Stronachs Logo

Don’t worry – despite the festive season now being well and truly upon us, this is not another rehashed blog about the perils of the Christmas party! Instead, this week we look at a recent case which has received much publicity because it highlights to employers, who are already well aware that their data protection obligations are changing with the coming into force of European Union’s General Data Protection Regulation (GDPR) on 25 May 2018, that courts can and will hold them “vicariously liable” i.e. liable through the actions of another for unauthorised use of personal data by their employees.

In brief, the High Court in Various Claimants v Wm Morrisons Supermarket PLC, had to decide who was liable for the criminal actions of a Morrisons employee, Mr Skelton, which resulted in the personal data of almost 100,000 Morrisons employees being posted on the internet and sent to various newspapers. Mr Skelton held a grudge against Morrisons due to being disciplined for using the Morrisons mail room for his side business (the sale of a slimming drug via Ebay). As part of his duties, Mr Skelton, a Senior IT Auditor, was one of a handful of so-called super users of the software which held the personal details of employees (such as payroll information, dates of birth, and addresses). It was his responsibility to copy data requested by Morrisons’ external auditors and pass this information to them. After receiving a formal warning from Morrisons under their disciplinary procedure, he retained a copy of the data and uploaded it to the internet, with the intention of harming the company. When Morrisons became aware of the breach, the site was taken down, and Mr Skelton was eventually arrested and sentenced to 8 years imprisonment. However, 5,518 of the affected employees brought a claim against Morrisons, firstly alleging that it was directly and primarily liable because it had failed to properly control the data under the Data Protection Act, and secondly that it was vicariously liable through Mr Skelton’s illegal actions in the course of his employment.

On the question of direct or primary liability, the High Court held that appropriate steps had been taken by Morrisons. There had been nothing to suggest that Mr Skelton could not be trusted after the warning had been issued. The High Court accepted evidence that large data controllers will require a certain number of individuals to be super-users who have access to the data of others to ensure the proper running of the business, and there can never be 100% certainty that they will not misuse such data. Furthermore, appropriate steps were taken by Morrisons to ensure the security of the data once it was copied; for instance the laptop and USB that the data were copied to were encrypted and could only be accessed by Mr Skelton. The only failure identified by the High Court was that there was no procedure in place by which managers would check that such data had then been deleted once it had been transferred to the external auditors. However, it was held that this had not contributed to the breach in question.

On the question of vicarious liability, however, the High Court did consider that Morrisons should be held liable. It was held that there was an “unbroken thread” which linked the disclosure to Mr Skelton’s employment. It was a matter of fact that part of his duties had been the copying of the data, and he had been deliberately entrusted with this by Morrisons. He was acting as an employee when the copying took place. Furthermore, transmitting the data was also part of his duties, albeit that his authority was restricted to transferring the information to the external auditors. The fact that Morrisons themselves had done nothing wrong was not relevant; the question was whether Mr Skelton’s acts of wrongdoing were sufficiently closely connected to his employment for Morrisons to be vicariously liable.

Morrisons’ representatives argued that the purpose of Mr Skelton’s disclosure had been to harm Morrisons, and argued that it was clear it drew no benefit from the disclosure; in fact, the opposite was true. Although the High Court felt that this argument had “traction”, they ultimately held that “the issue is not so much at whom the conduct was aimed, but rather upon whose shoulders it is just for the loss to fall”. In this case, although Mr Skelton had aimed his actions at Morrisons, the employees whose data he exposed on the internet were also victims. In the circumstances, the High Court held that vicarious liability had been established.

Employers may well be alarmed by the outcome. Morrisons had, as the High Court acknowledged, taken steps to ensure the safety of the data, and were not themselves in breach of data protection legislation. It may well seem unjust that a rogue employee who was acting out of a grudge held against the company could be held to be sufficiently connected in his illegal actions to result in the employer’s vicarious liability.

Morrisons has been granted leave to appeal, so the issues raised in this case will now be determined by the Court of Appeal. Should the High Court’s decision be upheld, employers may well face more claims in the future as the GDPR extends the rights of data subjects against both data controllers and data processors. Given that there have been many high-profile data breaches in the news in recent years, it seems likely that the issues raised in this case will become more commonly litigated. The level of compensation has not yet been determined, but the reputational damage alone will have cost Morrisons dearly.

If you have concerns regarding either the issues raised in this case or the coming into force of the GDPR, please do not hesitate to contact a member of the Stronachs Employment Team.

Annika Neukirch, Solicitor


Chambers Leading Firm 2019

Contact Info

28 Albyn Place, Aberdeen AB10 1YL
Tel: +44 1224 845845


Camas House, Fairways Business Park,
Inverness IV2 6AA
Tel: + 44 1463 713225