Supreme Court allows appeal in Morrisons data theft case

An employer is not vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.

The Supreme Court has allowed Morrisons’ appeal in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12.

The appeal concerned:

  • the circumstances in which an employer is vicariously liable for wrongs committed by its employees, and
  • whether vicarious liability may arise for breaches by an employee of duties imposed by the Data Protection Act 1998.


The appellant operates a chain of supermarkets and employed S. In 2013 S received a verbal warning after disciplinary proceedings for minor misconduct and subsequently bore a grievance against the appellant. S was asked to transmit payroll data for the appellant’s entire workforce to its external auditors, as he had done the previous year. He did so, but also made and kept a personal copy of the data. In early 2014, he used this to upload a file containing the data to a publicly accessible filesharing website. He also sent the file anonymously to three UK newspapers, purporting to be a concerned member of the public who had found it online. The newspapers did not publish the information. Instead, one alerted Morrisons, which took immediate steps to have the data removed from the internet and to protect its employees, including by alerting police. S was soon arrested and has since been prosecuted and imprisoned.

The respondents were some of the affected employees. They brought proceedings against the appellant personally and on the basis of its vicarious liability for S’s acts. Their claims were for breach of statutory duty under the DPA, misuse of private information, and breach of confidence. At trial, the first instance judge concluded that the appellant bore no primary responsibility but was vicariously liable on each basis claimed. The judge rejected the appellant’s argument that vicarious liability was inapplicable given the DPA’s content and its foundation in an EU Directive. The judge also held that S had acted in the course of his employment. The appellant’s subsequent appeal to the Court of Appeal was dismissed and they appealed to the Supreme Court.


The Supreme Court unanimously allowed the appeal.

The primary issue before the court was whether Morrisons was vicariously liable for S’s conduct.  The court considered the existing case law, in particular the existing “close connection” test of whether the wrongful conduct was so closely connected with acts the employee was authorised to do that for the purposes of the liability of the employer to third parties, that it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment. The test had to be applied having regard to the circumstances of the case and previous court decisions.

The first question was what functions or “field of activities” the employer had entrusted to the employee. The Court concluded that the first instance judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects. In particular, the online disclosure of the data was not part of S’s field of activities, as it was not an act which he was authorised to do. A temporal or causal connection alone does not satisfy the close connection test. In addition, it was highly material whether S was acting on his employer’s business or for purely personal reasons.

The Supreme Court said that no vicarious liability arose in this case. S was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it could fairly and properly be regarded as made by S while acting in the ordinary course of his employment. On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability. An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta. The “close connection” test was not satisfied.

The second major issue before the court was whether the DPA 1998 excluded the imposition of vicarious liability for either statutory or common law wrongs. The court found the appellant’s argument that liability is excluded unpersuasive. Imposing statutory liability on a data controller like S is not inconsistent with the co-existence of vicarious liability at common law, whether for breach of the DPA or for a common law or equitable wrong, as the DPA says nothing about a data controller’s employer. It is irrelevant that a data controller’s statutory liability under the DPA is based on a lack of reasonable care, while vicarious liability for an employee’s conduct requires no proof of fault. The same contrast exists at common law between, for example, an employee’s liability in negligence and an employer’s vicarious liability. It makes no difference that an employee’s liability may arise under statute instead.

The appeal was therefore allowed.

Published: 2020-04-01T13:00:00

    Please wait...