April 6, 2020
In 2013, Andrew Skelton was a senior IT internal auditor employed by the defendant, WM Morrison Supermarkets plc. Following a disciplinary hearing, he was given a formal verbal warning. Mr Skelton was annoyed by the disciplinary proceedings and the sanction, which left him with a grudge against Morrisons.
In January 2014, a file containing personal details of 99,998 employees of Morrisons was posted on a file-sharing website. Shortly after, links to the website were also placed on the internet. The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details. It was quickly established that the data had almost certainly been derived from data held by Morrisons in relation to its employees.
In March 2014, Mr Skelton was arrested and charged with offences under the Computer Misuse Act 1990 and s 55 of the Data Protection Act 1998. He was subsequently tried, convicted and sentenced to a term of eight years' imprisonment.
Some 5,518 employees of Morrisons, whose data was disclosed by the actions of Mr Skelton, claimed compensation for breach of s 4(4) of the DPA, misuse of private information, and breach of confidence.
At first instance, Mr Justice Langstaff held that there was no primary liability on the part of Morrisons, since at the time of disclosure, Morrisons was not the data controller of the misused data: it was Mr Skelton who had disclosed the data and was the data controller. However, he held that the wrongful actions of Mr Skelton had been “sufficiently connected” to the position in which he had been employed to make it right for the employer to be held liable vicariously.
The Court of Appeal subsequently upheld Langstaff J’s decision. Morrisons appealed to the Supreme Court.
Giving the lead judgment, with which all the Justices agreed, Lord Reed noted that the starting point was Lord Toulson’s judgment in Mohamud v WM Morrison Supermarkets plc  UKSC 11, which was intended to follow Dubai Aluminium Co Ltd v Salaam  2 AC 366, in which Lord Nicholls explained the “close connection” test.
Lord Toulson had explained the “close connection” test and then summarised the law. The first question is what functions or “field of activities” the employer has entrusted to the employee. Next, he said, “the court must decide whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ”. This had been more fully explained by Lord Nicholls in Dubai Aluminium. Lord Reed said that Lord Toulson was not suggesting any departure from Lord Nicholls’ approach. Further, read in context, Lord Toulson’s comments that, on the facts of Mohamud, there was an “unbroken sequence of events” and a “seamless episode”, referred to the capacity in which the employee had been purporting to act when the wrongful conduct took place, namely “about his employer’s business”. Lord Toulson’s comment in relation to the facts of Mohamud, that “motive is irrelevant”, should not be read in isolation and out of context: whether the employee is acting on his employer’s business or for personal reasons is important. On the facts of Mohamud, the reason why he had committed the tort could not make a material difference to the outcome.
Accordingly, Lord Reed concluded that both Langstaff J and the Court of Appeal had misunderstood the principles governing vicarious liability. First, the online disclosure of the data was not part of Mr Skelton’s “field of activities”, as it was not an act that he was authorised to do. Secondly, the satisfaction of the factors referred to by Lord Phillips in Various Claimants v Catholic Child Welfare Society  UKSC 56, was not relevant. Thirdly, a temporal or causal connection alone does not satisfy the close connection test. Finally, it was highly material whether Mr Skelton was acting on his employer’s business or for purely personal reasons.
Lord Reed said that no vicarious liability arose in this case. Mr Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by Mr Skelton while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee is not engaged in furthering his employer’s business, but rather is pursuing a personal vendetta – on a “frolic of his own”. The “close connection” test was not satisfied.
The second major issue was therefore academic in this case: whether the DPA excluded imposition of vicarious liability for either statutory or common law wrongs. Lord Reed said that Morrisons’ argument that liability was excluded was unpersuasive. Imposing statutory liability on a data controller such as Mr Skelton was not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller’s employer. It is irrelevant that a data controller’s statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault. Lord Reed said that the same contrast exists at common law between, for example, an employee’s liability in negligence and an employer’s vicarious liability. It makes no difference that an employee’s liability might arise under statute instead. However, since no vicarious liability had been present in this case, the point was moot. The appeal was therefore allowed. (WM Morrison Supermarkets plc v Various Claimants  UKSC 12 (1 April 2020)).