Skip to content

Limited access mode: Please note you need to be an HR Protect client to access some content on this Hub.  Please enquire.

Employment Law Speed Read – 05/11/18

Last month the Court of Appeal handed down an important judgment in WM Morrison Supermarkets Plc v Various Claimants.
The decision is likely to have far-reaching consequences for employers as the Court of Appeal upheld that Morrisons were vicariously liable for the misuse of its employees' personal data, when a former employee maliciously published its employees’ confidential information online.


Mr Skelton was employed by Morrisons as a Senior IT Internal Auditor; he therefore had access to large amounts of confidential and sensitive information. As part of his role, he was required to supply payroll information to an external auditor.

Following a disagreement with his employer, he transferred the payroll information from an encrypted USB stick to his own electronic device. On 12 January 2014, he then deliberately and maliciously uploaded the confidential information to a file sharing website.

The personal data of almost 100,000 Morrisons’ employees was leaked online. The personal data that was published was highly sensitive and included names, addresses, phone numbers, national insurance numbers and bank account details of employees.

Mr Skelton was convicted of fraud and various offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA) and was sentenced to eight years imprisonment.

The High Court

A group of more than 5,500 affected employees sought to hold Morrisons vicariously liable for Mr Skelton’s actions. The group of employees claimed against Morrisons for misuse of private information, breach of confidence and a breach of statutory duty under Section 4(4) of the DPA.

The High Court ruled in favour of the employees and held that Morrisons were vicariously liable for the wrongful conduct of Mr Skelton.

The High Court held that there was a sufficient connection between Mr Skelton’s employment and his wrongful act of publishing the personal data online to hold Morrisons liable in damages to the affected employees.

Morrisons appealed to the Court of Appeal.

The Court of Appeal

The Court of Appeal dismissed Morrisons’ appeal and upheld the decision of the High Court. It held that there was a sufficiently close connection between Mr Skelton’s wrongful conduct and his employment. Mr Skelton was specifically assigned to dealing with the payroll information; it was his role to receive the data, store it and disclose it to third parties.

Further, the Court of Appeal held that although the time and place at which the wrongful act occurs is relevant, it is not conclusive. As such, the fact that Mr Skelton published the confidential information from his home, and several weeks after he had initially transferred the files to his personal device, was not determinative. Mr Skelton’s motive for publishing the confidential information was held to be irrelevant.

The Court of Appeal concluded that there was an “unbroken chain of events” that linked Mr Skelton’s employment duties and the disclosure; consequently, Morrisons were vicariously liable for the actions of Mr Skelton.


This case demonstrates that employers may be held liable for deliberate and malicious data breaches committed by their employees. This remains the case even if the employer itself was the target of the breach.

Given the “potentially ruinous amounts” of compensation which employers may be required to pay out following a finding of liability, the Court of Appeal emphasised the importance of employers insuring against data breaches committed by employees.

If you have any questions on the above and how it will affect you, please do not hesitate to get in touch with a member of our employment team.