Supreme Court rules Morrisons was not liable for 2014 data breach

The UK’s Supreme Court has ruled that Morrisons was not liable for a staff member who unlawfully disclosed the personal data of thousands of the company’s employees in 2014.


Cyber security for accountants

3 ways to protect yourself and your clients online


After a disgruntled employee leaked the payroll information of 100,000 of the supermarket chain’s workers six years ago, Morrisons was found to be vicariously liable, as opposed to directly liable.

The Supreme Court has overruled past decisions after Morrisons lodged an appeal, however, with judges finding the supermarket could not be held responsible for the actions of former auditor Andrew Skelton.

After receiving a verbal warning following disciplinary proceedings in 2013, Skelton was tasked with transmitting payroll data for Morrison’s entire workforce to external auditors, as he had done the previous year.

Skelton completed the task, but also made a personal copy of the data.

He uploaded a file containing the data to a publicly accessible filesharing website in 2014, and sent the file anonymously to three UK newspapers, posing as a concerned member of the public.

Morrisons was then alerted and took steps to have the data removed and contact the police, who arrested Skelton following an investigation. He was imprisoned in 2015 for eight years.

Some of the affected employees brought proceedings against the supermarket, seeking compensation, with arguments centred on its statutory duty under the Data Protection Act 1998, with regards to the misuse of private information and breach of confidence.

The High Court, at the time, ruled in favour of the company’s employees and rejected Morrison’s argument that "vicarious liability" was inappropriate given the DPA’s content and its foundation in an EU directive.

Morrisons appealed to the High Court, which upheld the initial ruling in 2018, leaving the company facing the prospect of a hefty compensation bill for its employees.

The supermarket then took the case to the Supreme Court, which unanimously allowed the appeal. Lord Reed ruled in the supermarket chain’s favour, with fellow judges agreeing on the decision.

“The Court concludes that the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of respects,” the Supreme Court said.

“The online disclosure of the data was not part of Skelton’s “field of activities”, as it was not an act which he was authorised to do.

“Considering the question afresh, no vicarious liability arises in the present case. Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.”

The Supreme Court’s ruling, a reversal of past decisions, has implications for all organisations who may fear repercussions should a disgruntled employee violate data protection laws.

"With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees,” said Mishcon de Reya partner Adam Rose.

“They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn't find themselves defending an action in which they were also arguably a victim.”

Keumars Afifi-Sabet

Keumars Afifi-Sabet is a writer and editor that specialises in public sector, cyber security, and cloud computing. He first joined ITPro as a staff writer in April 2018 and eventually became its Features Editor. Although a regular contributor to other tech sites in the past, these days you will find Keumars on LiveScience, where he runs its Technology section.