Last reviewed 8 April 2020

Should an employer be vicariously liable for breaches by an employee of duties imposed by the Data Protection Act 1998 (DPA)?

That was the question at the heart of WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) in which the Supreme Court was asked to consider the Court of Appeal’s decision to find against Morrisons.

The case arose when Andrew Skelton, who had been granted special access to the data as part of his job role with the supermarket, downloaded sensitive employee payroll data to his personal computer.

He uploaded the data onto a file-sharing website and later sent it to three newspapers, actions motivated, the Court was told, by a grudge against Morrisons after being subject to disciplinary procedures.

The newspapers did not publish the information. Instead, one alerted the supermarket which took immediate steps to have the data removed from the internet and to protect its employees, including by alerting police.

Mr Skelton was then arrested and has since been prosecuted and sentenced to eight years’ imprisonment.

Many of the affected employees brought proceedings against the appellant personally and on the basis of its vicarious liability for Mr Skelton’s acts. Their claims were for breach of statutory duty under the DPA, misuse of private information and breach of confidence.

At trial, the judge concluded that the appellant bore no primary responsibility but was vicariously liable on each basis claimed. Morrisons subsequent appeal to the Court of Appeal was dismissed.

Supreme Court allows the appeal

The Supreme Court reviewed the case law on vicarious liability, including Mohamud and Dubai Aluminium Co Ltd v Salaam.

In particular, it highlighted the House of Lords’ decision in the latter in which Lord Nicholls explained the existing “close connection” test of whether the wrongful conduct was so closely connected with acts the employee was authorised to do that for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

Finding unanimously in favour of the appellant, the Supreme Court concluded that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects.

For example, the online disclosure of the data was not part of Mr Skelton’s “field of activities”, as it was not an act which he was authorised to do. Furthermore, a temporal or causal connection alone does not satisfy the close connection test.

Finally, it was, the Court said, highly material whether Mr Skelton was acting on his employer’s business or for purely personal reasons.

“On long-established principles,” it concluded, “the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.”

Comment by Croner Associate Director Paul Holcroft

This long-awaited ruling from the Supreme Court seems to provide further clarity on vicarious liability, something that many employers are likely wary of.

As seen here, this form of liability should only arise when the act is closely connected to the job of the employee; here, the individual abused his position to conduct criminal acts due to his own personal grudge.

However, the fact that this case made it to the Supreme Court demonstrates that this can be an unclear area and will be fact specific. To this end, it is important that companies are prepared to respond quickly to any circumstances when they could face liability for the actions of their staff.