WM Morrison Supermarkets Plc v Various Claimants

Jurisdiction: England & Wales
Court: Court of Appeal (Civil Division)
Judge: Sir Terence Etherton MR, Lord Justice Bean
Judgment Date: 22 October 2018
Neutral Citation: [2018] EWCA Civ 2339
Date: 22 October 2018
Docket Number: Case No: A2/2018/0090

[2018] EWCA Civ 2339





[2017] EWHC 3113 (QB)

Royal Courts of Justice

Strand, London, WC2A 2LL



Lord Justice Bean


Lord Justice Flaux

Case No: A2/2018/0090

WM Morrison Supermarkets Plc
Various Claimants

Anya Proops QC and Rupert Paines (instructed by DWF LLP) for the Appellant

Jonathan Barnes and Victoria Jolliffe (instructed by JMW Solicitors LLP) for the Respondents

Hearing dates: 9 and 10 October 2018

Judgment Approved

Sir Terence Etherton MR, Lord Justice Bean and Lord Justice Flaux:



The central issue on this appeal is whether, on the facts, an employer is liable in damages to those of its current or former employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998 (“the DPA”) and in breach of that employee's obligation of confidence.


It is an appeal from the order of Langstaff J dated 1 November 2017 by which he ordered that the appellant, Wm Morrison Supermarkets plc (“Morrisons”), which is the defendant in the proceedings, is liable in damages to the claimants, who are over 5,000 employees or former employees of Morrisons, for the acts of disclosure of their personal information by a former employee, Andrew Skelton.


The appeal concerns whether the Judge was correct to hold that Morrisons is vicariously liable to the claimants for the actions of Mr Skelton.


The Judge himself gave permission to appeal.



It is necessary to describe the factual background in some detail as vicarious liability is highly fact specific. The following, which we gratefully take from the judgment of the Judge, is not as full as the Judge's account but is sufficient for the purposes of the appeal.


At the relevant time Mr Skelton was a senior IT internal auditor employed by Morrisons. Following a disciplinary hearing for an incident involving his unauthorised use of Morrisons' postal facilities for his private purposes, he was given a formal verbal warning on 18 July 2013. Mr Skelton was annoyed by the disciplinary proceedings and the sanction. They left him with a grudge against Morrisons.


On 1 November 2013 KPMG, Morrisons' external auditor, requested a number of categories of data from Morrisons in order to undertake the annual audit. That request included a copy of Morrisons' payroll data. Michael Leighton, of the HR department, copied the data onto an encrypted USB stick. He took the USB stick personally to Mr Skelton, who downloaded the data from the stick onto his laptop computer, which was itself encrypted. Mr Skelton subsequently copied the data onto another encrypted USB stick, which had been supplied by KPMG, and which he returned to KPMG.


On 18 November Mr Skelton, when at work, copied the payroll data onto a personal USB with a view to the later commission of the crime consisting of disclosure of the data.


On 12 January 2014, using the payroll data that he had copied onto his personal USB, Mr Skelton posted a file containing the personal details of 99,998 employees of Morrisons on a file sharing website. He used the initials and date of birth of another employee in a deliberate attempt to frame him. Shortly afterwards, links to the website were also placed elsewhere on the web. The data consisted of the names, addresses, gender, dates of birth, phone numbers (home or mobile), national insurance numbers, bank sort codes, bank account numbers and the salary which the employee in question was being paid.


On 13 March 2014 Mr Skelton, acting anonymously, sent a CD containing a copy of the data to three newspapers in the UK, one of which was the Bradford Telegraph and Argus, a newspaper local to Bradford where Morrisons has its head office. The anonymous sender purported to be a concerned person who had worryingly discovered that payroll data relating to almost 100,000 Morrisons' employees was available on the web. The covering letter with the CD gave a link to the file-sharing site.


The information was not published by any of the newspapers concerned. The Bradford Telegraph and Argus told Morrisons of it. Morrisons was about to announce its annual financial reports. The revelation of the data leak had serious implications for the share value of Morrisons. There was also an immediate concern that the information might be used by outsiders to access the bank accounts of individual employees or used to aid identity theft.


Morrisons' head management was alerted to the disclosure on 13 March 2014. Within a few hours they had taken steps to ensure that the website had been taken down. Morrisons also alerted the police.


Mr Skelton was arrested on 19 March 2014. He was charged with fraud, an offence under the Computer Misuse Act 1990 and under section 55 of the DPA. He was tried at Bradford Crown Court in July 2015, and was convicted. He was sentenced to a term of eight years imprisonment.



The DPA was enacted pursuant to Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”). Provisions in the Directive to which we were referred in the course of oral submissions are set out in Appendix 1 to this judgment.


Relevant provisions of the DPA are set out in Appendix 2 to this judgment.

The proceedings


Following a Group Litigation Order made by Senior Master Fontaine on 24 November 2015, these proceedings were commenced by 5,518 employees of Morrisons on 8 December 2015 when a claim form was issued for damages and interest for misuse of private information, breach of confidence and breach of statutory duty owed under section 4(4) of the DPA. The claim form was accompanied by Particulars of Claim. The claimants claimed that Morrisons is primarily liable under those heads of claim but, if not, then Morrisons is liable vicariously for the wrongful conduct of Mr Skelton.


Morrisons served a Defence dated 3 February 2016 denying all liability.


Following directions for a split trial on liability and damages, the trial as to liability took place before the Judge between 9 and 19 October 2017.

The judgment


The Judge handed down a careful, comprehensive and lengthy written judgment on 1 December 2017. The following is a brief summary sufficient to provide a context for the present appeal.


The Judge held (at [51 1] and [65]) that Morrisons was not the data controller at the time of any breach of Data Protection Principles (“DPP”) 1, 2, 3 and 5 in respect of the information later disclosed on the web, and accordingly Morrisons owed no duty to the claimants under the DPA in respect of which it was in breach, unless it were the duty to comply with DPP 7. Mr Skelton was the data controller in respect of that information.


The Judge further held (at [66]) that Morrisons was not directly liable in respect of any breach of confidence or misuse of private information since it was not Morrisons which disclosed the information or misused it. It was Mr Skelton, acting without authority and criminally.


The Judge identified (at [74]) the following six respects in which it was alleged that Morrisons fell short of its obligations under DPP 7 while it was the data controller: failing to manage/mentor Mr Skelton to prevent a grudge developing; failing to monitor Mr Skelton's IT usage so as to identify that Mr Leighton's initial attempt to send the data to Mr Skelton's computer had bounced back (having been intercepted by Morrisons' “quarantine” area, designed to divert for further attention emails that for some reason may be suspicious); failing to identify that Mr Skelton was researching the “TOR” (acronym for “The Onion Router”) network (for software which is capable of disguising the individual identity of a computer which has accessed the internet); failing to deny Mr Skelton access to the data; providing the data to Mr Skelton via a USB stick which was not encrypted; and failing to ensure that Mr Skelton deleted the data from his computer by about 21 November 2013.


The Judge held that, save in relation to the last item — data deletion — Morrisons had provided adequate and appropriate controls in relation to each of those matters. The Judge made the following particular findings, among others, on those particular matters. He said (at [95]) that the incident for which Mr Skelton was disciplined did not itself suggest that Mr Skelton was not to be trusted. The Judge found (at [96]) that the technological and organisational measures current in 2013 and 2014 at their best could not altogether prevent the risk posed by a rogue employee who was trusted and had given no reason to doubt his trustworthiness. The Judge said (at [97]) that no one in employment at Morrisons knew, nor ought they to have known, that Mr Skelton bore a grudge against Morrisons, and was not to be trusted with data. The Judge found (at [97]) that, even if a senior manager had been aware that the email sent by Mr Leighton to Mr Skelton, attaching the payroll data, had bounced back, it would not have alerted Morrisons to the risk which Mr Skelton posed to the data.


The Judge dismissed (at [99]–[110]) the allegation that Morrisons should have been aware that Mr Skelton was attempting to research the TOR network on the grounds that it was not feasible, sensible or practicable for Morrisons to have implemented a system that could proactively have detected that Mr Skelton was researching the TOR network when he did, and, moreover, any such system would probably...
