The Supreme Court has today delivered the final word on this case which had until now left employers facing potential vicarious liability (and the prospect of having to pay damages under civil law principles) for a major, deliberate data breach by one of its former employees.
The breach occurred when Mr Skelton, who had been employed by Morrisons as part of its internal audit team, took an unauthorised copy of the supermarket’s entire workforce database. He was able to access this because part of his role was to liaise with external auditors, sharing some of the data for lawful payroll and other purposes. Mr Skelton held a grudge against Morrisons following some unrelated disciplinary proceedings. He took a copy of the database for himself and later uploaded it to a filesharing website where the data was publicly accessible.
The case has brought
together two important areas of law (i) the concept of the vicarious liability of an employer for the conduct of its employees
generally when they are acting in the course of their employment and (ii) the
data protection rules, which impose specific statutory obligations on employers
to protect the personal data they process – can vicarious liability ever apply
in relation to the data protection rules?
The case had been to the
High Court and Court of Appeal before reaching the Supreme Court of course but
now the legal position is clear-
(a) An employer can be
vicariously (that’s to say, indirectly) liable in circumstances where third
parties have suffered a compromise of their personal data through the actions
of one of its employees.
(b) That liability will
only arise, however, if and to the extent that the employee’s actions that
caused the data breach were sufficiently closely connected to his tasks as an
The court concluded that
authorised to transmit the payroll data to the auditors. His wrongful
disclosure of the data [copying it for himself and then uploading it to a filesharing
website] was not so closely connected with that task that it can fairly and
properly be regarded as made by Skelton while acting in the ordinary course of
Citing long established employment law principles about vicarious liability the court said
“…the fact that his employment gave him the
opportunity to commit the wrongful act is not sufficient to warrant the
imposition of vicarious liability. An employer is not normally vicariously
liable where the employee was not engaged in furthering his employer’s
business, but rather was pursuing a personal vendetta…”
So businesses can breathe a sigh of relief for
now, but it does not remove the need for them to ensure that they have suitable
technical and organisational controls in place to protect personal data from
For his part in all this Mr Skelton was prosecuted
for his offences under the (old) Data Protection Act and imprisoned.
Tim Heywood is a Partner in gunnercooke llp specialising in data protection, regulatory and cyber security matters.