WM Morrisons Supermarkets plc v Various Claimants

Mr Skelton, Morrisons’ former senior internal IT auditor, downloaded the payroll data of c.100,000 employees onto a personal USB and took it home. He later uploaded the data onto a file-sharing website and sent anonymous links to three UK newspapers, motivated by a grudge against his employer following minor disciplinary proceedings earlier that year.

9,263 employees, whose personal data had been disclosed, issued a claim against Morrisons for damages for breach of the Data Protection Act 1998 (“DPA”) and/or for the misuse of private information and/or for breach of confidence by Mr Skelton, in respect of whose conduct Morrisons was alleged to be vicarious liable.

Applying the principles in Mohamud v Wm Morrison Supermarkets plc [2016] AC 677 at [44]-[45], the High Court and Court of Appeal found that Morrisons was vicariously liable for Mr Skelton’s conduct, whether for breach of statutory duty under the DPA, tortious misuse of private information or breach of confidence in equity.

The Supreme Court upheld Morrisons’ appeal, finding that the lower courts had “misunderstood the principles governing vicarious liability in a number of relevant respects.” [31]

Lord Reed, giving the judgment of the Court, stated that the relevant question (applying Dubai Aluminium [2003] 2 AC 366 at [23]) was “whether Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.” [32]

Lord Reed held that the answer was “no”, having regard to the following:

1. First, the disclosure of data on to the Internet did not form part of Mr Skelton’s functions or “field of activities” in the sense in which the words were used by Lord Toulson in Mohamud at [44]: “it was not an act which he was authorised to do.” [31]

2. Second, it was not sufficient for the imposition of vicarious liability that the employment gave the employee the “mere opportunity” to commit a wrongful act, or that the employee was “doing acts of the same kind as those which it was within his authority to do.” [35]  

3. Third, whilst there was a “close temporal link” and an “unbroken chain of causation” between the provision of data to Mr Skelton in the course of his employment and its subsequent disclosure, “a temporal or casual connection does not in itself satisfy the close connection test.” [31]

4. Fourth, motive was not irrelevant: on the contrary, “whether he was acting on his employer’s business or for purely personal reasons was highly material.”[31] Mr Skelton was “not acting on his employer’s business, but in pursuit of his own private ends” [44] and “seeking vengeance for the disciplinary proceedings some months earlier” [47].

The Supreme Court dismissed the second ground of appeal, which concerned whether the DPA excluded the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA and misuse of private information and breach of confidence. [48]-[55]

Lord Pannick QC and Gayatri Sarathy acted for the successful Appellant in the Supreme Court.

The full judgment is available here.