The High Court judgment in Various Claimants v WM Morrisons Supermarket PLC illustrates how employers can be held liable for wrongful disclosure of personal data by their employees.


The case concerned supermarket chain Morrisons, which had a rogue internal auditor. Aggrieved at the outcome of an internal disciplinary process, the auditor disclosed payroll data on the Internet relating to approximately 100,000 colleagues. He was tracked down, charged and sentenced to eight years' imprisonment. However, the question arose as to whether Morrisons was liable to the employees whose information had been leaked?

Some 5,500 employees joined together and brought a claim against Morrisons for:

  • breach of the Data Protection Act 1998;
  • misuse of private information; and
  • breach of confidence.

This type of claim was not envisaged when the Data Protection Act was drafted. However, it became possible in 2015 when the Court of Appeal ruled that damages could be claimed without proof of monetary loss (Vidal-Hall v Google (2015) EWCA Civ 311). This decision enabled claims to be pursued merely on the basis of distress.


In this case, there were two issues:

  • Was Morrisons directly liable for the wrongdoing?
  • Was Morrisons vicariously (ie, indirectly) liable for the wrongdoing?

The employees claimed that Morrisons was data controller at all relevant times in relation to the payroll data and that the company was automatically and directly liable once it had been shown that the data was misused. They also claimed that Morrisons had breached the data protection principle which required it to take appropriate security measures against unlawful processing and loss of data.

The High Court rejected both of these lines of argument, holding that once the auditor had taken the data and started determining how it was used, he was acting as data controller. In addition, Morrisons had upheld its security obligations, except in one minor respect which neither caused nor contributed to the data disclosure.

The court then considered vicarious liability, which may arise without fault on the employer's part. Morrisons would be liable if the internal auditor had acted in the course of his employment. There were three strong arguments that he had not done so:

  • He was acting as data controller.
  • He was not performing his duties as an employee when disclosing and using the data.
  • The disclosure was intended to take revenge on Morrisons, rather than to benefit it.

Despite these arguments, the High Court concluded that the auditor had acted in the course of his employment. Morrisons had entrusted him with the payroll data and it was not something to which he obtained access merely by being at work. Dealing with the data was a task specifically assigned to him. The auditor had acted for his own purposes; however, a seamless and continuous thread linked his work to the disclosure. His role was to receive the payroll data, store it and disclose it to KPMG as auditors. Although his disclosure to others was unauthorised, it was closely related to the tasks that he was employed to perform.

The upshot was that although Morrisons was not directly liable to the employees, it was indirectly liable despite being one of the victims. The judgment concerned liability, rather than the amount of compensation. Morrisons will appeal to the Court of Appeal. If unsuccessful, it will be liable to compensate the 5,500 employees who brought the claim and likely also the 95,000 employees who have not claimed. Even if compensation for distress is limited to a few hundred pounds for each employee, the total cost could be substantial.


As Morrisons was not liable as data controller, it was not in breach of data protection legislation. In similar situations, the information commissioner would not prosecute or take enforcement action against the employer.

Following the reasoning in the High Court judgment, a data processor (eg, a cloud provider or payroll company) with a rogue employee would also be vicariously liable. While data processors are not liable to individual data subjects, the position will change in May 2018 with the EU General Data Protection Regulation.

Although the court ruled against Morrisons, it was troubled by the fact that the auditor's wrongful and criminal acts were deliberately aimed at the company as acts of revenge, and that the indirect effect of its decision was to further those wrongful and criminal aims.

Employers may be liable for the wrongful acts of rogue employees. The risk can be managed to some extent by careful selection of employees; however, this is no guarantee. It may be that insurance provides the best way to spread the risk.

For further information on this topic please contact Steven Lorber at Lewis Silkin by telephone (+44 20 7074 8000‚Äč) or email ([email protected]). The Lewis Silkin website can be accessed at www.lewissilkin.com.