News Updates

Supreme Court on vicarious liability

Tuesday 14th April 2020

The SC has held that WM Morrison Supermarkets plc is not vicariously liable for a payroll data breach resulting from the actions of a disgruntled employee.

Mr Skelton was tasked with providing Morrisons’ external auditor with sensitive payroll data for their annual audit. The data was copied onto an encrypted USB stick, downloaded to Mr Skelton’s encrypted laptop and copied again onto an encrypted USB stick provided by, and then given to, the auditors. Mr Skelton, disgruntled following disciplinary action, subsequently copied the information and posted a file containing the sensitive data of thousands of employees on a sharing website, using an account set up with another employee’s identity.

A group of employees claimed compensation, arguing Morrisons was vicariously liable, under the Data Protection Act 1998, for Mr Skelton’s actions. Morrisons sought to argue that the legislation did not allow for vicarious liability. The High Court held there was a “seamless and continuous sequence” or “unbroken chain” of events sufficient to establish the required connection between Mr Skelton’s actions and his employment. The fact that the disclosures were made from home with personal equipment and on a Sunday did not sever the connection. Morrisons appealed.

The CA found that there is no express or implied exclusion in the DPA preventing vicarious liability. The CA identified the two elements of the close connection test: did Mr Skelton’s actions fall within the “field of activities” entrusted to him by Morrisons and, if so, was there sufficient connection between the position he held and his wrongful conduct to “make it right” for Morrisons to be held liable. The CA agreed there had been an unbroken chain of events and that Mr Skelton’s motive was irrelevant in determining vicarious liability.  

However, the SC has held that the High Court and CA misunderstood the principles governing vicarious liability. While the close connection test is key to establishing liability, demonstrating a sequential link and unbroken chain of causation alone is not sufficient. The SC also considered that motive was not irrelevant. Mr Skelton’s employment gave him the opportunity to commit a data breach, but this was not enough to result in vicarious liability. He was not furthering his employer’s business, but was instead engaged in a personal vendetta.

Although not necessary to determine the appeal, the SC confirmed that the principles of vicarious liability apply to breaches of obligations imposed by the DPA.

All information in this update is intended for general guidance only and is not intended to be comprehensive, or to provide legal advice.