April 03, 2020

Morrisons is not vicariously liable for a trusted employee publishing personal data without authorisation: the UK Supreme Court overturns the Court of Appeal


Further to our November 2019 update, the UK Supreme Court has now ruled in the case of WM Morrisons Supermarkets plc v Various Claimants1.

In its judgment of 1 April 2020 the Supreme Court, overturning the decision of the Court of Appeal, unanimously agreed with the supermarket chain WM Morrison (“Morrisons”) that it should not be held vicariously liable for its then in-house senior internal auditor publishing the personal data of almost 100,000 employees deliberately and without authorisation. The claim had been brought against Morrisons by 9,263 of the employees and former employees whose data had been published and was managed under a group litigation order.

The Supreme Court used this judgment as an opportunity to correct what it described as “misunderstandings” which had arisen in relation to the law on vicarious liability. This will bring comfort to employers in understanding their potential liability for the actions of their employees. It is especially important in light of two significant developments which have the potential to result in more high-profile, high-value claims being brought against companies. First, a growth in claimant firms actively looking for opportunities to pursue claims on a collective basis on behalf of a large number of claimants; and, second, the coming into force of the EU’s General Data Protection Regulation (“GDPR”) and the UK’s Data Protection Act 2018 (“DPA 2018”), which raised the profile of parties’ data protection obligations and significantly increased the sanctions for failing to comply with those obligations, and which actively encourage group claims for data breaches.

Summary

The Supreme Court confirmed that to determine vicarious liability the court must consider:

  • Were the actions in question within the acts the employee was authorised to do; and
  • Were the wrongful conduct and the acts the employee was authorised to do so closely connected that the wrongful conduct may fairly and properly be regarded as done whilst acting in the ordinary course of the employee’s employment?

The court also stated that, in determining whether there is a sufficiently close connection, it is important to draw a distinction between cases where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee was engaged in solely pursuing his own interests.

Applying those tests to the facts of this case, the Supreme Court held that:

  • The senior in-house auditor’s task was to collate and transmit payroll data to the external auditor – the publication of the data on a third party website did not fall within the actions he was authorised to do; and
  • Whilst the task allocated to the senior in-house auditor enabled him to publish the personal data in question, that publication was a “personal vendetta” and it was “abundantly clear” that this did not further his employer’s business, such that his publication of the personal data was not so closely connected to the task allocated to him by Morrisons that it could fairly and properly be regarded as done by him in the ordinary course of his employment.

Accordingly, Morrisons was not vicariously liable for the in-house auditor’s wrongdoing.

Also, though it did not strictly need to pass judgment on this point, the court confirmed that the Data Protection Act 1998 (“DPA 1998”) did not impliedly exclude vicarious liability for breaches of a statutory duty arising under the DPA 1998, or for the misuse of personal data, or for breach of confidence. While the Supreme Court did not address vicarious liability for employees’ actions under the DPA 2018 and the GDPR, it is likely that the same analysis would be applied.

Facts

In July 2013 Mr Andrew Skelton, a senior in-house auditor at Morrisons, had been subject to disciplinary proceedings as a result of which he was given a verbal warning. It appears that Mr Skelton developed a grudge against Morrisons as a result. In November 2013, to prepare for Morrisons’ annual external audit, Mr Skelton was delegated with the task of collating and transmitting payroll data to the external auditors, meaning that he had access to that data for all 126,000 Morrisons employees. In addition to providing this data to the external auditors, Mr Skelton copied this data to a personal USB stick.

Whilst at home on 12 January 2014 Mr Skelton uploaded a file, created from the copy of the data he had taken in November 2013, containing the data of 98,998 Morrisons employees to a publicly accessible file-sharing website, and posted links to that data on other websites. In uploading the data, Mr Skelton used a false email account he had set up in the name of a fellow employee who had been involved in Mr Skelton’s disciplinary proceedings, in what the Supreme Court called “a deliberate attempt to frame” that fellow employee.

On 12 March 2014 – the day Morrisons’ financial results were to be published – Mr Skelton sent CDs containing the personal data to three newspapers, posing as a member of the public who had found it on the file-sharing website. The newspapers did not publish the data, and one alerted Morrisons which immediately took steps to protect its position, including seeking to have the data removed from the website. Morrisons, the Supreme Court stated, had spent more than £2.26 million dealing with the immediate aftermath of Mr Skelton’s disclosure, including funding identity protection measures for its employees (a common step for employers to take). Mr Skelton was arrested and, upon conviction for a number of offences, was sentenced to eight years in prison.

The decision of the Supreme Court

The principal question that the Supreme Court was invited to determine was whether Morrisons was vicariously liable for Mr Skelton’s conduct. If Morrisons was so liable, the Court was then invited to determine whether the DPA 1998 excluded the imposition of vicarious liability for (a) the breach of the statutory duty under the DPA 1998 committed by an employee data controller or (b) the misuse of private information and breach of confidence.

In giving the sole judgment of the 5-strong panel, Lord Reed held that Morrisons had not been vicariously liable for Mr Skelton’s conduct. This overturned the decision of the Court of Appeal which had, it said, applied the 2016 Supreme Court judgment on vicarious liability of Mohamud v WM Morrison Supermarkets plc2 (Mohamud). However Lord Reed found that the Court of Appeal had “misunderstood the principles governing vicarious liability in a number of relevant respects.”3

The decision in Mohamud and its application in the Court of Appeal

In Mohamud, a petrol station employee had, using foul and abusive language, ordered a customer to leave the petrol station before punching the customer to the floor and subjecting him to a serious attack on the petrol station forecourt. The Supreme Court in that case found that the employer was vicariously liable for the actions of its employee.

Lord Reed explained that in Mohamud Lord Toulson, giving the main judgment of the court, had applied the test for vicarious liability as follows: first, the employee’s authorised actions (Lord Toulson found the phrase “field of activities” from an earlier case helpful4) included attending to customers and responding to their inquiries; second he had rejected the argument that the assault on the customer was unconnected with the employee’s field of activities. It was on this basis that the employer was liable for the employee’s assault on the customer.

However, Lord Reed stated, the Court of Appeal had focused on the final paragraphs of Lord Toulson’s judgment in Mohamud, in which he had been applying the existing law to the facts of the case before him, and it had applied those paragraphs to determine if Morrisons was vicariously liable in this claim. The result of the Court of Appeal adopting this approach, Lord Reed held, was to effect a change in the law of vicarious liability which was not the intention of Lord Toulson’s judgment.

In those final paragraphs of Mohamud Lord Toulson had found that the request to leave the petrol station was within the “field of activities” assigned to the employee, and that what happened subsequently was “an unbroken sequence of events”.5 He also noted that whilst it appeared obvious that the employee’s actions were “motivated by personal racism rather than a desire to benefit his employer’s business”, on the facts the employee’s “motive [was] irrelevant.”6

In reviewing the Court of Appeal’s application of these paragraphs to the facts of this case, Lord Reed stated it had misunderstood the principles governing vicarious liability, particularly in finding that (i) the publication of the personal data on the third party website was an act Mr Skelton had been authorised to do, and (ii) the fact there was an “unbroken sequence of events” linking the provision of the personal data to Mr Skelton and his publishing it meant there was a sufficiently close connection to the actions Mr Skelton was authorised to do, such that Morrisons should be liable. The Court of Appeal had also not taken into account why Mr Skelton had acted wrongfully, when in fact it was highly material whether he had been acting on Morrisons’ business or for purely personal reasons.7

The law on vicarious liability

Lord Reed took the opportunity to revisit the development of the law on vicarious liability. The definition of a wrongful act by an employee in the course of his employment was captured in 1907 in the first edition of Salmond on Torts as being “either (a) a wrongful act authorised by the master or (b) a wrongful and unauthorised mode of doing some act authorised by the master”, where the master is liable for acts he has not authorised if they are “so connected with acts which he has authorised, that they might rightly be regarded as modes – although improper modes – of doing them”. This definition was applied by the courts throughout the 20th century in a variety of factual scenarios, including employers’ liability for employees, civil fraud and sexual abuse.

Given the wide range of facts to which this test has had to apply the courts have refined it over time, the most important decision being the 2003 case of Dubai Aluminium Co Ltd v Salaam.8 Following that decision, Lord Reed set out the test that the court had to consider to determine whether Morrisons was vicariously liable for Mr Skelton’s actions:

  • first, were the actions within the acts the employee was authorised to do;9 and
  • second, was the wrongful conduct “so closely connected with acts [the employee] was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”10

In relation to the second element, Lord Reed explained that previous cases had drawn a distinction between cases “where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged in solely pursuing his own interests: on a ‘frolic of his own’”.11

The Supreme Court’s decision: Morrisons was not vicariously liable

In determining whether Morrisons was vicariously liable for Mr Skelton’s wrongdoing Lord Reed held that, first, Mr Skelton’s task was to collate and transmit payroll data to Morrisons’ external auditors. Whilst this enabled him to make his personal copy of the data, the publication of the data to the website was not an action falling within the acts he was authorised to do.

The court then had to consider whether Mr Skelton’s “disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment”12 such that Morrisons should be vicariously liable.

At first instance the High Court had treated as important the fact that Mr Skelton’s disclosure of the data to the website was “closely related to what he was tasked to do”,13 an approach the Court of Appeal had endorsed saying it was “plainly correct”14. Lord Reed described this approach as a “fallacy”15: a previous Court of Appeal decision had found that an employee “even while performing acts of the class which he was authorised, or employed, to do, may so clearly depart from the scope of his employment that his master will not be liable for his wrongful acts.” 16

Lord Reed also found that Mr Skelton was not engaged in furthering his employer’s business but “pursuing a personal vendetta”17 – essentially, “a frolic of his own”18. Therefore Mr Skelton’s wrongful conduct was not “so closely connected with acts that he was authorised to do” that Morrisons should be held vicariously liable.

Having found that Morrisons was not vicariously liable for Mr Skelton’s wrongdoing, it was not strictly necessary to consider whether the DPA 1998 excluded vicarious liability but, as these points had been fully argued before the court, Lord Reed proceeded to express the court’s view.

Does the DPA 1998 exclude vicarious liability?

Lord Reed took as his starting point the statement in the case of Majrowski that “unless statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of a statutory obligation sounding in damages while acting in the course of his employment.”19

Morrisons argued that section 13 of the DPA 1998 impliedly excluded the vicarious liability of an employer. Section 13 entitled persons who had suffered damage or distress to compensation for that damage or distress. However, it would be a defence for the defendant data controller to prove “that he had taken such care as in all the circumstances was reasonably required to comply with the requirement concerned” (the “requirement concerned” here being the seventh data protection principle which required a data controller to “take reasonable steps to ensure the reliability of any employees of his who have access to personal data”). Morrisons argued that this statutory regime, which imposed liability only on data controllers and only where they had acted without reasonable care, was incompatible with the strict liability regime where an employer is found to be vicariously liable for the actions of its employee.

Lord Reed was not persuaded of this approach; he held that there is no inconsistency in imposing the two regimes of statutory liability and common law vicarious liability. Therefore, as the DPA 1998 did not expressly or impliedly indicate otherwise, vicarious liability could in principle apply to the statutory breaches of the DPA 1998, to the misuse of data, and to breach of confidence. While the Supreme Court did not address the position under the GDPR and the DPA 2018, it seems unlikely that a court would exclude vicarious liability for statutory breaches under those laws as, similar to the DPA 1998, the GDPR and DPA 2018 do not expressly or impliedly exclude vicarious liability of employers for actions of their employees.

Conclusion

This is an important judgment as any claim for vicarious liability will turn on its specific set of facts. It is therefore welcome that the Supreme Court has sought to clarify relatively promptly the “misunderstandings” regarding the test for vicarious liability that had arisen following the Supreme Court’s 2016 decision in Mohamud. In reaffirming the test as had always been understood to apply, and explaining the decision in Mohamud, the Supreme Court has sought to bring what certainty it can to this area.

At a time when the profile of, and sanctions for breach of, parties’ data obligations have increased dramatically, this decision also reduces the risk that employers could face a potential “double jeopardy” when a data breach arises from the actions of a rogue employee, despite implementing appropriate technical and organisational measures to ensure appropriate data security. When such a data breach occurs, a company often has to spend significant amounts of money to assist those persons who have suffered from a data breach, as Morrisons did in this case. It would be a bitter pill to swallow if the company was also at risk of being found vicariously liable to those same persons for the actions of the rogue employee that gave rise to the data breach.



1 [2020] UKSC 12.
2 [2016] UKSC 11.
3 [2020] UKSC 12 at para 31.
4 Used in Central Motors (Glasgow) Ltd v Cessnock Garage and Motor Co 1925 SC 796 at 802; see Mohamud [2016] UKSC 11 at para 36.
5 [2016] UKSC 11 at para 47.
6 [2016] UKSC 11 at para 47.
7 [2020] UKSC 12 at para 31.
8 [2003] 2 AC 366.
9 [2020] UKSC 12, at paras 27 and 31.
10 [2020] UKSC 12, at para 32, applying the test set out in Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366 at para 23.
11 [2020] UKSC 12, at para 38, quoting Lord Nicholls in Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366 at para 32.
12 [2020] UKSC 12, at para 32.
13 [2017] EWHC 3113 (QB), at para 185.
14 [2018] EWCA Civ 2239, at para 63.
15 [2020] UKSC 12, at para 35.
16 Kooragong Investments Pty Ltd v Richardson & Wrench Ltd [1982] AC 462, at p. 473.
17 [2020] UKSC 12, at para 47.
18 Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366 at para 32.
19 [2007] 1 AC 224, per Lord Nicholls at para 10.
