
UK supermarket chain ‘vicariously liable’ for data leak
Angus Jamieson
2 February 2018


Ever wondered what would happen if your employee goes rogue and leaks confidential information? In a recent landmark decision, the High Court in Britain considered just that.

In 2014, Andrew Skelton, an internal auditor at the supermarket chain, Morrisons, published a file containing the personal information of nearly 100,000 fellow employees in an attempt to embarrass the company he worked for. He was found guilty of fraud, securing unauthorised access to computer material and disclosing personal information. The supermarket chain was awarded £170,000 in compensation as a result of the data breach and Mr Skelton was jailed for eight years.

Subsequently, over 5,000 current and former Morrisons employees brought a claim that the data leak had exposed them to potential identity theft and other financial loss. They sought compensation for the distress and loss caused. Morrisons denied liability, arguing that the company was not liable either directly or indirectly for Mr Skelton's criminal misuse of the data and that it had already suffered serious damage, having incurred £2 million in costs as a result of the data breach.

But in a controversial decision, the British High Court found that while Morrisons was not liable for breaching data protection laws, it was vicariously liable for the actions of its employee.

Rogue employee

Mr Skelton had been upset by disciplinary procedures he had been subject to for using the company’s mail room to sell items on eBay. He decided to take revenge by publishing Morrisons’ payroll data. He did this by publishing the information on a file-sharing website and sending the link to three newspapers.

In hearing the claim by Morrisons’ employees, the judge cleared the company of primary liability, ruling it had not breached data protection principles. He said: "Morrisons have not been proved to be at fault by breaking any of the data protection principles [of Britain’s Data Protection Act 1998], and neither primary liability for misuse of private information nor breach of confidentiality can be established."

But the judge said Morrisons was vicariously liable for Mr Skelton’s actions under the extended concept of acting in the course of employment. Vicarious liability means an employer can be liable for the acts or omissions of its employees, provided it can be shown that they took place in the course of their employment.

New Zealand context

This situation might have unfolded differently if it had occurred in New Zealand. Section 126(4) of the Privacy Act protects employers against an employee’s unauthorised release of information, if the employer can prove they have taken reasonable steps to prevent employees from leaking information.

Information privacy principle 5 of the Act might be the new best friend of employers. Principle 5 protects employers who have taken reasonable steps to prevent unauthorised disclosure of personal information.

Possibility of appeal

It is interesting to note that the British privacy legislation has a similar defence to section 126(4) - section 13(3). Morrisons raised section 13(3) as a defence to Mr Skelton’s actions but the Court did not address this argument. Time will tell whether Morrisons will appeal the decision and use this defence again.

The Court concluded its decision by allowing Morrisons to appeal the finding of vicarious liability. We’ll note the outcome of that appeal, as it becomes available.

The implications for British employers for the time being are that they will need to revise their security measures concerning employee and customer information to protect more carefully against the rogue employee.

Image credit: Supermarket via Wikimedia Commons

