Morrisons supermarkets liable for employee’s criminal publication of personal data

26 October 2018 by

morrisons-supermarketWM Morrison Supermarkets Plc v Various Claimants [2018] EWCA 2339 (22 October 2018) – read judgment

The Court of Appeal has ruled that the supermarket chain was vicariously liable for one of its employees’ unlawful disclosure of personal data belonging to other employees even though this act took place away from the workplace and the was part of a sequence of planned events leading to the commission of this wrongdoing.

The central issue before the Court was whether an employer is liable in damages to those of its current or former employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998, and in breach of that employee’s obligation of confidence.  The Court held that it did; the common law remedy of vicarious liability of an employer for its employee’s misuse of private information and breach of confidence was not expressly or impliedly excluded by the Data Protection Act 1998, notwithstanding that the Act itself excluded an employer’s liability for wrongful processing of personal data by an employee. 

This was an appeal by Morrisions by a decision in the court below that it was liable in damages to the respondent employees for disclosure of their personal information by a former employee Mr Skelton.

Background law and facts

Mr Skelton worked for the employer as a senior IT auditor. He developed a grudge against the employer after a disciplinary hearing and obtained the personal data, including payroll data, of a large number of employees which he copied onto a USB stick. He took the stick home and posted the data on the web, using another employee’s details in an attempt to conceal his actions. He was convicted of criminal offences, including an offence under Section 55 of the Data Protection Act 1998.

The employees affected claimed damages from the employer for misuse of private information and breach of confidence, and for breach of statutory duty under s.4(4) of the Act. According to the employees, the employer was either primarily liable under those heads of claim or vicariously liable for Mr Skelton’s wrongful conduct. It was undisputed that Mr Skelton was the data controller, within the meaning of the Act, in respect of the data wrongfully copied. The High Court found that Morrisons had not directly misused or authorised or carelessly permitted the misuse of any information personal to the employees. It therefore dismissed the claims against Morrisons in equity and at common law for primary liability for breach of confidence and misuse of personal information. However, Langstaff J found that there was sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable.

He concluded his judgment by saying that the point which most troubled him in reaching his conclusions was the submission that the wrongful acts of Mr Skelton were deliberately aimed at the party whom the claimants sought to hold responsible, such that to reach the conclusion he had might seem to render the court an accessory in furthering Mr Skelton’s criminal aims. It would appear that it was for that reason that he gave permission to appeal.

Morrisons brought their appeal on three grounds. They submitted first that the judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability. Second, the court below ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Third, the judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

The Court of Appeal dismissed the appeal.

Reasoning behind the Court’s decision

The common law principle of vicarious liability is not confined to common law wrongs. It holds good for a wrong comprising a breach of statutory duty provided the statute does not expressly or impliedly indicate otherwise: Majrowski v Guy’s and St Thomas’s NHS Trust [2006] UKHL 34, [2007] 1 AC 224 at [10] Lord Nicholls).

The appellant’s core submission was that the DPA is specialist legislation which was intended by Parliament to cover the entire field of liability of an employer for the wrongful processing of personal data by an employee. In that connection they emphasised that the DPA, the tort of misuse of private information and the cause of action in equity for breach of confidence all relate to the same subject matter – privacy.

The test of “necessary implication” was appropriate. If the statutory code covered precisely the same ground as vicarious liability at common law, and the two were inconsistent with each other in one or more substantial respects, then the common law remedy would almost certainly have been excluded by necessary implication.  The question was whether, taken as a whole, the common law remedy would be incompatible with the statutory scheme and therefore could not have been intended to co-exist with it as in R (on the application of Child Poverty Action Group) v Secretary of State for Work and Pensions [2010] UKSC 54. In that case Lord Dyson said:

If the two remedies cover precisely the same ground and are inconsistent with each other, then the common law remedy will almost certainly have been excluded by necessary implication. To do otherwise would circumvent the intention of Parliament. A good example of this is Marcic, where a sewerage undertaker was subject to an elaborate scheme of statutory regulation which included an independent regulator with powers of enforcement whose decisions were subject to judicial review. The statutory scheme provided a procedure for making complaints to the regulator. The House of Lords held that a cause of action in nuisance would be inconsistent with the statutory scheme. It would run counter to the intention of Parliament.

However, there were three major obstacles to the employer’s contention that the Act excluded vicarious liability by necessary implication. First, if Parliament had intended such a substantial eradication of common law and equitable rights, it would have said so expressly. Second, although the employer had conceded that the causes of action at common law and in equity operated in parallel with the Act in respect of the primary liability of the wrongdoer for the wrongful processing of personal data, it was at the same time contending that vicarious liability for the same causes of action had been excluded by the Act. That was a difficult line to tread, not least because it appeared to present an inconsistency in the application of one of the principal objects of Directive 95/46, which the Act was designed to implement, and of the Act itself; namely the protection of privacy and the provision of an effective remedy for its infringement.  Third, the DPA says nothing at all about the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller. That is the situation here in respect of the payroll data disclosed by Mr Skelton.  In terms of processing duties and liability, the DPA is only concerned with the primary liability and obligations of the data controller. It has nothing at all to say about the liability of someone else for wrongful processing by the data controller. Parliament has not entered that field at all.  Thus, the common law remedy of vicarious liability of the employer for Mr Skelton’s misuse of private information and breach of confidence was not expressly or impliedly excluded by the Act.

As for the claim that the wrongful conduct must be close to the workplace, this did not stand up in relation to analogous cases on vicarious liability.  It was no doubt true that, as Lord Clyde said in Lister v Hesley Hall Ltd [2002] 1 AC 215 at 235, the time and place at which the act or acts occurred will always be relevant, though not conclusive. Nevertheless, there are numerous cases in which employers have been held vicariously liable for torts committed away from the workplace.  The employees’ causes of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. The judge had correctly concluded that Mr Skelton’s actions at work and the disclosure on the web was a seamless and continuous sequence of events: the steps he had taken and his attempts to hide them were all part of a plan. If the employer’s arguments were to succeed, an employee who misused data to steal money from an employee’s bank account would have no remedy except against the wrongdoer themselves. Accordingly, the employer was vicariously liable for Mr Skelton’s tortious behaviour.

Welcome to the UKHRB


This blog is run by 1 Crown Office Row barristers' chambers. Subscribe for free updates here. The blog's editorial team is:
Commissioning Editor: Jonathan Metzer
Editorial Team: Rosalind English
Angus McCullough QC David Hart QC
Martin Downs
Jim Duffy

Free email updates


Enter your email address to subscribe to this blog for free and receive weekly notifications of new posts by email.

Subscribe

Categories


Tags


7/7 Bombings 9/11 A1P1 Aarhus Abortion Abu Qatada Abuse Access to justice adoption AI air pollution air travel ALBA Allergy Al Qaeda Amnesty International animal rights Animals anonymity Article 1 Protocol 1 Article 2 article 3 Article 4 article 5 Article 6 Article 8 Article 9 article 10 Article 11 article 13 Article 14 article 263 TFEU Artificial Intelligence Asbestos Assange assisted suicide asylum asylum seekers Australia autism badgers benefits Bill of Rights biotechnology birds directive blogging Bloody Sunday brexit Bribery British Waterways Board Catholic Church Catholicism Chagos Islanders Charter of Fundamental Rights child protection Children children's rights China christianity circumcision citizenship civil liberties campaigners civil partnerships climate change clinical negligence closed material procedure Coercion Cologne Commission on a Bill of Rights common buzzard common law communications competition confidentiality confiscation order conscientious objection consent conservation constitution contact order contempt of court Control orders Copyright coronavirus costs costs budgets Court of Protection crime criminal law Criminal Legal Aid criminal records Cybersecurity Damages data protection death penalty declaration of incompatibility defamation DEFRA Democracy village deportation deprivation of liberty derogations Detention devolution Dignitas dignity Dignity in Dying diplomacy director of public prosecutions disability Disability-related harassment disciplinary hearing disclosure Discrimination Discrimination law disease divorce DNA doctors does it matter? domestic violence Dominic Grieve don't ask don't ask don't tell don't tell Doogan and Wood double conviction DPP guidelines drones duty of care ECHR economic and social rights economic loss ECtHR Education election Employment Environment environmental information Equality Act Equality Act 2010 ethics Ethiopia EU EU Charter of Fundamental Rights EU costs EU law European Convention on Human Rights European Court of Human Rights European Court of Justice european disability forum European Sanctions Blog Eurozone euthanasia evidence Exclusion extra-jurisdictional reach of ECHR extra-territoriality extradition extradition act extradition procedures extradition review extraordinary rendition Facebook Facebook contempt facial recognition fair procedures Fair Trial faith courts fake news Family family courts family law family legal aid Family life fatal accidents act Fertility fertility treatment FGM fisheries fishing rights foreign criminals foreign office foreign policy France freedom of assembly Freedom of Association Freedom of Expression freedom of information Freedom of Information Act 2000 freedom of movement freedom of speech free speech game birds gangbo gang injunctions Garry Mann gary dobson Gary McFarlane gay discrimination Gay marriage gay rights gay soldiers Gaza Gaza conflict Gender General Dental Council General Election General Medical Council genetic discrimination genetic engineering genetic information genetics genetic testing Google government Grenfell grooming Gun Control gwyneth paltrow gypsies habitats habitats protection Halsbury's Law Exchange hammerton v uk happy new year harassment Hardeep Singh Haringey Council Harkins and Edwards Health healthcare health insurance Heathrow heist heightened scrutiny Henry VII Henry VIII herd immunity hereditary disorder High Court of Justiciary Hirst v UK HIV HJ Iran HM (Iraq) v The Secretary of state for the home department [2010] EWCA Civ 1322 Holder holkham beach holocaust homelessness Home Office Home Office v Tariq homeopathy hooding Hounslow v Powell House of Commons Housing housing benefits Howard League for Penal Reform how judges decide cases hra damages claim Hrant Dink HRLA HS2 hs2 challenge hts http://ukhumanrightsblog.com/2011/04/11/us-state-department-reports-on-uk-human-rights/ Human Fertilisation and Embryology Act Human Fertilisation and Embryology Authority human genome human rights Human Rights Act Human Rights Act 1998 human rights advocacy Human rights and the UK constitution human rights commission human rights conventions human rights damages Human Rights Day human rights decisions Human Rights Information Project human rights news Human Rights Watch human right to education human trafficking hunting Huntington's Disease HXA hyper injunctions Igor Sutyagin illegality defence immigration Immigration/Extradition Immigration Act 2014 immigration appeals immigration detention immigration judge immigration rules immunity increase of sanction India Indonesia Infrastructure Planning Committee inherent jurisdiction inherited disease Inhuman and degrading treatment injunction Inquest Inquests insult insurance insurmountable obstacles intelligence services act intercept evidence interception interests of the child interim remedies international international conflict international criminal court international humanitarian law international human rights international human rights law international law international treaty obligations internet internet service providers internment internship inuit investigation investigative duty in vitro fertilisation Iran iranian bank sanctions Iranian nuclear program Iraq Iraqi asylum seeker Iraq War Ireland irrationality islam Israel Italy iTunes IVF ivory ban jackson reforms Janowiec and Others v Russia ( Japan Jason Smith Jeet Singh Jefferies Jeremy Corbyn jeremy hunt job Jogee John Hemming John Terry joint enterprise joint tenancy Jon Guant Joseph v Spiller journalism judaism judges Judges and Juries judging Judicial activism judicial brevity judicial deference judicial review Judicial Review reform judiciary Julian Assange jurisdiction jury trial JUSTICE Justice and Security Act Justice and Security Bill Justice and Security Green Paper Justice Human Rights Awards JUSTICE Human Rights Awards 2010 just satisfaction Katyn Massacre Kay v Lambeth Kay v UK Ken Clarke Ken Pease Kerry McCarthy Kettling Kings College Klimas koran burning Labour Lady Hale lansley NHS reforms LASPO Law Commission Law Pod UK Law Society Law Society of Scotland leave to enter leave to remain legal aid legal aid cuts Legal Aid desert Legal Aid Reforms legal blogs Legal Certainty legal naughty step Legal Ombudsman legal representation legitimate expectation let as a dwelling Leveson Inquiry Levi Bellfield lewisham hospital closure lgbtq liability Libel libel reform Liberal Democrat Conference Liberty libraries closure library closures Libya licence conditions licence to shoot life insurance life sentence life support limestone pavements limitation lisbon treaty Lithuania Litigation litvinenko live exports local authorities locked in syndrome london borough of merton London Legal Walk London Probation Trust Lord Bingham Lord Bingham of Cornhill Lord Blair Lord Goldsmith lord irvine Lord Judge speech Lord Kerr Lord Lester Lord Neuberger Lord Phillips Lord Rodger Lord Sumption Lord Taylor LSC tender luftur rahman machine learning MAGA Magna Carta mail on sunday Majority Verdict Malcolm Kennedy malice Margaret Thatcher Margin of Appreciation margin of discretion Maria Gallastegui marriage material support maternity pay Matthew Woods Mattu v The University Hospitals of Coventry and Warwickshire NHS Trust [2011] EWHC 2068 (QB) Maya the Cat Mba v London Borough Of Merton McKenzie friend Media and Censorship Medical medical liability medical negligence medical qualifications medical records medicine mental capacity Mental Capacity Act Mental Capacity Act 2005 Mental Health mental health act mental health advocacy mental health awareness Mental Health Courts Mental illness merits review MGN v UK michael gove Midwives migrant crisis Milly Dowler Ministerial Code Ministry of Justice Ministry of Justice cuts misfeasance in public office modern slavery morality morocco mortuaries motherhood Motor Neurone disease Moulton Mousa MP expenses Mr Gul Mr Justice Eady MS (Palestinian Territories) (FC) (Appellant) v Secretary of State for the Home Department murder murder reform Musician's Union Muslim NADA v. SWITZERLAND - 10593/08 - HEJUD [2012] ECHR 1691 naked rambler Naomi Campbell nationality National Pro Bono Week national security Natural England nature conservation naturism Nazi negligence Neuberger neuroscience Newcastle university news News of the World new Supreme Court President NHS NHS Risk Register Nick Clegg Nicklinson Niqaab Noise Regulations 2005 Northern Ireland nuclear challenges nuisance nursing nursing home Obituary Occupy London offensive jokes Offensive Speech offensive t shirt oil spill olympics open justice oppress OPQ v BJM orchestra Osama Bin Laden Oxford University paramountcy principle parental rights parenthood parking spaces parliamentary expenses parliamentary expenses scandal Parliamentary sovereignty Parliament square parole board passive smoking pastor Terry Jones patents Pathway Students Patrick Quinn murder Pensions persecution personal data Personal Injury personality rights perversity Peter and Hazelmary Bull PF and EF v UK Phil Woolas phone hacking phone taps physical and mental disabilities physician assisted death Pinnock Piracy Plagiarism planning planning human rights planning system plebgate POCA podcast points Poland Police police investigations police liability police misconduct police powers police surveillance Policy Exchange report political judges Politics Politics/Public Order poor reporting Pope Pope's visit Pope Benedict portal possession proceedings power of attorney PoW letters to ministers pre-nup pre-nuptial Pre-trial detention predator control pregnancy press press briefing press freedom Prince Charles prince of wales princess caroline of monaco principle of subsidiarity prior restraint prison Prisoners prisoners rights prisoners voting prisoner vote prisoner votes prisoner voting prison numbers Prisons prison vote privacy privacy injunction privacy law through the front door Private life private nuisance private use proceeds of crime Professional Discipline Property proportionality prosecution Protection of Freedoms Act Protection of Freedoms Bill Protest protest camp protest rights Protocol 15 psychiatric hospitals Public/Private public access publication public authorities Public Bodies Bill public inquiries public interest public interest environmental litigation public interest immunity Public Order Public Sector Equality Duty putting the past behind quango quantum quarantine Queen's Speech queer in the 21st century R (on the application of) v Secretary of State for the Home Department & Ors [2011] EWCA Civ 895 R (on the application of) v The General Medical Council [2013] EWHC 2839 (Admin) R (on the application of EH) v Secretary of State for the Home Department [2012] EWHC 2569 (Admin) R (on the application of G) v The Governors of X School Rabone and another v Pennine Care NHS Foundation Trust [2012] UKSC 2 race relations Rachel Corrie Radmacher Raed Salah Mahajna Raed Saleh Ramsgate raptors rehabilitation Reith Lectures Religion resuscitation RightsInfo right to die right to family life right to life Right to Privacy right to swim riots Roma Romania Round Up Royals Russia saudi arabia Scotland secrecy secret justice Secret trials security services sexual offence Sikhism Smoking social media social workers South Africa south african constitution Spain special advocates spending cuts Standing starvation statelessness stem cells stop and search Strasbourg super injunctions Supreme Court Supreme Court of Canada surrogacy surveillance swine flu Syria Tax Taxi technology Terrorism terrorism act tort Torture travel treason treaty accession trial by jury TTIP Turkey Twitter UK Ukraine unfair consultation universal jurisdiction unlawful detention USA US Supreme Court vaccination vicarious liability Wales War Crimes Wars Welfare Western Sahara Whistleblowing Wikileaks wildlife wind farms WomenInLaw Worboys wrongful birth YearInReview Zimbabwe

Disclaimer


This blog is maintained for information purposes only. It is not intended to be a source of legal advice and must not be relied upon as such. Blog posts reflect the views and opinions of their individual authors, not of chambers as a whole.

Our privacy policy can be found on our ‘subscribe’ page or by clicking here.

%d bloggers like this: