A disgruntled employee deliberately leaked colleagues' personal data. The Supreme Court held that the employer, Morrisons, was not vicariously liable because the employee's act was a personal vendetta, not an act done a in the course of his employment.
Facts
An employee of Morrisons, Mr Andrew Skelton, a senior IT internal auditor, developed a grievance against the company following disciplinary proceedings. Tasked with transmitting payroll data for the entire workforce to an external auditor, Skelton illicitly copied the data, which included names, addresses, bank account details, and salaries of nearly 100,000 employees. He subsequently uploaded this data to a publicly accessible file-sharing website and sent links to several newspapers. His actions were motivated by a desire for revenge against his employer. Skelton was prosecuted and convicted for his actions under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA 1998). A group of affected employees brought a group litigation claim against Morrisons, alleging that the company was vicariously liable for Skelton’s breach of statutory duty under the DPA 1998, misuse of private information, and breach of confidence. Both the High Court and the Court of Appeal found in favour of the claimants, holding Morrisons vicariously liable. Morrisons appealed to the Supreme Court.
Issues
The Supreme Court considered two primary legal issues:
- Whether Morrisons was vicariously liable for its employee’s wrongful conduct on the basis that it was ‘so closely connected’ with his employment that it could be considered to be in the course of it.
- Whether the Data Protection Act 1998 excludes the application of vicarious liability for the torts of misuse of private information and breach of confidence, or for a breach of the duties imposed by the Act itself.
Judgment
The Supreme Court unanimously allowed the appeal, overturning the decisions of the lower courts. Lord Reed gave the sole judgment.
The ‘Close Connection’ Test
The Court analysed the ‘close connection’ test for vicarious liability established in Lister v Hesley Hall Ltd. Lord Reed clarified that the test requires a court to ask two questions: first, what functions or ‘field of activities’ have been entrusted by the employer to the employee; and second, whether there was a sufficient connection between the position in which he was employed and his wrongful conduct. The court must assess whether the wrongdoing can be fairly and properly regarded as being done by the employee while acting in the ordinary course of his employment.
The question is whether Skelton’s disclosure of the data was so closely connected with the acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as made by him while acting in the ordinary course of his employment.
The Court held that the Court of Appeal had misunderstood the principles governing vicarious liability. The key distinction is whether the employee is acting, however improperly, in the furtherance of their employer’s business or is acting purely on their own account. Skelton was not furthering his employer’s business; he was pursuing a personal vendetta. The fact that his employment provided the opportunity and means to commit the wrongdoing was not sufficient to establish vicarious liability.
In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings some months earlier.
The Data Protection Act 1998
Although the ruling on the primary issue was decisive, the Court also addressed the second issue concerning the DPA 1998. It concluded that the DPA 1998 did not exclude the operation of vicarious liability. Lord Reed stated that the imposition of a statutory duty upon an employee (in this case, as a data controller) does not implicitly exclude the vicarious liability of the employer for a breach of that duty, or for related common law wrongs. The statutory scheme and vicarious liability could operate concurrently.
In these circumstances, the imposition of vicarious liability in the event of a data breach is not inconsistent with the statutory scheme. On the contrary, it is consistent with the aim of offering a remedy to the person whose privacy has been invaded.
Implications
The judgment significantly clarifies and arguably narrows the scope of the ‘close connection’ test for vicarious liability. It provides reassurance to employers that they will not be held strictly liable for the malicious and personal acts of ‘rogue employees’, even where the employment created the opportunity for the wrongdoing. The employee’s motive is a relevant, and in this case critical, factor. The decision distinguishes cases of personal vendetta from cases where an employee’s wrongful act is a misguided or unauthorised mode of performing their assigned duties. It also confirms that, in principle, vicarious liability can apply to data breaches under the DPA/GDPR framework, even though it was not established on the facts of this specific case.
Verdict: The appeal by Morrisons was allowed. The Supreme Court held that Morrisons was not vicariously liable for its employee’s actions.
Source: WM Morrisons v Various Claimants [2020] UKSC 12
Cite this work:
To cite this resource, please use the following reference:
National Case Law Archive, 'WM Morrisons v Various Claimants [2020] UKSC 12' (LawCases.net, October 2025) <https://www.lawcases.net/cases/wm-morrisons-v-various-claimants-2020-uksc-12/> accessed 12 October 2025
