Morrisons appeal success in landmark data privacy case

The Supreme Court’s recent decision that the supermarket group should not be liable for a data breach committed by a rogue employee is welcome news. The judgment overturned earlier decisions that would have left employers financially exposed to unauthorised activity by disgruntled staff. There are lessons to learn from a data protection perspective and also on the wider questions of employer liability for the acts of their workforce.

Release of sensitive payroll data

An employee in the internal audit team of Morrisons, Andrew Skelton, downloaded sensitive employee payroll data that he was entrusted with at work onto his personal computer. He later uploaded the data onto a publicly accessible website and sent it to national newspapers. He was, it seems, motivated by a grudge against Morrisons after being subject to disciplinary proceedings.

Over 5,500 employees, whose personal data was unlawfully disclosed, brought a claim against Morrisons. They argued that the business was responsible as employer (vicariously liable) for Mr Skelton’s misuse of personal information, breach of confidence, and breach of his statutory duties under the Data Protection Act 1998 - the DPA.

In 2018, the Court of Appeal upheld the High Court’s earlier decision that Morrisons had not breached its own duties owed to its staff as a data controller under the DPA. Morrisons was, however, vicariously liable for Mr Skelton’s wrongful actions, which were in breach of his own duties under the DPA and at common law.

Supreme Court decision

The Supreme Court ruled in Morrisons’ favour – the business was not vicariously liable for Mr Skelton’s activity.  Important to the decision was how “closely connected” an employee’s actions are, as compared to the acts they are authorised to do.  

The Supreme Court found that the “close connection” test was not satisfied in this case for the following reasons:

  1. The employee’s actions in causing the data breach were not within the “field of activities” of the employee. His actions were not so closely connected with acts that he was authorised to do that they could fairly and properly be regarded as made by the employee while acting in the ordinary course of his employment.
  2. The fact that the employment gave the employee the opportunity to commit the data breach did not on its own satisfy the “close connection” test.  
  3. An employer is not normally vicariously liable where the employee was “not acting on his employer’s business, but in pursuit of his own private ends”. The employee’s motive is important.

Morrisons had also argued that the DPA set up a complete system that ruled out the concept of vicarious liability for either statutory or common law wrongs committed by an employee who is a data controller in the course of their employment. This argument failed. The legislation does not deal with employer responsibility and so the vicarious liability principle continues unaffected.

Take away points

This decision is very welcome to employers after the concerns raised by the earlier rulings. Although employment may provide an opportunity to commit a wrongful act, that alone is not enough to make an employer responsible. Employers will not normally be vicariously liable where an employee commits a wrongful act while pursuing a personal vendetta.

However, the Supreme Court has not completely shut the door to the possibility of ‘no fault’ vicarious liability under data protection legislation. If an employee’s activity did meet the “close connection” test at the time of the data breach, vicarious liability on the part of the employer remains a possibility. A member of staff who carries out his work in a sloppy way, or who takes risks with information that he is given access to, could come within the scope of the test with the possibility of big compensation payouts. Keeping risk to a minimum means a close focus on building and maintaining robust systems and processes for safeguarding personal data.

Note that this decision was made under data protection legislation that applied at the time. This has now been replaced with the GDPR and the Data Protection Act 2018.  However, we would not expect the result to be different under the new law. 

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.

Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.