In October 2013 Andrew Skelton, a disgruntled employee of Morrison Supermarkets plc, posted the personal details of nearly 100,000 employees of Morrisons online. These details included the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff. Mr Skelton had access to this data for the legitimate purposes of transmitting it to external auditors but ultimately his actions, which he had attempted to frame a co-worker for, were discovered and he was sentenced to eight years' imprisonment.

Subsequently over 9,000 of the victims of Mr Skelton's data breach sued Morrisons for breach of statutory duty under the Data Protection Act 1998, misuse of private information and breach of confidence on the basis that it was vicariously liable for the actions of its employee. The claimants were successful both in the High Court and in the Court of Appeal. However, the Supreme Court has recently overturned these judgments on the basis that they had misunderstood the principles governing vicarious liability.

Examination of Vicarious Liability by the Supreme Court

The Supreme Court presented a comprehensive assessment of the history of the law of vicarious liability which has developed as a doctrine from the late 17th century in response to the expansion of commerce and industry. The principle behind it is that where an employer employed the wrongdoer, and the employee committed a wrongful act against the claimant within the area of the authority given to him, it was fairer that the employer should suffer for the wrongdoing than the person who was wronged.

There have been a number of cases which have extended this principle further including amongst others: cases on the abuse of children in educational establishments; an assault on a customer by a petrol station attendant; a manager punching a colleague at a Christmas party; and a police officer shooting a man in a bar. In some cases, the employers were held liable for the actions of its employees but in others they were not as the actions of the employees were not sufficiently connected to their employment. None of the employees in these cases would have been authorised to act in the ways that they did. Therefore, the basic question is, when are employers liable for the actions of rogue employees?

The Supreme Court paid close attention to the "close connection" tests outlined in the 2003 case of Dubai Aluminium v Salaam. Applying these tests to the facts, the Supreme Court found that, while Mr Skelton was authorised to transmit the payroll data to the auditors, his wrongful disclosure of the data was not so closely connected with that task that it could be properly regarded as taking place in the ordinary course of his employment. While Mr Skelton was afforded the opportunity to commit his criminal actions through his employment, that was not sufficient to warrant the imposition of vicarious liability. Not only was Mr Skelton not engaged (misguidedly or otherwise) in furthering his employer's business, he was actually acting on a "frolic of his own" pursuing a personal vendetta to harm his employer.

For completeness, the court considered the second limb of Morrison's appeal, namely that the Data Protection Act excluded the imposition of vicarious liability on employers, and rejected it. The court found that it was irrelevant that a data controller's statutory liability under the Data Protection Act is based on a lack of reasonable care, while vicarious liability for an employee's conduct requires no proof of fault. The same contrast exists at common law between, for example, an employee's liability in negligence and an employer's vicarious liability. Since the Data Protection Act is silent about the position of a data controller's employer, the court found that there cannot be any inconsistency between the two regimes.


It is easy to sympathise with the position of Morrisons in this case and the previous decisions had caused a certain degree of worry for employers (particularly since the massive increase in potential fines post GDPR). It would also create a worrying principle if rogue employees were able to succeed in their aims of causing large liabilities for their employers when the employer had done nothing wrong. Therefore, it is easy to see why the Supreme Court made the decision that it did. However, the wide range of cases on vicarious liability, and the fact that claimants know that the employer will have deeper pockets than the rogue employee, means that this will not be the last case we see testing the boundaries of vicarious liability in the future. In the field of data protection, the confirmation from the Supreme Court that employers can be vicariously liable for the data breaches of employees will be useful for future data protection class actions.

This article has been produced for general information purposes and further advice should be sought from a professional advisor. Please contact our Employment team at Cleaver Fulton Rankin for further advice or information.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.