You might have more pressing matters to deal with at present, but one less thing to worry about is the ramifications of the Morrisons case (Morrisons v Various Claimants).

Let's recap because it's been a while.

Skelton was a senior auditor in Morrisons' internal audit team. In July 2013 (before Coronavirus, and before even Brexit, if you can remember such a time), he was given a verbal warning for minor misconduct. Skelton didn't respond well to being disciplined and decided that he would take action during Morrisons' annual external audit.

During the audit, Skelton was assigned the task of collating and transmitting payroll data to Morrisons' auditors. It was a task he had performed before, and he was given access to access to the payroll data (including name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number, and salary) relating to the whole of Morrisons' 126,000 strong workforce.

Skelton completed the task, but also made a copy of the data onto a personal USB stick. He then created a false email account in the name of an individual who had been involved in his disciplinary proceedings and linked the email account to a pay-as-you-go phone purchased especially for the task. In January 2014, Skelton uploaded a file containing the personal data of 98,998 of the employees on to a publicly accessible file-sharing website (using the false email account and phone), with links posted on other websites, and then sent the information on CDs to three UK newspapers purporting to be a concerned member of the public.

The trail was intended to frame Skelton's work colleague, but the plan didn't work as envisaged. Rather than publish the story, one of the papers alerted Morrisons and their response was admirable. Within hours the personal data was removed from the Internet, internal investigations were instigated and the police were informed. In addition, all staff members were notified and steps were taken to protect their identities (Morrisons in fact spent more than £2.26m in dealing with the response). Skelton was later identified as the perpetrator (despite his attempts to cover his tracks) and was arrested and subsequently imprisoned.

You might think that that would be the end of it, but you'd be wrong. 9263 of Morrisons' employees or former employees brought a claim against Morrisons arguing that Morrisons was vicariously liable for the conduct of Skelton. The claim was that vicarious liability arose under breach of the Data Protection Act 1998, misuse of private information and breach of confidence, and the claims were for damages of alleged "distress, anxiety, upset and damage".

Both the trial judge, Langstaff J, and the Court of Appeal found in favour of the claimants and held that Morrisons was vicariously liable for Skelton's actions. This was on the basis that "[t]he tortious acts of Mr. Skelton in sending the claimants' data to third parties were in our view within the field of activities assigned to him by Morrisons".

The decision was alarming. The courts' broad interpretation of what they would consider "within the field of activities" assigned to an employee meant that no matter what steps or procedures an employer put in place to protect personal data, they could still be held liable if a rogue employee was intent on causing harm. This was a particular concern for employers given the strengthening of data protection legislation under the General Data Protection Regulation.

Morrisons appealed, and the decision of the Supreme Court will be a welcome relief to employers.

The Supreme Court stated that "the question is whether Skelton's disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment." In this case the answer was no, and so Morrison's was not vicariously liable for the damage caused by Skelton.

The Supreme Court was also fairly critical of the Court of Appeal, holding that in attempting to follow the precedents set in previous case law, certain phrases had been taken out of context thus creating new legal principles which represented a departure from the principles the court was seeking to follow.

A separate question that was raised was whether it was even possible for an employer to be vicariously liable under the Data Protection Act 1998. Whilst it was a moot point given that Morrisons' appeal was successful, the Supreme Court did agree with Court of Appeal on this point and held that there was no exclusion of vicarious liability under the Data Protection Act 1998. One would think that the position would be the same under the Data Protection Act 2018.

Originally published 3 April, 2020

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.