Employer not vicariously liable for mass data breach by rogue employee, Supreme Court rules

United Kingdom, Scotland

In WM Morrisons Supermarket PLC v Various Claimants [2020] UKSC 12, the Supreme Court has overturned the Court of Appeal decision that an employer can be vicariously liable to multiple claimants for a mass data breach committed by a rogue employee, reversing the first successful class action arising from such a breach.


A senior internal IT auditor employed by Morrisons copied the payroll data pertaining to almost 100,000 employees onto his own USB drive. The data included sensitive personal data. The employee subsequently uploaded the data onto a file sharing site in the name of an employee against whom he bore a grudge and told three newspapers anonymously that the personal data had been made available on the web. Having been alerted to the data breach, Morrisons swiftly took steps to ensure the takedown of the website and alerted the police. The employee was charged with fraud and offences under the Computer Misuse Act 1990 and the Data Protection Act 1998 (DPA). He was sentenced to a term of eight years’ imprisonment.

This claim involved a class action by over 5,000 Morrisons employees whose data had been disclosed in the breach. The claimants sought compensation against Morrisons for:

  1. Breach of statutory duty under the DPA;
  2. The common law tort of misuse of private information; and
  3. The equitable wrong of breach of confidence.

The claimants submitted that Morrisons should be found primarily liable under each of the three heads or, alternatively, that Morrisons were at least vicariously liable.

The High Court and Court of Appeal

The Court of Appeal upheld the first instance finding that the statutory regime imposed by the DPA did not exclude either the application of vicarious liability or the causes of action for misuse of private information and breach of confidence. The common law remedies were not incompatible with the statutory scheme, and so it could not be said that Parliament had not intended them to coexist. There was no express exclusion of the common law remedies and no specific provision in the DPA addressing these particular circumstances. Moreover, an exclusion of vicarious liability would be inconsistent with the objectives of the DPA, namely the protection of privacy and the provision of an effective remedy for its infringement.

The Court of Appeal also upheld the High Court’s finding that vicarious liability attached. The Court of Appeal held that the acts were “within the field of activities assigned to the employee”. There was an “unbroken thread that linked the employee’s work to the disclosure: what happened was a seamless and continuous sequence of events”.

The Supreme Court

Lord Reed gave the only judgment in the Supreme Court, which unanimously allowed the appeal.

In relation to the claim of vicarious liability, Lord Reed confirmed that the key test was whether the wrongful conduct was so closely connected with the acts the employee was authorised to do that it may fairly and properly be regarded as being done by the employee while acting in the course of his employment - the “close connection test”.

However, Lord Reed disagreed with the lower courts’ application of this test to the facts. It was held that the posting of the data on the Internet was not part of the employee’s “field of activities”. He had done this without authority for personal reasons, to pursue a vendetta, with no intention to further the interests of his employer or to perform his duties under his contract of employment. It was not enough that he was simply given the opportunity to commit his wrongful acts in the course of his employment.

This decision strictly disposed of the matter, but Lord Reed went on to consider Morrisons’ argument that the DPA excluded an employer’s vicarious liability for an employee’s acts where these constituted a breach of the statute. The argument was also that this principle applied to common law claims based on the same facts. Lord Reed rejected this argument: there was nothing in the statute to this effect, and no such conclusion could be implied from it.


The decision represents a rebalancing of the law. It delimits the scope of vicarious liability for the future and provides useful guidance to distinguish between wrongful acts performed within employees’ “field of activities” and those which are “frolics” of their own. The judgment helpfully confirms that the opportunity to commit a wrongful act is not itself sufficient to impose vicarious liability. The motive of the wrongdoer is also confirmed as a key consideration. An employer will be liable for the wrongful acts of an employee endeavouring to further the employer’s business, but not for an employee pursuing personal interests. So, for example, a police force may be vicariously liable for a police officer injuring a bystander when firing his police issue firearm while on duty, but not if the firearm is discharged as part of a personal vendetta. An employer may be liable for an assault by a petrol station attendant employee if carried out while rendering service to a customer, but not for an assault in response to a complaint about being assaulted. While clear job descriptions and records showing what an employee is authorised, trained or certified to do within his employment may assist, cases of vicarious liability are more likely to involve situations outside of those boundaries and may be decided on wider issues.

Under the DPA, a company which acts as a controller of data owes certain responsibilities to data subjects to protect them from unauthorised disclosure to third parties and should put in place systems and protocols to ensure that, as far as possible, this does not take place. The present decision provides useful guidance on the circumstances in which, having discharged its duties as a controller, the company might still be vicariously liable to data subjects when an employee circumvents those systems and protocols. The decision suggests that no vicarious liability will arise where the disclosure of data is solely for the employee’s personal gain or gratification. It does not necessarily assist an employer whose employee misguidedly circumvents systems for an innocent purpose in connection with something that he is employed to do.