Morrisons held vicariously liable for its employee’s data protection breach

Morrisons, the supermarket chain, has been held liable for a disgruntled employee’s wilful breach of data protection legislation.

Mr Skelton was employed by Morrisons as a senior IT internal auditor. This role gave him access to sensitive personal data relating to the company’s staff. He also sold a legal slimming drug on the internet in his spare time. In summer 2013, Morrisons subjected Mr Skelton to a disciplinary procedure on the basis that his use of the company’s post room to send the slimming drug had caused alarm when fellow employees thought it was an illicit substance. Mr Skelton remained in his role despite this.

In November 2013, Mr Skelton was asked to send sensitive payroll-related employee data to KPMG (Morrisons’ external auditors). Mr Skelton downloaded the encrypted data on to his work computer before copying it on to a new USB stick for KPMG. He then made a copy for himself on a personal USB stick. In January 2014, using the files he had uploaded to his USB stick, he posted personal details of 100,000 Morrisons employees on to a file-sharing website.

In March 2014, Mr Skelton was arrested and charged with fraud, computer misuse offences and data protection offences. He was convicted and sentenced to eight years’ imprisonment.

A group claim was brought against Morrisons by a number of the workers whose personal data had been shared online by Mr Skelton. They argued that not only was Morrisons liable itself for the data breach, but it was also vicariously liable for Mr Skelton’s breaches in its capacity as his employer.

The High Court held that Morrisons was not liable itself for breaches of data protection legislation, as it had not been the controller of the data once it left its servers. However, it held that Morrisons was vicariously liable for Mr Skelton’s breaches despite his actions seemingly having been deliberate and motivated by spite. There was held to be a sufficient connection between Mr Skelton’s actions and his employment with Morrisons, given that his access to the data was obtained through his job – indeed, Morrisons had entrusted him with the data as part of his role, and in doing so, it took the risk that he would misuse it. It was Mr Skelton’s duty to disclose the data and he did so, albeit in an unauthorised way. Mr Skelton’s motive was not relevant to the finding of vicarious liability.

This judgment appears to be heavily motivated by the policy consideration of ensuring that victims of data protection breaches have a means of redress. Indeed, the High Court acknowledged that Morrisons had a number of appropriate measures in place to protect the data on its servers from misuse, but held it liable in any event.

Various claimants v WM Morrisons Supermarket plc EWHC 3113