The Supreme Court has overturned the previous decisions of the Court of Appeal and High Court, finding that Morrisons supermarket were not vicariously liable for the unauthorised uploading of payroll data to the internet by an employee who used his own personal equipment at home on his day off.
The facts of this case concern Mr Skelton (“S”), who was employed by Morrisons supermarket as a senior auditor within their internal audit team. In July 2013, S received a formal warning following a disciplinary hearing for an incident involving unauthorised private use of Morrisons’ postal facilities, which caused him to hold a grudge against his employer. In November 2013, S was tasked with providing KPMG with confidential payroll data of around 126,000 Morrisons employees for external auditing purposes. S was provided with the data on an encrypted USB stick, downloaded it onto his work computer and provided a copy to KPMG. At a later date, S copied the data onto his own USB stick and, around January 2014, released the majority of that personal data to numerous websites under the guise of a fellow employee. In March 2014, on the day Morrisons’ financial results were due to be announced, S anonymously sent CDs containing the file to three UK newspapers, who alerted Morrisons.
S was investigated and subsequently arrested, charged and convicted of fraud under the Computer Misuse Act 1990 and under Section 55 of the Data Protection Act 1998 (since amended by the GDPR) and was sentenced to 8 years in prison due to the seriousness of the offence. Morrisons had spent more than £2.26m in dealing with the immediate aftermath of the disclosure, including identity protection measures for its employees.
Subsequently, a total of 9,263 employees brought a group action for damages against the supermarket for breach of its statutory duty under Section 4(4) of the DPA 1998, misuse of private information and breach of confidence.
The High Court found that Morrisons were not under primary liability under the DPA, as Morrisons did not directly misuse, authorise or carelessly permit the misuse of the personal information – S did. However, Morrisons could be found to be vicariously liable for S’s actions. Both the High Court (HC) and the Court of Appeal (CA) adopted the approach of the Supreme Court (SC) decision in a previous case, Mohamud v William Morrison Supermarkets plc, finding that there was a sufficient connection between S’s actions and his employment to render Morrisons vicariously liable.
The SC disagreed, concluding that the principles governing vicarious liability had been misunderstood in a number of respects. It held that, in order to decide whether or not an employer is vicariously liable for an employee’s wrongful conduct towards third parties, it is necessary to apply the “close connection” test. This involves asking whether the conduct was so closely connected with acts that the employee was authorised to do that it may fairly and properly be regarded as done by that employee in the “ordinary course of their employment”.
The SC held that the online disclosure of the data was not part of S’s “field of activities”, as it was not an act which he was authorised to do. He was only authorised to send that data to the external auditors.
The SC also held that S’s wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by S while acting in the ordinary course of his employment. The mere fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability. S was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking revenge for the prior disciplinary proceedings.
Accordingly, the SC found that Morrisons were not vicariously liable for S’s actions.
Employment partner Graham Irons comments:
"This highly awaited judgment will no doubt come as a sigh of relief to many employers, particularly in the current circumstances with more employees than ever working from home. This case was the first data class action in the UK of its type and sets a new precedent. It has provided much needed clarity for situations where employers could have found themselves vicariously liable for the actions of rogue employees.
However, this case is a stark reminder of the importance of taking particular care when entrusting employees with the handling of sensitive personal data and employers must ensure they take all necessary steps to comply with their obligations under GDPR.
If you would like to discuss the implications of this case further you can get in touch with our dedicated GDPR & Data Protection team here."
The information on this site about legal matters is provided as a general guide only. Although we try to ensure that all of the information on this site is accurate and up to date, this cannot be guaranteed. The information on this site should not be relied upon or construed as constituting legal advice and Howes Percival LLP disclaims liability in relation to its use. You should seek appropriate legal advice before taking or refraining from taking any action.