Employers can sleep easy as employees go on “frolic of their own” - Supreme Court unanimously allows appeal for WM Morrison Supermarkets.
The Supreme Court yesterday handed down a unanimous judgment in the case of WM Morrison Supermarkets plc v Various Claimants  UKSC 12.
In what will come as a relief to Morrisons and hundreds of other employers, the Supreme Court held that “the judge and the Court of Appeal misunderstood the principles governing vicarious liability in a number of relevant respects”. It ultimately reversed the lower Courts’ decisions (allowing the appeal) and held that Morrisons was not vicariously liable for a data breach committed by a rogue employee.
In July 2013, Andrew Skelton (an employee in the internal audit team at Morrisons) received a verbal warning after disciplinary proceedings for minor misconduct, unconnected to these proceedings. He subsequently bore a grievance against Morrisons.
As a result of his position, and having been tasked with providing payroll information of 126,000 employees to an external auditor (KPMG) as part of Morrisons’ annual audit, Skelton stole and unlawfully stored personal data of Morrisons employees on a personal USB stick. On 12 January 2014, Skelton uploaded a file containing the data of 98,998 of the employees to a publicly accessible file-sharing website, with links to the data posted on other websites. On the day on which Morrisons’ financial results were due to be announced (13 March 2014), Skelton anonymously sent CDs containing the file to three UK newspapers.
The newspapers contacted by Skelton (who held himself out to be a concerned member of the public who had allegedly found the file on the file-sharing website) chose not to publish any of the stolen data. In fact, one of the papers notified Morrisons, who took immediate steps to have the material removed from the internet, notified the police and informed employees of the breach. Skelton was subsequently convicted of a number of offences and was sentenced to eight years’ imprisonment.
The Claimants initiated proceedings against Morrisons for (1) a breach of statutory duties under the Data Protection Act 1998 (DPA), (2) Misuse of Private Information, and (3) Breach of Confidence. The claim was against Morrisons personally and also on the basis of vicarious liability arising out of the actions of one of its employees.
A Group Litigation Order was made and the matter proceeded to Trial on the issue of liability (with quantum to be determined separately if liability was established). At First Instance, Mr. Justice Langstaff rejected the direct liability claim but found Morrisons vicariously liable on each basis claimed. The Court of Appeal upheld the Judge’s findings and stated that Mr. Justice Langstaff was correct to have found that Skelton had in fact been acting in the course of his employment and therefore correct to impose vicarious liability.
Morrisons appealed and the Supreme Court was tasked with determining the following issues:
- Whether Morrisons was vicariously liable for Skelton’s conduct; and
- If so, whether the DPA excludes imposition of vicarious liability for either statutory or common law wrongs.
Supreme Court Ruling
The Supreme Court judgment gives a detailed analysis of the precedent case law to date on the subject of vicarious liability. Indeed, what is clear from the brief history of the subject as explored by the Court is that the relevant “Sufficient Connection” test has withstood the test of time and has, up until today, generally been found in favour of a wronged party. The Supreme Court traces the test back some 200 years, with Sir John Holt CJ first stating that “where an employer employed the wrongdoer, and the employee committed a wrongful act against the claimant within the area of the authority given to him, it was fairer that the employer should suffer for the wrongdoing than the person who was wronged.”
The test has been applied and refined somewhat since then through key case law such as Mohamud and later, Dubai Aluminium. As the Court made clear in Dubai Aluminium, it is important to note that “a lack of precision is inevitable, given the infinite range of circumstances where the issue arises. The crucial feature or features, either producing or negativing vicarious liability, vary widely from one case or type of case to the next”. The Court went on to set out two key steps in the Sufficient Connection test:
- Identify acts the wrongdoer was authorised to do; and
- Decide if there is a sufficient connection between the wrongdoer’s authorised activities and the wrongful acts, in order to determine whether the employer ought to be vicariously liable under the principle of social justice.
Upon careful consideration of the case law and application of the Sufficient Connection test, the Supreme Court found:
- The disclosure of personal data by Skelton did not form part of the functions and/or activities he had been authorised to carry out in his position of employment with Morrisons;
- The Catholic Child Welfare Society factors applied by the Court of Appeal were not applicable in this case, being more relevant when determining whether vicarious liability could be found in a quasi-employment relationship;
- A ‘close link’ and an unbroken chain of causation between the wrongful disclosure of data and the authorised transmitting to KPMG would not in itself indicate that the employee’s wrongful act was made within his authorised capacity as an employee; a close and temporal link would not necessarily satisfy the Sufficient Connection test. The Supreme Court focused on whether his wrongful act “may fairly and properly be regarded as made by him while acting in the ordinary course of his employment”, which they found it could not; and
- Importantly, the Supreme Court gave weight to the wrongdoer’s motive for the wrongful act. They went as far as to say that reasons such as causing harm to the employer’s business and/or for personal gain were “highly material”. As such, as previously stated by Lord Nicholls in Dubai Aluminium, vicarious liability could not be found where an employee was found to have gone on a “frolic of their own” and therefore “acts as to be in effect a stranger in relation to his employer with respect to the act he has committed”. This reasoning was further bolstered by the Privy Council ruling in the case of Hartwell, which found that a police officer had committed an assault as a personal vendetta and as such, no vicarious liability existed. The Supreme Court in this case found that Mr Skelton’s earlier disciplinary proceedings had clearly given him a personal vendetta which motivated him to disclose the data.
For these reasons, the Supreme Court found that Morrisons had no vicarious liability in respect of Skelton’s wrongful acts. It followed, therefore, that it was not strictly necessary to consider whether the DPA excludes imposition of vicarious liability for either statutory or common law wrongs for the purposes of these proceedings. However, the Supreme Court addressed the issue briefly, which may prove helpful guidance for future cases and the applicability to the Data Protection Act 2018 and the regime of the General Data Protection Regulation (GDPR).
The Court found that, given that the DPA does not expressly or impliedly indicate otherwise, the principle of vicarious liability applies to breaches of the obligations it imposes and also to the obligations arising at common law or in equity.
Implications / Commentary
The Supreme Court judgment will be welcomed by employers who will have been extremely concerned as to the potential ramifications and implications of the Courts’ earlier decisions. Employers had argued that if the Court did not allow the appeal, then companies may find themselves in a position whereby they could be held vicariously liable for the unlawful and criminal acts of an employee, where that employee had deliberately set out to harm the employer. The Supreme Court judgment goes some way to restoring the balance in that regard.
Notwithstanding this decision on liability, the Supreme Court did send a warning to employers that a company can still, in principle and based on specific facts, be liable for a data leak by one of its employees under the “vicarious liability” principle. Indeed, points made by the earlier Court of Appeal flagged the supermarket’s overreliance on a manual process, which neither caused nor contributed to the tort. Employers would do well to heed this warning and to ensure that their online security is compliant with both their GDPR and DPA obligations.
Furthermore, albeit brief, the Supreme Court’s ruling on whether vicarious liability can arise through obligations imposed by the DPA and/or common law should encourage employers to put in place rigorous screening and training of any employee who may have access to personal data and that such screening and training ought to be kept under constant review.
In conclusion, the Supreme Court in this case has not set down new principles to follow in cases involving vicarious liability, but instead has clarified the approach to take when considering vicarious liability.