This site would like to set some non-essential temporary cookies. Some cookies we use are essential to make our site work.
Others such as Google Analytics help us to improve the site or provide additional but non-essential features to you.
No behavioural or tracking cookies are used.
To change your consent settings, read about the cookies we set and your privacy, please see our Privacy Policy

Data Protection Leader
Back to Contents

Volume: 14 Issue: 12
(december 2017)

litigation employment data breach


UK: High Court issues judgement in Morrisons' class action

The Honourable Justice of the High Court of Justice’s (‘the High Court’) Queen’s Bench Division, Brian Langstaff, issued, on 1 December 2017, his decision in relation to the class action in Various Claimants v. Wm Morrisons Supermarket PLC, addressing whether Morrisons could be held liable for the criminal actions of Andrew Skelton, who maliciously disclosed personal data of co-employees. The High Court determined that although the Data Protection Act 1998 would not impose primary liability on Morrisons, vicarious liability could be established, i.e. the liability for which employers, without personal fault, are held responsible for the wrongs committed by their employees.

David Lorimer, Associate at Fieldfisher LLP, said, “What is interesting about this case is that it emphasises that cyber risks don’t just come from external hackers, but can also come from internal, trusted employees. It is the first time a court has held that employers will be vicariously liable for breaches of data protection laws by rogue employees.”

The High Court held that primary liability could not be established since Morrisons did not directly misuse any personal data, nor authorise or permit its misuse by any carelessness on its part. However, the High Court justified Morrisons’ vicarious liability on the basis of the principle of social justice under common law, finding there was a “sufficient connection between the position in which Skelton was employed and his wrongful conduct, put in the position of handling and disclosing the data as he was by Morrisons” and rejecting the argument that the Data Protection Act, by its terms, would exclude such liability.

Search Publication Archives

Our publication archives contain all of our articles, dating back to 2004.
Can’t find what you are looking for?
Try an Advanced Search

Log in to data protection leader
Subscribe to data protection leader
Register for a Free Trial to data protection leader
data protection leader Pricing

Social Media

Follow data protection leader on TwitterView data protection leader LinkedIn Profiledata protection leader RSS Feed