In November 2013, Andrew Skelton, an employee at Morrisons supermarket, downloaded payroll data he was entrusted with at work onto a personal USB stick and took it home. He later uploaded the data onto a file-sharing website and sent it to newspapers, pretending to be a concerned member of the public who had found it online.
More than 5,500 employees whose personal data was disclosed sought damages from Morrisons.
The Justices considered whether vicarious liability can apply to a Data Protection Act 1988 breach, and whether the breach occurred in the course of Skelton’s employment, in WM Morrison Supermarkets v Various Claimants [2020] UKSC 12.
Lord Reed, giving the judgment, found that vicarious liability can apply to a data protection breach under common law, but that the employer had no liability in this case.
Claire Greaney, senior associate, Charles Russell Speechlys, said: ‘Today’s decision is welcome news for businesses, confirming that they will not be vicariously liable for breaches of this nature.
‘Going forward, in these “rogue employee” cases the focus will be on what the data controller has or hasn’t done to prevent the breach from occurring. Courts will be looking at whether the data security principle of the GDPR has been breached. This requires data controllers to ensure appropriate security of personal data, which will be different for every company. Conducting data protection impact assessments will be critical to demonstrating compliance.
‘However, it wasn’t all good news for businesses today. The Court did not say there could never be vicarious liability for the conduct of employees in the world of data protection. If the door to vicarious liability was left ajar by the Court of Appeal, the Supreme Court has confirmed that it is staying open. In the GDPR era of mandatory notification, businesses will need to look carefully at the measures they take to mitigate these risks, including taking out data insurance to protect themselves.’
Susan Hall, data protection partner, Clarke Willmott, said: ‘It’s very much the judgement all employers must have hoped the Supreme Court would reach; a common sense restatement of the law of vicarious liability which allows it to be properly applied in relevant cases where the employee has acted improperly within the scope of their duties (including where the employee is a data controller of data) but has not gone completely off piste.’
Employment barrister Mark Thomas, of 5 Essex Court, said: ‘The Supreme Court have reversed [the Court of Appeal's] decision, restoring normality to the previously established position on vicarious liability. Morrisons has been saved by the Supreme Court’s recognition that “it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier”.
‘This case also has wider implications for employers throughout the country. It means that, if they adopt conscientious and careful data control and protection measures, then they can be relatively sure that they are protected against the legal consequences of vindictive data breaches.’