Various Claimants v Wm Morrison Supermarkets PLC

Reference: [2018] EWCA Civ 2239

Court: Court of Appeal

Judge: The Master of the Rolls, Bean, Flaux LJJ

Date of judgment: 22 Oct 2018


Data Protection Act 1998 – Misuse of private information – Breach of confidence – Vicarious Liability


Appearances: Jonathan Barnes KC (Respondent), Victoria Jolliffe (Respondent)

Instructing Solicitors: JMW Solicitors LLP for the Claimants, DWF LLP for the Defendant


D, a supermarket chain, had entrusted S, a senior IT auditor, with passing on payroll information of just under 100,000 employees to an external auditor as part of its annual audit. S took a copy of the data and uploaded a version of it to the internet. S was subsequently convicted of criminal offences arising from this conduct.

In a group litigation claim, 5,518 employees/former employees sued D for breach of the Data Protection Act 1998 (“DPA 1998”), misuse of private information and breach of confidence. The claim was brought on the basis that D was directly liable and/or vicariously liable. D denied that it was liable on either basis.

In relation to vicarious liability, D argued that the DPA excluded the possibility of vicarious liability and that Parliament had legislated in the field so as to exclude claims under breach of confidence and misuse of private information. Alternatively, D argued that S was not acting in the course of his employment when he disclosed the information.

Langstaff J rejected the direct liability claim, but found D vicariously liable.

The judge gave D permission to appeal his finding on vicarious liability.


(1): on its proper interpretation and having regard to the nature and purposes of the statutory scheme, did the DPA exclude the application of vicarious liability?

(2): on its proper interpretation, did the DPA exclude the application of causes of action for misuse of private information and breach of confidence and/or the imposition of vicarious liability for breaches of the same?

(3): did the wrongful acts of S occur during the course of his employment by D?


Held: Dismissing the appeal:

(1) & (2): Parliament had not excluded by necessary implication the application of vicarious liability under the DPA or the common law/equitable causes of action:

  • If Parliament had intended such a substantial eradication of common law and equitable rights, it might have been expected to say so expressly.
  • D’s concession that it was only vicarious liability for the causes of action, and not the causes of action themselves, that had been excluded was a difficult line to tread: “not least because it may be said to present an inconsistency in the application of one of the principal objects of the Directive and of the DPA, namely the protection of privacy and the provision of an effective remedy for its infringement (including by an employee of limited means), rather than their curtailment.”
  • It was not in issue that S (not D) was the data controller of the copy of the data S had made/disclosed. The DPA said nothing at all about the liability of an employer, who is not a data controller, for breaches of the DPA by an employee who is a data controller. The DPA is only concerned with the primary liability and obligations of the data controller. It has nothing at all to say about the liability of someone else for wrongful processing by the data controller. Parliament has not entered that field at all.

(3): S was acting in the course of his employment and the judge was correct to impose vicarious liability:

  • The relevant test was that set out in the two questions identified by Lord Toulson in Mohamud v WM Morrison Supermarkets Plc [2016] AC 667, namely: (i) what functions or “field of activities” have been entrusted by the employer to the employee, or, in everyday language, what was the nature of his job, and (ii) whether there was “sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ.”
  • The Judge’s findings of fact in respect of these two questions were correct.
  • D’s argument that it was the act of disclosing the data (weeks later, when S was at home and using his own equipment) that had caused the Cs distress and that, accordingly, the cause of action was not completed during the course of employment was rejected. The Cs had complete causes of action against S at the point he improperly downloaded their data.
  • D’s submission that the jurisprudence demonstrated that the employer is only liable if the employee was “on the job” when the tort occurred was rejected. The phrase “on the job” was not found in the authorities.
  • The judge’s evaluation of his (undisputed) findings of fact in respect of S’s actions as “a seamless and continuous sequence” or “unbroken chain” of events was correct.
  • There was no exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer.
  • The fact of a defendant being insured was not a reason for imposing liability, but the availability of insurance was a valid answer to D’s argument that imposing vicarious liability would amount to an enormous burden on D and could place a similar burden on other innocent employers.


This decision is a resounding endorsement by the Court of Appeal of the approach of the trial judge Langstaff J.