Earlier this year we reported on the High Court's decision that Morrisons supermarket was vicariously liable for damage suffered by its employees after an IT auditor deliberately disclosed their personal information on the internet. The link to our previous article can be found here.

The High Court's decision has now been approved by the Court of Appeal, leaving concerns about how an organisation in Morrisons' shoes could avoid liability.

What happened?

In January 2014 Mr Skelton, then a senior IT auditor at Morrisons, deliberately posted the personal details of almost 100,000 Morrisons employees on a data sharing website. He was acting in revenge for disciplinary action Morrisons had taken against him the previous year. Mr Skelton was arrested, charged and eventually convicted and sentenced to 8 years in prison.

Over 5,000 employees whose personal data had been disclosed by Mr Skelton then brought a group civil claim against Morrisons seeking compensation. Amongst other claims, they argued that Morrisons was vicariously liable for Mr Skelton's actions.

The High Court recognised that Morrisons was not directly liable for the breach as Mr Skelton had effectively stepped into the supermarket's shoes as 'data controller' when he took it upon himself to disclose the information to the public. However, the Court delivered a real curveball on the question of vicarious liability. It said that there was a sufficient connection between Mr Skelton's position and duties as senior IT auditor and his wrongful conduct to make it fair that Morrisons should be held responsible for his actions.


Morrisons appealed to the Court of Appeal arguing that:

  1. the relevant data protection legislation excluded the application of vicarious liability; and
  2. the High Court was wrong to conclude that the wrongful acts of Mr Skelton occurred during the course of his employment, and, consequently, that Morrisons was vicariously liable for his actions.

The appeal was unsuccessful on both grounds.

The Court of Appeal said the High Court had been correct to find that the data protection legislation included the possibility of vicarious liability and it went on to set out a two-part test for deciding whether Morrisons should be vicariously liable:

  1. What functions or 'field of activities' had been entrusted by Morrisons to Mr Skelton, and what was the nature of his job?
  2. Was there sufficient connection between Mr Skelton's job and his wrongful conduct so as to make it right for Morrisons to be held liable?

The Court was satisfied that Morrisons had entrusted Mr Skelton with the employee data as part of his day-to-day role and that he had been appointed on the basis that he could be trusted to deal with this kind of confidential information. It agreed that Morrisons should be vicariously liable as there was an unbroken thread that linked Mr Skelton's work to the disclosure and which therefore constituted a continuous sequence of events. It did not matter that Mr Skelton’s motive in committing the data breach was to harm his employer.

Where does this leave employers?

This isn't a helpful decision for employers as it effectively concludes that, no matter how good your data security measures are, there is no way to guarantee protection from vicarious liability if one of your employees deliberately and maliciously sets out to cause a data breach. However, it does provide a forceful reminder of the importance of having robust data protection security measures that protect against internal as well as external threats.

For many charities, this will mean reviewing what personal data can be accessed by volunteers, self-employed consultants and trustees, as well as employees. Do you have appropriate authorisation levels in place so that confidential and sensitive information can only be accessed by the people who really need to see it? Do you provide data protection training to all personnel on induction? Do you have strict retention and deletion processes? Do you regularly check that data security processes and procedures are being followed? And, if all else fails, does your insurance cover personal data breaches?

Our charity and social business team provides data protection training to charities and carries out data protection reviews. We also advise clients on dealing with personal data breaches. If you have any concerns or questions, get in touch - charity.law@russell-cooke.co.uk.