Vicarious Liability (part deux): Data Protection

Friday 26th October 2018

Providing us with a vicarious liability double bill, the Court of Appeal has handed down its judgement in Various Claimants v WM Morrison Supermarkets PLC, holding that the supermarket should be held liable for the deliberate and wrongful disclosure of personal information perpetrated by an employee.


As outlined above, vicarious liability requires a sufficient connection between the employment and the wrongful act. The claim against was brought under DPA 1998, though it is anticipated that the same result would be reached applying the GDPR and DPA 2018 regime.


A senior internal auditor (‘S’) became disaffected with Morrisons following a disciplinary hearing.

In the course of his employment, S was authorised to access some personal (including sensitive personal) data about fellow employees. In late 2013 Morrisons was asked by its external auditors for various data, and S was asked to handle the transfer between the two companies

The data was stored securely, and was extracted onto an encrypted USB stick for transfer. S did not have permission to access the data. He copied it onto his work computer before passing the data onto the auditor as required. Crucially however, he did not delete it from his computer, and in early 2014 he uploaded personal information to the internet, posting it under the name of a fellow employee.

Decision and comment

In finding against Morrisons, the Court confirmed that the statutory data protection regime exists to supplement, not exclude, vicarious liability. It may also be worth noting that the result would have been the same for claims brought for breach of the duty of confidence or misuse of private information.

Further, inasmuch as S had deliberately set out to damage Morrisons, rather than achieve some benefit for himself, the Court of Appeal has applied the view that motive is irrelevant in a claim for vicarious liability.

Given that this was a deliberate act, there was little Morrisons could have done to mitigate the breach. Nonetheless, it still faces a class action claim. The fear for organisations will be that a data protection perfect storm is brewing: increased statutory protection under the GDPR, greater public awareness of data protection issues, and now the possibility of a strict liability regime for vicarious liability for data breaches. It will be interesting to see whether the floodgates do in fact open. In the meantime organisations would be advised to check the extent of their cyber insurance.

Morrisons has said it intends to appeal to the Supreme Court, so we may return to this case again.