For an employer to be held vicariously liable for the actions of their employees, there has to be sufficient connection between their job and the wrongful conduct. In WM Morrison Supermarkets plc v Various Claimants, the Court of Appeal held that there was no exception to the rule of vicarious liability where the employee’s motive was to cause financial or reputational damage to the employer by causing harm to a third party.

Basic facts

Following a disciplinary hearing in July 2013 for unauthorised use of Morrisons’ postal facilities, Mr Skelton, a senior IT auditor, was given a formal verbal warning. This left him with a grudge against the employer.

In November 2013 Morrisons’ auditors requested data including payroll data to undertake the annual audit.  The payroll data was provided to Mr Skelton on an encrypted USB which he downloaded onto his laptop. He then copied the data onto another encrypted USB which he provided to the employer’s auditors. 

However, he also copied the payroll data onto a personal USB and in January 2014, just before the company’s financial reports were to be announced, he posted a file containing personal details (including bank details) of almost 100,000 company employees on a file sharing website. In March 2014 he sent the data to three newspapers who did not publish it but instead contacted Morrisons.

A large number of employees issued proceedings against Morrisons claiming damages and interest for misuse of private information, breach of confidence and breach of statutory duty owed under section 4 of the Data Protection Act 1998 (DPA).

Decision of High Court

At the High Court the claimants argued that Morrisons was both primarily liable and vicariously liable for the wrongdoings of Mr Skelton. The court held that Morrisons was not the data controller at the time of any breach of the DPA and that it was not directly liable for breach of confidence or misuse of the information since it was Mr Skelton who had disclosed or misused it.

However, it found that the supermarket was vicariously liable for the actions of Mr Skelton. It rejected Morrisons’ argument that vicarious liability was excluded by the DPA because Mr Skelton was the data controller. Nor was it the case that the effect of the DPA was to exclude any scope for vicarious liability under the common law claims for misuse of information or breach of confidence.

As regards the law on vicarious liability the court held that there was a sufficient connection between the job Mr Skelton did and his wrongful conduct.  Morrisons had put him into the position of handling and disclosing data.  Together this was sufficient for them to be vicariously liable for a breach of duty under the DPA and the common law claims of misuse of information and breach of the duty of confidence.

However, the judge was concerned as to whether the court could be seen as an accessory to Mr Skelton’s criminal acts in circumstances where his wrongdoing was specifically aimed at Morrisons, against whom the claimants were now seeking to claim. On that basis he gave permission for Morrisons to appeal.

Decision of Court of Appeal

Dismissing the appeal, the Court held that the “close connection test” was satisfied when Mr Skelton improperly downloaded the employees’ data at work onto his personal USB stick. The fact that the harm was done several weeks later at his home, using his own computer, on a Sunday, was irrelevant. This was deliberate wrongdoing by an employee.

Although this was the first case where the wrongdoing was aimed at harming the employer rather than achieving a benefit for the wrongdoer or inflicting injury on a third party, the Court held that motive was irrelevant. As such, there was no exception to the rule of vicarious liability where the motive was to cause financial or reputational damage to the employer by causing harm to a third party.

Rejecting the employer’s argument that this placed an enormous burden on them (and other innocent employers in the future), the Court pointed out that if it were to uphold Morrisons’ argument then this would place employees at a disadvantage. For instance, if Mr Skelton had misused the data in order to steal a large sum of money from an employee’s bank account, that person would then have no remedy except pursuing a claim against Mr Skelton himself. Employers, on the other hand, had a solution, which was to insure themselves against the possibility of the actions of rogue employees such as Mr Skelton.


The case is a reminder to employers that they may be vicariously liable for the actions of employees irrespective of the motive of the employee. This case was brought under the old DPA 1998 which has since been repealed and replaced by the DPA 2018 and the General Data Protection Regulations which came into force on 25 May 2018. It is still relevant under the new regulations where the fines for breaches of the DPA and GDPR are considerably higher.