In WM Morrison Supermarkets plc v Various Claimants, the Court of Appeal has upheld the decision of the High Court that an employer was vicariously liable for the actions of a rogue employee, who disclosed the personal information of around 100,000 colleagues on the Internet. The Data Protection Act 1998 (DPA) did not exclude vicarious liability in such circumstances, and there was a sufficiently close connection between the employee’s employment and his wrongful conduct for it to be just to hold the employer liable. In so holding, the Court has confirmed that motive is irrelevant to the test for vicarious liability, even when, as here, the employee’s motive was to harm the employer rather than to achieve some benefit for himself, or to inflict injury on a third party.

Mr Skelton, a disgruntled senior IT internal auditor at Morrisons, was asked to send data to external auditors. He exploited his legitimate working access to Morrisons’ databases to steal the personal details of employees and post them online. The data consisted of names, addresses, gender, date of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes and account numbers, and salary details. He acted in pursuit of a personal grudge against Morrisons, and was convicted of fraud and of offences under the Computer Misuse Act 1990 and the DPA. Some 5,000 employees sought to hold Morrisons vicariously liable for Mr Skelton’s misuse of their private information and breach of confidence.

Peter Stanway, our BackupHR™ legal expert, comments:

Lawyers’ views remain divided on whether such activity was truly in the course of employment, or a ‘frolic of the employee’s own’. From a corporate compliance standpoint, the decision causes a problem, since there is, in effect, very little that can be done to protect an employer (and consequently data subjects) from the actions of a rogue employee. For the Courts to find that the employer can be liable for a malicious breach, notwithstanding that it took appropriate steps to protect the data, will be of concern to many businesses.

The Court of Appeal specifically rejected Morrisons’ public-policy argument that vicarious liability in similar scenarios imposes a disproportionate burden on “innocent” employers. The Court’s strict stance in that regard should be viewed in conjunction with the possible increase in data protection-related group litigation now that the GDPR is in force. The decision is particularly notable in light of the ICO’s conclusion, following its investigation into this case, that Morrisons had not breached the DPA, and as such, should not be fined. On a practical level, the Court suggested that employers should insure against data breaches committed by employees given the large potential liabilities involved.

The case is likely to go to the Supreme Court, but whatever the result there, organisations cannot be complacent about data protection.


Notwithstanding our concern that there is little that can be done to prevent clever, senior, malicious individuals from committing illegal acts, employers should ensure that they have:

  1. Properly vetted staff, particularly where they require access to confidential information.
  2. Clear, easily understood and relevant policies, which are regularly updated and communicated to employees and some contractors.
  3. Staff training on security rules and requirements.
  4. Close monitoring of how sensitive data is handled.
  5. Protocols which prevent indiscriminate access to, and copying of, sensitive information to personal devices.
  6. Strong indemnities in employment contracts as a financial deterrent to potential rogue employees.
  7. Sufficient insurance policies in the event of “Armageddon” – as the Court put it.

The guidance provided in this article is just that – guidance. Before taking any action make sure that you know what you are doing, or call us for a free initial chat on 01480 677980.