In this case update, we consider the much awaited judgment of the Supreme Court in Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12 and what it means for employers.
This case concerned the actions of Mr Skelton, who was formerly employed by Wm Morrison Supermarkets plc (“Morrisons”) as an internal IT Auditor. Mr Skelton was said to hold a grudge against Morrisons following earlier disciplinary action taken against him. However, rather than raise his complaints in a conventional way, Mr Skelton took confidential payroll data from Morrisons and subsequently published the data on the internet in an apparent act of revenge.
As a consequence of his actions, Mr Skelton was convicted of criminal offences under the Data Protection Act 1998 and the Computer Misuse Act 1990. However, since Mr Skelton did not personally have the funds to compensate the victims of his actions, more than 9,000 individuals affected by his unlawful conduct brought a High Court claim seeking compensation from Morrisons (as his employer).
The High Court held that Morrisons was not primarily liable to the claimants because it had not directly misused the data or permitted the misuse of the data in any way. However, Morrisons was found to be vicariously liable for Mr Skelton’s actions on the basis that there was a sufficiently close connection between his position as IT Auditor and his actions.
Morrisons appealed to the Court of Appeal and argued that it could not be vicariously liable for Mr Skelton’s actions since his wrongdoing was motivated by a personal vendetta and he was not acting in the course of his employment when he published the confidential data.
Morrisons also argued that provisions in the Data Protection Act 1998 had the effect of excluding vicarious liability in respect of the misuse of private data.
The Court of Appeal held that Mr Skelton’s motive for taking and misusing the confidential data was irrelevant and it agreed with the High Court’s findings that there was a sufficiently close connection between Mr Skelton’s employment and his actions. The Court of Appeal also held that there was no express or implied exclusion of the common law principle of vicarious liability in the Data Protection Act 1998.
Morrisons appealed to the Supreme Court.
The Supreme Court rejected the Court of Appeal’s finding that Mr Skelton’s motives for the wrongdoing were irrelevant and made clear that the question of whether Mr Skelton was acting on Morrison’s business or for purely personal reasons was highly material. The Supreme Court therefore allowed the appeal on the basis that Mr Skelton’s actions were motivated by a personal vendetta and were not so closely connected to the acts which he was authorised to carry out that it could be said that the wrongdoings were carried out during the course of his employment.
Notwithstanding the fact that the Supreme Court found in favour of Morrisons, it agreed that the Data Protection Act 1998 did not exclude the common law on vicarious liability.
This decision will be reassuring to employers, since even with the most sophisticated of data security systems, it is not always possible to predict or prevent disgruntled employees from acting unlawfully, taking and misusing confidential data without permission. However, employers should still take all reasonable steps to ensure that their data systems and processes are secure and not vulnerable to theft and data misuse.