0370 270 6000

Supreme Court curbs the liability of employers for data breaches committed by their employees

1 April 2020

In a judgment that will be welcomed by private and public sector employers throughout the country, the Supreme Court has today upheld the appeal in the Morrisons Supermarkets case about whether vicarious liability may arise for data protection breaches by a rogue employee. A copy of the judgment can be found here.

The facts of this case are now well known. Briefly, an employee of Morrisons (Mr Skelton) uploaded the company’s entire payroll data to a publicly accessible filesharing website because he bore a grudge against the company after he was the subject of disciplinary proceedings. He also sent the data anonymously to three UK newspapers, purporting to be a concerned member of the public who had found it online. One of the newspapers alerted Morrisons, which took immediate steps to have the data removed from the internet and to protect its employees, including by alerting police. Mr Skelton was subsequently arrested and imprisoned for his actions. 

Some of the affected employees brought proceedings for breach of statutory duty under the Data Protection Act 1998 (“DPA 1998”), misuse of private information, and breach of confidence against Morrisons in its own right and on the basis of its vicarious liability for the acts of Mr Skelton. Both the High Court and Court of Appeal held that Morrisons was vicariously liable. 

The Supreme Court unanimously allowed the appeal. Morrisons was not vicariously liable because the wrongful disclosure of the data was not so closely connected with the task for which Mr Skelton was instructed that it could fairly and properly be regarded as made by Mr Skelton while acting in the ordinary course of his employment. This was because: (1) the online disclosure of the data was not an act which Mr Skelton was authorised to do by his employer; (2) the fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability; and (3) it was highly material that in making the disclosure Mr Skelton was acting for purely personal reasons rather than on his employer’s business. 

Whilst this resolved the appeal, the Court also proceeded to consider separately the issue of whether the DPA 1998 impliedly excluded vicarious liability for either statutory or common law wrongs – the argument advanced by Morrisons being that the statutory liability of a data controller under section 13 of the DPA 1998 1 is based on a lack of reasonable care, whereas vicarious liability is not based on fault (ie it involves strict liability). This argument was rejected by the Court, which was of the view that there was nothing inconsistent between the two regimes given that the DPA 1998 was silent about the position of a data controller’s employer (the lower courts having concluded that, in making the disclosure, Mr Skelton became a data controller in his own right). 

The judgment will provide significant comfort to those employers who take their data protection responsibilities seriously but are faced with a serious data breach when one of their employees ‘goes rogue’ and commits an act which is unauthorised, outside their usual tasks and done purely for personal reasons.  

 

1 The reasonable care defence is not available under the Data Protection Act 2018. 

Training and events

13Dec

Claims Club London office

We are pleased to invite you to join us for our popular Claims Club, which will take place in-person in our London office. With a focus on risk in the public sector, as well as discussion on the topics outlined below we are hoping there will be time for Mr Jonathan Cook to don his sparkly jacket for a short festive quiz! Following the session there will be an opportunity for an informal catch up for those who can stay on.

View event

Focus on...

The UK's green agenda - the outcomes of COP27 and actions since COP26

Just over a year ago world leaders, policymakers, scientists and environmental activists gathered in Glasgow for COP26. Now many of those same people have also travelled to Egypt to attend this year's summit for what has been billed as “A moment of truth for the international community”.

View

Press releases

Browne Jacobson helps launch new innovative council company network with Wiltshire Council and Christ Church Business School

Law firm Browne Jacobson has collaborated with Wiltshire Council and Christ Church Business School on the launch event of The Council Company Best Practice and Innovation Network, a platform which brings together academic experts and senior local authority leaders, allowing them to share best practice in relation to council companies.

View

Legal updates

Dipping in and out of the Investment Zones

Announced in September but scrapped on 17 November the investment zone proposals were very short lived. The proposal has now morphed into the proposal for a smaller number of clustered zones earmarked for investment.

View

Legal updates

Public Matters - November 2022

Updates include COP27, The end of drop in applications, Settlement agreements, Investment zones and Assaults on school staff.

View

The content on this page is provided for the purposes of general interest and information. It contains only brief summaries of aspects of the subject matter and does not provide comprehensive statements of the law. It does not constitute legal advice and does not provide a substitute for it.

Mailing list sign up

Select which mailings you would like to receive from us.

Sign up