WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)
Reference:  UKSC 12
Court: Supreme Court
Judge: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones
Date of judgment: 1 Apr 2020
Summary: Vicarious liability – Data Protection Act 1998 – Misuse of private information – Breach of confidence
Download: Download this judgment
Jonathan Barnes (Respondent)
Victoria Jolliffe (Respondent)
Morrisons the supermarket chain entrusted Andrew Skelton, a senior IT auditor, with passing on payroll information of 126,000 employees to an external auditor as part of its annual audit. Mr Skelton took a copy of the data and uploaded the personal payroll data of 99,998 employees to the internet. He did so because of a grudge he harboured against Morrisons arising from previous disciplinary proceedings against him. Mr Skelton was subsequently convicted of criminal offences arising from this conduct and sentenced to eight years’ imprisonment.
In a group litigation claim 9,263 employees and former employees sued Morrisons for breach of the Data Protection Act 1998 (“DPA 1998”), misuse of private information and breach of confidence. The claim was brought on the basis that Morrisons was directly liable for the breach and/or vicariously liable for Mr Skelton’s conduct. Morrisons denied that it was liable on either basis.
In relation to vicarious liability Morrisons argued that DPA 1998 excluded the possibility of vicarious liability and that Parliament has legislated in the field so as to exclude claims also brought in relation to breach of confidence and misuse of private information. Alternatively Morrisons argued that Mr Skelton was not acting in the course of his employment when he disclosed the information.
At trial Langstaff J rejected the direct liability claim but found Morrisons vicariously liable. The Judge gave Morrisons permission to appeal his findings on vicarious liability.
The Court of Appeal (Etherton MR, Bean and Flaux LJJ) upheld the Judge’s findings appealed against. Parliament had not excluded by necessary implication the application of vicarious liability to the DPA 1998 or the common law or equitable causes of action. Mr Skelton had indeed been acting in the course of his employment and the Judge had been correct to impose vicarious liability.
Morrisons appealed to the Supreme Court.
(1) Whether Morrisons is vicariously liable for Mr Skelton’s conduct.
(2) If yes:
(a) Whether DPA 1998 excludes the imposition of vicarious liability for statutory torts committed by an employee data controller under DPA 1998.
(b) Whether DPA 1998 excludes the imposition of vicarious liability for misuse of private information and breach of confidence.
Allowing the appeal on the first issue and therefore overall:
(1) Both the Judge and the Court of Appeal had misunderstood the principles governing vicarious liability by their reading of Mohamud v WM Morrison Supermarkets plc  UKSC 11;  AC 677. Mohamud followed the earlier House of Lords case of Dubai Aluminium Co Ltd v Salaam  UKHL 48;  2 AC 366 in which Lord Nicholls had stated with reference to Lord Millett’s speech in Lister v Hesley Hall Ltd  1 UKHL 22;  1 AC 215 that the general test for vicarious liability was to the effect that the wrongful conduct must be so closely connected with acts the employee was authorised to do that for the purpose of the liability of the employer to third parties the wrongful conduct may fairly and properly be regarded as done by the employee while acting in the ordinary course of the employee’s employment. Four relevant respects that were particularly important in the misunderstanding of the correct principles by the courts below were first that the disclosure of the data on the Internet did not form part of Mr Skelton’s functions or field of activities in the sense intended by the authorities. Secondly the fact that the five factors in Various Claimants v Catholic Child Welfare Society  2 AC 1 for the imposition of vicarious liability for wrongdoing by someone other an employee were all present was nothing to the point. Thirdly although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr Skelton and his disclosing it on the Internet a temporal or causal connection in itself does not satisfy the relevant “close connection” test. Fourthly the reason why Mr Skelton acted wrongfully was not irrelevant as the courts below had concluded: on the contrary whether Mr Skelton was acting on his employer’s business or for purely personal reasons was highly material.
Given these misunderstandings it fell to the Supreme Court to assess the question of Morrisons’ vicarious liability afresh. First the Supreme Court considered that so far as relevant the acts which Mr Skelton was authorised to do consisted only in the task of collating and transmitting payroll data to KPMG. Secondly when considering the connection between what Mr Skelton was authorised to do in his employment and the disclosure the distinction was important as set out by Lord Nicholls in Dubai Aluminium between cases where the employee was engaged however misguidedly in furthering his employer’s business and cases where the employee is engaged solely in pursuing his own interests on a ‘frolic of his own’. It was abundantly clear that Mr Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary he was pursuing a personal vendetta seeking vengeance for the disciplinary proceedings some months earlier that had given rise to his grudge. As to the point about the relevance of Mr Skelton’s motive to harm his employer in the present case compared to the racial motivation of the employee’s assault in Mohamud which Lord Toulson in that case had said was “irrelevant” the Supreme Court explained that the employee’s motive in Mohamud had been said to be “irrelevant” only in the context of findings already made which held the employee had been going about his employer’s business – albeit using unauthorised violence for reasons which did not matter to the outcome of Mohamud – rather than pursuing his private ends.
Accordingly Mr Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that for the purposes of Morrisons’ liability to third parties it can fairly and properly be regarded as done by Mr Skelton while acting in the ordinary course of his employment.
(2) Upholding the decision of the Judge and the Court of Appeal on the second issue by applying the orthodox principles of statutory interpretation explained by Lord Nicholls in Majrowski  1 AC 224 since the DPA 1998 neither expressly nor impliedly indicates otherwise the principle of vicarious liability applies to the breach of the obligations which it imposes and to the breach of obligations arising at common law or in equity committed by an employee who is a data controller acting in the course of his employment.
Allowing the appeal on the first issue disposes of the employees’ group claim in Morrisons’ favour. The Supreme Court discarded the approach taken by the courts below and imposed its own findings having analysed the approach emerging from Dubai Aluminium as the Court explained it to have been reflected by the decision in Mohamud. That will no doubt be a great relief to Morrisons in this particular case.
However of much greater potential significance for all data controllers was the Supreme Court’s confirmation – upholding the findings of the trial Judge and the Court of Appeal – that DPA 1998 did not exclude as a matter of principle the imposition of vicarious liability on an employer whose employee during the course of his or her employment acts in breach of DPA 1998 or the laws of misuse of private information or breach of confidence. DPA 1998 was not the exclusive scheme for which Morrisons contended in this respect. Going forward it seems likely that the Data Protection Act 2018 in conjunction with the regime of the General Data Protection Regulation (GDPR) will fall to be interpreted in the same way.