Decision of the High Court in Various Claimants v Wm Morrisons Supermarket PLC Upheld by the Court of Appeal

Morrisons has lost its challenge in the Court of Appeal against a 2017 ruling which established that it was vicariously liable for the actions of a disgruntled ex-employee who deliberately committed a data breach that saw the personal data of approximately 100,000 of his co-workers posted online. Morrisons’ management took action within a few hours of being notified of the breach to have the data taken down.


In January 2014 Mr Andrew Skelton, a senior internal auditor at Morrisons’ Head Office, leaked data of his co-employees which included their names, addresses, phone numbers, National Insurance Numbers and bank account details. The data was initially posted on a file sharing website, with links to access the data posted across the internet. A disk containing the data was subsequently sent to various UK newspapers. The newspapers did not publish the data; instead they informed Morrisons of the data leak, sparking immediate concern.

In July 2015, Mr Skelton was charged with and convicted of offences under the Computer Misuse Act 1990 and the Data Protection Act 1998. He was sentenced to eight years’ imprisonment, which he is still serving.

More than 5,500 employees then brought a claim against Morrisons in respect of their data that was leaked.


The employees lodged an application for a Group Litigation Order in 2015. The key issue for determination by the High Court was whether an employer is liable, directly and/or vicariously, for the criminal actions of a rogue employee in disclosing personal details of fellow employees under the Data Protection Act 1998 (DPA 1998) (which was applicable at the time).

A trial to determine the issue of Morrisons’ liability for the data leak took place in October 2017. Judgment was handed down on 1 December 2017 and, in a ground-breaking ruling, the High Court found that Morrisons was legally responsible for the data leak. The High Court established that there was an adequately close connection between Mr Skelton’s employment and his wrongful conduct for Morrisons to be held liable for his actions. Effectively, it was the Court’s view that when the employee was given access to the data, it was in his capacity as an employee; nothing else was done until the data was released, and therefore there was no break in the chain of events. Morrisons took the risk of placing trust in the employee.

The Court recognised that although Morrisons did not directly misuse any of the data subjects’ personal information, authorise its misuse, or permit it by any carelessness on its part, it was still vicariously liable for the breach.

Morrisons appealed the decision to the Court of Appeal, which, by its Judgment given on 22 October 2018, upheld the original High Court decision. In concluding remarks, the Court stated: “we agree with the Judge that Morrisons was vicariously liable for the torts committed by Mr Skelton against the claimants.”

The Court clearly had the effects of giving such a Judgment in mind, reasoning that “suppose he [Mr Skelton] had misused the data so as to steal a large sum of money from one employee’s bank account. If Morrisons’ arguments are correct, then (save for any possible claim against the bank) such a victim would have no remedy except against Mr Skelton personally”. Practically, the Court goes on to say that businesses are able to obtain insurance against such matters, which, although it states this is not a reason to impose liability, is a “valid answer to the Doomsday or Armageddon arguments put forward by Ms Proops on behalf of Morrisons.”

Although the Court of Appeal did not grant leave to appeal the decision, reports indicate that Morrisons will seek leave to appeal to the Supreme Court.

Going Forward

This case clearly has widespread implications for businesses across the country, and the detailed scrutiny of Morrisons’ processes in the Judgment shows how important it is for businesses to correctly retain employee data, and have correct procedures in place to ensure it remains safe.

Having correct measures and policies in place, as well as ensuring staff are adequately trained, will mitigate any potential exposure of employers to sanctions under the General Data Protection Regulation (GDPR). Since GDPR came into force in May this year, the fines businesses face are severe, with a potential exposure to the greater of €20,000,000 or 4% of the organisation’s annual turnover. The problem with the decision is that it makes it difficult to understand what organisations can do to protect themselves if they find themselves in similar situations. Do employers need to increase background checks or monitoring of staff? We are interested to see what the outcome of any further appeal may be.

If you would like any assistance ensuring your business has measures and policies in place, or want to discuss any potential implications this ruling may have, then contact the Employment Team who will be able to assist.