Can an employer be liable for an employees’ data protection breach? Guidance from the UK Supreme Court

Can an employer be held to be vicariously liable for unauthorised breaches of the Data Protection Act 1998 (the “DPA 1998”) committed by an employee? The UK Supreme Court sets the record straight in a case where Wm Morrison Supermarkets plc’s (“Morrisons”) disgruntled employee uploads nearly 100,000 of Morrisons’ employees’ details onto a publicly accessible website.


Mr Skelton was employed by Morrisons as a senior auditor in Morrisons’ internal audit team. In July 2013 he was given a verbal warning for minor misconduct, but this led to Mr Skelton harbouring an irrational grudge against Morrisons.

Subsequently, in preparation for Morrisons’ regular external audit, the auditors, KPMG, requested payroll data from Morrisons to test their accuracy. The task of collating and transmitting the data was given to Mr Skelton. To enable him to carry out the task, he was given access to the payroll data relating to the whole of Morrisons’ workforce (around 126,000 employees).

After providing the data to KPMG, Mr Skelton copied the data onto a USB stick which he took home and posted the data on the internet and sent the data to three national newspapers. None of the newspapers published the data, but one did alert Morrisons. Morrisons immediately took steps to remove the data from the internet, contacted the police and started an internal investigation. Mr Skelton was arrested a few days later and sentenced to eight years imprisonment.

What was being claimed?

The claimants were 9,263 of Morrisons’ employees or former employees who claimed Morrisons was either primarily or vicariously liable for Mr Skelton’s wrongful conduct and therefore, claimed damages for misuse of private information and breach of confidence, and breach of its statutory duty under s 4(4) of the DPA 1998.

S 4(4) of the DPA 1998 requires a data controller to comply with eight principles of data protection and s 13(1) of the DPA 1998 entitles any victim of a breach of the DPA 1998 to receive compensation for that damage.

What is vicarious liability?

Vicarious liability is a doctrine where an employer will be liable for torts committed by its employee where there is a sufficient connection between the employment and the wrongdoing. There is a two-stage test:

  1. Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  2. Is the connection between the employment and the wrongful act so close that it would be just and reasonable to impose liability?

The High Court’s decision

In the first instance, the High Court dismissed the claim under s 4(4) of the DPA 1998 and found that Morrisons was not primarily liable for Mr Skelton’s actions as it had not directly misused or permitted the misuse of any personal information of its employees.

However, in deciding whether Morrisons was vicariously liable for Mr Skelton’s actions, the High Court considered the Supreme Courts decision in Mohamud v Wm Morrison Supermarkets plc [2016], in which it was held that Morrisons was vicariously liable for an employee’s unprovoked violent assault on a customer because there was such a close connection between the employee’s job role of attending to customers and the assault. After considering this, the High Court held that there was a sufficient connection between how Mr Skelton was employed and his wrongful conduct, resulting in Morrisons being held vicariously liable for Mr Skelton’s actions.

Court of Appeal

Morrisons appealed to the Court of Appeal and submitted that:

  1. the DPA 1998 impliedly excludes the application of vicarious liability of the employer for the misuse of private information or breach of the duty of confidence; and
  2. the wrongful acts of Mr Skelton did not occur during his employment and therefore, Morrisons could not be vicariously liable for those wrongful acts.

The Court of Appeal dismissed the appeal, concluding that the High Court was right in deciding that the task given to Mr Skelton by Morrisons included the sending of data to third parties. Court of Appeal also considered the Supreme Court’s decision in Mohamud, in which it was stated that the employee’s motive was irrelevant and therefore, the fact that Mr Skelton was trying to harm Morrisons in carrying out the act, did not prevent Morrisons from being vicariously liable for his actions.

 The Court of Appeal also concluded that vicarious liability for misuse of private information and breach of confidence was not expressly or impliedly excluded by the DPA 1998.

Supreme Court

Morrisons further appealed to the Supreme Court. The Supreme Court held that the Court of Appeal had misunderstood the principals of vicarious liability and allowed Morrisons’ appeal.

The Supreme Court considered the relevant question to be whether Mr Skelton’s act of disclosing the data was so closely connected to the acts he had been employed to do that, for the purposes of Morrisons’ liability to third parties, the disclosure may be regarded as made while acting in the ordinary course of his employment.

The connecting factor between what Mr Skelton was authorised to do and the disclosure, is that he could not have made the disclosure if he had not been given the task of collating the data and transmitting it to KPMG. It was the provision of the data to him so that he could perform that task, that enabled him to make a private copy of the data, which he subsequently used to make the disclosure. However, the Supreme Court considered the fact that Mr Skelton’s employment presented him with the opportunity to disclose the information did not justify the finding of vicarious liability. Further, it is not common for an employer to be found vicariously liable when an employee is pursuing a personal vendetta. Therefore, on the facts, the ‘close connection’ test had not been satisfied.

Although the Supreme Court had found there was no vicarious liability, for completeness, it still expressed its view on Morrisons’ assertion that the DPA 1998 excluded vicarious liability. Morrisons had argued DPA 1998 impliedly excluded the vicarious liability of an employer in these circumstances because s13 of the DPA 1998 provided that liability was only to be imposed on data controllers who had acted without reasonable care. The court rejected this argument and considered it irrelevant that the statutory liability of a data controller under the DPA 1998 is based on reasonable care, whereas vicarious liability is not based on fault.


This decision has provided some much needed clarity on the scope of vicarious liability. It represents mostly good news for employers in that employers will not always be held vicariously liable for the acts of its disgruntled employees. However, it is important to remember that the Supreme Court was not persuaded by Morrisons’ argument that the DPA 1998 excludes vicarious liability. Therefore, if the ‘close connection’ test was satisfied, it remains possible for an employer to be vicariously liable for a data breach.


This article contains information of general interest about current legal issues, but does not provide legal advice. It is prepared for the general information of our clients and other interested parties. This article should not be relied upon in any specific situation without appropriate legal advice. If you require legal advice on any of the issues raised in this article, please contact one of our specialist construction lawyers.

To view this article in pdf format, please click here.


© Hawkswell Kilvington Limited 2020