A law firm which offers more

Call us: 0113 246 0622

Morrisons’ rogue employee decision – data controllers breathe a collective sigh of relief


The Supreme Court has overturned a 2018 Court of Appeal decision which held that Morrisons was liable for a data breach caused by a rogue employee. The Court of Appeal decision had received mixed responses. Although the decision arguably maintained the status quo in terms of vicarious liability (that employers are legally responsible for the actions of their employees, even where an employee’s actions are contrary to the instructions of the employer, or even criminal) it sat awkwardly from a data protection perspective. In fact, the Information Commissioner’s Office (“ICO”), the regulatory authority for data protection in the UK, urged the Court of Appeal, in May 2018, to find in favour of Morrisons.

This blog explains the decision taken by the Supreme Court and focusses on the data protection implications for employers.

The Morrisons case

The facts surrounding the case together with a summary of the Court of Appeal case are set out in detail in an earlier Clarion blog, written by David Williams, Partner in our Dispute Resolution and Litigation Team. 

In brief, Mr Skelton was an employee of Morrisons who was aggrieved by disciplinary action taken against him by his employer. In an act of personal revenge, Mr Skelton copied payroll data from his laptop on to his personal memory stick and posted the personal details (including names, addresses, bank details, salaries and national insurance numbers) of over 100,000 of his colleagues on to a file sharing website, and shared the information with three newspapers. Within a few hours, the website was taken down and police alerted.

The Supreme Court decision

The Supreme Court held that Morrisons should not be liable for the actions of Mr Skelton, focussing on the motivation behind the actions taken by Mr Skelton. Lord Reed said that “Skelton was not engaged in furthering Morrisons’ business when he committed the wrongdoing… on the contrary, he was pursuing a personal vendetta, seeking revenge for disciplinary proceedings a month earlier”.

Morrisons’ case was assisted by the following points, amongst others:

Impact on Employers

Many employers will be breathing a big sigh of relief. If the Supreme Court had decided in favour of the employees, Morrisons would have been liable to those 100,000 employees for issues they suffered arising from breach of their data and, with a class action gaining ever more litigants, the sums payable by Morrisons to those employees could have been significant.

It is important, however, that organisations do not become complacent as a result of the ruling. The decision could have been very different if Morrisons had not taken the necessary steps to ensure adequate and appropriate controls were in place in respect of the personal data it processes. It remains important for all organisations to take the following steps:

If you have any questions about your organisation’s compliance with GDPR, or if you would like a free of charge internal process map for dealing with GDPR breaches and subject access requests, please contact Florence Maxwell or Matthew Hattersley.

Disclaimer: Anything posted on this blog is for general information only and is not intended to provide legal advice on any general or specific matter. Please refer to our terms and conditions for further information. Please contact the author of the blog if you would like to discuss the issues raised.