covid banner

Vicarious liability – A sigh of relief

In WM Morrison Supermarkets plc v Various Claimants the Supreme Court was required to address the following question:

If an employee steals the payroll data of his employer’s staff and publishes it online in a vendetta against his employer, should his employer be vicariously liable for his wrongdoing?

On the facts before it in this case the Supreme Court determined that the employer should not be held vicariously liable. However, they did not exclude the possibility of a data controller being vicariously liable for data breaches resulting from the conduct of their employees acting beyond their employer’s instructions; such liability was not excluded by the relevant legislation.

In holding that Morrisons were not vicariously liable the Supreme Court reversed the decisions of the Court of Appeal and High Court. In doing so their decision vindicated the sense of unease which Langstaff J expressly referred to in his judgment in the High Court. He was clearly troubled that his decision would serve to give full effect to the vindictive goals of the rogue employee.

The employee had authority to receive the payroll data, and to disclose it to a specific third party, KPMG. The High Court had held that his disclosure in a different and unauthorised way was sufficiently closely related to the task he was instructed to undertake to render Morrisons vicariously liable. The Court of Appeal held that the employee’s actions in making the unauthorised disclosure were “within the field of activities assigned to him by Morrisons.” They too imposed vicarious liability.

In the way that only the Supreme Court can, the judgment clarifies the misunderstandings evident in the lower courts’ interpretation of the Supreme Court decision in the case of Mohamud.[1] A case which coincidentally also involved Morrisons. Lord Reed explains that the lower courts’ errors were premised on a failure to read the Supreme Court’s decision in Mohamud ‘as a whole’. The judgment reminds us that the essential principal that an employer will not be vicariously liable for damage resulting from the employee going on a “frolic of his own” dates back to 1834.

In short, the Supreme Court’s decision makes it clear that a temporal or causal connection between the wrongdoer’s legitimate activities as an employee is not sufficient to give rise to vicarious liability. Where the wrongdoing occurs in the employee’s pursuit of their personal ends, unconnected with their employer’s objectives the employer will not be vicariously liable. The wrongdoer’s motive is important evidence on that issue. In this case the wrongdoing (disclosure on-line) was not an act the employee was authorised to do. The Supreme Court emphasised that the mere fact that employment created the opportunity is insufficient to create vicarious liability.

From a data protection perspective the employee was acting as a data controller when he made the wrongful disclosure; as he was acting beyond the scope of the employing controller’s instructions. Although the judgment does not exclude vicarious liability of an employer (controller) for the conduct of their employee where the employee is acting as a controller in their own right. The fact that an employee is acting as a controller in their own right is evidence that they are acting out with their employer’s instructions. Thus, at the very least, the employee’s status as controller would indicate that there is evidence pointing away from the imposition of vicarious liability.


Given the scale of the claim which Morrisons were facing the judgment will undoubtedly come as a huge relief to them and to other employers, and insurers. It is important to note that the wrongdoer in this case was prosecuted and sentenced to an eight-year term of imprisonment. It is also important to note that employers (controllers) could be held to be primarily liable where their failure to comply with the requirements of the GDPR played a causative role in a breach of this sort. That was not the situation in this case.

[1] Mohamud v VW Morrison Supermarkets plc [2016] UKSC 11


This briefing is for guidance purposes only. RadcliffesLeBrasseur LLP accepts no responsibility or liability whatsoever for any action taken or not taken in relation to this note and recommends that appropriate legal advice be taken having regard to a client's own particular circumstances.

Briefing tags ,