Supermarket Sweep—UK Supreme Court Clarifies Law Regarding Vicarious Liability: Key Take-Aways for Employers
In what is likely to be viewed as a landmark decision, the Supreme Court has recently overturned decisions of the High Court and Court of Appeal and found that the supermarket chain Morrisons is not vicariously liable for the unauthorised and unlawful disclosure of personal data by one of its employees.
The Supreme Court held that a disgruntled employee was not “acting in the course of his employment” when he unlawfully published the data outside of work hours. Instead, he was pursuing a personal vendetta and seeking vengeance for disciplinary proceedings which had been brought against him months earlier. The fact that his employment gave him the opportunity to commit the wrongful act was held not to be sufficient to warrant the imposition of vicarious liability.
Although ultimately inconsequential, the Supreme Court also addressed an argument by Morrisons that the Data Protection Act 1998 (the “DPA 1998”) excludes vicarious liability. The Court found that the DPA 1998 does not exclude the imposition of vicarious liability for statutory breaches of its provisions by an employee data controller, nor for the torts of misuse of private information and breach of confidence.
The Supreme Court’s decision brings welcome clarification to the law on vicarious liability and no doubt significant relief to employers. It is important to note that it has not changed the law on vicarious liability, but it does appear to break new ground in relation to the scenario where an employee commits an act which, although damaging to third parties, is primarily aimed at harming their employer. The judgment suggests that it is unlikely (albeit not impossible) that the employer will be found vicariously liable for wrongdoing which is designed specifically to harm it.
However, it is also important to remember that the decision was based on the specific facts of the case. The decision does not necessarily mean that an employer will not be held liable for the rogue acts of an employee generally. The “close connection” test still remains fairly broad and every case will continue to turn on its facts.
Even though Morrisons avoided liability for civil claims brought by 5,500 claimants, it still spent more than £2.26m in dealing with the immediate aftermath of the disclosure - a significant amount of which was spent on identity protection measures for its employees. However, if the Supreme Court had upheld the decisions of the lower courts and found Morrisons vicariously liable, the potential value of the civil claims could easily have been far higher. Given the current lack of precedent concerning the quantum of damages in personal data breach group actions, it is difficult to predict the precise extent of damages Morrisons may have been liable for. However, even if damages on a per claimant basis were relatively low, the cumulative damages payable to all claimants could have been very substantial.
Accordingly, as regards data protection, employers must continue to ensure that compliance with applicable data protection laws remains of paramount importance, particularly with respect to data security. In doing so, an employer should maintain sufficient policies, procedures, systems and controls to reduce the risk of unauthorised disclosure of, or access to, personal data. Key staff should receive tailored training in prevention techniques, and in crisis management responses, in case the worst does happen. Further, in the hope of mitigating the cost if things do go wrong, employers should ensure that they have the right type of insurance cover and at the right level. Employers should also not underestimate the potential for negative brand and reputational damage that is often caused by a data breach, whether or not a company is ultimately found liable. Compliance with data protection law in areas such as security has never been more important.
In its recent judgment in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)  UKSC 12,
the circumstances in which an employer may be held vicariously liable for the acts of its employee; and
whether the DPA 1998 excludes the application of vicarious liability for: (i) statutory torts committed by an employee data controller under the DPA 1998; and (ii) misuse of private information and breach of confidence.
As regards vicarious liability, the Supreme Court overturned the decisions of both the judge at first instance and the Court of Appeal, and found that Morrisons was not vicariously liable for the acts of a disgruntled employee who, motivated by a desire to harm his employer, had unlawfully disclosed the personal details of 5,500 of the supermarket’s current and former employees. In doing so, the Supreme Court addressed certain misunderstandings following Lord Toulson’s judgment in Mohamud v WM Morrison Supermarkets plc  UKSC 11 (“Mohamud”) and reaffirmed the test for vicarious liability set out in Dubai Aluminium Co Ltd v Salaam  2 AC 366 (“Dubai Aluminium”).
The Supreme Court also held that the principle of vicarious liability applies to breaches of the DPA 1998, and to breaches of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment.
While the Supreme Court’s decision reaffirms well-established principles concerning vicarious liability, it provides welcome clarity over the circumstances in which the doctrine will be held to apply in most cases and, in particular, as regards the liability of an employer for the acts of an employee which were specifically designed to harm it. This scenario had not previously been considered by the English courts.
Andrew Skelton was an employee of Morrisons in its internal audit team. In July 2013, he was the subject of disciplinary proceedings and became disgruntled with his employer.
In November 2013, Skelton was responsible for transmitting payroll data for Morrisons’ employees to its external auditors, KPMG. He completed the task but also maintained a copy of the data and uploaded it to a publicly accessible file-sharing website. He then sent the file anonymously to three UK newspapers, purporting to be a concerned member of the public who had come across it online. One of the newspapers alerted Morrisons, which subsequently took steps to have the data removed from the internet, and reported the issue to the police. Skelton was subsequently arrested, prosecuted for a number of offences and sentenced to eight years’ imprisonment.
Employees and former employees of Morrisons, whose data Skelton had posted online, brought civil proceedings against Morrisons on the basis that it was vicariously liable for Skelton’s acts.
The judge at first instance concluded that Morrisons was vicariously liable for Skelton’s breach of statutory duty under the DPA 1998, misuse of private information and breach of confidence. Langstaff J found that Skelton’s wrongful conduct was committed in the course of his employment, and that his subsequent act of copying the data and posting it online was “a seamless and continuous sequence of events” and “an unbroken chain” which was “closely related” to the task that Morrisons had asked him to carry out. Furthermore, Langstaff J found that the five policy reasons identified by Lord Phillips in the Catholic Child Welfare Society case
The Court of Appeal dismissed Morrisons’ appeal, agreeing with the High Court that Skelton’s acts constituted an “unbroken chain” of events. The Court of Appeal confirmed that Morrisons was vicariously liable for Skelton’s wrongdoing, as his unauthorised disclosure of the personal data was “within the field of activities assigned to him by Morrisons”. Even though Skelton’s motive was to harm his employer, the Court of Appeal found that motive was irrelevant to the question of whether vicarious liability should be applied.
The Supreme Court unanimously allowed Morrisons’ appeal, concluding that it should not be vicariously liable for Skelton’s conduct.
Vicarious Liability Under English Law
Lord Reed, who gave the leading judgment, observed that the starting point was Lord Toulson’s judgment in Mohamud
Lord Reed noted that, having considered this test and explained how it had been applied in subsequent cases, Lord Toulson then went on to try and summarise the law in “the simplest terms” when he observed that a court had to consider the following two key questions:
first, what functions or “field of activities” had been entrusted to the employee by their employer (i.e. what acts was the employee authorised to carry out); and
second, whether there was a sufficient connection between the position in which the employee was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice.
Lord Reed explained that some of the phrases used by Lord Toulson in Mohamud had since been taken out of context and had been treated as signalling a departure from the approach adopted by Lord Nicholls in Dubai Aluminium. However, he explained that Lord Toulson was not suggesting that in determining vicarious liability, a court only needed to consider whether there was a temporal or causal connection between the employment and the wrongdoing, and whether it was right for the employer to be held liable as a matter of social justice.
Lord Reed went on to observe that:
“Plainly, the close connection test is not merely a question of timing or causation, and the passage which Lord Toulson cited from Dubai Aluminium makes it clear that vicarious liability for wrongdoing by an employee is not determined according to individual judges’ sense of social justice.”
He also held that:
Lord Toulson’s comments in Mohamud that there was an “unbroken sequence of events” and a “seamless episode” were not directed towards the temporal or causal connection between the various events, but instead towards the capacity in which the employee had been purporting to act when the wrongful conduct took place (i.e. whether the employee was acting “about his employer’s business”); and
Lord Toulson’s decision that the employee’s motive in Mohamud was “irrelevant” was not intended to convey a general principle that an employee’s motive is irrelevant to the question of whether their employer should be held vicariously liable for their wrongful acts.
Having clarified these aspects of Lord Toulson’s judgment in Mohamud, Lord Reed went on to observe that the Court of Appeal had misunderstood the principles governing vicarious liability. He set out four ways in which the Court of Appeal’s finding of vicarious liability against Morrisons was mistaken:
first, Skelton’s unauthorised disclosure of the data on the internet did not form part of his functions or “field of activities” and was not an act which he was authorised to do;
second, the fact that the five factors listed by Lord Phillips in Catholic Child Welfare Society were all present was irrelevant to the case. Those factors were not concerned with the question of whether the wrongdoing in question was so closely connected with the wrongdoer’s employment that vicarious liability ought to be imposed. Instead, they were relevant to the question of whether, in the case of wrongdoing committed by someone who was not an employee, the relationship between the wrongdoer and the defendant was sufficiently similar to one of employment that the doctrine of vicarious liability should apply;
third, although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting it to KPMG and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test; and
fourth, the reason why Skelton acted wrongfully (i.e. his motive) was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material.
Lord Reed then re-affirmed the test for vicarious liability set out by Lord Nicholls in Dubai Aluminium and observed that:
“the question is whether Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”
In applying this test, he made it clear that it is necessary to have regard to the guidance provided by previous court decisions, although he noted that there did not appear to be any previous cases where it had been argued that the employer might be vicariously liable for wrongdoing which was specifically designed to harm it. Accordingly, he based his analysis on previous cases where the employee had engaged in an independent personal venture. Having considered such cases, he held that:
“All these examples illustrate the distinction drawn by Lord Nicholls at para 32 of Dubai Aluminium  2 AC 366 between ‘cases … where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.’”
This led him to conclude as follows:
Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question; instead, he was pursuing a personal vendetta and seeking vengeance for the disciplinary proceedings which had been brought against him months earlier;
in these circumstances, Skelton’s unlawful disclosure of data was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment; and
further, the fact that Skelton’s employment gave him the opportunity to commit the wrongful act would not be sufficient to warrant the imposition of vicarious liability.
Vicarious Liability and the DPA 1998
Having concluded that Morrisons was not vicariously liable for Skelton’s acts, it was not strictly necessary for the Supreme Court to consider whether the DPA 1998 excludes the imposition of vicarious liability in relation to statutory breaches of its provisions by an employee data controller and the torts of misuse of private information and breach of confidence. However, given that the point had been fully argued by the parties, Lord Reed felt that the Supreme Court should express its view.
Morrisons had argued that: (i) the DPA 1998 made it clear that liability was to be imposed only on data controllers, and only where they had acted without reasonable care; and (ii) since it was common ground that Morrisons had adequately performed its obligations as data controller, and that Skelton was a data controller in his own right in relation to the data which he copied and disclosed, it followed that Morrisons could not be vicariously liable for his breach of his duties under the DPA 1998.
Lord Reed held that Morrisons’ argument, although “attractive”, was not persuasive. He reasoned that:
imposing statutory liability on a data controller, like Skelton, was not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA 1998 or for a common law or equitable wrong, as the DPA 1998 says nothing about a data controller’s employer;
it is irrelevant that a data controller’s statutory liability under the DPA 1998 is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault; and
since the DPA 1998 does not indicate (whether expressly or impliedly) whether the principle of vicarious liability applies to breaches of its obligations, an employer can be found vicariously liable for breaches which are committed by an employee data controller.
The Supreme Court’s judgment provides some welcome clarification on the law of vicarious liability. It is important to note that it has not changed the law, but has rather corrected a misapplication of the previous key case law by the lower courts and clarified and reconciled previous judgments to produce a clear precedent which can be followed in future cases.
Where it does appear to break new ground is in relation to the scenario where an employee commits an act which, although damaging to third parties, is primarily aimed at harming their employer. Lord Reed observed that this scenario had not previously been considered by the courts and his judgment suggests that it is unlikely that the employer will be found vicariously liable for wrongdoing which is designed specifically to harm it. In this sense, the scenario appears to fall into the category of the employee “acting on a frolic of their own”.
Accordingly, the Supreme Court’s decision will bring significant relief to employers. Indeed, upholding the decisions of the lower courts would have had far-reaching consequences. In particular, it would have resulted in the application of the close connection test being expanded to such a level that it is difficult to envisage the circumstances in which employers could successfully argue that the rogue acts of their employees fell outside the ordinary course of their employment.
However, while the decision has provided clarity on the potential scope of vicarious liability in respect of the rogue acts of employees, it is also important to remember that it was decided based on the specific facts of the case and any subsequent application of the decision will do the same.
Indeed, it does not appear that it would necessarily follow that an employer will never be held liable for the unauthorised disclosure of personal data as a result of the acts of one of its employees. In this case, Morrisons had complied with its statutory obligations under the DPA 1998. The Supreme Court, in determining Morrisons was not vicariously liable, placed a significant amount of emphasis on the fact that Skelton was pursuing his own interests and a personal vendetta against his employer, in respect of which the damage suffered by data subjects appears to have been collateral. However, the Supreme Court also made it clear that even if an employer has satisfied its own obligations as a data controller under the DPA 1998, it can still be vicariously liable where an employee is also acting as a data controller and breaches their statutory obligations. This would of course depend on the facts of the case and the application of the “close connection” test which remains fairly broad.
In this regard, it is important to note that although the Supreme Court considered the position by reference to the DPA 1998, its analysis would apply equally under the Data Protection Act 2018.
When it comes to the security of personal information, which, particularly since the inception of the GDPR, has become such a fertile ground for disputes, employers must continue to ensure that they have sufficient technical and operational measures, policies, procedures and controls in place to reduce the risk of unauthorised disclosures of, or access to, personal data, including by employees.
Indeed, it will not be lost on employers that even though Morrisons escaped liability for the civil claims, it still spent more than £2.26m in dealing with the immediate aftermath of the disclosure - a significant amount of which was spent on identity protection measures for its employees.
If Morrisons had been found liable for the civil claims, it is difficult to predict the quantum of damages it would have been required to pay given the current lack of precedent concerning damages in data breach group actions of this nature. This is particularly the case where claimants seek damages solely for distress. However, even if damages on a per claimant basis were relatively low, the cumulative damages payable to all claimants could have been very substantial.
The idea of a group action for a data protection breach is a relatively new concept in the UK, but something we are already seeing significantly more of and something that will only increase, particularly as there are a number of law firms who now specifically target these types of claim and are voracious in seeking press opportunities and advertising for clients, often on a ‘no win / no fee’ basis.
Given the value of some of the claims currently being pursued in the English courts in relation to personal data breaches, and the cost of investigating and defending these claims, the result could be financially crippling. In many instances, the associated press coverage causes significant brand and reputational damage whether or not a company is ultimately found liable. Compliance with data protection law in areas such as security has never been more important. Not only do policies, procedures, systems and controls need to be fit for purpose, key staff should also receive tailored training in prevention techniques, and in crisis management responses, in case the worst does happen. Further, in the hope of mitigating the cost if things do go wrong, it might also be a good time to review your level of insurance cover and the small print.