Employer liable for employee’s malicious disclosure of personal data

Was an employer liable for the criminal actions of a vindictive employee who deliberately disclosed other employees’ personal data on the internet?

Yes, according to a ruling of the Court of Appeal.


Mr Skelton worked for Morrisons as a senior IT auditor.  He was entrusted with collating the payroll data requested by KPMG as part of its audit. He provided KPMG with the information but also copied the information to a USB stick which he took home. He used his home computer to post the data on the internet and sent a CD containing a copy of the data to newspapers in Bradford where Morrisons had its head office. The data contained names, addresses, gender, dates of birth, phone numbers, national insurance numbers, bank sort codes, bank account numbers, and salaries of nearly 100,000 Morrisons’ employees. His motive for his actions was found to be malicious as he had a grudge against Morrisons because of a verbal warning he had received. Skelton was arrested and later sentenced to 8 years in prison for an offence under the Data Protection Act 1998 (DPA) arising from the disclosure of the employees’ personal data.


In a group litigation claim, 5,518 employees sued Morrison for breach of the DPA. The basis of the claim was that Morrisons were directly liable for their own breaches of the DPA and/or vicariously liable as Skelton’s employer for his actions.

High Court decision (upheld by Court of Appeal)

Morrisons did not infringe the DPA

The High Court rejected the claim that Morrisons were personally liable for the breaches of the DPA. It ruled that Morrisons did not misuse any personal data belonging to the claimants. Nor did they authorise its misuse, or permit it by any carelessness on their part.

But Morrisons were vicariously liable for Skelton’s acts

However, Skelton’s wrongful acts were found to be sufficiently connected to his employment resulting in Morrisons being vicariously liable as Skelton’s employer for those acts. There was a sufficient connection because:

  • an unbroken thread linked Skelton’s employment to the disclosure;
  • Morrisons entrusted Skelton with the data during the course of his employment; and
  • Morrisons tasked Skelton with receiving, storing and disclosing the data meaning that his actions (albeit unlawful) were closely related to the task he was given.

The fact that Skelton unlawfully disclosed the data from a personal computer, at home and outside his working hours was insufficient to break the chain of events.


The result of this case will alarm employers. The ruling was that Morrisons were vicariously liable for a deliberate data breach carried out by a rogue employee, out of working hours and at home on a personal computer even though they had complied with their own obligations under the DPA and common law. The Court of Appeal thought the solution for employers in similar cases was to take out insurance to safeguard against liability.

Morrisons have indicated their intention to appeal this judgment to the Supreme Court.

Wm Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339 (22 October 2018)


This article is not a substitute for legal advice. The information may be incorrect or out of date and does not constitute a definitive or complete statement of the law. This article is not intended to constitute legal advice in any specific situation. Readers should obtain legal advice and not rely on the information in this article.