0370 270 6000

already registered?

Please sign in with your existing account details.

need to register?

Register to access exclusive content, sign up to receive our updates and personalise your experience on brownejacobson.com.

Privacy statement - Terms and conditions

employer responsible for ex-employee data breach

19 November 2018

In the recent case of Wm Morrison Supermarkets PLC v Various Claimants the Court of Appeal held that an employer could be held vicariously liable even where the intention of the employee committing the relevant act was to harm his employer rather than to achieve some benefit for himself or to inflict injury on a third party. The employee’s motive in committing the act is irrelevant.


In July 2013, Mr Andrew Skelton was employed by Morrisons as an IT Internal Auditor. Mr Skelton received a formal verbal warning after using Morrisons’ postal facilities for a separate, private business. It seems Mr Skelton felt aggrieved by the disciplinary sanction and held a grudge against his employer.

During the course of a later audit, Mr Skelton copied payroll data of 99,998 Morrisons employees to a personal USB stick and posted the data on a file sharing website. He later sent a CD containing the data to three newspapers in the UK.

As a result of that breach, a class action was launched against Morrisons by over 5,000 employees. The employees argued that, in failing to prevent the breach, Morrisons was liable for the breaches of the Data Protection Act 1998 (‘the Act’), misuse of private information, and/or breaches of confidence. Alternatively, they argued that Morrisons was vicariously liable for Mr Skelton’s misuse of private information and/or breaches of confidence.


In the High Court, Langstaff J determined that, although Morrisons itself had not mishandled or misused the data, it was vicariously liable for the breach.

The decision was subsequently appealed to the Court of Appeal. In upholding the High Court judgment, the Court of Appeal held that;

notwithstanding that Mr Skelton had committed the Breach: (1) from a personal computer; (2) at home; and (3) outside of working hours; there was a ‘seamless and continuous sequence’ or ‘unbroken chain’ of events linking back to his employment”.


Although this case was considered under the old Data Protection Act 1998, the principles of the case would apply to any similar incidents under GDPR.

While there was probably nothing more that Morrisons could have done to prevent the data breach in this case, it is important that schools and academies have measures in place which prevent employees having the ability to access and process confidential personal data.

Within the Court of Appeal judgment, the judge appeared to be suggesting that the only other option available to employers to protect themselves against potential claims like this was to ensure that they have sufficient insurance to cover losses caused by dishonest or malicious employees.

However, it remains to be seen whether malicious breaches of GDPR would in fact be covered by insurance and further information on this point will no doubt be needed.

If you have any concerns about the way that personal data is stored within your school or academy please do not hesitate to get in touch with one of our legal team.

training and events


EdCon 2020

We’re delighted to invite you to join us at EdCon 2020 - Browne Jacobson’s first virtual conference for schools and academy trusts.Taking place over three days this December, EdCon 2020 will provide you with inspirational ideas, up-to-date advice and guidance and networking opportunities with one key purpose: creating great places to learn and work.

View event


ASCL Annual Conference Online

Come and meet the team at ASCL’s annual conference.

View event

focus on...

Legal updates

Are you ready for Brexit: Immigration update for schools and academy trusts

On 31 December 2020 the Brexit transition period will come to an end. This will end the free movement of EU, EEA and Swiss nationals to live, work and study in the UK without prior permission.


Legal updates

Advocacy in Action: Inquests, suicide and self-harm

The Browne Jacobson team of barristers are celebrating their 10th anniversary in December 202 and will be reflecting on their experience at hearings before Courts and Tribunals nationwide to identify key issues and lessons for schools and education providers.


Legal updates

Contracts – top 10 tips on how to get it right

Effective contract management can ensure that the parties minimise risks and avoid disputes arising. We have set out below our top tips for avoiding contract disputes in the education sector.


Ask the experts: managing people and health and safety matters during a pandemic

Human resource teams in higher education institutions continue to deal with the challenges brought about by coronavirus. In this on-demand video, our experts help you at this critical time to answer the questions that really matter to you.


The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

mailing list sign up

Select which mailings you would like to receive from us.

Sign up