Morrisons – the impact on Group Data claims?

On 1 April 2020 the Supreme Court handed down its landmark judgment in the case of WM Morrison Supermarkets Plc (“Morrisons”) v Various Claimants.

The case concerned not only the circumstances in which an employer may be vicariously liable for wrongs committed by its employees, but also whether vicarious liability may arise for breaches, by an employee, of duties imposed by the Data Protection Act 1998 (“DPA”).

The facts

The case arose from a crime. 

Andrew Skelton was a senior internal auditor for Morrisons. He was disgruntled following an earlier disciplinary process, and during the course of his employment he made and kept a copy of the payroll data of its entire 100,000 workforce.

He later published the data onto a website and sent it to 3 separate newspapers. 

As soon as Morrisons became aware of the breach it took action to remedy the situation and mitigate financial losses stemming from the data leak. 

Morrisons were not found liable for any wrongdoing. Mr Skelton was convicted under the Data Protection Act 1998 (DPA) and Fraud Act 2006 and sentenced to eight years in prison.

Vicarious Liability

The first issue before the court was whether Morrisons were vicariously liable for Mr Skelton’s actions.

The principle of vicarious liability is that an employer is liable for an employee’s negligent actions if they were committed in the course or scope of the employee’s employment or are closely connected with what the employee is authorised by the employer to do.

A great deal of court time has been devoted to the extent to which this principle applies to different scenarios, and there is a perception that, in recent years, the scope was being broadened.

In this case the court decided that whilst Mr Skelton’s actions were a breach of data protection legislation, Morrisons were not liable for those actions.

The court gave much needed guidance on the scope of vicarious liability.  This was a useful and reassuring decision for employers.

Data Protection Act 1998

The second issue before the Supreme Court was whether the DPA excludes the imposition of vicarious liability for either statutory or common law wrongs.

The Supreme Court found Morrisons’ argument that liability is excluded unpersuasive. Whilst the DPA does address a situation in which data is entrusted to an employee by an employer (or controller), it is not concerned with the next stage of the analysis.

The DPA does not address whether an employer is then vicariously liable for the processing activities of an employee who has become a third party data controller in their own right.

The Supreme Court put it neatly: “the DPA is silent about the position of a data controller’s employer” and, as such, there can be no basis for concluding that the doctrine of vicarious liability is excluded.

This therefore remains a risk to be managed by employers and data controllers more generally.


The lessons to be learned from this case are:

  • Whilst this case was brought under the ‘old’ data legislation, the same principles are likely to apply under the GDPR regime.
  • Where an employee is acting in the course of their employment the employer will be responsible and legally liable for that processing under our data legislation.
  • If an employer contributes in some way to the breach then they will still face liability, even if the breach has been caused primarily by a rogue employee.
  • Employers must ensure that they comply with their security obligations and ensure staff are properly trained.

Overall the Morrisons case has tightened up what was becoming an increasingly wide application of the principle of vicarious liability. 

However, the case makes it clear that employers, even when faced with a rogue employee, can still face liability if they have failed to comply with their own obligations under data legislation.

For more information on the article above please contact Christopher Francis.