Morrisons win over Supreme Court in data breach appeal
03 April 2020
- In 2014, Andrew Skelton, a former employee of Morrisons, shared the personal data of almost 100,000 employees to various websites and newspapers. The data included names, addresses, bank account numbers and sort codes, salaries and more.
- Morrisons was found liable for the actions of Mr Skelton, even though he personally was tried and convicted in a criminal case.
- On 1 April 2020, Morrisons successfully appealed to the Supreme Court over their liability for the data breach.
- The Supreme Court held that Mr Skelton was not conducting work business when he committed the illegal data breach and so, the company could not be held liable for his actions.
- This came after contemplating the outcome of much previous case law and the factors which must be considered before an employer can be held liable for the actions of an employee or contractor. This is referred to as the “close connection test”.
- Lord Reed, Supreme Court president, giving the ruling by video link, said that Morrisons was not vicariously liable for damages, stating:
“In the present case, it is abundantly clear that Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier.”
View the full judgement here.
Aspire comment
This is a very positive result for the supermarket chain and will be well received by many. Following the introduction of GDPR, we’ve seen many businesses found liable for data breaches. The ruling of this case will give leeway to other business who face GDPR liabilities as a result of an individual employee’s criminal actions. This should come as a huge relief.
If you are concerned about GDPR, handling data or your data retention policy, give us a call today on 0121 445 6178 or email enquire@aspirepartnership.co.uk to speak to an advisor.
See our previous news