Morrisons data leak: Supermarket liable for data breach by disgruntled staff member

Employers are vicariously liable for their employee’s leaking of personal data even where the leaking employee is held to be personally acting as the data controller in respect of the leaked data.

That was the conclusion reached by Langstaff J in a high-profile class action[1] brought by Morrisons’ staff against their employer.

The case arose out of the wrongful acts of a disgruntled senior employee, Mr Skelton, who posted the payroll data of thousands of Morrisons employees on the internet. Mr Skelton was later prosecuted for a variety of offences including breaches of the Data Protection Act 1998 (DPA) and sentenced to eight years in prison.

Although the Court held that Morrisons had failed in its statutory responsibilities under the seventh Data Protection Principle, that failure was not causative of the data breach which gave rise to the proceedings. The Court also held that, in posting payroll data of fellow Morrisons’ employees on the internet, Mr Skelton was acting as a data controller, and that Morrisons was not the data controller in respect of the leaked data at the time of the leak. Consequently, Langstaff J found that, as a data controller, Morrisons had no primary liability for breaching the DPA.

However, the Court went on to consider the issue of vicarious liability and determined that Morrisons was vicariously liable for the actions of its employee.

There is an uneasy juxtaposition in the finding that Mr Skelton was acting as the data controller when he leaked the data and the determination that Morrisons is vicariously liable for those acts. That unease is reflected in Langstaff J’s decision to give Morrisons permission to appeal his decision on vicarious liability. Concluding his judgment he commented:

‘The point which most troubled me in reaching these conclusions was the submission that the wrongful acts of Mr Skelton were deliberately aimed at the party whom the claimants seek to hold responsible, such that to reach the conclusion I have may seem to render the court an accessory in furthering criminal aims.’

Given that the proceedings involve in excess of 5,000 claimants, it will not come as a surprise if Morrisons avails itself of the opportunity to appeal.

It is worth bearing in mind that the new Data Protection Bill is currently working its way through Parliament. It remains to be seen whether the judgment in this case prompts calls for amendments to address the issue of vicarious liability.

For more information, please contact:

Stewart Duffy
020 7227 7418

[1] Various Claimants vs WM Morrison PLC [2017] EWHC 3113


This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.
