The Supreme Court has found that Morrisons was not vicariously liable for the deliberate and criminal disclosure by an employee of personal data belonging to co-workers in Wm Morrisons Supermarket plc v Various claimants. This decision will come as a huge relief to employers who will no longer have to ensure that they have insurance cover in place to insure against losses caused by disgruntled employees.
Mr Skelton was employed by Morrisons as a senior IT internal auditor. He had been disciplined for a separate incident when he was asked to send payroll data from Morrisons to KPMG. He was provided with an encrypted USB stick which contained the information. As well as forwarding the information to KPMG, he also downloaded it onto his work computer. Just before Morisons' annual financial reports were announced, a file containing the personal details of almost 100,000 Morrisons' employees was posted on a file sharing website by Mr Skelton. Soon afterwards, he was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and under section 55 of the Data Protection Act 2018. The co-workers whose data had been disclosed made a group civil claim against Morrisons for compensation arguing that Morrisons had both primary liability for its own acts and omissions, and vicarious liability for the actions of Mr Skelton.The Supreme Court overturned the decisions of both the High Court and the Court of Appeal that Morrisons was vicariously liable for Mr Skelton's actions. Mr Skelton was authorised by Morrisons to transmit payroll data to Morrisons' auditors. His wrongful disclosure of the data was not so closely connected with that task that it could be properly regarded as made by Mr Skelton while acting in the ordinary course of his employment. The fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to lead to vicarious liability on the part of his employer. The Court reasoned that an employer will not normally be vicariously liable in situations where the employee was not engaged in furthering his employer's business, but rather was pursuing a personal vendetta.
Although the case was decided under the previous data protection regime, the GDPR and the Data Protection Act 2018 are based on broadly similar principles, and it will still be possible for vicarious liability action to be brought. However, following the Supreme Court's decision employers will still be able to avoid vicarious liability by demonstrating that appropriate measures have been implemented in accordance with data protection legislation. There will be no liability where an employee is pursuing "a personal vendetta of his own" or "an act entirely of personal vengeance".
It's worth noting that the GDPR makes compliance more onerous now for data controllers, and if there is a failure to safeguard data and to have proper measures in place to curb the wrongful acts of rogue employees, they will run the risk of huge fines and data subject compensation claims.
