Employers can breathe a sigh of relief.  Today, the Supreme Court handed down its long awaited judgment for WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 and held that Morrisons cannot be liable for the actions of an employee who uploaded the data of almost 100,000 employees to a publicly-accessible file-sharing website due to a personal vendetta against his employer.   This decision related to a breach of the Data Protection Act 1998, but the decision is of assistance in understanding the likely outcome of claims brought under GDPR.

By way of background, one of Morrisons’ senior auditors was asked to transfer payroll data to Morrisons’ external auditors. The employee held a grudge against Morrisons, having received a warning for minor misconduct, and used this task as an opportunity to make a personal copy of and upload the data of 98,998 employees to a publicly-accessible file-sharing website. He then waited until the day Morrisons was due to announce their financial results to anonymously contact three UK newspapers purporting to be a concerned member of the public who had discovered the file-sharing website. The newspapers alerted Morrisons to the data breach and Morrisons acted promptly to have the data removed and to protect its employees. Despite Morrisons’ swift action, 9,000 staff sued Morrisons for damages and the High Court and Court of Appeal held that whilst Morrisons was not to blame, they were vicariously liable for the employee’s wrongdoing as he had been entrusted with the data during the course of his employment.

However, today the Supreme Court unanimously allowed for Morrisons appeal. The Supreme Court explained that the test which applies in deciding if an employer is liable is that the wrongful conduct must be so closely connected with the act the employee was asked to do, that it may fairly and properly be regarded as done by the employee as acting in the ordinary course of employment. As the employee was not engaged in furthering Morrisons’ business and on the contrary was pursuing a personal vendetta, Morrisons was held not to be vicariously liable.

This doesn’t mean that a successful claim for vicarious liability couldn’t be brought in the future where a breach caused by an employee was “closely connected” to their role, but this decision confirms that employers are not liable in all circumstances which is a welcome relief.

For more information please get in touch with one of our information law and privacy experts:

For further support and advice relating to the impact of COVID-19, please view our COVID-19 Advisory Service page.

Our use of cookies

We use necessary cookies to make our site work. We'd also like to set optional analytics cookies to help us improve it. We won't set optional cookies unless you enable them. Using this tool will set a cookie on your device to remember your preferences. For more detailed information about the cookies we use, see our Cookies page.

Necessary cookies

Necessary cookies enable core functionality such as security, network management, and accessibility. You may disable these by changing your browser settings, but this may affect how the website functions.

Analytics cookies

We'd like to set Google Analytics cookies to help us to improve our website by collection and reporting information on how you use it. The cookies collect information in a way that does not directly identify anyone.
For more information on how these cookies work, please see our Cookies page.