
Morrisons held vicariously liable for employee data leak

04 December 2017

The High Court has found Morrisons to be vicariously liable for the actions of a rogue employee who intentionally disclosed the personal details of over 100,000 staff at Morrisons. The judgment will be of interest to data controllers and to customers and employees whose personal data is compromised by data breaches. It is the first group litigation in respect of a data breach to be decided by the English courts.


Andrew Skelton was an internal auditor employed by Morrisons. Mr Skelton copied Morrisons’ master payroll file and went on to release the data of over 100,000 employees online. Mr Skelton was subsequently convicted of criminal misuse of the payroll data and sent to prison. During his trial, it was revealed that Mr Skelton’s actions were an elaborate revenge campaign against Morrisons after he was subjected to internal disciplinary proceedings in early 2013.

The claims

Over 5,500 employees took group action against Morrisons, seeking damages for the distress arising from the disclosure of their personal data. The action included claims that Morrisons was directly liable for the disclosure (under the Data Protection Act, common law principles and equity) and, in the alternative, that Morrisons was liable under common law vicarious liability principles.

The decision

In a 200-paragraph judgment, Langstaff J held that Morrisons was not directly liable for the actions of its employee. However, the Judge held that Morrisons was vicariously liable for the actions of Skelton. In doing so, the Judge expressed his concern that, as Skelton’s intention was to cause harm to Morrisons, the decision might have the unintended effect of furthering Skelton’s aims. Accordingly, the Judge granted Morrisons permission to appeal his decision on vicarious liability.

While the Judge did not think his decision would open the floodgates for further group litigation (this being the first case of its kind in the 20 years following the introduction of the Data Protection Act), data controllers with employees will be concerned by the implications of this judgment and the possibility of increases in group litigation as a result.

Morrisons are reportedly appealing the decision and no doubt data controllers, and their insurers, will be watching this case closely.
