Morrisons Vicariously Liable for Employee’s Disclosure of Personal Data

13 December 2017


The High Court has held that Morrisons Supermarket was vicariously liable for its employee’s disclosure of co-workers’ personal data on the internet. This is the first ever group litigation data breach case to come before the courts, and has huge implications for anyone who processes personal data using employees or agents.

Mr Skelton was employed by Morrisons as a senior IT internal auditor. He was subject to disciplinary action by Morrisons, and held a grudge against his employer as a result. In 2013, he was tasked with sending payroll data, including the personal data of staff, to KPMG for external audit purposes. He was provided with an encrypted USB stick with the data, which he downloaded onto his work computer. He sent the information on to KPMG, but retained the data on his work computer. In 2014, he uploaded the data onto a public file sharing site. In 2015, Mr Skelton was arrested and charged with fraud, an offence under the Computer Misuse Act 1990 and under Section 55 of the Data Protection Act 1998. He was convicted and sentenced to eight years in prison.

The co-workers whose data was disclosed brought a group civil claim against Morrisons for compensation in respect of a breach of statutory duty under the Data Protection Act 1998, misuse of private information, and breach of confidence. They argued that Morrisons was vicariously liable for the acts of its employee, Mr Skelton.

Morrisons argued that the Data Protection Act does not recognise any form of vicarious liability for unauthorised acts by employees. However, the Court disagreed. The Court held that if an employee misused information and the employer ceased to be liable on the basis that it was no longer the data controller, this would defeat the rights of data subjects rather than enhance them. The Court decided that it is more consistent with the principles of Data Protection law, to make the employee personally liable, as well as retaining his employer’s vicarious liability.

The Court found that the motive of the employee, and the fact that he was acting out of a grudge against his employer, was not relevant. Where an employee misuses his position to harm others, the Court held that the employer who entrusted the employee with that position should be held responsible.

The case is likely to be heard by the Court of Appeal.


This decision will be of great concern to employers. It suggests that even where employers have taken steps to prevent misuse of personal data, and are not directly at fault, they could still be found vicariously liable for the actions of a “rogue” employee. If Morrisons’ appeal is unsuccessful they may have to compensate the 5,518 claimants involved in the case, and potentially the 94,480 other employees whose information was placed online.

From May 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998, strengthening the rights of data subjects and increasing the responsibilities of data controllers and data processors. It is possible that there could be an increase in claims such as this one under the GDPR, and the administrative fines that can be levied by the ICO will also be significantly greater.

If you have any queries about this decision, or any aspect of Data Protection law, please do not hesitate to contact our Information Law team.