Morrisons v Various Claimants

[2020] UKSC 12

Case details

Neutral citation: [2020] UKSC 12
Court: Supreme Court of the United Kingdom
Judgment date: 1 April 2020
Subjects: Vicarious liabilityData protectionPrivacyTort
Keywords: close connection testvicarious liabilityData Protection Act 1998scope of employmentintentional wrongdoingmisuse of private informationbreach of confidenceMohamud
Outcome: allowed

Case summary

The Supreme Court allowed the appeal and held that Morrisons is not vicariously liable for the deliberate disclosure of employee payroll data by a senior auditor, Mr Skelton. The court reaffirmed the "close connection" test for vicarious liability as articulated in Dubai Aluminium Co Ltd v Salaam and explained that Mohamud v WM Morrison Supermarkets plc was misread by the courts below: the exercise in Mohamud must be read in context and does not convert every temporal or causal link into a sufficient basis for vicarious liability. The court found that Skelton acted on a personal vendetta and not in the course of his employment, so his disclosure was not so closely connected with authorised acts (the collation and transmission of payroll data to KPMG) as to render Morrisons liable. The court also considered the Data Protection Act 1998 and held that the Act does not, expressly or impliedly, exclude the principle of vicarious liability, but that point was not decisive because the factual test for close connection was not met in this case.

Case abstract

This case concerned claims by 9,263 current or former employees that Morrisons was liable for the publication of their payroll data on the internet by an employee, Mr Andrew Skelton. The claimants pleaded breach of the statutory duty under the Data Protection Act 1998 (including reference to section 4(4)), misuse of private information and breach of confidence, and asserted that Morrisons was vicariously liable for Skelton's conduct.

Background and procedural history:

Skelton, a senior internal auditor, was given access to full payroll data to collate and transmit it to Morrisons' external auditors, KPMG.
Between November 2013 and January 2014 he made a private copy of the data and, acting from home and using anonymising tools and a false account, uploaded the data to publicly accessible websites and sent copies to newspapers. He was later convicted and imprisoned.
The claimants sued Morrisons for damages for distress and related loss. The High Court (Langstaff J) held Morrisons vicariously liable; the Court of Appeal dismissed Morrisons' appeal; the case proceeded to the Supreme Court.

Issues:

Whether Morrisons was vicariously liable for Skelton's conduct.
If so, whether the Data Protection Act 1998 excludes vicarious liability for (a) statutory torts under the DPA and (b) misuse of private information and breach of confidence.

Court's reasoning and conclusion:

The court re-stated that the governing test is the close connection test from Dubai Aluminium: whether the wrongful conduct was so closely connected with acts the employee was authorised to do that it may fairly and properly be regarded as done in the ordinary course of employment.
The court explained that Mohamud must be read in full context and does not permit treating mere temporal or causal sequence, or the fact that opportunity was provided by employment, as alone sufficient for vicarious liability.
Applying the test, the court concluded Skelton was pursuing a personal vendetta and his wrongful disclosure was not an act in furtherance of his employer's business; it was a classic 'frolic of his own'. Mere opportunity given by employment to commit the wrongdoing was insufficient.
The court further considered the DPA and concluded that it does not expressly or impliedly exclude vicarious liability, but that question was ultimately unnecessary to resolve on the facts because the close connection test failed.

Relief sought: damages for statutory breach and for misuse of private information and breach of confidence; vicarious liability was the principal issue determining Morrisons' exposure.

Held

The appeal was allowed. The Supreme Court held that Morrisons was not vicariously liable for Skelton’s deliberate disclosure because his conduct was not so closely connected with acts which he was authorised to do that it could fairly and properly be regarded as done in the ordinary course of his employment. The court clarified that Mohamud was misread by the courts below and reaffirmed the close connection test from Dubai Aluminium. The court also held that, as a matter of statutory interpretation, the Data Protection Act 1998 does not expressly or impliedly exclude vicarious liability, but that issue was not decisive on these facts.

Appellate history

High Court (Langstaff J): claimants succeeded in establishing vicarious liability [2017] EWHC 3113 (QB). Court of Appeal (Etherton MR, Bean and Flaux LJJ): appeal dismissed [2018] EWCA Civ 2339. Supreme Court: appeal allowed [2020] UKSC 12.

Cited cases

Majrowski v Guy's and St Thomas' NHS Trust, [2006] UKHL 34 positive
Dubai Aluminium Co Ltd v Salaam, [2002] UKHL 48 positive
Lister and Others v. Hesley Hall Limited, [2001] UKHL 22 positive
Joel v Morison, (1834) 6 C & P 501 positive
Warren v Henlys Ltd, [1948] 2 All ER 935 negative
Morris v C W Martin & Sons Ltd, [1966] 1 QB 716 positive
Kooragang Investments Pty Ltd v Richardson & Wrench Ltd, [1982] AC 462 positive
Attorney General of the British Virgin Islands v Hartwell, [2004] UKPC 12 positive
Bernard v Attorney General of Jamaica, [2004] UKPC 47 positive
Brown v Robinson, [2004] UKPC 56 positive
Various Claimants v Catholic Child Welfare Society (Christian Brothers), [2012] UKSC 56 neutral
Mohamud v WM Morrisons Supermarkets plc, [2016] UKSC 11 mixed
Bellman v Northampton Recruitment Ltd, [2018] EWCA Civ 2214 positive
Fashion ID GmbH & Co KG v Verbraucherzentrale NRW eV (Case C-40/17), Case C-40/17 neutral

Legislation cited

Data Protection Act 1998: Section 13
Data Protection Act 1998: Section 4
Data Protection Act 1998: Schedule 1 (Data Protection Principles)