Some Good News For Employers: Supreme Court Reverses Court Of Appeal's Decision That Morrisons Was Vicariously Liable For Unlawful Disclosure Of Personal Data By Rogue Employee

WM Morrisons Supermarkets plc v Various Claimants [2020] UKSC 12 (1 April 2020). Morrisons has won its appeal from the Court of Appeal's decision that it was vicariously liable in damages to over 5,000 employees and ex-employees for the unlawful disclosure by a rogue employee, an internal IT auditor, of payroll data comprising their personal data. While it agreed that the Data Protection Act 1998 (DPA) did not exclude vicarious liability, the Supreme Court held that the judge at first instance and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects. In particular, the Supreme Court considered that when assessing whether the employee's wrongful conduct was closely connected with acts that he was entitled to do, it was "highly material" that he was acting for purely personal reasons, here pursuing a vendetta against the company.

Background

Andrew Skelton was employed by Morrisons in its internal audit team. In July 2013 he was subject to disciplinary proceedings for minor misconduct and was given a verbal warning. Following those proceedings, he harboured an irrational grudge against the company.

In November 2013, Skelton was tasked with transmitting payroll data for Morrisons' entire workforce to its external auditors, KPMG. He transmitted the data to KPMG as he had been instructed to do but also surreptitiously copied the data from his work laptop onto a personal USB stick. The data consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and salary details.

In early 2014, using the personal details of a fellow employee who had been involved in the disciplinary proceedings to create a false email account, Skelton uploaded, from home, a file containing the data from the USB stick to a publicly accessible file-sharing website, with links to the data posted on other websites. The file contained data of 98,998 Morrisons employees. He also sent a CD containing a copy of the data and a link to the file-sharing site to three newspapers in the UK. One of the newspapers alerted Morrisons, which within a few hours took steps to ensure that the website had been taken down. Morrisons also alerted the police.

Skelton was arrested and charged with fraud and offences under the Computer Misuse Act 1990 and s 55 of the DPA. In July 2015, he was convicted and sentenced to eight years' imprisonment.

Some 9,263 employees of Morrisons whose data was disclosed by Skelton's actions now make up the group involved in bringing the...