On the 1 April 2020 the Supreme Court made its judgment on the case of Morrisons Supermarkets plc v Various Claimants  UKSC 12. The main objective for the Supreme Court was to decide when an employer should be vicariously liable for the actions of its employees. Vicarious liability is when an employer is held responsible for an employees’ actions consequently making them legally liable. The employee must be acting within the scope of their employment and not have ‘gone rogue’.
The facts of the case begin in July 2013, when a senior auditor for Morrisons (Skelton) was subject to disciplinary proceedings. He was given a verbal warning for minor misconduct, which led to him harbouring a grudge against Morrisons.
In November 2013, Skelton was given access to payroll data relating to all of Morrisons workforce in preparation for an annual external audit, a task that he had completed in 2012. On the 18 November 2013 he copied the data from his work laptop, on to a personal USB stick. On the 12 January 2014 he then uploaded that data to a file sharing website. The upload contained information on 98,998 Morrison employees. Once Morrisons was made aware of the data leak, it took immediate steps to remove the data from the internet and took measures to protect its employees’ identities.
Skelton was arrested and subsequently convicted. He was sentenced to eight years imprisonment. Morrisons spent more £2.26 million dealing with the data leak with a large amount of that money going towards protecting its employees’ identities.
The claimants of this case then brought legal action against Morrisons for the breach of their private data under the Data Protection Act 1998 and for breach of mutual trust, claiming Morrisons was vicariously liable for Skelton’s actions.
The High Court ruled that Morrisons was vicariously liable for Skelton’s actions as it provided him with the data which he subsequently leaked. Morrisons trusted Skelton with confidential information, therefore accepting the risk that its trust may have been wrongly placed.
Morrisons appeal to the Court of Appeal was dismissed. The court concluded that there was nothing in the Data Protection Act 1998 that excluded vicarious liability for Skelton’s actions, as sending data to third parties was within the scope of Skelton’s employment. The court used precedent such as Lister v Hesley Hall Ltd  UKHL 22 to reach its decision. That case concerned the sexual abuse of children at a boarding school by the warden of that school. It concluded that if there was a close connection between the persons employment role and the act, then it would be just to hold the employers vicariously liable.
The Supreme Court has now stated the Court of Appeal misunderstood the principles of vicarious liability, as disclosing data on the internet did not form part of Skelton’s duties or activities. It was not an act he was authorised to do; therefore, it was not within the scope of Skelton’s employment. The Court of Appeal had incorrectly applied the close connection test. The fact that Morrisons gave Skelton the opportunity to commit the wrongful act was not sufficient to impose vicarious liability. The Supreme Court ruled that Morrisons was not liable for Skelton’s actions.
This Supreme Court judgment will have been what all employers would have hoped for when considering vicarious liability, especially considering the fines that can now be imposed under the new Data Protection Act 2018.
By Samuel Killoran who is a Law Student at Solent University