A Frolic of His Own: Drawing The Line Between ‘Careless’ And ‘Rogue’ Employees for Vicarious Liability Claims in the UK
On April 1, 2020, the United Kingdom Supreme Court released a decision which considered the circumstances under which an employer is vicariously liable for the conduct of its employees.
The Court clarified its position on limiting vicarious liability where an employee deliberately disseminates personal information to harm the employer, but left the door open for vicarious liability for breach of privacy statutes where the employee was acting in the scope of their employment.
In other words, a company could be liable for a ‘careless employee’ but not necessarily a ‘rogue employee’ in data breach cases.
This case arises from a data breach, which occurred at WM Morrison Supermarkets plc (“Morrisons”). Personal information of over nine thousand former employees (the “Claimants”) was published by one of Morrisons’ employees, Mr. Andrew Skelton (“Mr. Skelton”). Mr. Skelton was a senior auditor on Morrisons’ internal audit team, and released the personal information in retaliation for disciplinary proceedings commenced against him by Morrisons in July 2013.
In the course of his duties, Mr. Skelton was given access to payroll data of approximately 126,000 employees. Mr. Skelton transferred the data anonymously to his personal USB stick and, using a false email account, uploaded the data to a publicly accessible file-sharing website. Claiming to be a concerned member of the public, Mr. Skelton sent CDs containing that data to three UK newspapers. Instead of publishing the data, one of the newspapers notified Morrisons, which, within a few hours, took steps to ensure that the data was removed from the internet, conducted an internal investigation, and informed the police and its employees, undertaking measures to protect its employees’ identities.
The Claimants brought this Action against Morrisons on the basis that it was vicariously liable for Mr. Skelton’s conduct. They alleged that Morrisons breached section 4(4) of the Data Protection Act (“DPA”), and was liable for misuse of private information and breach of confidence.
At Trial, Langstaff J. held that Morrisons was vicariously liable for Mr. Skelton’s breach of statutory duty under the DPA, his misuse of private information, and his breach of his duty of confidence. Morrisons’ argument was threefold: (a) vicarious liability could not attach to a breach of the DPA, where the data controller (Mr. Skelton) processed the data on his own authority and for his own purposes; (b) the DPA excluded vicarious liability for misuse of private information and breach of confidence and could not incorporate these causes of action that are already present at common law; and (c) Mr. Skelton’s wrongful conduct was not committed in the course of his employment.
Langstaff J. rejected all three arguments. He noted that the Directive of the DPA was for the purpose of protecting individuals with regard to the processing of personal data and on the free movement of such data, and that the statute should be treated as providing additional protection rather than replacing such protection as already existed under common law. Further, he held that since Morrisons had provided Mr. Skelton with the data in order for him to carry out the task assigned to him, the course of events was sufficiently connected to his employment. Morrisons trusted Mr. Skelton to deal with the confidential information, which was closely related to his task.
The Court of Appeal agreed with the trial judge and dismissed the Appeal, holding that there was nothing in the DPA which excluded vicarious liability for such conduct. Like the trial judge, they agreed that the acts of Mr. Skelton were within the “field of activities assigned to him by Morrisons”. Notably, the Court of Appeal held that Mr. Skelton’s motive in committing the wrongdoing – harm to his employer – was irrelevant. In coming to this conclusion, they cited a key case on vicarious liability in the UK, Mohamud, for the proposition that motive is irrelevant where the connection between the employee’s conduct and their employment is an “unbroken sequence of events”.
Reasons of the Supreme Court
The Supreme Court departed from the decision of the Court of Appeal, holding that Morrisons could not be held liable for Mr. Skelton’s conduct and finding that the circumstances surrounding Mr. Skelton’s actions did not result in Morrisons being vicariously liable.
The Supreme Court held that the Court of Appeal misunderstood the principles governing vicarious liability in four important respects:
- The disclosure of the data did not form part of Mr. Skelton’s functions or field of activities in that it was not an act which he was authorized to do.
- The case law the Court of Appeal cited, which provided factors to consider in proving vicarious liability, was not concerned with the question of whether the wrongdoing was so connected with the employment that vicarious liability ought to be imposed, but with the more distinct question of whether, in the case of wrongdoing committed by someone who was not an employee, the relationship between the wrongdoer and the defendant was sufficiently akin to employment as to be one to which the doctrine of vicarious liability should
- Although there was a close temporal link and an unbroken chain of causation linking the provision of the data to Mr. Skelton for the purpose of transmitting it to the external auditor and his disclosing it on the internet, a temporal or causal connection does not in itself satisfy the close connection test.
- The reason why Mr. Skelton acted wrongfully, i.e. whether he was acting on his employer’s business or for purely personal reasons, was highly material.
The Supreme Court applied the close connection test set out in Dubai Aluminium, namely whether Mr. Skelton’s disclosure of the data was so closely connected with acts he was authorized to do that, for the purposes of the liability of his employer to third parties, his wrongful disclosure may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.
However, in applying the test, the Court drew an important distinction between “cases…where the employee was engaged, however misguidedly, in furthering his employer’s business, and cases where the employee is engaged solely in pursuing his own interests: on a ‘frolic of his own’”.
In the present case, it was clear to the Supreme Court that Mr. Skelton was not engaged in furthering his employer’s business when he committed the wrongdoing in question. On the contrary, he was pursuing a personal vendetta, seeking vengeance for the disciplinary proceedings some months earlier. In those circumstances, applying the close connection test, Mr. Skelton’s wrongful conduct was not so closely connected with acts which he was authorized to do that, for the purposes of Morrisons’ liability to third parties, it can fairly and properly be regarded as done by him while acting in the ordinary course of his employment.
Implications for Employers
The Supreme Court decision provides clarity on the scope of vicarious liability for an employee’s actions. Importantly, it rejects the notion that an employee’s motives are irrelevant in determining vicarious liability. The Court demands a deeper analysis in determining whether an employee’s actions are closely connected to his functions and activities as an employee, and limits the availability of vicarious liability where it is clear that the employee is not engaged in furthering the employer’s business but is pursuing their own agenda.
Employers should be mindful that courts will still apply the close connection test, and employees who are negligent may still attract vicarious liability for their employers where they are engaged in furthering the employer’s business, however misguided or careless.
WM Morrison Supermarkets plc v Various Claimants
01 April 2020
 UKSC 12,  WLR(D) 204
 Data Protection Act, 1998 c.29, repealed.
 The High Court made a group litigation order in connection with the claims, choosing ten lead Claimants, with the remainder stayed pending judgment of the lead claims. The High Court also separated the trial into two stages: liability and quantum. The within Action was to determine the former. The trial to determine quantum has yet to take place.
 Though the Supreme Court had already decided that no vicarious liability existed, it also ruled that vicarious liability applies to a breach under the DPA, and to the breach at common law or equity, committed by an employee who is a data controller in the course of his employment.
 WM Morrison Supermarkets plc, at para 31.
 WM Morrison Supermarkets plc, at para 47.