The UK Supreme Court has handed down its judgment in the case of a claim brought against Morrisons supermarkets by various former and current employees. The claim relates to a data breach which occurred in 2014.
Morrisons employed Andrew Skelton as part of the internal audit team. In late 2013 he had the task of sending the entire payroll to external auditors, as he had done the year before. However, this time he made a personal copy.
Mr Skelton was apparently motivated by a grudge against Morrisons which related to previous disciplinary action taken against him. He placed the copied data on a publicly available file sharing platform and sent it anonymously to three national newspapers. The newspapers did not publish and one alerted Morrisons. Mr Skelton was subsequently prosecuted and imprisoned.
The case before the Supreme Court
Various employees and former employees of Morrisons brought a civil claim against Morrisons in respect of the loss of their data. This relied on a legal concept of vicarious liability. This means that an employer can be held liable for the tortious acts of its employees if they are committed in the course of their employment. This is easy to understand where, for instance, a delivery driver crashes their company van causing damage while out delivering, or an NHS trust is held responsible for the mistake of a doctor during an operation. The claimants were successful in the High Court and the Court of Appeal. Morrisons appealed to the Supreme Court.
Morrisons were successful in the Supreme Court. The acts of Mr Skelton were held to have failed the “close connection” test, which asks whether the wrongful conduct was so closely connected with the acts the employee was authorised to do that it was fair and reasonable to hold the employer liable for those acts.
The online disclosure of the data was not within the field of activity for which Mr Skelton was employed. He could not be said to have been furthering the business of his employer. In fact he acted against his then employer in furtherance of his grudge.
This decision gives no grounds for employers to be complacent. It is still perfectly possible for an employer to be held liable for the data breaches of an employee, particularly where those breaches occur firmly in the course of the employee carrying out their normal role.