Docsity
Docsity

Prepare for your exams
Prepare for your exams

Study with the several resources on Docsity


Earn points to download
Earn points to download

Earn points by helping other students or get them with a premium plan


Guidelines and tips
Guidelines and tips

Morrisons v Various Claimants: Vicarious Liability & Data Breach Clarification, Study notes of Law

This article discusses the supreme court's judgment in the case of wm morrisons supermarkets plc v various claimants [2020] uksc 12, which addresses the issue of vicarious liability in the context of data breaches. The facts of the case, the trial and appeal decisions, and the court's findings, which may have implications for employers and their liability for employees' wrongdoing. The article also mentions the related case of barclays bank plc v various claimants [2020] uksc 13.

What you will learn

  • What role did the employee's motive play in the Supreme Court's decision regarding Morrisons' vicarious liability?

Typology: Study notes

2021/2022

Uploaded on 09/12/2022

gilian
gilian šŸ‡¬šŸ‡§

4.6

(11)

228 documents

1 / 2

Toggle sidebar

This page cannot be seen from the preview

Don't miss anything!

bg1
WM Morrisons Supermarkets plc v Various Claimants – Understanding the
Misunderstandings about Vicarious Liability
On 1st April 2020 the Supreme Court handed down judgment in the case of WM Morrison
Supermarkets plc v Various Claimants [2020] UKSC 12. The conclusion of the Supreme Court
is a potential narrowing of the law of vicarious liability, and at first glance appears difficult to
reconcile with the earlier case of Mohamud v WM Morrison Supermarkets plc [2016] UKSC
11. Is this a row-back from the case of Mohamud or simply a clarification of how that case has
been misunderstood as the Court suggests? This article briefly summarises the judgment,
focussing on the issue of vicarious liability.
The facts and the decisions of the Courts below
In early 2014 a disgruntled employee of Morrisons, Andrew Skelton, uploaded a file containing
the payroll details of the supermarket chain’s entire workforce to a publicly accessible file-
sharing website. He then sent this file to various national newspapers, claiming to be a
concerned member of the public who had found it online. Skelton had acquired the payroll
details some months prior to these events. As part of his role on Morrisons’ internal audit team,
he had previously been responsible for sending the workforce payroll data to external auditors.
He chose to make the data public to wage a personal vendetta against his employer, as he
had been subject to minor disciplinary proceedings. Skelton was prosecuted for his actions
and sentenced to eight years’ imprisonment.
Over 9,000 employees brought proceedings against Morrisons personally and on the basis of
its vicarious liability for Skelton’s acts. The claims were for breach of statutory duty under the
Data Protection Act 1998 (ā€˜DPA’), misuse of private information, and breach of confidence. A
liability-only trial was ordered for ten lead Claimants.
The trial Judge determined that Morrisons was vicariously liable for Skelton’s acts. He
concluded that the five factors for vicarious liability (as set out in Various Claimants v Catholic
Child Welfare Society [2012] UKSC 56) were all present. The trial Judge applied what he
understood to be the reasoning of Lord Toulson in Mohamud. The Court of Appeal upheld the
judgment of the trial Judge and referred particularly to the ā€œseamless and continuous sequence
of eventsā€ that led to the data disclosure and the irrelevance of Skelton’s motive, again
applying the case of Mohamud.
What did the Supreme Court conclude?
Lord Reed gave the lead judgment, allowing the appeal and finding in favour of Morrisons. At
the outset the Court highlighted that they viewed this case as an opportunity to address the
ā€œmisunderstandingsā€ which had arisen since its decision in the case of Mohamud. Specifically,
the Court found that the trial Judge and the Court of Appeal had misunderstood the case of
Mohamud and the application of its principles in four relevant respects of particular
importance:
1. The disclosure of the data on the internet did not form part of Skelton’s function or ā€œfield
of activitiesā€ in the sense in which those words were used by Lord Toulson in
Mohamud. The disclosure was not an act which Skelton was authorised to do.
2. Although the five factors in Various Claimants v Catholic Child Welfare Society were
present, those factors are concerned with the distinct question of whether, in the case
of wrongdoing committed by someone who was not an employee, the relationship
between the wrongdoer and the defendant was sufficiently akin to employment so as
to be one to which the doctrine of vicarious liability should apply. The five factors are
pf2

Partial preview of the text

Download Morrisons v Various Claimants: Vicarious Liability & Data Breach Clarification and more Study notes Law in PDF only on Docsity!

WM Morrisons Supermarkets plc v Various Claimants – Understanding the Misunderstandings about Vicarious Liability On 1st^ April 2020 the Supreme Court handed down judgment in the case of WM Morrison Supermarkets plc v Various Claimants [2020] UKSC 12. The conclusion of the Supreme Court is a potential narrowing of the law of vicarious liability, and at first glance appears difficult to reconcile with the earlier case of Mohamud v WM Morrison Supermarkets plc [2016] UKSC

11. Is this a row-back from the case of Mohamud or simply a clarification of how that case has been misunderstood as the Court suggests? This article briefly summarises the judgment, focussing on the issue of vicarious liability. The facts and the decisions of the Courts below In early 2014 a disgruntled employee of Morrisons, Andrew Skelton, uploaded a file containing the payroll details of the supermarket chain’s entire workforce to a publicly accessible file- sharing website. He then sent this file to various national newspapers, claiming to be a concerned member of the public who had found it online. Skelton had acquired the payroll details some months prior to these events. As part of his role on Morrisons’ internal audit team, he had previously been responsible for sending the workforce payroll data to external auditors. He chose to make the data public to wage a personal vendetta against his employer, as he had been subject to minor disciplinary proceedings. Skelton was prosecuted for his actions and sentenced to eight years’ imprisonment. Over 9,000 employees brought proceedings against Morrisons personally and on the basis of its vicarious liability for Skelton’s acts. The claims were for breach of statutory duty under the Data Protection Act 1998 (ā€˜DPA’), misuse of private information, and breach of confidence. A liability-only trial was ordered for ten lead Claimants. The trial Judge determined that Morrisons was vicariously liable for Skelton’s acts. He concluded that the five factors for vicarious liability (as set out in Various Claimants v Catholic Child Welfare Society [2012] UKSC 56 ) were all present. The trial Judge applied what he understood to be the reasoning of Lord Toulson in Mohamud. The Court of Appeal upheld the judgment of the trial Judge and referred particularly to the ā€œseamless and continuous sequence of eventsā€ that led to the data disclosure and the irrelevance of Skelton’s motive, again applying the case of Mohamud. What did the Supreme Court conclude? Lord Reed gave the lead judgment, allowing the appeal and finding in favour of Morrisons. At the outset the Court highlighted that they viewed this case as an opportunity to address the ā€œmisunderstandingsā€ which had arisen since its decision in the case of Mohamud. Specifically, the Court found that the trial Judge and the Court of Appeal had misunderstood the case of Mohamud and the application of its principles in four relevant respects of particular importance: 1. The disclosure of the data on the internet did not form part of Skelton’s function or ā€œfield of activitiesā€ in the sense in which those words were used by Lord Toulson in Mohamud. The disclosure was not an act which Skelton was authorised to do. 2. Although the five factors in Various Claimants v Catholic Child Welfare Society were present, those factors are concerned with the distinct question of whether, in the case of wrongdoing committed by someone who was not an employee , the relationship between the wrongdoer and the defendant was sufficiently akin to employment so as to be one to which the doctrine of vicarious liability should apply. The five factors are

not concerned with the question of whether the wrongdoing in question was so connected with the employment that vicarious liability ought to be imposed.

  1. Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Skelton for the purpose of transmitting to the external auditor and his wrongful act of disclosing it to the internet, a temporal and causal connection does not in itself satisfy the close connection test.
  2. Whether Skelton was acting - albeit wrongfully - on his employer’s business or for purely personal reasons was highly material. Lord Toulson’s reference to motive in Mohamud had to be read in context. The Court therefore considered the issue of whether Morrisons was vicariously liable for Skelton’s wrongdoing afresh. The Court applied the general test laid down by Lord Nicholls in Dubai Aluminium v Salaam [2003] 2 AC 366 : the question was whether Skelton’s disclosure of the data was so closely connected with acts he was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment. The Court considered what he was authorised to do: Skelton was given the task of collating and transmitting the payroll data to the external auditor. He did that. But even though his employment had given him the opportunity to make the subsequent wrongful disclosure, that alone was not sufficient to impose vicarious liability. Skelton was not engaged in furthering his employer’s business; he was solely pursuing his own interests, his personal vendetta against his employer. Following a review of the case law, and its application here, Skelton’s conduct was not deemed to be so closely connected with the acts he was authorised to do that for the purposes of Morrisons’ liability to third parties, it could fairly and properly be regarded as done by him while acting in the ordinary course of his employment. The Court rejected the appellant’s second ground of appeal: vicarious liability can apply to breaches of obligations imposed by the DPA. However, the circumstances in which Skelton committed his wrongful acts could not result in the imposition of vicarious liability upon Morrisons Where do we go from here? This judgment will provide some reassurance for employers faced with claims springing from the wrongdoing of errant employees. However, each case remains fact specific. In relation to data breaches, there can be no general rule as to whether employers will be held liable for a data breach by an employee. This is an area which is likely to develop in the wake of the GDPR. On the same day as this decision, the Court also handed down judgment in the case of Barclays Bank plc v Various Claimants [2020] UKSC 13 , another case which narrows the scope of vicarious liability. It appears that the Supreme Court may, slowly, be bringing in the net previously cast so wide by Mohamud NIA FROBISHER KAT SHIELDS 08/04/