Various Claimants v WM Morrison Ltd – Opening the Data Breach Floodgates?


Last week the High Court gave judgment in the critically important group litigation case of Various Claimants v WM Morrison Ltd. The case concerned the question of whether one of the UK’s largest supermarket chains, Morrisons, could be held either directly or vicariously liable for the criminal misuse of its payroll data effected by a rogue employee.

The court held that Morrisons was not directly liable for the misuse: it had not breached its obligations under the Data Protection Act 1998 (DPA), save in one respect which was not causally relevant to the employee’s misuse, and it had not otherwise tortiously misused the payroll data or acted in breach of confidence. In other words, it was an entirely innocent party so far as the employee’s misuse was concerned. However, the court went on to hold that Morrisons was nonetheless vicariously liable for the misuse on the basis that the employee was ‘acting in the course of his employment’ when he criminally disclosed the data online. The court reached this conclusion despite the fact that the employee’s entire criminal venture was designed and intended so as to damage his employer’s interests. The court went on to grant Morrisons permission to appeal of its own motion. Morrisons, who was represented by 11KBW’s Anya Proops KC and Rupert Paines, has publicly confirmed that it intends to appeal.

This hugely important judgment is to be considered at a seminar to be held at 6.00pm at 11KBW on 16 January 2018 at the Kelvin Lecture Theatre, IET London Savoy Place, 2 Savoy Pl, London WC2R 0BL.

Issues to be discussed will include:

– the court’s approach to the application of the seventh data protection principle concerning data security

– the court’s conclusion that the DPA could be construed so as to enable an innocent employer/data controller to be fixed with common law vicarious liability for a breach of the DPA effected by a third party data controller

– the court’s analysis of the relationship between the DPA and the common law

– the court’s conclusion that the rogue employee was ‘acting in the course of his employment’ when he criminally disclosed the payroll data, notwithstanding that this disclosure was effected whilst the employee was off work and for the specific purpose of damaging his employer

– whether the GDPR may call for a different approach

Speakers will include Timothy Pitt-Payne KC and Robin Hopkins.

Conference Details

Date: 16 January 2018
Venue: Kelvin Lecture Theatre, IET London Savoy Place, 2 Savoy Pl, London WC2R 0BL
Registration is from 5.30pm; the seminar runs from 6pm until 7pm, with a drinks reception afterwards.

Cost: this seminar is free of charge

How to book?

To book your place on this conference please email with the delegate name, firm and email address.

Please note that spaces for this event are limited and we would advise early booking.

You will then be sent a confirmation email of your place.