October 22, 2018
Court of Appeal Upholds Morrisons Data Breach Claim
Morrisons’ challenge to vicarious liability finding dismissed
The Court of Appeal has dismissed Morrisons’ appeal of the decision of Langstaff J that the supermarket chain was vicariously liable for the leak of data by one its employees.
The claim, brought in data protection, misuse of private information and breach of confidence, related to disclosure of the claimants’ payroll data which had been stolen by a then employee of Morrisons. Senior IT auditor Andrew Skelton had been entrusted with passing on the payroll data of just under 100,000 employees to KPMG as part of the annual audit process. Skelton made a copy of the data and subsequently uploaded a version to the internet. In July 2015 Skelton was convicted of offences of fraud and under s55 Data Protection Act 1998.
Following a trial brought by 10 lead claimants, Mr Justice Langstaff had held that although Wm Morrison Supermarkets plc was not directly liable, the company was vicariously liable in each cause of action for the actions of Skelton. The judge gave Morrisons permission to appeal.
Morrisons’ first and second grounds of appeal were that (1) the Data Protection Act 1998 impliedly excluded vicarious liability and that being so, (2) vicarious liability for misuse of private information and breach of confidence in respect of processed personal information was also excluded. Crucially, Morrisons did not submit that the causes of action themselves were excluded and it was not in issue that Morrisons ceased to be the data controller of the stolen information at the point Skelton made his copy.
In a unanimous judgment handed down on 22 October 2018, the Master of the Rolls, Lord Justice Bean and Lord Justice Flaux dismissed Morrisons’ arguments, concluding:
“the concession that the causes of action for misuse of private information and breach of confidentiality are not excluded by the DPA in respect of the wrongful processing of data within the ambit of the DPA, and the complete absence of any provision of the DPA addressing the situation of an employer where an employee data controller breaches the requirements of the DPA, lead inevitably to the conclusion that the Judge was correct to hold that the common law remedy of vicarious liability of the employer in such circumstances (if the common law requirements are otherwise satisfied) was not expressly or impliedly excluded by the DPA.”
Morrisons’ third ground – that the trial judge was wrong to conclude that the wrongful acts of Mr Skelton had occurred during the course of his employment – was also dismissed. In respect of the issue which had troubled Langstaff J, namely the submission that because the wrongful acts of Skelton were deliberately aimed at Morrisons, to find Morrisons vicariously liable may render the court “an accessory in furthering his criminal aims”, the Court of Appeal did not accept “that there is an exception to the irrelevance of motive where the motive is, by causing harm to a third party, to cause financial or reputational damage to the employer.”
The Court of Appeal refused permission to appeal. It is not yet known if Morrisons will apply to the Supreme Court for permission.