Various Claimants v WM Morrisons Supermarket PLC

Reference: [2017] EWHC3113 (QB); [2018] IRLR 200; [2018] EMLR 12

Court: High Court of Justice, Queen's Bench Division

Judge: Langstaff J

Date of judgment: 1 Dec 2017

Summary: In a trial of liability for breach of the Data Protection Act 1998, misuse of private information and breach of confidence: where a then employee of the D had made a copy of the Cs’ private/confidential information held on D’s payroll and uploaded it to the internet, was D liable either on a direct or vicarious liability basis? Data Protection Act 1998  – Misuse of private information – Breach of confidence – Vicarious liability – DPP7

Download: Download this judgment

Appearances: Jonathan Barnes KC (Claimant)  Victoria Jolliffe 

Instructing Solicitors: JMW LLP for the Cs, DWF LLP for D


D, a supermarket chain, had entrusted S, a senior IT auditor, with passing on payroll information of just under 100,000 employees to an external auditor as part of its annual audit. S took a copy of the data and uploaded a version of it to the internet. S was subsequently convicted of criminal offences arising from this conduct.

In a group litigation claim, 5,518 employees/former employees sued D for breach of the Data Protection Act 1998 (“DPA 1998”), misuse of private information and breach of confidence. The claim was brought on the basis that D was directly liable and/or vicariously liable. The Cs contended, inter alia, that since they had not given their consent for the disclosure of their information entrusted to D liability arose without more. Further, they argued that in choosing S (who had a formal warning for a separate unrelated incident) as the conduit, and failing to ensure that he had deleted the data, D had failed to comply with the 7th Data Protection Principle (“DPP7”) which requires a data controller to have appropriate technical and organisational measures against unauthorised or unlawful processing. The Cs also argued that S’s conduct had a sufficient connection to his employment such that D should be held vicariously liable.

D denied that it was liable on either basis. In relation to direct liability: D denied that it was the data controller once S had taken control of his copy of the data. D also denied that it had breached any of the data protection principles including DPP 7.

In relation to vicarious liability: D argued that the DPA excluded the possibility of vicarious liability and that Parliament has legislated in the field so as to exclude claims under breach of confidence and misuse of private information. Alternatively, S was not acting in the course of his employment when he disclosed the information.


  1. Strict liability: whether D was liable (1) for any misuse of the data, howsoever caused, or (2) because the misuse came about in circumstances where (i) D knew or ought reasonably to have known that S posed a threat to that data and/or (ii) D was obliged to but failed to put in place certain control mechanisms which would have prevented the misuse (“the inadequate controls claim”).
  2. Vicarious liability: (1) whether D was vicariously liable for S’s criminal misuse of the data in circumstances where it was not directly liable for that misuse pursuant to s4(4) DPA; (2) Whether the DPA itself recognises the principle of vicarious liability; (3) whether D was vicariously liable in relation to obligations under the common law or equity.


  1. D had not broken the data protection principles in any manner which caused or contributed to the disclosure. It had not itself, as data controller, breached those principles. The acts were those of a 3rd party (S).
  2. D did not directly misuse any information personal to the Cs. It did not authorise its misuse, nor permit it by any carelessness on its part.
  3. It was not in contention that of the elements necessary for a breach of confidence action to succeed, there was information given to D, it was confidential, and it was disclosed; however this claim failed as it was not disclosed by D either directly or by an agent.
  4. D did not know nor ought it reasonably to have known that S posed a threat to the employee database. Save in one respect there were no control mechanisms which D ought to have applied in respect of S which were not appropriately applied. D did however fall short of the requirements of DPP7 in that it had no organised system for the deletion of data such as the payroll data stored for a brief while on S’s computer. However, this failure neither caused nor contributed to the disclosure which occurred.
  5. The principle expressed in Majrowski v Guys & St Thomas’ NHS Trust [2007] 1 AC 224 is that vicarious liability is applicable where an employee commits a breach of statutory obligations, even where they rest on him alone, while acting in the course of his employment, unless the statute expressly or impliedly indicates otherwise. The fact that the Act had the effect that S became the data controller of the information he was later to disclose did not exclude vicarious liability.
  6. Part of the purpose of the Data Protection Directive 95/46/EC was to achieve a measure of harmonisation of the laws of member states. However the purpose of the Directive and therefore the Act was to provide greater protection for the rights of data subjects. Additional liabilities in respect of data, insofar as the Act creates them, over and above such liabilities as there would otherwise be in equity or at common law, add layers of protection. Accordingly, D’s contention that the DPA excluded common law and equitable actions in respect of the same data disclosure was rejected.
  7. Applying the principles in Mohamud v Morrison Supermarkets plc [2016] AC 677 there was a sufficient connection between the position in which S was employed and his wrongful conduct. Put into the position of handling and disclosing the data as he was by D (albeit disclosure was meant to be to the auditor alone), it was right for D to be held liable “under the principle of social justice which can be traced back to Holt CJ” (a reference to Boston v Sandford (1691) 2 Salk 440).
  8. This conclusion would be the same irrespective of whether a breach of duty under the DPA, a misuse of private information, or a breach of the duty of confidence was concerned. The essential acts constituting a legal wrong in each case were the same.


This is the first case to hold that the principles of vicarious liability apply to data protection. The judgment contains a detailed analysis of the relevant principles to be applied, although it is clear that any case will be highly fact sensitive.

The judgment also contains a helpful analysis of the operation of DPP7.

The Court has given D permission to appeal its conclusions on vicarious liability.