Employers can breathe a sigh of relief. Today, the Supreme Court handed down its long awaited judgment for WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents)  UKSC 12 and held that Morrisons cannot be liable for the actions of an employee who uploaded the data of almost 100,000 employees to a publicly-accessible file-sharing website due to a personal vendetta against his employer. This decision related to a breach of the Data Protection Act 1998, but the decision is of assistance in understanding the likely outcome of claims brought under GDPR.
By way of background, one of Morrisons’ senior auditors was asked to transfer payroll data to Morrisons’ external auditors. The employee held a grudge against Morrisons, having received a warning for minor misconduct, and used this task as an opportunity to make a personal copy of and upload the data of 98,998 employees to a publicly-accessible file-sharing website. He then waited until the day Morrisons was due to announce their financial results to anonymously contact three UK newspapers purporting to be a concerned member of the public who had discovered the file-sharing website. The newspapers alerted Morrisons to the data breach and Morrisons acted promptly to have the data removed and to protect its employees. Despite Morrisons’ swift action, 9,000 staff sued Morrisons for damages and the High Court and Court of Appeal held that whilst Morrisons was not to blame, they were vicariously liable for the employee’s wrongdoing as he had been entrusted with the data during the course of his employment.
However, today the Supreme Court unanimously allowed for Morrisons appeal. The Supreme Court explained that the test which applies in deciding if an employer is liable is that the wrongful conduct must be so closely connected with the act the employee was asked to do, that it may fairly and properly be regarded as done by the employee as acting in the ordinary course of employment. As the employee was not engaged in furthering Morrisons’ business and on the contrary was pursuing a personal vendetta, Morrisons was held not to be vicariously liable.
This doesn’t mean that a successful claim for vicarious liability couldn’t be brought in the future where a breach caused by an employee was “closely connected” to their role, but this decision confirms that employers are not liable in all circumstances which is a welcome relief.
For more information please get in touch with one of our information law and privacy experts:
For further support and advice relating to the impact of COVID-19, please view our COVID-19 Advisory Service page.