Andrew Skelton, a disaffected employee of Morrison’s Supermarkets, was subjected to disciplinary proceedings for minor misconduct, following which he was given a verbal warning. Skelton was a senior auditor in Morrison’s internal audit team, and his revenge – for which he was subsequently jailed for eight years – was to upload a file containing the personal data of 98,998 of its employees to a publicly-accessible file-sharing website, with links to the data posted on other websites, and to send CDs containing the file – anonymously – to three UK newspapers. The data included the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff [1-8].

The claimants brought proceedings against Morrison’s for an alleged breach of the statutory duty under s.4(4) Data Protection Act 1998 (misuse of private information and breach of confidence) on the basis that Morrison’s was vicariously liable for Skelton’s conduct [9]. The Court of Appeal found for the claimants.

In a unanimous judgment in WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, however, the Supreme Court held that Morrison’s was not vicariously liable for Skelton’s wrongdoing. Continue reading →