The Supreme Court has today given judgment in Various Claimants v Wm Morrison Supermarkets Ltd, one of the most hotly anticipated data protection and employment appeals of recent years.
The appeal concerned the question whether Morrisons was liable under the Data Protection Act 1998 or the common law for the actions of a rogue employee, Mr Andrew Skelton, who in January 2014 deliberately and criminally published Morrisons’ payroll data online. Mr Skelton’s actions were intended to harm Morrisons, as revenge for a perceived slight in the course of minor disciplinary proceedings in 2013. The courts below held that Morrisons was not directly liable for the online disclosure, but that it was vicariously liable, as the disclosure had been effected by Mr Skelton ‘within the course of his employment’, his intention to harm Morrisons notwithstanding. The latter conclusion potentially exposed Morrisons to damages claims from all of the c. 100,000 employees affected by Skelton’s disclosure.
The Supreme Court has allowed Morrisons’ appeal. It held that common law vicarious liability could in principle apply in cases falling within the ambit of the data protection legislation but there was no vicarious liability on the facts of the case. More widely, the judgment provides important guidance on the scope of the vicarious liability principle, with the Court holding that its 2016 judgment in Mohamud v Morrisons has been misunderstood, resulting in an overly wide approach to vicarious liability being adopted by the lower courts.
Anya Proops QC and Rupert Paines acted for Morrisons at all stages of the litigation, instructed by Andrew Harris and Michelle Maher of DWF LLP.