Yesterday the Supreme Court handed down its judgment in the case of WM Morrison Supermarkets PLC v Various Claimants.
In 2013, Morrisons was in the process of completing an external audit of accounts with KPMG. Andrew Skelton was employed by Morrisons as a senior internal auditor, and it was part of his job to take a copy of the entire Morrisons employee payroll data and send that data to KPMG. Mr Skelton complied with the instructions and sent the payroll data to KPMG. However, because of a personal grudge against Morrisons, he also took a further copy of that data and subsequently released the personal data of circa 100,000 Morrisons employees onto the internet. He also sent copies of that data to UK newspapers. The personal data of the staff included (a) name, (b) address, (c) gender, (d) date of birth, (e) phone numbers, (f) national insurance numbers, (g) bank sorting code and account number, and (h) salary.
There is a long and intriguing back story to Mr Skelton’s grudge against Morrisons, but for this article it suffices to say that it arose because of Morrisons’ decision to discipline Mr Skelton for minor misconduct. Mr Skelton was ultimately arrested for releasing the personal data and sentenced to 8 years’ imprisonment.
A group of circa 9,000 Morrisons employees sued Morrisons for direct breach of the Data Protection Act 1998 (“DPA”), misuse of private information and breach of confidence. They also presented the same claims arising under the principle of vicarious liability, meaning that Morrisons would be liable if Mr Skelton’s acts were an unauthorised method of carrying out an authorised act.
The employees lost on the direct liability point, but won on vicarious liability at the High Court and Court of Appeal because those courts found that there was a sufficiently close connection between the acts that Mr Skelton was required to undertake (sending the data to KPMG) and his unlawful release of the data on the internet.
"No losses were determined, but conservative estimates put the claim value in the region of £22m. The matter was heard in the Supreme Court on 6 and 7 November 2019."
The Supreme Court found that Morrisons was not vicariously liable for Mr Skelton’s acts. It reviewed the historic case law regarding vicarious liability and explained that the High Court and Court of Appeal had extended the scope of the law too far. Lord Reed, giving the leading judgment, said that:
- Mr Skelton’s act of disclosing the personal data of staff on the internet was not an act he was authorised to do;
- Although there is arguably a close link (“a close temporal and causal connection”, in legal speak) between Mr Skelton’s actions and his unauthorised disclosure of the personal data, those things of themselves are not relevant to satisfy the test of “close connection”. Instead, the test should take into account the entire context of the actions of the employee.
- In contrast to the High Court and Court of Appeal, the Supreme Court ruled that Mr Skelton’s motive was relevant to the outcome of the case.
Ultimately, the Supreme Court’s assessment was that Mr Skelton was “going on a frolic of his own”.
With regard to the employees’ arguments relating to liability under the Data Protection Act 1998 and liability arising under the tort of misuse of private information and misuse of confidential information, the Supreme Court declined to prohibit vicarious liability for employers arising from unauthorised acts of employees. It follows that it is logically possible for a company in Morrisons’ position to be vicariously liable, but on the facts of this case, the Supreme Court found that liability had not arisen.
What does this all mean?
In one respect, this outcome will be welcomed by businesses around the UK. The previous decisions from the High Court and Court of Appeal had been met with consternation by many businesses who felt that the courts were just creating even greater data protection liability for them.
On the other hand, the Supreme Court did not abolish forever the idea of vicarious liability for breach of data protection law. Equally, the GDPR and Data Protection Act 2018 both give individuals the right to present claims against businesses for non-material losses (i.e. injury to feelings, distress and harm). So, whilst the immediate finding is cause for businesses to be relieved, the ultimate position is much as it was before.
Finally, the case does not abolish the claims industry for data breach claims. There are currently several group/class litigation claims running in the UK which readers may be aware of, including British Airways, Marriott Hotels and Equifax. None of these cases involve disgruntled employees; rather, the claimants are customers of those companies suing for non-material loss arising from very public data breaches.
If you would like to discuss any of the issues raised in this article, or need any advice, please contact Matthew Holman.
 WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)  UKSC 12
 At para 37, quoting Joel v Morison (1834) 6 C & P 501