Employment Law Speed Read – 18/12/17

This week we feature a case in which the implications of a malicious data breach were considered.

Vicarious liability and deliberate data breaches by employees

In the recent case of Various Claimants v Wm Morrisons Supermarkets PLC the High Court has held that an employer can be vicariously liable for an employee’s deliberate disclosure of personal data.


Morrisons employed Mr Skelton (S) as a senior IT internal auditor. In July 2013, S was disciplined by Morrisons for an incident unrelated to data protection.

On 1 November 2013, Morrisons asked S to send payroll data to KPMG for external audit purposes. The data was contained in secure software; however, as S was not one of the limited personnel who had access to this software, Morrisons provided him with the data on an encrypted USB stick. S subsequently copied the data from his PC to a personal USB stick.

Just before Morrisons’ annual financial reports were to be announced in 2014, S uploaded the personal details of almost 100,000 Morrisons employees onto a file sharing site.

Over 5,518 members of staff made a group claim against Morrisons for compensation in respect of breaches of the Data Protection Act, misuse of private information and breach of confidence.

High Court decision  

The Court found that Morrisons had breached the seventh data protection principle (in respect of technical and organisational measures) as it had not put in place an organised system for deleting data. However, it was found that this breach did not contribute to S’s disclosure.

The Court also found that Morrisons had no primary liability for misuse of private information or breach of confidence.

However, the Court found that Morrisons were vicariously liable for the disclosure of the personal data as there was a sufficient connection between the disclosure of the personal data and S’s employment.

The Court found that:

  • there was a seamless and continuous sequence of events;
  • Morrisons had deliberately entrusted S with the payroll data;
  • Morrisons had specifically tasked S with the job of sharing the data with KPMG, which was closely linked to the unauthorised disclosure;
  • S was acting as an employee at the time of the breach; and
  • the fact that the unauthorised disclosure happened whilst S was at home on a non-working day did not break the thread that linked his work to the disclosure.


This is obviously bad news for employers, who could very well find themselves liable for the actions of vengeful employees. Quantum has yet to be decided in this case, but the costs to Morrisons could be very significant if the other 94,000+ employees decided to make a claim. However, this is not the end of the story, as Morrisons have been granted the right of appeal.

If you have any questions on the above and how it will affect you, please do not hesitate to get in touch with a member of our employment team.