Legal briefing | |

Morrisons data leak case: are there any key takeaways for data controllers?


This week, in what is very much a sign of the times we find ourselves living in, the Supreme Court handed down its long-awaited judgment in the high profile Morrisons data breach litigation via live stream.


By way of recap, the case was a class action brought by staff of WM Morrison Supermarkets plc (Morrisons) against their employer for breach of the (now superseded) Data Protection Act 1998 (DPA), misuse of private information and breach of confidence. The claim was brought after the employees' personal data had been leaked online by Andrew Skelton, an embittered employee in Morrisons' internal audit division. Mr Skelton's actions were enough to put him in jail and to cause six years' worth of legal trouble for Morrisons, culminating in this week's verdict.

The initial action in the High Court resulted in a finding that, whilst Morrisons was not primarily liable for any of the alleged causes of action, it was vicariously liable for Mr Skelton's own breach of statutory duty under the DPA, his misuse of private information, and his breach of confidence, because his actions had been conducted in the course of his employment. Mr Skelton's liability for breach of the DPA arose from the fact that, at the time when he leaked the personal data of Morrisons' staff online, he did so from his own personal USB memory stick which he had loaded the data onto from a work laptop. The High Court held that this made him a data controller in his own right in respect of the leaked data. On appeal by Morrisons, the High Court's judgment was essentially upheld, save that there was no pleaded claim against Morrisons on the ground of vicarious liability for Mr Skelton's breach of the DPA.

What did the Supreme Court decide?

The Supreme Court considered two issues:

  1. Was Morrisons vicariously liable for the acts of Mr Skelton?

  2. If so, did the DPA exclude the imposition of vicarious liability (i) for statutory torts committed by an employee data controller under the DPA; and (ii) for misuse of private information and breach of confidence (this was very much a side issue as the Supreme Court had already made its decision on vicarious liability in the negative at this point, but it decided to address the question all the same).

On the first question (and on the specific facts before it) the Supreme Court ultimately relieved Morrisons of any vicarious liability. On the second question, though, the Supreme Court found that the DPA did not make any such exclusion and therefore an employer could, in the right circumstances, have been liable for breach by an employee of the DPA, where that employee was acting as a separate data controller.

The circumstances here were perhaps unusual. Mr Skelton was pursuing a personal vendetta, using his own equipment to do so and in the process setting himself up as a distinct data controller. Unusual, however, doesn't mean unique and organisations can't afford to be complacent. The risk of an employee who has access to personal data going rogue and leaking that data as an act of revenge against an employer that they bear a grudge against, is very real and whilst, on the facts of this case, Morrisons was found to not be vicariously liable for the actions of Mr Skelton, it expended significant time and resources in defending the action.

What can employers do to mitigate the risk?

Put simply, they need to make sure that they, as data controllers, meet their obligations under the General Data Protection Regulation 2016 (GDPR). The GDPR requires data controllers to implement appropriate technical and organisational measures to ensure a level of security which is appropriate to the risk posed in relation to that personal data. Morrisons escaped primary liability under the DPA because it was able to show that, notwithstanding that Mr Skelton downloaded personal data from his work laptop, it had taken appropriate technical and organisational measures to mitigate the risk of him doing so.

One aspect of taking such measures, is to ensure that you have written and clear data protection and IT policies in place. These should set out expectations in respect of staff data protection compliance and should be supported with regular and appropriate staff training. Processes and procedures should also be put in place to ensure, for example, that personal data is only shared and accessed on a strict need to know basis, with effective security measures in place to ensure that only those who are authorised have access.

It was the former Data Protection Act which was considered in the Morrisons case, but the principles apply to the GDPR regime. Given the increased sanctions for breaches of this type and the possibility of class actions under the GDPR, it is a timely reminder of the importance for businesses of getting their processes and procedures right.

You can read the full judgment here.

For further information, please contact

Back To Top