“Employers around the UK can breathe a sigh of relief at the Supreme Court’s decision in the Morrisons’ case”, this is the opinion of Julia Wilson, a partner in the Employment practice at Baker McKenzie. The Supreme Court overturned the Court of Appeal in a landmark ruling that confirmed that Morrisons is not vicariously liable for employee’s deliberate disclosure of personal data of co-workers.
Andrew Skelton, a former senior internal auditor leaked the payroll data of over 100,000 staff which resulted in thousands of Morrisons staff making claims against the supermarket. The Court of Appeal’s decision regarding the case was overturned by the Supreme Court stating the chain should not be held accountable for the criminal acts of an ex-employee.
The Supreme Court’s president, Lord Reed explained that the company should not be held accountable for Mr Skelton’s “personal vendetta” against the business, as he had received a disciplinary a month earlier. Lord Reed said that businesses can only be held liable for the actions of staff if they were linked to their daily duties.
 |
Get our essential weekday HR news and updates.
|
Ms Wilson said:
The previous Court of Appeal decision had stretched the concept of an employer’s vicarious liability for its employees very far, to hold an employer liable for the acts of an employee who was pursuing a personal vendetta outside the workplace, and had deliberately tried to hide his wrongdoing. In this case, the wrongdoing was a data breach and the unlawful release of personal data of over 125,000 Morrisons employees. Whilst often the vicarious liability of an employer has limited effects (usually owing liability to one or a small handful of employees), in this case the data breach element amplified the risk to Morrisons – who faced over 9,000 claimant employees in the end. If the Court of Appeal decision had been upheld, the level of damages Morrisons might have faced would be huge. The Supreme Court has overturned the Court of Appeal’s decision, finding that the wrongdoer’s actions were not sufficiently closely connected with his employment that Morrisons should be liable for them.
There is a sting in the tail: the Supreme Court considered whether an employer could be vicariously liable for data breaches at all under data protection law. They have decided that an employer can be liable, and data breaches are daily news. So in situations where an employee commits a data breach which is found to be “in the course of employment”, the employer can be liable.
Esther Smith, employment partner at UK law firm TLT said:
Employers will be pleased to learn that the Supreme Court has found in favour of Morrisons today, in relation to a major data breach maliciously caused by a rogue employee. The Supreme Court has held that Morrisons does not have to pay compensation to the employees whose personal data was leaked.
Following this decision, it is now less likely that there will be a finding of vicarious liability in cases where an employee’s actions are not ‘closely connected’ to their duties at work.
While this judgment will be reassuring for employers, it is important that organisations do not rest on their laurels and should continue to implement the right policies, procedures and employee training across their businesses.
Darius is the editor of HRreview. He has previously worked as a finance reporter for the Daily Express. He studied his journalism masters at Press Association Training and graduated from the University of York with a degree in History.
- Darius McQuaid
- Darius McQuaid
- Darius McQuaid
- Darius McQuaid
