The Morrisons Supermarket Case: Employers Breathe a Sigh of Relief

assorted vegetable lot

Photo by Matheus Cenali on

The long-awaited decision in the Supreme Court appeal by Morrison Supermarkets was handed down yesterday. WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 concerned an appeal by Morrisons from an earlier decision by the Court of Appeal.  The latter agreed with the previous High Court judgement that Morrisons was liable for the actions of its former employee who stole and then maliciously posted the payroll details of his colleagues online before leaving his job. Employers will now breathe a big sigh of relief. The earlier decisions seem to suggest that no matter what precautions an employer takes, it would still be liable for the actions its rogue employees.

Let’s look at the facts in a bit more detail before turning to the judgment.

The Facts

In January 2014 a file containing personal details of almost 100,000 Morrisons’ employees was posted on a file sharing website and later a CD, containing a copy of the data, was received by three UK newspapers. The file contained names, addresses, gender, date of birth, home and mobile phone numbers, National Insurance numbers, bank sort codes, bank account numbers and salary details. None of the newspapers published the story and one of them informed Morrisons who called the police after having the file removed from the file sharing website.

Andrew Skelton, a senior IT auditor at Morrisons, who had previously been subject to disciplinary action for another matter, had been tasked with preparing the file for Morrisons’ auditors, when he decided to take his revenge. He was charged with various offences and later sentenced to eight years in prison.

Over 5,000 employees of Morrisons later brought a group legal action for damages. They argued that Morrisons was liable for Skelton’s malicious misuse of their personal data. The judge ruled that Morrisons had not breached the Data Protection Act 1998 (this case started before GDPR came into force) because they had adequate security in place to protect the data, in compliance with the then 7th Data Protection Principle. He ruled that Morrisons was not primarily to blame for the incident but it was vicariously liable for Skelton’s malicious actions as his employer. The judge took account of, amongst other things, the fact that Morrisons had selected Skelton for a trusted position which involved transferring the personal data to their auditors, KPMG. The Court of Appeal agreed.

The Judgment

The case was primarily about the employment law principle of “vicarious liability.” It aimed to answer the question; when is an employer liable for the actions of an employee when they deliberately behave in a way designed to harm their employer and others? Are they still acting within the scope of their employment or “on a frolic of their own”?  The facts of the case also meant that data protection officers and lawyers were watching with bated breath and asking “Can an employer be legally responsible for data breaches caused entirely by their employee?”

The Supreme Court unanimously allowed Morrisons’ appeal. It ruled that whatever Skelton was doing when he disclosed his colleagues’ personal data, he was not acting “in the course of his employment”, and accordingly no vicarious liability could be imposed.

However, Morrisons lost on the argument that the Data Protection Act 1998 (DPA) operated so as to exclude vicarious liability. This principle can also be applied to the GDPR and so employers can “never say never” when it comes to vicariously liability for malicious data breaches by staff. It all depends on the facts of the breach.

This case only went as far as it did because the aggrieved employees failed to show, at first instance, that Morrisons was primarily liable for the data breach. If an employer fails to comply with its security obligations in a manner that is causally relevant to a rogue employees actions, it can still be exposed to primary liability under Article 32 of GDPR as well as the now 6thData Protection Principle.

Practical Steps

Data Controllers and Processors need to consider doing the following:

  1. Check your data protection and security policies and procedures. Who has access to personal data? Is it based on a need to know? Are they a trusted employee?
  2. Undertaking regular compliance and access audits and reviews. Carry out Data Protection Impact Assessments for high risk processing.
  3. Introduce mandatory (and refresher) data protection training for all staff. Our e-learning course is ideal for this.
  4. Revise your data breach notification procedure. Ask yourself what your detection and response capabilities are.
  5. Check your insurance policies.  Are you covered for actions of rogue employees as well as innocent ones?

More on this and other developments in our GDPR update webinar.  Looking for a GDPR qualification from the comfort of your home office? Our GDPR practitioner certificate is now available as an online option.


About actnowtraining

Act Now Training Ltd specialise in information law. We have been providing training and consultancy services globally for over 17 years. We have an extensive GDPR and FOI course programme from live and recorded webinars, accredited foundation through to higher level certificate courses delivered throughout the country or at your premises.
This entry was posted in GDPR, Uncategorized and tagged . Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s