Morrisons supermarkets liable for employee’s criminal publication of personal data

26 October 2018 by

morrisons-supermarketWM Morrison Supermarkets Plc v Various Claimants [2018] EWCA 2339 (22 October 2018) – read judgment

The Court of Appeal has ruled that the supermarket chain was vicariously liable for one of its employees’ unlawful disclosure of personal data belonging to other employees even though this act took place away from the workplace and the was part of a sequence of planned events leading to the commission of this wrongdoing.

The central issue before the Court was whether an employer is liable in damages to those of its current or former employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998, and in breach of that employee’s obligation of confidence.  The Court held that it did; the common law remedy of vicarious liability of an employer for its employee’s misuse of private information and breach of confidence was not expressly or impliedly excluded by the Data Protection Act 1998, notwithstanding that the Act itself excluded an employer’s liability for wrongful processing of personal data by an employee. 

This was an appeal by Morrisions by a decision in the court below that it was liable in damages to the respondent employees for disclosure of their personal information by a former employee Mr Skelton.

Background law and facts

Mr Skelton worked for the employer as a senior IT auditor. He developed a grudge against the employer after a disciplinary hearing and obtained the personal data, including payroll data, of a large number of employees which he copied onto a USB stick. He took the stick home and posted the data on the web, using another employee’s details in an attempt to conceal his actions. He was convicted of criminal offences, including an offence under Section 55 of the Data Protection Act 1998.

The employees affected claimed damages from the employer for misuse of private information and breach of confidence, and for breach of statutory duty under s.4(4) of the Act. According to the employees, the employer was either primarily liable under those heads of claim or vicariously liable for Mr Skelton’s wrongful conduct. It was undisputed that Mr Skelton was the data controller, within the meaning of the Act, in respect of the data wrongfully copied. The High Court found that Morrisons had not directly misused or authorised or carelessly permitted the misuse of any information personal to the employees. It therefore dismissed the claims against Morrisons in equity and at common law for primary liability for breach of confidence and misuse of personal information. However, Langstaff J found that there was sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable.

He concluded his judgment by saying that the point which most troubled him in reaching his conclusions was the submission that the wrongful acts of Mr Skelton were deliberately aimed at the party whom the claimants sought to hold responsible, such that to reach the conclusion he had might seem to render the court an accessory in furthering Mr Skelton’s criminal aims. It would appear that it was for that reason that he gave permission to appeal.

Morrisons brought their appeal on three grounds. They submitted first that the judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability. Second, the court below ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Third, the judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal dismissed the appeal.

Reasoning behind the Court’s decision

The common law principle of vicarious liability is not confined to common law wrongs. It holds good for a wrong comprising a breach of statutory duty provided the statute does not expressly or impliedly indicate otherwise: Majrowski v Guy’s and St Thomas’s NHS Trust [2006] UKHL 34, [2007] 1 AC 224 at [10] Lord Nicholls).

The appellant’s core submission was that the DPA is specialist legislation which was intended by Parliament to cover the entire field of liability of an employer for the wrongful processing of personal data by an employee. In that connection they emphasised that the DPA, the tort of misuse of private information and the cause of action in equity for breach of confidence all relate to the same subject matter – privacy.

The test of “necessary implication” was appropriate. If the statutory code covered precisely the same ground as vicarious liability at common law, and the two were inconsistent with each other in one or more substantial respects, then the common law remedy would almost certainly have been excluded by necessary implication.  The question was whether, taken as a whole, the common law remedy would be incompatible with the statutory scheme and therefore could not have been intended to co-exist with it as in R (on the application of Child Poverty Action Group) v Secretary of State for Work and Pensions [2010] UKSC 54. In that case Lord Dyson said:

If the two remedies cover precisely the same ground and are inconsistent with each other, then the common law remedy will almost certainly have been excluded by necessary implication. To do otherwise would circumvent the intention of Parliament. A good example of this is Marcic, where a sewerage undertaker was subject to an elaborate scheme of statutory regulation which included an independent regulator with powers of enforcement whose decisions were subject to judicial review. The statutory scheme provided a procedure for making complaints to the regulator. The House of Lords held that a cause of action in nuisance would be inconsistent with the statutory scheme. It would run counter to the intention of Parliament.

However, there were three major obstacles to the employer’s contention that the Act excluded vicarious liability by necessary implication. First, if Parliament had intended such a substantial eradication of common law and equitable rights, it would have said so expressly. Second, although the employer had conceded that the causes of action at common law and in equity operated in parallel with the Act in respect of the primary liability of the wrongdoer for the wrongful processing of personal data, it was at the same time contending that vicarious liability for the same causes of action had been excluded by the Act. That was a difficult line to tread, not least because it appeared to present an inconsistency in the application of one of the principal objects of Directive 95/46, which the Act was designed to implement, and of the Act itself; namely the protection of privacy and the provision of an effective remedy for its infringement.  Third, the DPA says nothing at all about the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller. That is the situation here in respect of the payroll data disclosed by Mr Skelton.  In terms of processing duties and liability, the DPA is only concerned with the primary liability and obligations of the data controller. It has nothing at all to say about the liability of someone else for wrongful processing by the data controller. Parliament has not entered that field at all.  Thus, the common law remedy of vicarious liability of the employer for Mr Skelton’s misuse of private information and breach of confidence was not expressly or impliedly excluded by the Act.

As for the claim that the wrongful conduct must be close to the workplace, this did not stand up in relation to analogous cases on vicarious liability.  It was no doubt true that, as Lord Clyde said in Lister v Hesley Hall Ltd [2002] 1 AC 215 at 235, the time and place at which the act or acts occurred will always be relevant, though not conclusive. Nevertheless, there are numerous cases in which employers have been held vicariously liable for torts committed away from the workplace.  The employees’ causes of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. The judge had correctly concluded that Mr Skelton’s actions at work and the disclosure on the web was a seamless and continuous sequence of events: the steps he had taken and his attempts to hide them were all part of a plan. If the employer’s arguments were to succeed, an employee who misused data to steal money from an employee’s bank account would have no remedy except against the wrongdoer themselves. Accordingly, the employer was vicariously liable for Mr Skelton’s tortious behaviour.

Welcome to the UKHRB

This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates

Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.




Aarhus Abortion Abu Qatada Abuse Access to justice adoption AI air pollution air travel ALBA Allergy Al Qaeda Amnesty International animal rights Animals Anne Sacoolas anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 article 263 TFEU Artificial Intelligence Asbestos Assange assisted suicide asylum asylum seekers Australia autism badgers benefits Bill of Rights biotechnology blogging Bloody Sunday brexit Bribery British Waterways Board care homes Catholic Church Catholicism Chagos Islanders Charter of Fundamental Rights child protection Children children's rights China christianity citizenship civil liberties campaigners civil partnerships climate change clinical negligence closed material procedure Coercion Commission on a Bill of Rights common law communications competition confidentiality consent conservation constitution contact order contact tracing contempt of court Control orders Copyright coronavirus coronavirus act 2020 costs costs budgets Court of Protection covid crime criminal law Cybersecurity Damages data protection death penalty defamation DEFRA deportation deprivation of liberty derogations Detention Dignitas diplomacy diplomatic relations disability disclosure Discrimination disease divorce DNA domestic violence duty of care ECHR ECtHR Education election Employment Environment Equality Act Equality Act 2010 Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Convention on Human Rights European Court of Human Rights European Court of Justice evidence extradition extraordinary rendition Facebook Facial Recognition Family Fatal Accidents Fertility FGM Finance foreign criminals foreign office foreign policy France freedom of assembly Freedom of Expression freedom of information freedom of speech Gay marriage gay rights Gaza Gender genetics Germany Google Grenfell Gun Control hague convention Harry Dunn Health HIV home office Housing HRLA human rights Human Rights Act human rights news Human Rights Watch Huntington's Disease immigration India Indonesia injunction Inquests insurance international law internet inuit Iran Iraq Ireland islam Israel Italy IVF ivory ban Japan joint enterprise judaism judicial review Judicial Review reform Julian Assange jury trial JUSTICE Justice and Security Bill Law Pod UK legal aid legal aid cuts Leveson Inquiry lgbtq liability Libel Liberty Libya lisbon treaty Lithuania local authorities marriage Media and Censorship mental capacity Mental Capacity Act Mental Health military Ministry of Justice modern slavery morocco murder music Muslim nationality national security naturism neuroscience NHS Northern Ireland nuclear challenges nuisance Obituary ouster clauses parental rights parliamentary expenses scandal patents Pensions Personal Injury physician assisted death Piracy Plagiarism planning planning system Poland Police Politics Pope press prison Prisoners prisoner votes Prisons privacy procurement Professional Discipline Property proportionality prosecutions prostituton Protection of Freedoms Bill Protest Public/Private public access public authorities public inquiries quarantine Radicalisation refugee rehabilitation Reith Lectures Religion RightsInfo right to die right to family life Right to Privacy right to swim riots Roma Romania round-up Round Up Royals Russia saudi arabia Scotland secrecy secret justice Secret trials sexual offence shamima begum Sikhism Smoking social media social workers South Africa Spain special advocates Sports Standing starvation statelessness stem cells stop and search Strasbourg super injunctions Supreme Court Supreme Court of Canada surrogacy surveillance sweatshops Syria Tax technology Terrorism The Round Up tort Torture travel treason treaty accession trial by jury TTIP Turkey Twitter UK Ukraine universal credit universal jurisdiction unlawful detention USA US Supreme Court vicarious liability Wales War Crimes Wars Weekly Round-up Welfare Western Sahara Whistleblowing Wikileaks wildlife wind farms WomenInLaw Worboys wrongful birth YearInReview Zimbabwe


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

%d bloggers like this: