News
Print Article

It is not vicarious……a recap on the 2020 Morrisons Ruling

11/11/2021

The Supreme Court gave [01.04.2020] its verdict on a landmark data breach case involving Morrisons supermarkets.

The ruling was that Morrisons was not liable for the criminal act of an employee who leaked payroll data (and therefore personal data) of thousands of staff members.

Speed read

  1. “The Court of Appeal had held that the motive of the employee was ‘irrelevant’ and that Morrisons was responsible for the fact that he deliberately uploaded the data of around 100,000 members of staff to a publicly accessible website.
  2. The Supreme Court has however said this was wrong and that Morrisons was not liable for its employee’s deliberate acts.
  3. “The test is whether an employee’s wrongdoing is so closely connected with the acts they are authorised to do, such that it can be properly regarded as being done by their employer.
  4. In this case, the employee was pursuing a personal vendetta and Morrisons was not responsible for the subsequent fall out.

Some background

THE CASE CENTRES ON A SENIOR IT INTERNAL AUDITOR WHO WAS EMPLOYED BY MORRISONS. 

  1. He was given an oral warning for misusing his employer's postal facilities
  1. And to get his own back, he copied data containing information about nearly 100,000 members of staff, which he (anonymously) then placed on a file-sharing website.
  2. The data consisted of the employees names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers and salary details.

THE IT EMPLOYEE

  1. Was convicted of fraud, an offence under the Computer Misuse Act 1999 and under section 55 of the Data Protection Act 1998.
  1. He was imprisoned for eight years. Over 5,500 employees brought a joint action against Morrisons seeking damages for the misuse of their personal information.

COMMENT

  1. Whilst none appeared to have suffered any direct financial loss they claimed for distress, anxiety, upset and damage. 
  2. One thing to bear in mind is that financial loss is no longer needed to make a claim under the data protection legislation and these things can be claimed without the need to show financial loss. 
  3. The employees alleged that Morrisons was primarily liable for the breach and, alternatively, it was vicariously liable for the wrongful conduct of its employee.
  4. The Court of Appeal originally ruled that Morrisons was not responsible for the breach but said it was vicariously liable for the deliberate and criminal breaches of payroll data.
  5. However The Supreme Court has overturned this judgment

Expert Opinion

  1. “The key question for the courts here is was the wrongdoing done ‘in the course of employment’?
  2. “The Court of Appeal had held that the motive of the employee was ‘irrelevant’ and that Morrisons was responsible for the fact that he deliberately uploaded the data of around 100,000 members of staff to a publicly accessible website. The Supreme Court has however said this was wrong and that Morrisons was not liable for its employee’s deliberate acts.
  3. “The test is whether an employee’s wrongdoing is so closely connected with the acts they are authorised to do, such that it can be properly regarded as being done by their employer. In this case, the employee was pursuing a personal vendetta and Morrisons was not responsible for the subsequent fall out.
  4. “Employers will welcome this decision and will be reassured that they won’t usually be responsible for the actions of any member of staff who deliberately inflicts harm on it or their staff. For a while, it had looked as though the scope of vicarious liability was becoming enormously (and dangerously) wide.”

Glenn Hayes – Partner - https://www.irwinmitchell.com/news-and-insights/newsandmedia/2020/april/morrisons-wins-data-breach-case-in-the-supreme-court

General

The Team

Meet the team of industry experts behind Comsure

Find out more

Latest News

Keep up to date with the very latest news from Comsure

Find out more

Gallery

View our latest imagery from our news and work

Find out more

Contact

Think we can help you and your business? Chat to us today

Get In Touch

News Disclaimer

As well as owning and publishing Comsure's copyrighted works, Comsure wishes to use the copyright-protected works of others. To do so, Comsure is applying for exemptions in the UK copyright law. There are certain very specific situations where Comsure is permitted to do so without seeking permission from the owner. These exemptions are in the copyright sections of the Copyright, Designs and Patents Act 1988 (as amended)[www.gov.UK/government/publications/copyright-acts-and-related-laws]. Many situations allow for Comsure to apply for exemptions. These include 1] Non-commercial research and private study, 2] Criticism, review and reporting of current events, 3] the copying of works in any medium as long as the use is to illustrate a point. 4] no posting is for commercial purposes [payment]. (for a full list of exemptions, please read here www.gov.uk/guidance/exceptions-to-copyright]. Concerning the exceptions, Comsure will acknowledge the work of the source author by providing a link to the source material. Comsure claims no ownership of non-Comsure content. The non-Comsure articles posted on the Comsure website are deemed important, relevant, and newsworthy to a Comsure audience (e.g. regulated financial services and professional firms [DNFSBs]). Comsure does not wish to take any credit for the publication, and the publication can be read in full in its original form if you click the articles link that always accompanies the news item. Also, Comsure does not seek any payment for highlighting these important articles. If you want any article removed, Comsure will automatically do so on a reasonable request if you email info@comsuregroup.com.