05 November, 2018
WM Morrison Supermarkets PLC v Various Claimants (2018) EWCA Civ 233
Morrisons supermarket has lost its appeal to the Court of Appeal. The Court upheld the decision that the supermarket should be vicariously liable for an employee who intentionally disclosed the personal details of staff on a file sharing website.
In 2014, a file containing the personal details of 99,998 Morrisons employees was posted on a file sharing website. Following a police investigation, an employee, Andrew Skelton, was charged and sentenced to a term of 8 years' imprisonment. Skelton was a senior IT internal auditor and was described by colleagues as reliable and trustworthy. He ran a side-line business dealing in a legal slimming drug. He did not use Morrisons' facilities, except on occasions when he would put a package through the post room. In May 2013, an envelope came open in the post room at Morrisons. It contained white powder and caused immediate alarm. Skelton was arrested and escorted from the premises. He was suspended from work, pending a definitive laboratory analysis of the powder. Results showed that the drug was not illegal and Skelton, who had been on suspension for a month, was permitted to return to work. Morrisons disciplined him, and he was given a formal verbal warning. Skelton thought that Morrisons had acted excessively and held a serious grudge against his employer. In retaliation, he resolved to disclose the personal details of staff to damage the supermarket.
First Instance Decision
The 5000 co-workers whose data had been disclosed brought a group civil claim against their employer, Morrisons. The Court concluded that neither primary liability for misuse of private information nor breach of confidentiality could be established. The Defendant did not directly misuse any information personal to the data subjects, it did not authorise its misuse, and the information was not disclosed due to any carelessness on its part. The disclosure was a criminal act which was not Morrisons' doing, and was not facilitated or authorised by Morrisons. However, the Court did find that Morrisons was vicariously liable for the unlawful acts carried out by Skelton, as he had acted in the course of his employment.
Morrisons appealed the decision that they were vicariously liable to the claimants for the actions of Skelton. They argued that:
The Court of Appeal dismissed the appeal. They held that the common law remedy of vicarious liability of the employer for Skelton's misuse of private information and breach of confidence was not expressly or impliedly excluded by the Act. Furthermore, they agreed that the judge had correctly concluded that Skelton's actions at work and the disclosure on the web were a seamless and continuous sequence of events. Morrisons deliberately entrusted Skelton with the payroll data; his role in respect of the payroll data was to receive and store it, and to disclose it to a third party. It was in his 'field of activities'. His decision to disclose it to others was not authorised, but it was nonetheless closely related to what he was tasked to do.
This Judgment reinforces that for an employer to be deemed vicariously liable for the actions of an employee, the relevant "act" does not need to take place "on the job". Whilst the time and place at which the act took place will be relevant, they are not conclusive. In the recent case of Bellman v Northampton Recruitment 2018, the Court of Appeal overturned a lower court decision and found a company vicariously liable for an employee who punched another employee during impromptu drinks following a works Christmas party.
Many will be concerned that this case places a disproportionate and unfair burden on employers. The Court found that Morrisons had not done anything wrong; they had adequate and appropriate controls in place, but for reasons of public policy, they ought to be responsible to the victims. The employer usually has deeper pockets and in most circumstances will be in a position to provide compensation. Whilst the Court of Appeal was mindful that imposing vicarious liability in such situations might lead to claims for "potentially ruinous" amounts, it noted that the solution was to insure against such possibilities.
It is likely that this decision will pave the way for future group civil actions. The ruling in Vidal Hall v Google also allows data subjects to claim distress damages. In the Morrisons case, even though the individual awards are likely to be small, if each of the 99,998 employees were to bring a claim then the overall financial cost would be colossal.
We understand that Morrisons intend to appeal to the Supreme Court. In the meantime, employers should check their insurance policies to ensure that they have adequate cover in place.