Skip to content

Employment Law Speed Read – 18/12/17

This week we feature a case in which the implications of a malicious data breach were considered.

Vicarious liability and deliberate data breaches by employees

In the recent case of Various Claimants v Wm Morrisons Supermarkets PLC the High Court has held that an employer can be vicariously liable for an employee’s deliberate disclosure of personal data.


Morrisons employed Mr Skelton (S) as a senior IT internal auditor. In July 2013, S was disciplined by Morrisons for an incident unrelated to data protection.

On 1 November 2013, Morrisons asked S to send payroll data to KPMG for external audit purposes. The data was contained in secure software, however as S was not one of the limited personnel who had access to this software, Morrisons provided him with the data on an encrypted USB stick. S subsequently copied the data from his PC to a personal USB stick.

Just before Morrisons’ annual financial reports were to be announced in 2014, S uploaded the personal details of almost 100,000 Morrisons employees onto a file sharing site.

Over 5,518 members of staff made a group claim against Morrisons for compensation in respect of breaches of the Data Protection Act, misuse of private information and breach of confidence.

High Court decision  

The Court found that Morrisons had breached the seventh data protection principle (in respect of technical and organisational measures) as it had not put in place an organised system for deleting data. However, it was found that this breach did not contribute to S’s disclosure.

The Court also found that Morrisons had no primary liability for misuse of private information or breach of confidence.

However, the Court found that Morrisons were vicariously liable for the disclosure of the personal data as there was a sufficient connection between the disclosure of the personal data and S’s employment.

The Court found that:

  • there was a seamless and continuous sequence of events;
  • Morrisons had deliberately entrusted S with the payroll data;
  • Morrisons had specifically tasked S with the job of sharing the data to KPMG which was closely linked to the unauthorised disclosure;
  • S was acting as employee at the time of the breach; and
  • the fact that the unauthorised disclosure happened whilst S was at home on a non-working day did not break the thread that linked his work to the disclosure.


This is obviously bad news for employers, who could very well find themselves liable for the actions of revengeful employees. Quantum has yet to be decided in this case, but the costs to Morrisons could be very significant if the other 94,000+ employees decided to make a claim.  However, this is not the end of the story as Morrisons have been granted the right of appeal.

If you have any questions on the above and how it will affect you, please do not hesitate to get in touch with a member of our employment team.

Please note that this briefing is designed to be informative, not advisory and represents our understanding of English law and practice as at the date indicated. We would always recommend that you should seek specific guidance on any particular legal issue.

This page may contain links that direct you to third party websites. We have no control over and are not responsible for the content, use by you or availability of those third party websites, for any products or services you buy through those sites or for the treatment of any personal information you provide to the third party.

Continue reading for free

This article is from our dedicated employment hub HR Protect. Please visit the hub to view the full article, completely for free.

Take me there

Follow us on LinkedIn

Keep up to date with all the latest updates and insights from our expert team

Take me there

What we're thinking