October 29, 2018

In 2013 Andrew Skelton was a senior IT internal auditor employed by the defendant, WM Morrison Supermarkets plc (Morrisons). Following a disciplinary hearing, he was given a formal verbal warning.  Mr Skelton was annoyed by the disciplinary proceedings and the sanction, which left him with a grudge against Morrisons.

In January 2014 a file containing personal details of 99,998 employees of Morrisons was posted on a file sharing website. Shortly after, links to the website were also placed on the web. The data consisted of the names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details. It was quickly established that the data had almost certainly been derived from data held by Morrisons in relation to its employees.

In March 2014, Mr Skelton was arrested and charged with offences under the Computer Misuse Act 1990 and s 55 of the Data Protection Act 1998. He was subsequently tried and convicted, and sentenced to a term of eight years imprisonment.

Some 5,518 employees of Morrisons, whose data was disclosed by the actions of Mr Skelton, claimed compensation for breach of s 4(4) of the DPA, misuse of private information, and breach of confidence.

At first instance, Mr Justice Langstaff held that there was no primary liability on the part of Morrisons, since at the time of disclosure Morrisons was not the “data controller”: it was Mr Skelton who had disclosed the data and was therefore the “data controller”. However, he held that the wrongful actions of Mr Skelton had been “sufficiently connected” to the position in which he had been employed to make it right for the employer to be held liable vicariously.

Morrisons appealed the decision, arguing that the judge had erred because the DPA excludes, by necessary implication, an employer’s vicarious liability at common law for an employee’s misuse of private information and breach of confidence. Further, it said, the wrongful acts of Mr Skelton did not occur during the course of his employment, therefore Morrisons could not be vicariously liable for those wrongful acts.

The Master of the Rolls, Sir Terence Etherton, held that if Parliament had intended the eradication of common law and equitable rights by the DPA, it would have said so expressly. Further, Morrisons had conceded that the causes of action for primary liability for misuse of private information and breach of confidentiality were not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA – Morrisons maintained that the DPA excluded only vicarious liability for those torts. That concession, together with fact that the DPA does not address the situation of an employer where an employee data controller breaches the statute, meant that the judge had been correct to hold that the common law remedy of vicarious liability of the employer was not expressly or impliedly excluded by the DPA.

As for whether Mr Skelton had been acting in the course of his employment, Sir Terence noted that, as Lord Toulson had said in Mohamud v WM Morrison Supermarkets plc [2016] AC 667, the first question to consider was what functions or “field of activities” had been entrusted by the employer to the employee? In other words, what was the nature of his job?

The second question to ask, Lord Toulson had said, was whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable.

Sir Terence found that the judge had correctly answered the first question, when he had held that Morrisons had deliberately entrusted Mr Skelton with the payroll data, which he was obliged to keep confidential and to disclose only to the company’s accountants. The fact that Mr Skelton had chosen to disclose the data to others was not authorised, the judge had said, but it had nonetheless been closely related to what he had been tasked to do.

As for the second question, Morrisons argued that the close connection test had not been satisfied, since the tortious act that had caused the harm was done by Mr Skelton at his home, using his own computer, on a Sunday, several weeks after he had downloaded the data at work onto his personal USB stick.

Sir Terence said that the time and place at which the act or acts occurred was always a relevant issue, although not conclusive. Nevertheless, there were numerous cases in which employers had been held vicariously liable for torts committed away from the workplace (for example, Bellman v Northampton Recruitment Ltd [2016] EWHC 3104).

Sir Terence found that the tortious acts of Mr Skelton in sending the claimants’ data to third parties were within “the field of activities” assigned to him by Morrisons, and that “the careful and detailed findings” by the judge were a complete answer to this part of Morrison’s argument. Sir Terence agreed with the judge’s finding that the online disclosure of the payroll data was not “disconnected by time, place and nature from [Mr] Skelton’s employment”, and that it had not been a sequence of random events, “but an unbroken chain beginning even before, but including, the first unlawful act of downloading data from his personal work computer to a personal USB stick”.

Sir Terence also noted that, in Mohamud v WM Morrison Supermarkets, Lord Toulson had said that the employee’s motive was irrelevant. Sir Terence therefore rejected Morrison’s argument in this case that there was an exception to the irrelevance of motive where the motive was, by causing harm to a third party, to cause financial or reputational damage to the employer.

Finally, Sir Terence found Morrison’s argument that a finding of vicarious liability would impose an enormous financial burden on the supermarket “unconvincing”. Sir Terence said that there had been many instances reported in the media in recent years of data breaches on a massive scale caused by either corporate system failures or negligence by individuals acting in the course of their employment. These might indeed lead to a large number of claims against the company for potentially ruinous amounts, he said, but the solution was not to absolve employers of vicarious liability, but to insure against such catastrophes. “The fact of a defendant being insured is not a reason for imposing liability, but the availability of insurance is a valid answer to the Doomsday or Armageddon arguments put forward by … Morrisons”. (WM Morrison Supermarkets plc v Various Claimants [2018] EWCA Civ 2339 (22 October 2018) — to read the judgment in full, click here).