Morrisons liable for the leak of personal data by its senior IT auditor
Written by Samuel O'Toole on 08 December 2017« Return to Reading Room
In a landmark ruling, Various Claimants v Wm Morrisons Supermarket plc  EWHC 3113 (QB), the Honourable Mr Justice Langstaff found that Morisons were vicariously liable for the actions of its senior IT auditor, Andrew Skelton.
Vicarious liability is a principle that is enshrines into the law of England and Wales. In short, it provides that an employer is liable for the actions of its employees when said employees are acting within the course of employment.
The case is a landmark decision because it is thought to be the first data leak class action in the UK and the first case to apply vicarious liability principles to data protection. It revolved around the supermarket’s decision to entrust Mr Skelton to pass on payroll information of approximately 100,000 employees to an external auditor - an annual audit task.
Things didn’t go so well for the audit when Mr Skelton uploaded a copy of the data to the internet, it should also be noted that Mr Skelton was criminally convicted for this action. However, the present case was concerned with 5,518 employees that sued Morisons for a breach of the Data Protection Act 1998, misuse of private information and breach of confidence. The claim was based on the principle that Morissons were vicariously liable for Mr Skelton’s actions.
The Honourable Mr Justice Langstaff found that whilst Morisons were not at fault that on application of the principle of vicarious liability, based on the fact that there was sufficient connection between Morisons and Mr Skelton, Morisons were liable for Mr Skelton’s actions. He went on to explain that although there was not a finding of a misuse of private information or breach of confidence the principle of vicarious liability would equally apply if there was a breach.
Want to speak
Complete the form below and we’ll call you back free of charge.