A recent ruling has made Morrisons vicariously liable for the rogue behaviour of an employee who stole over 100,000 employee payroll records.

Andrew Skelton was a senior auditor for Morrisons at the time of the data breach. He had recently been officially warned about using corporate mailroom facilities for sending personal eBay packages. Mr Skelton was sentenced to eight years' imprisonment in July of this year for the data breach.

A couple of interesting points stand out from this landmark judgement, which went all the way to the UK Court of Appeal, where the original ruling was upheld against Morrisons:

Firstly, the intent of the records theft was irrelevant – it didn’t matter whether the motive was personal gain for the data thief, or reputational damage caused to Morrisons.

Secondly, the Information Commissioner's Office had originally found that no action was required under the Data Protection Act 1998 – the relevant legislation in force at the time of the offence: it took a class action under UK Common Law, brought by 5,000 of the impacted employees, to establish that Morrisons shared culpability with Mr Skelton.

Despite the fact that there was no commentary in the DPA for the specific circumstances of this case, the stricter definition of liability in the UK Common Law of Tort applied. This suggests that there is still plenty of room for interpretation of data protection legislation – current and historical.

Remediation of the breach (including costs for the appeal) has cost Wm. Morrison £2,000,000 so far. Damage to Morrisons' reputation will be harder to quantify.

This case should concern organisations who've based their data governance purely around the specific requirements of recent data protection legislation. It will raise serious concerns about data protection policies and controls for both employers and employees acting as data controllers and processors. It would not be unreasonable to foresee further rulings of this type, whether under previous DPA legislation or the current General Data Protection Regulation. Now, more than ever, it will be necessary for employers and employees to follow the spirit of the law, not just the letter…

With thanks to the Yorkshire Post and Herbert Smith Freehills for their research.