WM Morrisons v Various Claimants [2020] UKSC 12

Morrisons’ employee Andrew Skelton, harbouring a grudge, copied payroll data of almost 100,000 staff and posted it online. Thousands sued Morrisons. The Supreme Court held Skelton acted on a personal vendetta, so Morrisons was not vicariously liable, clarifying limits of employer liability.

Facts

The appellant, WM Morrison Supermarkets plc, operates a chain of supermarkets. The respondents are 9,263 current or former employees whose personal data were disclosed online by another employee, Andrew Skelton.

Skelton was a senior internal auditor. In July 2013 he received a verbal warning for minor misconduct and thereafter held an irrational grudge against Morrisons. In preparation for Morrisons’ annual external audit, KPMG requested payroll data. The head of internal audit delegated the task of collating and transmitting this data to Skelton, who had also done it in 2012.

On 15 November 2013 Skelton was given access to payroll data for around 126,000 employees, including names, addresses, dates of birth, phone numbers, national insurance numbers, bank details and salaries. Between 15 and 21 November he transmitted the data to KPMG as instructed. However, on 18 November he covertly copied the data from his work laptop onto a personal USB stick.

Skelton took deliberate steps to conceal his identity and frame a colleague involved in his disciplinary process. He obtained a pay-as-you-go mobile phone, created a false email account in the name of a colleague, linked it to the phone, and later used the anonymity software “Tor”.

On 12 January 2014, while at home, Skelton uploaded a file containing the data of 98,998 employees to a publicly accessible file-sharing website and posted links on other websites. On 13 March 2014, the day Morrisons’ financial results were due to be announced, he anonymously sent CDs containing the file to three newspapers, purporting to be a member of the public who had found the data online. The newspapers did not publish the data; one alerted Morrisons.

Morrisons quickly arranged for removal of the data from the internet, commenced internal investigations, informed the police and its employees, and implemented identity protection measures. Skelton was arrested, convicted of criminal offences, and sentenced to eight years’ imprisonment. Morrisons spent over £2.26 million dealing with the disclosure, including identity protection for employees.

The claimants brought proceedings for compensation for “distress, anxiety, upset and damage”, alleging: (i) Morrisons’ primary liability in breach of section 4(4) of the Data Protection Act 1998 (DPA), misuse of private information and breach of confidence; and (ii) Morrisons’ vicarious liability for Skelton’s breaches of the DPA, misuse of private information and breach of confidence.

Issues

The agreed issues before the Supreme Court were:

1. Whether Morrisons was vicariously liable for Skelton’s conduct.
2. If so:
   1. Whether the DPA excludes vicarious liability for statutory torts committed by an employee data controller under the DPA.
   2. Whether the DPA excludes vicarious liability for misuse of private information and breach of confidence.

Judgment

Proceedings below

Langstaff J rejected any primary liability on the part of Morrisons under the DPA, or for misuse of private information or breach of confidence. However, he held Morrisons vicariously liable for Skelton’s breach of statutory duty under the DPA, misuse of private information and breach of confidence. He considered that Skelton had been put in a position to handle and disclose the data, and that events formed “a seamless and continuous sequence of events … an unbroken chain”. Adopting Lord Toulson JSC’s language in Mohamud v WM Morrison Supermarkets plc, he concluded:

“Adopting the broad and evaluative approach encouraged by Lord Toulson JSC in Mohamud’s case [2016] AC 677 I have therefore come to the conclusion that there is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable ‘under the principle of social justice which goes back to Holt CJ’.”

The Court of Appeal dismissed Morrisons’ appeal. It held there was no exclusion of vicarious liability by the DPA in relation to misuse of private information and breach of confidence, and, applying its understanding of Mohamud, concluded that Skelton’s acts in sending the claimants’ data to third parties were within the “field of activities” assigned to him. The Court of Appeal regarded the events as a “seamless and continuous sequence” or “unbroken chain” and considered motive irrelevant.

Clarification of the Mohamud test

Lord Reed (with whom Lady Hale, Lord Kerr, Lord Hodge and Lord Lloyd-Jones agreed) held that the courts below had misunderstood the principles governing vicarious liability, in particular their reading of Mohamud. He emphasised that Mohamud did not change the law but applied the established “close connection” test as formulated by Lord Nicholls in Dubai Aluminium Co Ltd v Salaam:

“Perhaps the best general answer is that the wrongful conduct must be so closely connected with acts the partner or employee was authorised to do that, for the purpose of the liability of the firm or the employer to third parties, the wrongful conduct may fairly and properly be regarded as done by the partner while acting in the ordinary course of the firm’s business or the employee’s employment.”

Lord Reed stressed that this test must be applied by orthodox common law reasoning, drawing on earlier authorities, and that judges are not free to rely on a free‑floating sense of “social justice”.

He explained that in Mohamud, Lord Toulson’s reference to an “unbroken sequence of events” and a “seamless episode” was concerned with whether the employee was acting in the capacity of an employee throughout, not with mere temporal or causal connection. Likewise, the observation that “motive is irrelevant” was confined to the particular context of that case, where the employee was already found to be acting (albeit wrongly) in the course of his employer’s business.

Application to Skelton’s wrongdoing

Applying the correct test, the Court first identified Skelton’s authorised functions. He was entrusted with collating and transmitting the payroll data to KPMG for audit purposes, and he did so between 15 and 21 November 2013.

The question was whether his later disclosure of the data online, using the private copy made on 18 November, was so closely connected with these authorised acts that it could fairly and properly be regarded as done in the ordinary course of his employment.

The Court acknowledged that Skelton could not have committed the wrong without the opportunity afforded by his role: his access to the data enabled him to make the private copy he later used. However, it reiterated that opportunity alone is insufficient to justify vicarious liability.

Lord Reed noted that the courts below had erred in several important respects:

• The internet disclosure was not part of Skelton’s “functions or field of activities” in the sense used in Mohamud; it was not an act he was authorised to do.
• The five factors from Various Claimants v Catholic Child Welfare Society, relied on by the trial judge, concern whether a relationship is akin to employment, not whether particular wrongdoing is sufficiently connected to employment.
• A close temporal or causal link between events does not by itself satisfy the close connection test.
• Skelton’s reason for acting was highly relevant: whether he acted on his employer’s business or for purely personal reasons was central.

Lord Reed drew on authorities distinguishing acts done in furtherance of the employer’s business (even if misguided) from those done on a “frolic of his own”. He cited the classic statement in Joel v Morison that if a servant is on “a frolic of his own, without being at all on his master’s business, the master will not be liable”, and Lord Nicholls’ distinction in Dubai Aluminium between employees furthering their employer’s business and those “engaged solely in pursuing [their] own interests”.

The Privy Council decision in Attorney General of the British Virgin Islands v Hartwell was particularly relevant. There, a police officer used a service revolver to shoot in a bar for personal reasons. Despite his status and access to the weapon through his role, the Government was not vicariously liable because he had abandoned his duties and embarked on a personal vendetta:

“From first to last, from deciding to leave the island of Jost Van Dyke to his use of the firearm in the bar of the Bath & Turtle, Laurent’s activities had nothing whatever to do with any police duties, either actually or ostensibly. … That conduct falls wholly within the classical phrase of ‘a frolic of his own’.”

Similarly, in Warren v Henlys Ltd the petrol station attendant’s assault on a customer was held to be “an act entirely of personal vengeance”, not an act in the course of employment; whereas in Bellman v Northampton Recruitment Ltd, an assault by a managing director while asserting his managerial authority over staff was sufficiently connected to his authorised role to attract vicarious liability.

Applying these principles, Lord Reed concluded that Skelton’s acts were not done to further Morrisons’ business but were motivated by a personal vendetta, seeking revenge for earlier disciplinary proceedings. He was “engaged solely in pursuing his own interests” and on a “personal vendetta of his own”.

The Court held that, in these circumstances, Skelton’s wrongful disclosure was not so closely connected with his authorised functions that it could fairly and properly be regarded as done in the ordinary course of his employment. The necessary conditions for vicarious liability were therefore not met.

The Data Protection Act 1998 and vicarious liability

Although unnecessary to dispose of the appeal, the Court addressed whether the DPA excludes vicarious liability for: (a) breaches of the DPA by an employee data controller; and (b) misuse of private information and breach of confidence.

Lord Reed adopted the principles stated by Lord Nicholls in Majrowski v Guy’s and St Thomas’ NHS Trust that, unless a statute indicates otherwise, vicarious liability applies to breaches of statutory obligations sounding in damages committed in the course of employment:

“Unless the statute expressly or impliedly indicates otherwise, the principle of vicarious liability is applicable where an employee commits a breach of a statutory obligation sounding in damages while acting in the course of his employment.”

Morrisons argued that section 13 DPA and the seventh data protection principle impliedly confined liability to data controllers, based on a fault standard, and that it would be inconsistent to impose strict vicarious liability on an employer who was itself a compliant data controller while an employee, separately a data controller, acted wrongfully.

The Court rejected this argument. It held that the DPA’s imposition of liability on data controllers is not inconsistent with common law vicarious liability for breaches of statutory, common law or equitable duties by employees. The Act is silent on the position of employers, so there is no express or implied exclusion. The coexistence of fault-based primary liability and strict secondary liability is not anomalous and mirrors the general position in tort, where employers may be strictly vicariously liable for employees’ fault-based wrongs.

Accordingly, the Court held that, in principle, vicarious liability can apply to breaches of the DPA, misuse of private information and breach of confidence by an employee, provided the close connection test is met. On the facts, however, that prerequisite was not satisfied.

Implications

This decision significantly clarifies the boundaries of employer vicarious liability, particularly in data breach and information privacy contexts:

• It confirms that Mohamud did not expand vicarious liability and that the controlling test remains whether the wrongful act is so closely connected with authorised acts that it can fairly and properly be regarded as done in the ordinary course of employment.
• Temporal or causal links, or the mere fact that employment afforded the opportunity to commit the wrong, are insufficient; the employee’s purpose and whether he was furthering the employer’s business or pursuing a personal agenda are central.
• Employees’ intentional data breaches driven by personal vendettas are unlikely, absent more, to fall within the course of employment for vicarious liability purposes.
• The DPA 1998 does not, in principle, exclude the application of vicarious liability to statutory breaches, or to misuse of private information and breach of confidence; but liability turns on satisfaction of the close connection test.

The case is now a leading authority on the limits of vicarious liability for deliberate information misuse by employees and provides important guidance to employers, litigants and courts in privacy, data protection and wider tort litigation.

Verdict: Appeal allowed; WM Morrison Supermarkets plc was not vicariously liable for Andrew Skelton’s wrongful disclosure of employee data, and cannot be held liable for his conduct.

Source: WM Morrisons v Various Claimants [2020] UKSC 12