Main menu


+44 (0)151 600 3000


+44 (0)161 836 8800


+44 (0)1772 823 921

Search form

Search form


Morrisons Vicariously Liable for Employee’s Deliberate Payroll Data Protection Breach

Morrisons Vicariously Liable for Employee’s Deliberate Payroll Data Protection Breach
Tuesday 5th December 2017

Companies around the UK may be shocked to find out that they could be held responsible for data leaks by their employees, even where a court has ruled that the company itself has done nothing wrong.

In a landmark decision last week, the first data-breach class action in the UK, Morrisons, the fourth largest supermarket group in Britain, has been held liable for the actions of a former employee who stole the payroll information of thousands of employees and uploaded it to the internet.


In 2014, Andrew Skelton, an IT auditor at Morrisons’ headquarters was tasked with providing a copy of the company’s payroll data to their auditors, KPMG. Whilst the file was stored on his computer, Mr. Skelton made an illicit copy which he transferred to his personal USB stick. Mr. Skelton later uploaded this data to a file-sharing site and sent CD copies of it to two local newspapers in Yorkshire. It is believed that Mr. Skelton was motivated by his anger at Morrisons in respect of recent disciplinary proceedings that had been taken against him on an unrelated matter.

5,518 former and current workers of Morrisons brought the claim against the company alleging that Morrisons was either directly liable for not complying with the data protection principles in the Data Protection Act 1998 (DPA), or that Morrisons was responsible for Mr. Skelton’s breach of the act as his employer.

Direct liability

The claimants first argument was that Morrisons itself was in breach of principles 1-7 of the DPA. Mr. Justice Langstaff dealt with principles 1-6 first and disposed of them quickly on the grounds that any breach of those principles was committed by Mr. Skelton acting as the data controller of his own copy of the payroll data, Morrisons therefore could not be directly liable.

The seventh data protection principle requires data controllers to have in place “appropriate technical and organisational measures” to prevent unauthorised use of personal data. The claimants argument was that it was inappropriate for Morrisons to have trusted Skelton due to his recent disciplinary proceedings, and that they should have had some organisational measure in place to prevent him being tasked with handling such vast amounts of highly sensitive data.

The judge rejected this argument. Whilst Langstaff J accepted that there clearly were minimum standards that had to be in place, he ruled that a balance must be struck between the risk presented to personal data and the availability and cost of minimising that risk. Mr. Skelton’s previous infraction was only a minor issue and gave no reason to exclude Skelton from particular types of work. Skelton was a trusted employee and had given no real reason to doubt his trustworthiness.

Though he did find a small ‘non-material’ breach relating to a failure to delete the data from a laptop after Mr. Skelton had already taken a copy of them, this was not taken into account as there was no connection between the failure to delete and the loss caused to the claimants. The judge’s ruling was therefore that Morrisons had committed no material breaches of the data protection principles and in particular, had not failed to have organisational measures in place to protect personal data from unauthorised or unlawful disclosure.

Vicarious liability

This was the first case since the DPA came into force to consider the issue of vicarious liability. The doctrine of vicarious liability allows for someone to be held responsible for the act or omission of another, it can commonly arise in the employment context when employers are held to be responsible for the acts of their employees.

The judge followed the 2-limb test for vicarious liability as it had been stated in another case involving Morrisons, the Supreme Court decision Mohamud v William Morrison Supermarkets plc. The test is:

1.             Taken broadly, what was the nature of the position, task or job of the employee? and

2.             Given the nature of the position, task or job was there sufficient connection between that and the wrongful conduct?

In applying the test, the judge found that Mr. Skelton’s ‘task’ had been to receive and store a copy of the data and then transmit it to a third party (KPMG). Therefore, said Justice Langstaff, his act was clearly an improper mode of performing this task and so was sufficiently connected to the task to make Morrisons liable.

The question as the judge saw it, was “not whether Morrisons did wrong, but whether, when Skelton did, his acts were closely connected with his employment.”


The judgment is clearly a very worrying one for employers. Every employer will hold some personal data in relation to their employees and most will hold significant amounts of sensitive data. As Mr. Justice Langstaff himself recognised in his judgment, there can be no 100% effective system to prevent data breaches occurring, and a particular threat is posed by employees who are trusted with access to personal or sensitive data and yet choose to abuse that trust and commit breaches of the DPA.

This judgment leaves employers exposed to such rogue employees. Even in situations where the employer has taken all possible precautions and put the best protective measures in place, it appears that following this decision, the unauthorised acts of an employee that appeared trustworthy may still lead to significant liability for the employer.

It is also possible that the Information Commissioner’s Office (ICO) could investigate the matter not only in relation to the non-material breach relating to failure to delete data, but also generally. If they do, the ICO has the power to levy additional fines on Morrisons and to require the company to enter into binding undertakings to comply fully with data protection legislation going forward. Although the ruling by the judge that Morrisons did not materially breach any of the data protection principles in the DPA may lessen any sanction imposed by the ICO. However, this point will always turn on the actual facts of the case and it seems a little surprising (and counter-intuitive) that an employee was able to leak this data and at the same time for it to be considered that Morrisons had the appropriate organisational measures in place to protect personal data and not materially be in breach of data protection principles.

Under the General Data Protection Regulation (GDPR) coming into force in May 2018, such fines could be up to €20 million or 4% of annual global turnover (whichever is highest). The GDPR also incorporates a new principle of accountability, requiring data controllers (such as Morrisons in this case) to demonstrate compliance with the GDPR by showing the supervisory body (the ICO in the UK) how the data controller complies on an ongoing basis with GDPR, including through evidence of effective internal compliance measures. Where there has been a breach, such as in the present case, it could prove very difficult for data controllers to prove that their internal compliance measures are effective.

The judgment dealt only with the issue of liability and it remains to be seen what damages will eventually be awarded to the claimants. Additionally, the judge, as well as being firm in ruling that Morrisons had no direct liability in this case, has also granted leave to Morrisons to appeal the ruling on vicarious liability.

In the meantime, employers should seek to ensure that their organisational and technical systems make it as difficult as possible for any rogue employee to steal personal data. It now appears that the only sure defence is preventing the breach in the first place.

This article is part of a series produced between November and December 2017 for Brabners Data Protection Month – you can find all of our data protection articles on our Data Protection Month page.