• This field is for validation purposes and should be left unchanged.

Data Protection – Vicarious Liability

The Supreme Court has held in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC12 that Morrison Supermarkets (“Morrisons”) is not vicariously liable for the actions of a disgruntled employee releasing the personal data of the whole of Morrisons’ workforce onto the internet, in an act to further his personal vendetta against the supermarket.

“S” was a senior auditor for Morrisons. He harboured a grudge against Morrisons as he had been disciplined for minor misconduct and received a verbal warning. In an act of revenge against Morrisons, on his day off, from his personal computer, he posted the payroll data of 99,998 employees onto the internet and forwarded it to 3 newspapers, claiming to be a concerned citizen. This was a criminal act by S and he was arrested and prosecuted for fraud under the Computer Misuse Act 1990 and Data Protection Act 1998.

Some of the employees of Morrisons who had their personal data published brought legal claims against Morrisons for breach of s4(4) of the Data Protection Act 1998, breach of confidence and misuse of private information.

The trial judge held that Morrisons were liable for S’s breach of statutory duty, breach of confidence and misuse of private information. This decision was upheld in the Court of Appeal. The Supreme Court has reversed that decision and held that Morrisons was not  liable for the actions of S.

The Supreme Court identified that the key legal test was whether  S’s disclosure of the data had been so closely connected with acts that he had been authorised to do that, for the purposes of the liability of his employer to the employees who had their data published, his wrongful disclosure could fairly and properly be regarded as done by him while acting in the ordinary course of his employment. The Supreme Court held that the answer to this was no.

First, the disclosure of the data on the internet had not formed part of S’s functions or field of activities, in the sense that it had not been an act which he had been authorised to do. He had been authorised to disclose the payroll data to external auditors, not to the internet or newspapers.

Second, although the provision of the data to S for the purpose of transmitting it to the auditors and his disclosing it on the internet had occurred very close in time and there was an unbroken chain of causation, this did not in itself satisfy the close connection test.

Third, the reason why S had acted wrongfully was relevant; whether he had been acting on his employer’s business or for purely personal reasons (in this case pursuing a personal vendetta) was highly material.

In these circumstances Morrisons could not be held vicariously liable for S’s action.

This decision will be welcomed by employers. It was clear that there were no reasonable steps that Morrisons could have taken to prevent this unlawful data breach by its disgruntled employee. In such circumstances employers will be relieved that the Supreme Court has held that an employer will not be vicariously liable for an employee breaching data protection legislation in the course of a personal vendetta.


Should you require any further information or advice on dealing with specific issues such as data protection or employment matters generally, please contact the Employment Law Unit:-                              

 Tel: 028 9024 5034

Copyright 2020 Elliott Duffy Garrett

Every care has been taken in the preparation of this bulletin; readers are advised however to seek legal advice in relation to specific issues.