WM Morrison Supermarkets Plc v Various Claimants

JurisdictionEngland & Wales
CourtSupreme Court
JudgeLord Lloyd-Jones,Lord Hodge,Lord Kerr,Lord Reed,Lady Hale
Judgment Date01 Apr 2020
Neutral Citation[2020] UKSC 12

[2020] UKSC 12

Supreme Court

Hilary Term

On appeal from: [2018] EWCA Civ 2339


Lady Hale

Lord Reed

Lord Kerr

Lord Hodge

Lord Lloyd-Jones

WM Morrison Supermarkets plc
Various Claimants


Lord Pannick QC

Anya Proops QC

Rupert Paines

Gayatri Sarathy

(Instructed by DWF Law LLP (Manchester))


Jonathan Barnes

Victoria Jolliffe

(Instructed by JMW Solicitors LLP (Manchester))

Heard on 6 and 7 November 2019

Lord Reed

( with whom Lady Hale, Lord Kerr, Lord Hodge and Lord Lloyd-Jones agree)


This appeal is primarily concerned with the circumstances in which an employer is vicariously liable for the conduct of its employees, and provides the court with an opportunity to address the misunderstandings which have arisen since its decision in the case of Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11; [2016] AC 677. It also raises an important question about the Data Protection Act 1998 (“the DPA”).

The facts

The appellant, Morrisons, is a company which operates a chain of supermarkets. The respondents are 9,263 of its employees or former employees. I shall refer to them as the claimants. Personal information about them was published on the Internet by another of Morrisons' employees, Mr Andrew Skelton.


At the material time, Skelton was a senior auditor in Morrisons' internal audit team. In July 2013 he was subject to disciplinary proceedings for minor misconduct and was given a verbal warning. Following those proceedings, he harboured an irrational grudge against Morrisons, which led him to make the disclosures in question.


Morrisons' accounts are subject to an annual external audit. In preparation for the audit, on 1 November 2013 the auditors, KPMG, requested payroll data from Morrisons in order to test their accuracy. The head of Morrisons' internal audit team delegated the task of collating and transmitting the data to Skelton. He had also performed that task in 2012. To enable him to carry out the task, he was given access to the payroll data relating to the whole of Morrisons' workforce: around 126,000 employees. These consisted of the name, address, gender, date of birth, phone numbers, national insurance number, bank sorting code, bank account number and salary of each member of staff.


On 9 October 2013 Skelton had searched, using his work computer, for “Tor”, a software which is capable of disguising the identity of a computer which has accessed the Internet. On 7 November he made an internal request for the payroll data. On 14 November he obtained a pay-as-you-go mobile phone, which could not be traced back to him.


On 15 November 2013 the payroll data was provided to Skelton so that he could carry out his task. On a date between then and 21 November, he transmitted the data to KPMG as he had been instructed to do. On 18 November, he surreptitiously copied the data from his work laptop on to a personal USB stick. On 8 December he used the username and date of birth of a fellow employee, Mr Andrew Kenyon, to create a false email account, in a deliberate attempt to frame him. Mr Kenyon had been involved in the disciplinary proceedings earlier that year. The email account was linked to the pay-as-you-go phone. He then deleted the data from his work laptop.


On 12 January 2014 Skelton uploaded a file containing the data of 98,998 of the employees to a publicly accessible file-sharing website, with links to the data posted on other websites (“the disclosure”). The file was created from the personal copy of the data which he had made on his USB stick on 18 November. He made the disclosure when he was at home, using the mobile phone, the false email account and Tor. Having made the disclosure, he deactivated the email account, and on 12 March deleted the data and the file from the USB stick.


On 13 March 2014, the day on which Morrisons' financial results were due to be announced, Skelton sent CDs containing the file anonymously to three UK newspapers. He purported to be a concerned member of the public who had found the file on the file-sharing website. The newspapers did not publish the data. Instead, one of them alerted Morrisons. Within a few hours, Morrisons had taken steps to ensure that the data was removed from the Internet, instigated internal investigations, and informed the police. It also informed its employees and undertook measures to protect their identities. Skelton was arrested a few days later. He was subsequently convicted of a number of offences and sentenced to eight years' imprisonment. It was noted that Morrisons had spent more than £2.26m in dealing with the immediate aftermath of the disclosure. A significant element of that sum was spent on identity protection measures for its employees.

The proceedings below

The claimants brought proceedings against Morrisons for its own alleged breach of the statutory duty created by section 4(4) of the DPA, misuse of private information, and breach of confidence. The claims are also brought on the basis that Morrisons is vicariously liable for Skelton's conduct. The particulars of claim do not specify the respects in which that conduct is alleged to have been wrongful on his part, but the claimants' argument before the judge was that vicarious liability arose under the same three heads: breach of the DPA, misuse of private information and breach of confidence. The claims are for damages in respect of alleged “distress, anxiety, upset and damage”.


The High Court made a group litigation order in connection with the claims. Ten lead claimants were selected, with the remainder of the claims being stayed pending judgment. The claimants' solicitors have provided details of the circumstances of each of the lead claimants, so far as considered relevant to the quantification of damages. These describe how the disclosure caused the claimants to experience feelings of anxiety and anger. The trial of liability was separated from the trial of quantum, which has not yet taken place.


The trial judge, Langstaff J, rejected the contention that Morrisons was under a primary liability in any of the respects alleged, but held that it was vicariously liable for Skelton's breach of statutory duty under the DPA, his misuse of private information, and his breach of his duty of confidence: [2017] EWHC 3113 (QB); [2019] QB 772. He rejected Morrisons' argument that vicarious liability could not attach to a breach of the DPA by Skelton as the data controller of the data copied on to his USB stick and subsequently disclosed by him, holding that the object of Directive 95/46/EC of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data (“the Directive”), transposed by the DPA, was the protection of data subjects, and that if vicarious liability did not apply, the purpose of the Directive would be defeated. He also rejected Morrisons' argument that the DPA excluded vicarious liability for misuse of private information or breach of confidence, holding that since the purpose of the Directive, and therefore of the DPA, was the protection of data subjects, it should be treated as providing additional protection rather than as replacing such protection as already existed under domestic law.


Finally, he rejected Morrisons' argument that Skelton's wrongful conduct was not committed in the course of his employment, holding that Morrisons had provided him with the data in order for him to carry out the task assigned to him, and that what had happened thereafter was “a seamless and continuous sequence of events … an unbroken chain” (para 184). That language was taken from the judgment of Lord Toulson in ( Mohamud [2016] AC 677, para 47). He added that Morrisons trusted Skelton to deal with confidential information, and took the risk that it might be wrong in placing that trust in him. His role in respect of the payroll data was to receive and store it, and to disclose it to “a third party”. That “in essence” was his task: the fact that he disclosed it to others than KPMG was not authorised, but was nonetheless “closely related” to what he was tasked to do. The five factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society [2012] UKSC 56; [2013] 2 AC 1, para 35, were all present. The judge concluded ( [2019] QB 772, para 195):

“Adopting the broad and evaluative approach encouraged by Lord Toulson JSC in Mohamud's case [2016] AC 677 I have therefore come to the conclusion that there is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable ‘under the principle of social justice which goes back to Holt CJ’.”

The latter quotation was taken from Lord Toulson's judgment in Mohamud, para 45.


Morrisons' appeal to the Court of Appeal (Sir Terence Etherton MR, Bean and Flaux LJJ) was dismissed: [2018] EWCA Civ 2339; [2019] QB 772. The court stated at para 37 that there was no pleaded claim against Morrisons on the ground of vicarious liability for Skelton's breach of the DPA. It was conceded that the causes of action for misuse of private information and for breach of confidence were not excluded by the DPA. The court considered that there was nothing in the DPA which excluded vicarious liability for such conduct.


In relation to the question whether, on the facts, Morrisons were vicariously liable for Skelton's wrongdoing, the court found at para 72 that “[t]he tortious acts of Mr Skelton in sending the claimants' data to third parties were in our view within the field of activities assigned to him by Morrisons”. Like the judge, the court also emphasised at para 74...

To continue reading

Request your trial
10 cases
  • Barclays Bank Plc v Various Claimants
    • United Kingdom
    • Supreme Court
    • 1 April 2020
    ...generally known as Christian Brothers, at para 19. The question raised by the current case, and by the parallel case of WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, is how far that move can take it. Two elements have to be shown before one person can be made vicariously......
  • SKX v Manchester City Council
    • United Kingdom
    • Queen's Bench Division
    • 31 March 2021
    ... [2016] AC 660; Armes; and the Barclays Bank case. (There is another recent Supreme Court case on vicarious liability, WM Morrisons Supermarkets Plc v Various Claimants [2020] UKSC 12; [2020] AC 989, but that case is not concerned with the type of relationships that might give rise to vic......
  • JXJ v The Province of Great Britain of the Institute of Brothers of the Christian Schools (“the de la Salle Brothers”)
    • United Kingdom
    • Queen's Bench Division
    • 17 July 2020
    ...2020: Various Claimants v Barclays Bank [2020] UKSC 13, [2020] 2 WLR 960 and William Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, [2020] ICR 874. In the Barclays case, at [1], Lady Hale (with whom the other members of the Court agreed) said this: “Two elements have to b......
  • AB v Chethams School of Music
    • United Kingdom
    • Queen's Bench Division
    • 26 May 2021
    ...of Appeal, 18.2.20, upholding the judgment of Cutts J at [2018] EWHC 3584 (QB)) ( FZO); Various Claimants v Wm Morrison Supermarkets plc [2020] UKSC 12 [2020] AC 989 (Supreme Court, 1.4.20) ( Morrisons 2020). In Mohamud the Supreme Court decided that Morrisons supermarket was vicariously ......
  • Request a trial to view additional results
13 firm's commentaries
  • Cybersecurity Comparative Guide
    • United Kingdom
    • Mondaq UK
    • 28 July 2020
    ...that an employer may not be considered either directly or vicariously liable for employees' data breaches (Various Claimants v Morrisons [2020] UKSC 12). 2.3 What defences are available to companies in response to governmental or private Section 2(3) of the Official Secrets Act 1989: It is ......
  • Data Privacy Comparative Guide
    • United Kingdom
    • Mondaq UK
    • 12 November 2020
    ...to privacy, such as employment rights12.3 Have there been any recent cases of note? WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12: This was originally a High Court judgment against Morrisons which found that a company can be held vicariously liable in respect of data breac......
  • Vicarious Liability for Employee’s Data Breach: Key Takeaways from the U.K. Supreme Court’s Judgment
    • United Kingdom
    • JD Supra United Kingdom
    • 9 April 2020
    ...1, 2020, the U.K. Supreme Court handed down its judgment in the case of WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the first class action-type claim concerning a data breach in the U.K.. In this alert, we set out the key takeaways of this important judgment, which clar......
  • UK Supreme Court Says Employer Not Vicariously Liable for Employee’s Data Protection Breach
    • United Kingdom
    • JD Supra United Kingdom
    • 7 April 2020
    ...can take some comfort in the UK Supreme Court’s judgment – in WM Morrison Supermarkets plc (Appellant) v Various Claimants (Respondents) [2020] UKSC 12 – which held that Morrisons was not liable for the actions of a rogue employee who uploaded personal data of almost 100,000 employees to a ......
  • Request a trial to view additional results

VLEX uses login cookies to provide you with a better browsing experience. If you click on 'Accept' or continue browsing this site we consider that you accept our cookie policy. ACCEPT