This was the trial of liability in a group action concerning the disclosure of the personal data of 99,998 employees of Morrisons Supermarket, by a rogue employee, Andrew Skelton.
Mr Skelton had been employed as a senior IT auditor by the Defendant. External auditors (KPMG) had requested a copy of the Defendant’s payroll data. That data was extracted from the Defendant’s internal database and provided to Mr Skelton on an encrypted USB memory stick, from where it was transferred to Mr Skelton’s work laptop before being passed on to KPMG. Later, Mr Skelton published the data to a file sharing website. It was republished elsewhere online, and sent in CD form to three newspapers, one of which alerted Morrisons to the leak.
Mr Skelton was convicted in 2015 of an offence under the Computer Misuse Act 1990 and also of the offence under section 55 of the Data Protection Act 1998 (“DPA”). In his sentencing remarks, the Honorary Recorder of Bradford found that Mr Skelton had been motivated by a grudge against his employer following an earlier internal disciplinary matter.
The civil proceedings were brought by 5,518 employees of the Defendant, who claim compensation for breach of statutory duty under section 4(4) of the DPA, as well as for misuse of private information and breach of confidence.
The trial concerned two issues of liability: whether the Defendant was itself liable in respect of the disclosure, and, secondly, whether it was vicariously liable for the acts of its employee.
Langstaff J dismissed the claim as it related to the Defendant’s primary liability: it had not been shown to be in breach of any of the data protection principles (save in one respect which was not causative of loss), and neither primary liability for misuse of private information nor breach of confidentiality could be established.
However, the Judge rejected arguments by the Defendant that an employer could not be held vicariously liable under the DPA, and that the effect of the DPA was to exclude vicarious liability for misuse of private information and breach of confidence. He held the Defendant vicariously liable in respect of the acts of its employee, while granting leave to appeal on that point.
Primary liability under the DPA
The Judge accepted the Defendant’s submission that, when he disclosed the data online, Mr Skelton was acting for himself, as a data controller, and the Defendant was not a data controller in respect of that processing. There was nothing in the Data Protection Directive, in Langstaff J’s view, which required that a data controller be held liable for any disclosure by a person who is not acting on behalf of the data controller in making it. Save for the alleged breach of DPP7, the acts said to breach the DPA were Mr Skelton’s, not the Defendant’s, and the Defendant did not, as data controller, offend against those principles.
Similarly, there was no primary liability in respect of breach of confidence or misuse of private information: it was not the Defendant that disclosed the information or misused it, it was Mr Skelton acting without authority and criminally.
The seventh data protection principle (DPP7)
The requirement to take “appropriate measures” under DPP7 required a balance “to be struck between significance of the cost of preventative measures and the significance of the harm that might arise if they are not taken”. Assessing the significance of harm involved considering a “combination of the nature of the harm and the importance of the data to be safeguarded”. Although DPP7 does not refer to a requirement of reasonable care, in Langstaff J’s view there is “a resonance here of the common law approach to the tort of negligence”.
When considering what measures were appropriate, economies of scale were a relevant factor. In the case of a large corporate employer “the magnitude of the risk is greater; the cost per head of guarding against it is less”.
After assessing the systems put in place by the Defendant, Langstaff J concluded that there was no failure, generally, to provide adequate and appropriate controls.
Langstaff J dismissed an argument that the Defendant should have conducted routine monitoring of employee internet use, which might have highlighted suspicious conduct by Skelton (such as researching the TOR network). In his view, such monitoring was impracticable, disproportionately costly, and would probably amount to an unlawful interference with employees’ Article 8 rights.
The only questions which remained were whether, given what was known about Mr Skelton, it was appropriate for him to have been the recipient of the payroll data and whether, in his case, deletion from his computer after the data was transferred to KPMG should have been more carefully checked.
In both cases, the Claimants argued that the Defendant ought to have been more cautious given the earlier (unrelated) disciplinary action taken against him. Langstaff J rejected these arguments: on the evidence, there was no reason for supposing that the incident showed Skelton could not be trusted.
Langstaff J did find that the Defendant fell short of the requirements of DPP7 in failing to operate an organised system for the deletion of data (such as the payroll data) which had been held outside its normal secure repository, or to provide any failsafe system to ensure deletion (such as managerial checks). Langstaff J rejected the Defendant’s view that managerial checks on deletion would have been regarded as indicating a lack of trust in an employee: this would not be the position had the Defendant created a culture in which such checks were expected of managers and this was understood by staff.
However, this would not have safeguarded against an individual who was determined to leak data, as in this case. To the extent that the Defendant fell short of DPP7, “this failure neither caused nor contributed to the disclosure which occurred”.
Accordingly, primary liability for breach of DPP7 was not established.
Before reaching his conclusions on vicarious liability, Langstaff J first considered two preliminary arguments raised by the Defendant in the data protection context:
1) That the DPA does not recognise any form of vicarious liability for the unauthorised acts of employees
The Defendant relied on the existence of DPP7 as indicating that an employer may only be held liable under the DPA for the acts of employees where the employer’s own failure to take appropriate measures has been causative of the breach. The Defendant further argued that, since the DPA imposes no obligations on a data controller’s employees or agents acting as such, there can be no primary civil liability for which the employer can be held vicariously liable.
These arguments were rejected by Langstaff J, relying on the principle in Majrowski v Guy’s & St Thomas’ NHS Trust  EWCA Civ 251 that vicarious liability will be applicable where an employee commits a breach of statutory duty “unless the statute expressly or impliedly indicates otherwise”. Excluding vicarious liability under the DPA would tend to defeat the rights of data subjects in cases where an employee decides to misuse data. This would not be compatible with the Directive.
2) That Parliament intended the DPA to occupy the entirety of the field of liability for data as defined in the Act such that there was no space for actions for misuse of private information or breach of confidence to operate.
This argument, in Langstaff J’s view, was more persuasive. However, the DPA was the implementing measure for a Directive which sought to provide a minimum EU-wide standard of protection. It is open to member states to augment that protection. Furthermore, these were causes of action which existed at the time the legislation was introduced: “in such circumstances, if the common law were intended no longer to operate, the expectation would be that Parliament would say so in terms”.
Having rejected these preliminary arguments, Langstaff J considered the application of the test as described by Lord Toulson JSC in Mohamud v Morrisons Supermarkets Plc  UKSC 111, which required the court to consider first the nature of the employee’s job and, secondly “whether there was sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice” (Mohamud at 44-45).
In Langstaff J’s view, there was an “unbroken thread that linked [Skelton’s] work and the disclosure”. The Defendant had deliberately entrusted Skelton with the data, and had taken “the risk that they might be wrong in placing the trust in him”. His role was to disclose the data to a third party (KPMG) and his decision to disclose it online was closely connected to that task. He had therefore acted as an employee when he received that data and “the chain of events from then until disclosure was unbroken”. The fact that the disclosures were made from Mr Skelton’s home, by use of his personal equipment, on a Sunday did not disengage them from his employment. Having regard to these factors, in Langstaff J’s view, it was right for the Court to hold the Defendant liable.
In discussing vicarious liability, Langstaff J questioned the obiter comments of Nicol J in Axon v Ministry of Defence  EMLR 20, insofar as they appeared to conflate consideration of the nature of the employee’s job (the first element in the Mohamud test) with the distinct question of the obligations (including obligations of confidentiality) which applied to the employee when performing that job. In other respects, Langstaff J was fortified in his conclusion by Nicol J’s comments in Axon.
Langstaff J concluded his judgment by expressing some concern at the fact that, as Skelton’s intentions were to harm the Defendant, his conclusions on vicarious liability in the context of the claim might “seem to render the court an accessory in furthering his criminal aims”. Having expressed this discomfort, he granted the Defendant leave to appeal his conclusions on vicarious liability.
The judgment is available here.