
Employers vicariously liable for data breach

Employers could be vicariously liable for an employee’s misuse of data even if they had done all they reasonably could to prevent it.

Various Claimants v Wm Morrisons Supermarket Plc [2017] EWHC 3113, before Mr Justice Langstaff, Royal Courts of Justice – 1 December 2017

Executive Summary

Employers could be vicariously liable for an employee’s misuse of data even if they had done all they reasonably could to prevent the misuse and were not legally at fault.


On 12 January 2014 a file containing personal details of 99,998 employees of Morrisons was posted on a file sharing website. On 13 March 2014 a CD containing a copy of the data was sent to three newspapers. Following investigations it was identified that Andrew Skelton, who had been formerly employed by the company as an auditor, was responsible for the data disclosure.

In July 2015 Skelton was convicted of offences under the Computer Misuse Act 1990 and under the Data Protection Act 1998 (DPA). He was sentenced to eight years in prison.

The claim was brought by 5,518 employees of Morrisons whose data was disclosed by the actions of Skelton on 12 January and 13 March 2014. They claimed compensation for breach of statutory duty (under section 4(4) of the DPA) and at common law (the tort of misuse of private information and an equitable claim for breach of confidence). The claim was put on the basis that Morrisons both had primary liability for their own acts or omissions and were vicariously liable for the actions of Skelton.


After a two-week trial on liability between 9 and 19 October 2017, Mr Justice Langstaff handed down his reserved judgment on 1 December 2017.

He dismissed the claim that Morrisons were primarily liable, on the basis that they had not been at fault by breaking any of the data protection principles, save in one respect which was not causative of any loss, and that they could not be held liable for misuse of private information or breach of confidentiality.

The judge concluded, having heard evidence from staff at Morrisons, that they had proper control mechanisms in place to protect data and that those control mechanisms, save for one exception, were appropriately applied. The judge held that the disclosure took place as a result of a criminal act which was not of Morrisons’ doing and which was neither facilitated by Morrisons nor authorised by them.

He did, however, go on to find, following an exhaustive analysis of the law in relation to vicarious liability, that Morrisons were liable to compensate the claimants for the actions of Skelton.

The judge adopted the test set out in Mohamud v William Morrison Supermarket Plc [2016] UKSC 11, where the Supreme Court held that a petrol pump attendant (also employed by Morrisons) was acting in the course of his employment when he physically attacked a customer.

In that case the court looked at two issues:

  • what function or field of activities has been entrusted to the employee (i.e. what was the nature of his job). This is to be considered in a broad context.
  • whether there is a sufficient connection between the position in which he was employed and his wrongful conduct for it to be just for the employer to be liable.

Applying that test, the judge concluded that Skelton was acting within the course of his employment because there was a thread that linked Skelton’s work to the disclosure, which included his actions in downloading data from his personal work computer to a personal USB stick….