Morrisons wins appeal at Supreme Court over payroll data breach

Supermarket retailer Morrisons has won a Supreme Court appeal over whether it is liable for the criminal act of an employee who leaked payroll data of around 100,000 members of staff.

Morrisons brought a Supreme Court challenge in an attempt to overturn a ruling which gave the go-ahead for compensation claims by thousands of employees whose personal details were leaked by Andrew Skelton, former senior auditor at the organisation’s Bradford branch, in 2014.

The court unanimously concluded that Morrisons was not liable for Skelton’s conduct, saying: “His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.”

Susan Hall, data protection and data security lawyer at Clarke Willmott, said: “It’s very much the judgment all employers must have hoped the Supreme Court would reach; a common-sense restatement of the law of vicarious liability which allows it to be properly applied in relevant cases where the employee has acted improperly within the scope of their duties (including where the employee is a data controller of data) but has not gone completely off piste. In fact, the Supreme Court has breathed new life into the concept of ‘a frolic of their own’.”

Paul Holcroft, associate director at Croner, added: “This long-awaited ruling from the Supreme Court seems to provide further clarity on vicarious liability, something that many employers are likely wary of.

“As seen here, this form of liability should only arise when the act is closely connected to the job of the employee; here, the individual abused his position to conduct criminal acts due to his own personal grudge. However, the fact that this case made it to the Supreme Court demonstrates that this can be an unclear area and will be fact specific. To this end, it is important that employers are prepared to respond quickly to any circumstances when they could face liability for the actions of their staff.”

Julia Wilson, partner in the employment practice at Baker McKenzie, said: “In this case, the wrongdoing was a data breach and the unlawful release of personal data of over 125,000 Morrisons employees. While often the vicarious liability of an employer has limited effects, in this case the data breach element amplified the risk to Morrisons, which faced over 9,000 claimant employees in the end.

“If the Court of Appeal decision had been upheld, the level of damages Morrisons might have faced would be huge. The Supreme Court has overturned the Court of Appeal’s decision, finding that the wrongdoer’s actions were not sufficiently closely connected with his employment that Morrisons should be liable for them.”