The Supreme Court has overturned the Court of Appeal ruling of last year, that Morrisons are vicariously liable for the malicious theft and publication online by its former IT auditor, Andrew Skelton, of personal data of other unwitting Morrisons employees.

The judgment in WM Morrisons Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12, is available here. 

The Supreme Court held that Skelton was acting “in an independent venture of his own” in a “personal vendetta” intended to cause harm to Morrisons. In so doing, Skelton was not acting within his employment “functions or field of activities” in the course of Morrisons’ business. Accordingly, Morrisons, which was found not to have breached any data protection laws or stored incorrectly the personal data which Skelton had exfiltrated for his own purposes, should not be held vicariously liable.

The Court of Appeal and High Court had “misunderstood the principles governing vicarious liability in a number of relevant respects“:

1. The disclosure of the personal data on the internet was not an act which Skelton was authorised to do or within his employment functions or “field of activities“.
2. It was wrong to consider whether the wrongdoing in question was so connected with the employment that vicarious liability ought to be imposed, but rather consider whether, in the case of wrongdoing committed by someone who was not an employee, the relationship between the wrongdoer and the defendant was sufficiently akin to employment as to be one to which the doctrine of vicarious liability should apply.
3. Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for onwards transmission to the external auditors KPMG and Skelton disclosing it on the internet, a temporal or causal connection does not of itself satisfy the close connection test.
4. The reasons why Skelton had acted wrongly were not irrelevant; on the contrary, whether he was acting on his employer’s business or for purely personal reasons was “highly material“.

The Supreme Court emphasised that the correct test, (as laid down in the Dubai Aluminium case), is whether Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

This fair and commonsensical outcome will be a huge financial and reputational relief for Morrisons and its insurers. Morrisons is facing a major high profile class action for huge aggregate damages by 9,263 aggrieved present and former employees whose personal data had wrongfully been published online. Morrisons’ exposure in the class action could be upwards of £80million. A successful judgment for the Claimants is likely to have been a precedent for similar copy-cat actions.

One further relevant outstanding issue was briefly addressed by the Supreme Court. It determined that, since the Data Protection Act neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is data controller in the course of his employment.

On the same day, the Supreme Court handed down its judgment in proceedings brought by various individuals against Barclays Bank (Barclays Bank plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 13. The subject matter was quite different, concerning sexual assaults alleged to have been by a Dr Bates when conducting medical examinations on prospective employees of Barclays Bank. Dr Bates was not an employee of Barclays Bank and the issue was whether the bank could nevertheless be vicariously liable for his conduct.

The Supreme Court held the test remains whether the tortfeasor was carrying out business on their own account or whether there was a relationship akin to that of an employee-employer and that will remain a facts based assessment (not to be overlaid with statutory concepts of what a “worker” may be). The court held that Dr Bates carried out business on his own account and one of his clients was the bank, such that it was not vicariously liable for his conduct.

The Morrisons and Barclays cases were decided on the specific facts against the claimants in each case. The judgments confirm previous legal tests for holding employers vicariously liable for acts of employees, former employees or independent contractors. However, that does not mean employers can be complacent. On the contrary, statutory and common law obligations of proper oversight, accountability and control remain and proportionate protective measures continue to be essential. This is especially so where there is a sufficiently close relationship between the employer and the individual data controller or perpetrator of harm to justify the imposition of vicarious liability and it is fair and reasonable, on the specific facts, to do so.