The Supreme Court (the highest court in England and Wales) has now reached its decision in the appeal case of Various Claimants v WM Morrisons Supermarkets Plc.
This case resolves around the actions of a disgruntled employee of the Morrisons supermarket chain. BHW first reported this particular case at the beginning of 2018 when it was first ruled on by the High Court. For context, Mr Skelton – a senior IT auditor at Morrisons – was asked to transfer employee data to Morrisons’ external auditor, KPMG. However, Mr Skelton also copied the data to his own personal device and subsequently released this information on a file-sharing website and sent it to three UK newspapers, one of which alerted Morrisons of the data leak. He was sentenced to 8 years imprisonment for fraud and data protection offences. His actions lead to a civil group claim (similar to an American class action) against Morrisons both directly and vicariously for Mr Skelton’s actions while an employee.
Vicarious liability arises where a third party becomes liable for another party’s actions. The most common example of this is when an employee does something in the course of their employment which leads to a claim and the employer becomes liable for the employee’s actions.
In 2018 the High Court first ruled in favour of the claimants on the point of Morrisons’ vicarious liability. The Court felt that there was enough of a connection between Mr Skelton’s wrongful acts concerning the misuse of the data and his employment. This caused ripples throughout the business world as it meant that companies could be liable for the way their employees use private data held by the company and which they have access to throughout the course of their employment.
Appeal Case Outcome
This year, the Supreme Court has overruled the original High Court ruling, on the basis that Mr Skelton was not in fact acting in the ordinary course of his employment when he decided to copy the data on to his personal device nor when he sent it to three UK newspapers and the file sharing website. Mr Skelton was not as Lord Reed said ‘engaged in furthering his employer’s business when he committed the wrongdoing’ and was instead pursing a ‘personal vendetta’.
It should be noted that while this is a positive ruling for employers, the Supreme Court did not rule out the possibility of liability arising as a result of statutory breaches under the Data Protection Act 1998 (now replaced by the 2018 act). However, providing companies put in place the sensible policies and procedures required by the GDPR (including appropriate training and supervision of staff having access to personal data) they should be able to reduce any such risk.
If you have any questions about the GDPR or your businesses obligations in relation to personal data, or have any concerns regarding your company’s liability for data protection issues, please do not hesitate to give Matt Worsnop a call on 0116 281 6235 or email him at firstname.lastname@example.org.