Protecting your organisation

In light of the Court of Appeal's decision, organisations that process personal data should consider these three issues:

  1. Insurance: The Court of Appeal stated that "insurance is a valid answer" to actions of rogue actors within the organisation. Organisations will need to carefully consider the insurance available to protect the organisation against rogue actors. Any business should ensure that they have adequate insurance to cover the potential risks that they may face. You should ensure the policy covers the breadth or foreseeable risks, be it from innocent mistake to malicious acts both within and outside the business. Consider whether your risk assessments are kept up to date, against constantly changing technological developments and increasingly advanced threats, and review your policy regularly to be sure that it best protects your needs.  
  2. Security measures: Organisations will need to implement and maintain technical and organisational measures (including employee monitoring technology) to protect against the risks posed by rogue actors. Such technology will need to be deployed in a way which complies with the requirements of law (including the Investigatory Powers Act 2016). 
  3. Maintain a watching brief: This matter is unlikely to end in the Court of Appeal. A spokesman for Morrisons said: "We believe we should not be held responsible so that’s why we will now appeal to the Supreme Court.”


UK supermarket WM Morrison was the subject of a data breach in 2014 when a disgruntled employee, Mr Skelton, downloaded and months later, in an act of malice against Morrisons, published online personal information relating to approximately 100,000 employees. Was Morrisons vicariously liable to employees for the breach? The Court of Appeal has recently looked at this question.

High Court decision

The High Court held that Morrisons had not breached the Data Protection Act 1998 (DPA) because adequate safeguards were in place to protect the personal data. However, Morrisons was held to be vicariously liable for the actions of Mr Skelton.

The appeal

Morrisons' appealed centred on the following points:

  • The duty under the DPA to take "appropriate" measures to protect personal data, and take "reasonable steps" to ensure the reliability of the relevant employees, in contrast to the strict liability position imposed by vicarious liability. Specifically, it was argued that, in finding Morrisons vicariously liable, the court had contravened the DPA, and in doing so the intentions of Parliament in drawing up the relevant legislation
  • Whether the actions of Mr Skelton were sufficiently connected to his employment that a finding of vicarious liability should stand.
  • Mr Skelton's motivation, in that he wished to harm Morrisons, was inconsistent with a finding of vicarious liability.

Why did the appeal fail? 

The Court of Appeal did not accept that, in finding Morrisons vicariously liable, the court had contradicted the DPA: "the vicarious liability of an employer for misuse of private information by an employee and for breach of confidence by an employee has not been excluded by the DPA". Nor was it accepted that the DPA's intention had been to circumvent vicarious liability, Instead, The Court of Appeal found that, had Parliament intended 'such a substantial eradication of common law and equitable rights, it might have been expected to say so expressly'.

In addressing the second point of appeal the Court of Appeal were satisfied that, while Mr Skelton's act of distributing personal data was not performed while at work, it was his working practices which had allowed him to be in a position to do so. The Court of Appeal accepted that there had been numerous cases where employers had been vicariously liable for torts committed away from the workplace.     

Finally, in considering the impact of Mr Skelton's motivation for his actions, the Court maintained that the motive for causing harm to a third party was irrelevant to the merits of the case.