Morrisons not liable for actions of employee over data leak, Supreme Court rules

The UK’s highest court has ruled that Morrisons should not be held liable for the criminal act of an employee with a “grudge” who leaked payroll data of around 100,000 members of staff.

The supermarket giant brought a Supreme Court challenge in a bid to overturn previous judgments which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.

A panel of five justices unanimously ruled on Wednesday that Morrisons was not “vicariously liable” for the actions of Andrew Skelton, who disclosed staff information on the internet and also sent it to newspapers.

Announcing the decision via livestream, the court’s president Lord Reed said Skelton leaked the data because of a “grudge” after he was given a verbal warning following disciplinary proceedings.

The judge said employers could only be held liable for the actions of employees if they were “closely connected” with their duties at work.

He said: “In the present case, Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing in question.

“On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.

“In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable.”

Andrew Skelton, who leaked the payroll data of around 100,000 employees

The decision overturns previous rulings in the High Court and Court of Appeal, which held that Morrisons was vicariously liable for Skelton’s actions.

It was argued on behalf of Morrisons that if those findings were allowed to stand, the company, although “entirely blameless”, would be exposed to “compensation claims on a potentially vast scale”.

The latest round of the litigation at the Supreme Court followed a blow for Morrisons at the Court of Appeal in October last year, when three leading judges upheld a 2017 High Court finding on the issue of liability.

Legal action was launched after a security breach in 2014 when Skelton, a senior internal auditor at the retailer’s Bradford headquarters, leaked the payroll data of around 100,000 employees.

Information included their names, addresses, bank account details and salaries.

Lawyers for more than 9,000 claimants have previously described the action as a “classic David and Goliath case”.

They sought compensation for the upset and distress caused in a case with potential implications for every individual and business in the country.

In July 2015, Skelton was found guilty at Bradford Crown Court of fraud, securing unauthorised access to computer material and disclosing personal data, and was jailed for eight years.

The Supreme Court was asked to decide whether the Data Protection Act 1998 excludes the application of vicarious liability to a breach of that Act, or for misuse of private information or breach of confidence.

It was also asked to rule on whether the Court of Appeal “erred in concluding that the disclosure of data” by its employee occurred in the course of his employment, for which the company should be held vicariously liable.
