WM Morrison Supermarkets Plc v Various Claimants: Vicarious Liability and Data Protection Act Implications

WM Morrison Supermarkets Plc v Various Claimants: Vicarious Liability and Data Protection Act Implications

Introduction

The case of WM Morrison Supermarkets Plc v Various Claimants ([2020] UKSC 12) addresses critical issues surrounding vicarious liability of employers for the misconduct of their employees, particularly in the context of data protection. This judgment marks a significant precedent in delineating the boundaries of employer liability under the Data Protection Act 1998 (DPA) and common law principles. The Supreme Court's decision clarifies the extent to which employers can be held accountable for deliberate wrongdoing by their employees, especially when such actions are intended to harm the employer itself.

Summary of the Judgment

The claimants, comprising 9,263 current and former employees of WM Morrison Supermarkets, alleged that the company's employee, Mr. Andrew Skelton, unlawfully disclosed sensitive payroll data online, resulting in significant distress and financial loss to the employees. The High Court and the Court of Appeal previously held Morrisons vicariously liable for Skelton's actions under both the DPA and common law principles of misuse of private information and breach of confidence.

However, the Supreme Court overturned these decisions, holding that Morrisons was not vicariously liable for Skelton's misconduct. The key reasoning was that Skelton's wrongful disclosure was not closely connected with his authorized duties and was instead a personal vendetta against his employer. Consequently, the Supreme Court allowed Morrisons' appeal, establishing that employers are not liable for employees' actions that are intended to harm the employer and fall outside the scope of their employment.

Analysis

Precedents Cited

The judgment extensively references several landmark cases to frame its reasoning:

  • Mohamud v WM Morrison Supermarkets Plc [2016] UKSC 11 – Established the "close connection" test for vicarious liability.
  • Lister v Hesley Hall Ltd [2001] UKHL 22 – Developed the concept of a "close connection" between the employee's duties and wrongful acts.
  • Dubai Aluminium Co Ltd v Salaam [2002] UKHL 48 – Reinforced the close connection test and emphasized the principle of social justice.
  • Joel v Morison (1834) 6 C & P 501 – Differentiated between acts within and outside the course of employment.
  • Attorney General of the British Virgin Islands v Hartwell [2004] UKPC 12 – Highlighted limitations of vicarious liability regarding personal vendettas.

These precedents collectively underscore the necessity for a substantial connection between the employee's authorized duties and their wrongful conduct for vicarious liability to be applicable.

Legal Reasoning

The Supreme Court's analysis centered on whether Skelton's unauthorized disclosure of payroll data was sufficiently connected to his official duties. The court reiterated the "close connection" test, which requires that the wrongful act must be so closely linked to what the employee was authorized to do that it can be fairly regarded as being done within the scope of employment.

Key points in the court's reasoning include:

  • Scope of Employment: Skelton was tasked with collating and transmitting payroll data to external auditors. However, his act of leaking the data online was a deliberate act to harm Morrisons, not to serve any legitimate business purpose.
  • Intention and Motive: Skelton's motive was a personal vendetta stemming from disciplinary actions, which the court deemed irrelevant to the question of vicarious liability.
  • Connection to Authorized Duties: The Supreme Court found that the act of disclosure was not an extension or misuse of his authorized duties but a separate, wrongful act intended to damage his employer.

The court emphasized that vicarious liability is not a tool for holding employers accountable for employees' personal misconduct intended to harm the employer. The lack of a direct connection between Skelton's authorized tasks and his wrongful disclosure meant that Morrisons could not be held vicariously liable.

Impact

This judgment has profound implications for employers and the scope of vicarious liability:

  • Clarification of Vicarious Liability: Reinforces the necessity for a clear connection between employment duties and wrongful acts, limiting employer liability to acts within the scope of employment.
  • Data Protection Implications: Establishes that breaches of data protection laws by employees may not automatically implicate employers unless the wrongful act is closely connected to authorized duties.
  • Risk Management: Encourages employers to implement robust internal controls and monitoring to prevent and address employee misconduct, understanding that not all breaches will result in vicarious liability.
  • Legal Certainty: Provides clearer boundaries for both employers and employees regarding responsibilities and liabilities, reducing uncertainty in similar future cases.

Additionally, this case sets a precedent that intentional misconduct aimed at harming the employer falls outside the ambit of vicarious liability, potentially influencing judgments in cases involving internal data breaches and disgruntled employees.

Complex Concepts Simplified

Vicarious Liability

Vicarious liability is a legal principle where an employer can be held responsible for the actions of their employees performed within the scope of their employment. This does not require the employer to have been at fault, but rather that the employee's wrongful act is connected to their job duties.

Close Connection Test

The close connection test determines whether an employee's wrongful act is sufficiently related to their employment duties to hold the employer liable. It involves assessing whether the act was within the "field of activities" assigned to the employee and whether it is fair to hold the employer responsible based on the relationship between the act and the employment.

Data Protection Act 1998 (DPA)

The Data Protection Act 1998 regulated the processing of personal data in the UK before being replaced by the Data Protection Act 2018. It implemented the EU's Directive on data protection provisions, aiming to protect individuals' privacy and personal information.

Misuse of Private Information

Misuse of private information refers to unauthorized use or disclosure of personal data by individuals or organizations. In this case, Skelton's unauthorized release of employee payroll data constituted misuse.

Breach of Confidence

A breach of confidence occurs when someone discloses information that was shared in confidence without authorization, leading to potential harm or loss. Skelton's actions fell under this category as he disclosed confidential employee information without consent.

Conclusion

The Supreme Court's decision in WM Morrison Supermarkets Plc v Various Claimants reinforces the boundaries of vicarious liability, emphasizing that employers are not automatically liable for all employee misconduct. The judgment clarifies that for vicarious liability to apply, there must be a significant connection between the employee's job duties and their wrongful actions.

By distinguishing between authorized duties and personal vendettas, the court provides critical guidance for both employers and legal practitioners in assessing liability in cases of employee misconduct. This case underscores the importance of understanding the scope of employment and ensures that the principle of social justice, as rooted in historical legal doctrines, continues to be applied judiciously in modern contexts.

Case Details

Year: 2020
Court: United Kingdom Supreme Court

Comments