Court of Appeal holds that employer had vicarious liability for unlawful access of personal data by former employee (WM Morrison Supermarkets PLC vs Various Claimants)

In the case of WM Morrison Supermarkets PLC vs Various Claimants [2018] EWCA Civ 2339, the Court of Appeal held that the causes of action for misuse of private information and breach of confidence are not excluded by the Data Protection Act (“DPA”). Accordingly, the Judge was correct to hold that the common law remedy of vicarious liability of the employer was not excluded by the DPA. Further, the Judge had been correct to hold WM Morrison Supermarkets PLC (“Morrisons”) liable for the torts committed by an employee who had committed a criminal act in the course of his employment.

The facts in WM Morrison Supermarkets PLC vs Various Claimants

Mr Skelton was a senior IT auditor employed by Morrisons. Following a disciplinary hearing for an incident involving his unauthorised use of Morrisons’ postal facilities, he was given a formal verbal warning. Annoyed at the sanction, Mr Skelton developed a grudge against Morrisons.

On 1 November 2013, KPMG requested a number of categories of data from Morrisons to undertake their annual audit.  The request included a copy of Morrisons’ payroll data.  A member of the HR team copied the data on to a USB stick which he took to Mr Skelton. Mr Skelton downloaded the data onto his laptop computer and then onto another USB stick which he then gave to KPMG.  On 18 November 2013 Mr Skelton copied the payroll data onto a personal USB and on 12 January 2014 Mr Skelton posted a file containing the personal details of 99,998 employees of Morrisons on a file sharing website.

Mr Skelton was arrested on 19 March 2014 and charged under, amongst other things, section 55 of the DPA.  He was tried and convicted and sentenced to 8 years in prison.

A class action was brought against Morrisons by 5,518 of the employees affected by the data breach for both primary and vicarious liability. The Judge held that Morrisons had not been the data controller at the time of the breach, but that Mr Skelton had been. As such, there was no primary liability on the part of Morrisons and they could only be held liable vicariously. He further held that Morrisons was not directly liable in respect of any breach of confidence or misuse of private information since they had not disclosed the information or misused it. However, he said that the mere fact that Mr Skelton became the data controller of the information did not exclude vicarious liability for his breaches under the DPA in respect of that information. He also said that the misuse of private information and the action for breach of confidence are not incompatible with the DPA, but complementary. Despite the fact that the wrongful acts had been done at home from a personal computer, the Judge found that there was sufficient connection between the position in which Mr Skelton was employed and his wrongful conduct for Morrisons to be held vicariously liable.

Lastly, as the wrongful acts of Mr Skelton were deliberately aimed at Morrisons and they were now being held vicariously liable for those acts, he gave Morrisons permission to appeal.

The Law

The Court of Appeal had to decide whether the Judge ought to have concluded that on its proper interpretation the DPA excluded vicarious liability as well as the causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same.

They also had to decide whether the Judge was wrong to conclude that the wrongful acts of Mr Skelton occurred during the course of his employment and accordingly that Morrisons were vicariously liable for those wrongful acts.

The decision of the Court of Appeal

The Court of Appeal decided that if Parliament had intended to eradicate common law and equitable rights, it would have done so expressly. They found that the Judge was correct to hold that the common law remedy of vicarious liability was not expressly or impliedly excluded by the DPA.

With respect to vicarious liability, the relevant test was set out in the case of Mohamud v WM Morrison Supermarkets Plc [2016] AC 667, namely: (i) what was the nature of his job, and (ii) whether there was “sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable”.

The Judge’s findings of fact in respect of these two questions were correct. Morrisons’ argument that the act of disclosing the data happened weeks after Mr Skelton improperly downloaded it was rejected because the claimants had a cause of action the moment Mr Skelton downloaded their data on to a personal USB stick. The Judge had also been correct to find Mr Skelton’s actions a ‘seamless and continuous sequence’ or ‘unbroken chain’ of events.

Accordingly, Morrisons’ appeal was dismissed.

Our solicitors’ views on the case of WM Morrison Supermarkets PLC vs Various Claimants

Sacha Barrett, an associate in the employment department at Redmans, made the following comment on the case: “This case demonstrates that an employer can be held liable for the acts of employees, even where they are criminal, provided there is sufficient connection with what they ordinarily do in their job”.

The decision of the Court of Appeal in WM Morrison Supermarkets PLC vs Various Claimants [2018] EWCA Civ 2339 can be found here.