Data Blast Special – Morrisons wins Supreme Court Appeal

On April 1st, the Supreme Court announced its much awaited decision in the Morrisons data breach case (previously covered here) finding the supermarket chain not liable for the actions of a disgruntled employee who intentionally leaked roughly payroll data of 100,000 employees online.

In summary, the case concerned the actions of disgruntled Morrisons auditor Andrew Skelton who, during a 2014 audit, copied personal payroll data and posted it online, for which he was given an 8-year prison sentence. The question for the Supreme Court was whether Morrisons was vicariously liable, a legal principle that employers can be held responsible for the actions of employees who commit crimes while on duty, for the breach resulting from Skelton’s actions.

The appeal stems from the first instance decision in 2017 of Langstaff J., who whilst rejecting the contention Morrisons was under a primary liability in any of the respects alleged, did find that Morrisons were vicariously liable for Skelton’s breach of statutory duty under the Data Protection Act 1998 (‘DPA’) for his misuse of private information, and his breach of his duty of confidence. The judge rejected Morrisons’ argument that vicarious liability could not attach to a breach of the DPA by Skelton as the data controller of the data copied on to his USB stick and subsequently disclosed by him, holding that the object of Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (‘the Directive’), transposed by the DPA, was the protection of data subjects, and that if vicarious liability did not apply, the purpose of the Directive would be defeated.  The trial judge also rejected Morrisons’ argument that Skelton’s wrongful conduct was not committed in the course of his employment – this as we now know was wrong.

In determining whether Morrisons should be held liable, the decision has reviewed the law on vicarious liability going back to the 17th century.  The origins and development of vicarious liability, developed mainly from the decisions of Sir John Holt CJ in the late 17th and early 18th centuries, when the doctrine was broadened in response to the expansion of commerce and industry. The Chief Justice had explained the doctrine was resting on the principle that, where an employer employed the wrongdoer, and the employee committed a wrongful act against the claimant within the area of the authority given to him, it was fairer that the employer should suffer for the wrongdoing than the person who was wronged.  The more recent authorities stem largely from the comments of Lord Nicholls in Dubai Aluminium [2002] HL when he identified the general principle (‘the best general answer,’ para 23) applicable to vicarious liability arising out of a relationship of employment: the wrongful conduct must be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment.

In overturning the decision, Lord Reed found that the disclosure of the data on the internet did not form part of Skelton’s functions or field of activities, in the sense in which those words were used by Lord Toulson: “It was not an act which he was authorised to do,” as Lord Nicholls put it.  Contrasting the Court of Appeal’s decision, Lord Reed held that whether Skelton had been acting for his employer’s business or for purely personal reasons was a highly material question in determining Morrisons’ liability.

Ultimately, it was held that Skelton’s actions were so removed from Morrisons’ business that they were not closely enough connected to establish vicarious liability. Summarising the decision, Lord Reed stated that “Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.” The fact that Skelton’s employment with Morrisons afforded him the opportunity to commit the wrongful act was insufficient in establishing Morrisons as being vicariously liable for his actions.

While the 9000+ Morrisons employees who joined the action for damages against the supermarket will surely be disappointed, this is the right outcome because of the underlying facts and general good conduct of Morrisons. To find otherwise would discourage companies from having policies and procedures, and seeking to do the right thing, because they would know whatever they did they would carry the liability of rogues. Here for example the facts established at trial included that within a few hours of learning of the breach, Morrisons had taken steps to ensure that the data was removed from the internet, instigated internal investigations, and informed the police. It also informed its employees and undertook measures to protect their identities. Skelton was arrested a few days after the breach because of the co-operation of the newspapers that Skelton had contacted, and Morrisons. He was subsequently convicted of a number of offences and sentenced to eight years’ imprisonment. It was noted that Morrisons had spent more than £2.26m in dealing with the immediate aftermath of the disclosure. A significant element of that sum was spent on identity protection measures for its employees. Morrissons had also done much to ensure staff understand the importance of security and the proper processing of personal data.

This decision helpfully clarifies that companies will not be held responsible for rogues if the circumstances show they did the right thing and the employee acted outside their employment obligations.  It also leaves the balance that companies still be held vicariously liable for employees’ actions that result in a data breach where the facts justify it. This was made clear in the decision, where Lord Reed held, “[T]he imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA, or for breaches of duties arising under common law or equity.” Effectively, Morrisons could be held vicariously liable for breaches of data protection law where an employee is a data controller in their own right, and their motive for breaching the law is in furthering Morrisons’ business, or where Morrissons had failed to properly train, instruct or supervise.

While disappointing for those employees who joined the action, the decision will be well received by employers and data protection practitioners, as well as the UK Information Commissioner’s Office, who had urged the Court of Appeal to dismiss the case last year.

There are several lessons for employers to consider in light of the decision. First, where employees process data not for personal reasons (as in this case) but at their employer’s behest, the employer is directly responsible for that processing. Second, those employers who lack proper security measures, which could connect data breaches to rogue employees, may be directly liable under the General Data Protection Regulation. The ICO, and other European data protection authorities, have fined several organisations for lacking adequate data security measures (see here for our coverage of a recent case). Lastly, employers should ensure that employees receiving data protection training, so that all employees know what constitutes a data breach, and what steps they should take when one occurs. We recommend annual training and assessment of privacy and risk for all businesses.