Morrisons supermarkets liable for employee’s criminal publication of personal data
26 October 2018
WM Morrison Supermarkets Plc v Various Claimants  EWCA 2339 (22 October 2018) – read judgment
The Court of Appeal has ruled that the supermarket chain was vicariously liable for one of its employees’ unlawful disclosure of personal data belonging to other employees even though this act took place away from the workplace and the was part of a sequence of planned events leading to the commission of this wrongdoing.
The central issue before the Court was whether an employer is liable in damages to those of its current or former employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998, and in breach of that employee’s obligation of confidence. The Court held that it did; the common law remedy of vicarious liability of an employer for its employee’s misuse of private information and breach of confidence was not expressly or impliedly excluded by the Data Protection Act 1998, notwithstanding that the Act itself excluded an employer’s liability for wrongful processing of personal data by an employee.
This was an appeal by Morrisions by a decision in the court below that it was liable in damages to the respondent employees for disclosure of their personal information by a former employee Mr Skelton.
Background law and facts
Mr Skelton worked for the employer as a senior IT auditor. He developed a grudge against the employer after a disciplinary hearing and obtained the personal data, including payroll data, of a large number of employees which he copied onto a USB stick. He took the stick home and posted the data on the web, using another employee’s details in an attempt to conceal his actions. He was convicted of criminal offences, including an offence under Section 55 of the Data Protection Act 1998.
The employees affected claimed damages from the employer for misuse of private information and breach of confidence, and for breach of statutory duty under s.4(4) of the Act. According to the employees, the employer was either primarily liable under those heads of claim or vicariously liable for Mr Skelton’s wrongful conduct. It was undisputed that Mr Skelton was the data controller, within the meaning of the Act, in respect of the data wrongfully copied. The High Court found that Morrisons had not directly misused or authorised or carelessly permitted the misuse of any information personal to the employees. It therefore dismissed the claims against Morrisons in equity and at common law for primary liability for breach of confidence and misuse of personal information. However, Langstaff J found that there was sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct to justify holding Morrisons vicariously liable.
He concluded his judgment by saying that the point which most troubled him in reaching his conclusions was the submission that the wrongful acts of Mr Skelton were deliberately aimed at the party whom the claimants sought to hold responsible, such that to reach the conclusion he had might seem to render the court an accessory in furthering Mr Skelton’s criminal aims. It would appear that it was for that reason that he gave permission to appeal.
Morrisons brought their appeal on three grounds. They submitted first that the judge ought to have concluded that, on its proper interpretation and having regard to the nature and purposes of the statutory scheme, the DPA excludes the application of vicarious liability. Second, the court below ought to have concluded that, on its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same. Third, the judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and, accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.
The Court of Appeal dismissed the appeal.
Reasoning behind the Court’s decision
The common law principle of vicarious liability is not confined to common law wrongs. It holds good for a wrong comprising a breach of statutory duty provided the statute does not expressly or impliedly indicate otherwise: Majrowski v Guy’s and St Thomas’s NHS Trust  UKHL 34,  1 AC 224 at  Lord Nicholls).
The appellant’s core submission was that the DPA is specialist legislation which was intended by Parliament to cover the entire field of liability of an employer for the wrongful processing of personal data by an employee. In that connection they emphasised that the DPA, the tort of misuse of private information and the cause of action in equity for breach of confidence all relate to the same subject matter – privacy.
The test of “necessary implication” was appropriate. If the statutory code covered precisely the same ground as vicarious liability at common law, and the two were inconsistent with each other in one or more substantial respects, then the common law remedy would almost certainly have been excluded by necessary implication. The question was whether, taken as a whole, the common law remedy would be incompatible with the statutory scheme and therefore could not have been intended to co-exist with it as in R (on the application of Child Poverty Action Group) v Secretary of State for Work and Pensions  UKSC 54. In that case Lord Dyson said:
If the two remedies cover precisely the same ground and are inconsistent with each other, then the common law remedy will almost certainly have been excluded by necessary implication. To do otherwise would circumvent the intention of Parliament. A good example of this is Marcic, where a sewerage undertaker was subject to an elaborate scheme of statutory regulation which included an independent regulator with powers of enforcement whose decisions were subject to judicial review. The statutory scheme provided a procedure for making complaints to the regulator. The House of Lords held that a cause of action in nuisance would be inconsistent with the statutory scheme. It would run counter to the intention of Parliament.
However, there were three major obstacles to the employer’s contention that the Act excluded vicarious liability by necessary implication. First, if Parliament had intended such a substantial eradication of common law and equitable rights, it would have said so expressly. Second, although the employer had conceded that the causes of action at common law and in equity operated in parallel with the Act in respect of the primary liability of the wrongdoer for the wrongful processing of personal data, it was at the same time contending that vicarious liability for the same causes of action had been excluded by the Act. That was a difficult line to tread, not least because it appeared to present an inconsistency in the application of one of the principal objects of Directive 95/46, which the Act was designed to implement, and of the Act itself; namely the protection of privacy and the provision of an effective remedy for its infringement. Third, the DPA says nothing at all about the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller. That is the situation here in respect of the payroll data disclosed by Mr Skelton. In terms of processing duties and liability, the DPA is only concerned with the primary liability and obligations of the data controller. It has nothing at all to say about the liability of someone else for wrongful processing by the data controller. Parliament has not entered that field at all. Thus, the common law remedy of vicarious liability of the employer for Mr Skelton’s misuse of private information and breach of confidence was not expressly or impliedly excluded by the Act.
As for the claim that the wrongful conduct must be close to the workplace, this did not stand up in relation to analogous cases on vicarious liability. It was no doubt true that, as Lord Clyde said in Lister v Hesley Hall Ltd  1 AC 215 at 235, the time and place at which the act or acts occurred will always be relevant, though not conclusive. Nevertheless, there are numerous cases in which employers have been held vicariously liable for torts committed away from the workplace. The employees’ causes of action in tort against Mr Skelton were already established when he improperly downloaded their data onto his USB stick. The judge had correctly concluded that Mr Skelton’s actions at work and the disclosure on the web was a seamless and continuous sequence of events: the steps he had taken and his attempts to hide them were all part of a plan. If the employer’s arguments were to succeed, an employee who misused data to steal money from an employee’s bank account would have no remedy except against the wrongdoer themselves. Accordingly, the employer was vicariously liable for Mr Skelton’s tortious behaviour.