Skip to main content
Legal case

Spreading the net on vicarious liability

The Court of Appeal has confirmed that an employer can be vicariously liable for the wrongful acts by its employees done with the intention of harming…

WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339

Executive summary

The Court of Appeal has confirmed that an employer can be vicariously liable for the wrongful acts by its employees done with the intention of harming the employer company itself.

The Facts

Mr. Skelton was employed by Wm Morrison Supermarkets Plc (“the appellant”) as a senior auditor. He had previously been disciplined by his employer for an isolated incident. During the course of an external audit, Mr. Skelton had legitimately obtained personal details, including payroll data for 99,998 employees. In addition to forwarding the information on to external auditors as required, whilst at work Mr. Skelton also downloaded the payroll information (which included names, addresses, bank account details and salary information) on to a personal USB. Some two months later, whilst at home during the weekend, he posted the information on a file-sharing website. Mr. Skelton was subsequently convicted of fraud and sentenced to eight years imprisonment. A group action on behalf of 5,518 employees was issued, alleging that the appellant was primarily liable for breaches of the Data Protection Act (“DPA”) and also vicariously liable for the wrongful acts of Mr. Skelton.

On 1 November 2017, Longstaff J found that the appellant was not directly liable but was vicariously liable for Mr. Skelton’s actions. Permission to appeal was however granted. The appellant appealed against the finding of vicarious liability on the grounds that the trial judge should have held that the DPA excluded the doctrine of vicarious liability; that the DPA excluded data misuse as giving rise to vicarious liability and/or that the judge was wrong to find that the material acts occurred during the course of the claimant’s employment, given they occurred outside of the workplace and outside of work hours. The Court of Appeal (comprising the Master of the Rolls, Lord Justice Bean and Lord Justice Flaux) handed down their judgment on 22 October 2018.


In respect of the first two grounds of the appeal, the court held that the DPA had not impliedly excluded vicarious liability. Any such intention to exclude it had not been expressed by Parliament, and in any event, the DPA was silent about an employer’s liability where its employee was the data controller (as here). Therefore the imposition of vicarious liability in these circumstances would not be at odds with the statutory framework.

Dealing with the third ground of appeal, the court agreed that the claimants’ causes of action were already established when Mr. Skelton improperly downloaded the personal data at work. In any event, whilst the time and place when a tortious act occurred will always be relevant, it is not conclusive and there are numerous authorities imposing vicarious liability for acts occurring away from the workplace. The court was keen to stress that the issue was not determined by whether the act was done ‘on the job’ but by whether the act was ‘within the field of activities assigned to the employee’. Obtaining and sending data onto third parties was “within the field of activities” assigned to Mr. Skelton.

There was an “unbroken chain” chain of events from Mr. Skelton first downloading the data and then taking steps to cover his tracks before posting the details online. There was no disconnection in time, place or nature from his employment in doing what he did. In the court’s opinion, the motive for the wrongdoer is irrelevant to the imposition of vicarious liability and this equally applies where the motivation is to harm the very same employer.

The court was also unconvinced by the argument that to impose vicarious liability against the appellant would expose them and other innocent employers to an enormous burden given the number of claimants involved. To not impose liability in these circumstances would leave those claimants without any real remedy save against Mr. Skelton personally. In the court’s opinion, whilst data breaches are increasingly prevalent and expose employers to potentially ruinous amounts “the solution is to insure against such catastrophes”. In the circumstances the court had no hesitation in upholding the original finding of vicarious liability and dismissing the Appeal.


As the Court of Appeal pointed out, the novelty of this case is that it appears to be the first reported decision where the courts have had to determine whether an employer can be vicariously liable in circumstances where the motivation for the tortious act giving rise to vicarious liability was to harm the very same employer, rather than delivering a benefit to the tortfeasor. Given this decision follows hot on the heels of Bellman v Northampton Recruitment (quoted in this judgment), and other recent authorities which have sought to push the boundaries of where and when a tortious act can be capable of giving rise to vicarious liability, the Court of Appeal’s decision on this novel point is perhaps not surprising.

The Court of Appeal acknowledged that “vicarious liability is highly fact-specific”, and therefore it is difficult to ascertain how wide the ramifications of this judgment will extend. However what is surprising in this judgment is to see the Court of Appeal so openly express that insurance resolves any injustice to employers in matters of vicarious liability. If followed through to its natural conclusion, it is increasingly difficult to see when a defendant employer will NOT be held vicariously liable for actions by its staff against innocent claimants. The perceived increasing willingness of the courts to impose vicarious liability for wrongful acts, even if only tenuously linked to a tortfeasor’s work, outside of their place of work or outside of work time, is a troubling development for employers and their insurers. All employers can realistically do is ensure that they have appropriate insurance, and robust HR procedures and processes in place to minimise the likelihood of ‘rogue employees’. A further appeal is expected.


For further information or assistance on any of these issues please contacts:

Peter Forshaw, Partner
0151 242 7935

Share on Twitter