Supreme Court decides employer is not vicariously liable for employee’s data protection breach- W M Morrison Supermarkets plc v Various Claimants

On 1 April 2020 the Supreme Court (SC) overturned the judgments of the High Court and Court of Appeal, deciding that Morrisons, as the employer, was not vicariously liable for its employee’s breaches under the Data Protection Act 1998 (DPA). The SC also considered whether vicarious liability is excluded from the breaches under the DPA.


Vicarious liability arises when one party is held liable in damages for the wrongdoing committed by another party – commonly arising in the employer – employee relationship. The test for vicarious liability asks:

  • Is there a relationship between the parties capable of giving rise to vicarious liability?
  • Is there a close connection between the employment and wrongdoing, so that it would be just and reasonable to impose liability?

The employee worked in the internal audit team at Morrisons and was tasked with transmitting payroll data to external auditors. The employee kept a personal copy of this data and, following disciplinary proceedings for an unrelated matter, the employee uploaded the data to a publicly accessible filesharing website. The employee subsequently sent a copy of the data to three newspapers, posing as a concerned member of the public who had discovered the leak online. The newspaper alerted the employer, who immediately informed the police and took steps to have the data removed from the website. The employee was prosecuted and imprisoned.

A group of 5,000 employees whose data had been leaked brought legal proceedings against the employer on the basis of vicarious liability, claiming breach of statutory duty under the DPA, misuse of private information and breach of confidence. The High Court found that the employer was vicariously liable for each claim and the Court of Appeal dismissed the appeal.


The SC held that there was no vicarious liability, finding that the second element of the test had not been satisfied. There was not a sufficiently close connection between the employee’s employment as an auditor and the wrongdoing – the data breach. The employee had acted outside of his job description, without authorisation and for ‘purely personal reasons’. It was not therefore deemed just and reasonable to impose liability on the employer.

The argument that the DPA excludes vicarious liability was also rejected.

Implications for employers

This is a welcome judgment for employers (and insurers), who may have peace of mind that the employer in this case was not held vicariously liable in potentially vast sums in damages for the personal vendetta of one employee.

Employers should note the courts’ reluctance to totally exclude vicarious liability under the DPA. This means that employers could in principle be vicariously liable for breaches of the DPA by their employees. Employers are advised to undertake regular reviews of their data protections policies. 

The law and practice referred to in this article or webinar has been paraphrased or summarised. It might not be up-to-date with changes in the law and we do not guarantee the accuracy of any information provided at the time of reading. It should not be construed or relied upon as legal advice in relation to a specific set of circumstances.

The Legal 500 - The Clients Guide to Law Firms

UK Chambers logo

Best Companies - One to watch logo

Cyber Essentials Certification Logo