Arbitration, Litigation & Commercial
Vicarious Liability – Relief for Employers: UK Supreme Court Landmark Judgment
14 June 2020
In WM Morrison Supermarkets plc v Various Claimants  UKSC 12, the UK Supreme Court clarified the scope of vicarious liability. The crux of this judgment is that an employer is not vicariously liable for its employee’s wrongdoings which he commits maliciously engaging “solely in pursuing his own interests”, completely divorced from furthering his employer’s business.
Mr Skelton, a senior auditor in Morrisons’ internal audit team, led by his personal vendetta and grudge against Morrison, secretly copied the data of thousands of its employees from his work laptop on to a personal USB stick and disclosed it to the public.
9,263 of its employees or former employees brought proceedings against Morrisons for its own alleged breach of the statutory duty created by section 4(4) of the DPA, misuse of private information, and breach of confidence and sought damages.
The High Court held that Morrison was vicariously liable for Skelton’s breach of statutory duty under the DPA, his misuse of private information, and his breach of his duty of confidence. Morrisons’ appeal to the Court of Appeal was dismissed. Both courts based their decisions on the principles in Mohamud v Wm Morrison Supermarkets plc  AC 677.
Morrisons appealed to the Supreme Court. The Supreme Court upheld its appeal. It found that the High Court and Court of Appeal had “misunderstood the principles governing vicarious liability in a number of relevant respects.” 
The Supreme Court articulated the relevant question as whether “Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.”  The Court answered this question in negative for the following reasons:
- “First, the disclosure of the data on the Internet did not form part of Skelton’s functions or field of activities […..] it was not an act which he was authorised to do”. 
- “[T]he reason why Skelton acted wrongfully was not irrelevant: on the contrary, whether he was acting on his employer’s business or for purely personal reasons was highly material.” 
- There is a distinction ‘between “cases … where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’, in the language of the time-honoured catch phrase.” [para 32 of Dubai Aluminium  2 AC 366] In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, applying the test laid down by Lord Nicholls in Dubai Aluminium in the light of the circumstances of the case and the relevant precedents, Skelton’s wrongful conduct was not so closely connected with acts which he was authorised to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.’ 
Regarding the remaining issue of whether the DPA excludes vicarious liability for breaches of its own provisions, committed by an employee as a data controller, or for misuse of private information and breach of confidence, the Supreme Court observed that “[h]aving concluded that the necessary conditions for the imposition of vicarious liability do not exist in this case, it is not strictly necessary for the court to go on to consider those issues. They have however been fully argued, and it is therefore desirable that the court should express its view.” 
The Supreme Court concluded that “applying the orthodox principles of statutory interpretation explained by Lord Nicholls in Majrowski, since the DPA neither expressly nor impliedly indicates otherwise, the principle of vicarious liability applies to the breach of the obligations which it imposes, and to the breach of obligations arising at common law or in equity, committed by an employee who is a data controller in the course of his employment, as explained in Dubai Aluminium.”