Skip to main content

News story

May 26, 2020

Supreme Court clarifies employer’s vicarious liability

The Supreme Court clarifies the scope of an employer’s vicarious liability for the conduct of its employees

In the recent case WM Morrison Supermarkets v Various Claimants, the Supreme Court held that Morrisons was not liable for the criminal acts of an employee who bore a grudge against its business and published the personal data of its entire workforce online.

In its judgment, the Supreme Court clarified the extent of an employer’s vicarious liability regarding the Data Protection Act 1998 (DPA 1998), which was the law in force at the time of the publication.

What is vicarious liability?

Vicarious liability is the common law principle of strict, no-fault liability for wrongs committed by another person. In an employment relationship, the employer is held liable for wrongs committed by an employee if it can be shown that those acts were carried out during their employment. It does not matter that the employer itself committed no wrongdoing or may not have known what the employee was up to.

What is the DPA 1998?

The DPA 1998 was the data protection law in force when the Morrisons’ employee published the personal data. The DPA 1998 imposed broad obligations on those who collect personal data (data controllers) and gives rights to individuals about whom data is collected (data subjects).

Background

Andrew Skelton, a senior IT auditor and employee of Morrisons, was given access to its entire payroll data to carry out his role in its annual audit. Consequently, Skelton published the personal data of 100,000 of Morrisons’ current and former employees online, which consisted of names, addresses, gender information, dates of birth, phone numbers, national insurance numbers, bank details and salaries.

Skelton harboured an irrational grudge against the company dating back to 2013. This grudge motivated him to publish the personal data in the hope of damaging Morrisons’ reputation.

Under the false pretence of being a concerned member of the public, Skelton anonymously disclosed the existence of these files to three newspapers. Morrisons were fortunately alerted to the breach by one of the newspapers. Morrisons took swift action, spending more than £2.6 million to have the information taken down, protect its employees’ identities, and quickly informed the police. The information was removed from the internet, and Skelton was prosecuted and sentenced to eight years’ imprisonment.

Just over 9,000 claimants brought a group action against Morrisons under two limbs: principle liability and vicarious liability for Skelton’s conduct (based on claims of a breach of statutory duty created by the DPA 1998, misuse of private information and breach of confidence). The claimants sought damages for distress, anxiety and upset.

The High Court

The High Court held that Morrisons was not principally liable as they were not the data controller at the time of the breach, Skelton was, and Morrisons had provided adequate safeguard controls. It did, though, find that Morrisons was vicariously liable because Skeletons’ conduct was committed during his employment.

The Court of Appeal

Morrisons appealed to the Court of Appeal, submitting that it could not be vicariously liable for Skelton’s wrongful acts because they did not occur during his employment, and there could be no vicarious liability for breach of statutory duty created by the DPA 1998. The appeal was dismissed on both grounds, and Morrisons appealed to the Supreme Court.

The Supreme Court

The Supreme Court, the final court of appeal in the UK, upheld the appeal in favour of Morrisons, stating that the lower courts had misinterpreted the principles governing vicarious liability and, in particular, the “close connection test” set out in the case of Dubai Aluminium.

The close connection test

“…the wrongful conduct had to be so closely connected with acts the employee was authorised to do that, for the purposes of the liability of the employer to third parties, it might fairly and properly be regarded as done by the employee while acting in the ordinary course of their employment.”

The Supreme Court found that the close connection test was not satisfied because (in summary) when Skelton transmitted the data, it was not connected to the task he was asked to do; the fact that he was given the opportunity to commit a wrongful act does not necessitate the imposition of vicarious liability, and Skelton was not advancing Morrisons’ business but was instead pursuing a personal grudge designed specifically to harm the company.

The Supreme Court held that the lower courts had misunderstood previous case law and decided incorrectly that motive wasn’t relevant. Whether Skelton was engaged in furthering his employer’s business or pursuing a personal vendetta when committing the wrongdoing was highly material.

Did the DPA 1998 exclude the imposition of vicarious liability?

Given the findings, the Supreme Court was not required to consider this question but opted to do so. Morrisons’ argument that the DPA 1998 excluded vicarious liability was rejected. If, during their employment, an employee acts, and such acts breach obligations imposed by the DPA 1998, then the employer may be vicariously liable.

Lessons learned

Employers should be pleased with this decision as it confirms they should not be vicariously liable for the conduct of rogue employees. However, employers should remain vigilant, as the court did not entirely exclude the possibility of vicarious liability in circumstances where an employee satisfies the close connection test.

A practical question for employers: “On the job or not?”

Answer: When an employee commits wrongdoing, you must ask yourself whether the employee was going about your business, was acting in their employed capacity or in a purely personal capacity, or was exercising their authority as an employee.

GDPR and the Data Protection Act 2018 have since replaced the DPA 1998. Both make compliance far more onerous for employers. Employers risk astronomical fines and compensation claims if they do not safeguard their data. Putting in place suitable data protection policies and procedures can protect them from the acts of rogue employees.

For all your employment and data protection needs, call Karen Cole today.

Note: This is not legal advice; it provides information of general interest about current legal issues.

Stay in touch

Subscribe to our newsletter

Stay in touch

By completing your details and submitting this form you confirm you are happy for us to send you marketing communications and that you agree to our Website Privacy Policy and Legal Notice and to us using Mailchimp to process your data.


Sending

News/Insight

  • Deal or no deal? Keeping negotiations on track
    How to keep commercial deals on track with Heads of Terms, NDAs and exclusivity, improving efficiency, reducing risk and avoiding delays.


    Read more

  • Rights and wrongs: How AI is reshaping Employment Tribunal claims
    AI may be a familiar presence in the workplace, but it’s now starting to appear somewhere less expected: the Employment Tribunal (ET). Grayson Stuckey explores this trend – and what it means for employers.


    Read more

  • Renters’ Rights Act: why process and paperwork matter more than ever for landlords
    The Renters’ Rights Act has now passed into law, marking one of the most significant shifts in the private rented sector in a generation. Most of the new measures will take effect in May 2026, with a national landlord database to follow later in th


    Read more

  • Understanding the Roles of Executors and Trustees
    When making a will, you place significant trust in those appointed to carry out your wishes. Executors and trustees are key roles, often held by the same people, but their responsibilities differ. Understanding these roles and their obligations helps


    Read more

  • Assigning or Subletting a Commercial Lease: What Tenants Need to Know
    This article explains the key differences between assignment and subletting, outlines the legal framework in England and Wales, and highlights the practical issues tenants should consider before taking action.


    Read more

What they say...

  • Paul Woodman, March 2026
    Will writing “Excellent service from start to finish. Efficient and good value. Charlotte was very professional, knowledgeable and understanding.”

  • Client, March 2026
    Great Service “Contacted RIAA to update my will and other things. Charlotte and James provided an efficient, friendly service, and the process was dealt with quickly. Much appreciated.”

  • Client, March 2026
    Expert knowledge and support “Pippa was invaluable in her insight, knowledge, and support. Through what is a very difficult time, she gave me hope that there is something to be done. Very solutions-oriented!”

  • Eve, March 2026
    Professional, compassionate and seamless legal support “I would like to express my sincere gratitude to Charlotte, Solicitor at RIAA Barker Gillette (UK) LLP, for the outstanding support she provided to my father during the creation of his will

  • Laura Kelly, February 2026
    Review of legal guidance received “I recently worked with Patrick Simpson on my settlement agreement. Patrick guided me through every stage with exceptional care and diligence. He kept the process moving efficiently, always updating me promptly

Read more
 
Send this to a friend