Andrew Skelton, posted employees’ personal details on the internet and sent them to newspapers after being issued with a verbal warning following disciplinary proceedings. Mr Skelton was subsequently found guilty of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed in 2015 for eight years.


Case history

The case had previously made headlines after the judgment by the High Court (which was upheld by the Court of Appeal) gave the go-ahead for a landmark class action case by 9,000 Morrisons employees seeking compensation for upset and distress.

In 2017 the High Court accepted that Morrisons was not directly responsible for the data leak by Mr Skelton because Morrisons had ceased to be the data controller once the employee data was taken by Mr Skelton without authorisation.

The High Court also accepted that whilst Morrisons was responsible, as data controller, for ensuring that it had adequate organisational and technical measures in place to secure the employee data before it was taken by Mr Skelton, the actions of Mr Skelton could not have been prevented by Morrisons’ safeguards.

However, the High Court did hold Morrisons vicariously liable for Mr Skelton’s actions as its employee under ordinary common law principles.

Morrisons’ subsequent appeal to the Court of Appeal was dismissed and the case moved on to the Supreme Court.


Supreme Court ruling

The Supreme Court allowed Morrisons’ appeal, finding that Morrisons was not vicariously liable for Mr Skelton’s actions. In reaching its decision the Court held that the fact that Mr Skelton’s employment gave him the opportunity to commit the wrongful act was not in itself sufficient to make Morrisons liable.

In his judgment Lord Reed said employers could only be held liable for the actions of their employees if those actions were “closely connected” with their duties at work. Because in the present case Mr Skelton was pursuing a “personal vendetta” against Morrisons for the disciplinary proceedings rather than being engaged in furthering Morrisons’ business, the court held that Mr Skelton was not acting “in the course of his employment” and Morrisons could not be vicariously liable for his wrongdoings.


Implications of the decision

Whilst the decision will no doubt be a relief to organisations which feared the case would increase the risk of them being liable for data breaches by rogue employees, the judge in the case made it clear that the findings would not relieve businesses of their primary data protection obligations. Where businesses are handling personal data it is still vitally important that they:

  • Maintain suitable technical and organisational measures to ensure that data is kept secure;
  • Ensure that access controls and restrictions are put in place to limit employee access to personal data;
  • Follow strict data minimisation practices to ensure that personal data is only collected where it is necessary for the purpose in question and that it is deleted as soon as that purpose is satisfied; and
  • Provide regular employee training to ensure that those employees who have access to personal data are aware of their data protection obligations.