April 3, 2020

UK Supreme Court finds employer not vicariously liable for employee’s data breach

On April 1, 2020, the UK Supreme Court ruled that Morrisons, a supermarket chain, was not liable for the wrongful actions of one of its employees, Andrew Skelton, who published the personal information of almost 100,000 Morrisons employees on the internet, including names, addresses, gender, birthdates, telephone numbers, national insurance numbers, salary and bank account numbers.  According to the court documents, Skelton was a senior auditor tasked with copying and transmitting personal information for thousands of Morrisons employees to a third-party auditor; in reaction to a verbal warning for minor misconduct, Skelton posted the personal information on the internet two months after sending it to the auditor as requested.

At the end of 2017, around 5000 Morrisons employees filed the first data privacy dispute to be heard by the English courts using a collective action mechanism. The employees sought compensation from Morrisons for the data breach caused by Skelton, basing their claims on Morrisons’ alleged breach of the statutory duty created by section 4(4) of the Data Protection Act 1998, misuse of private information, breach of confidence, and vicarious liability for Skelton’s conduct.

At first instance, the court determined that Morrisons did not have primary liability for the breach, but was vicariously liable for Skelton’s wrongful conduct, which, according to the court, was performed in the ordinary course of employment, part of a “seamless and continuous sequence of events,” and “closely related” to what Skelton was tasked to do.  Morrisons appealed the decision to the Court of Appeal, where the appeal was dismissed.  Morrisons then appealed to the Supreme Court.

The questions presented on appeal were whether Morrisons was vicariously liable, and if so, whether the Data Protection Act 1998 (which has since been repealed and replaced by the Data Protection Act 2018) excludes the imposition of vicarious liability for statutory torts committed by an employee or for the misuse of private information and breach of confidence.  The Supreme Court, disagreeing with the interpretation of the court of first instance, ruled that sharing the information with anyone other than the third-party auditor went beyond the task that Skelton was authorized to do, thereby failing the “close connection” test and demonstrating that Skelton was not furthering his employer’s business but satisfying his own personal interests.  On the question of whether the Data Protection Act 1998 excludes vicarious liability, the Supreme Court stated that a finding of vicarious liability would not be inconsistent with the Act, and should be allowed for both statutory violations and common law actions.

UK Supreme Court Press Release | UK Supreme Court Judgment