WM Morrison Supermarkets plc v Various Claimants – Supreme Court clarifies the test for vicarious liability

In a much-anticipated decision, the Supreme Court addresses the scope of an employer’s vicarious liability for acts by its employees, in particular the “misunderstandings” that have arisen since its previous landmark decision in Mohamud v WM Morrison Supermarkets plc [2016] UKSC 11.


The case arose from criminal acts by a disgruntled employee, Andrew Skelton, a senior internal IT auditor.

In order to carry out his role, Mr Skelton was a ‘super user’ meaning he had access to Morrisons’ database of employee personal information including names, addresses, dates of birth, phone numbers, NI numbers, bank sort codes, bank account numbers and salaries.

In January 2014, he uploaded the data onto a file-sharing website and later sent it to newspapers under the guise of a concerned member of the public. As part of an elaborate scheme, he used IP-blocking software and an untraceable mobile phone in an attempt to mask his identity. The newspapers did not publish the data but instead alerted Morrisons.

Mr Skelton’s motivation was found to have been an irrational grudge against his employer dating back to July 2013 when he was subject to disciplinary proceedings for minor misconduct. At that time, he had been using Morrisons’ mail room, without permission, to send and receive packages relating to a personal business venture selling health supplements. Unfortunately, a package of the supplement – which took the form of a white powder – broke open, causing significant panic and disruption to Morrisons’ mail room until the nature of the substance could be determined. As a result, Mr Skelton was given a verbal warning. Thereafter, he harboured a vendetta which led him to make the disclosures in question in an attempt to damage the company’s reputation.

Mr Skelton was prosecuted under the Computer Misuse Act 1990 (“CMA”) and Data Protection Act 1998 (“DPA”) for various crimes of fraud and misuse of personal information. He was convicted and sentenced to 8 years’ imprisonment.

The claims

Around 100,000 of Morrisons’ employees were affected. Owing to the company’s swift action, there was no evidence of financial loss to the claimants, however, some 9,263 of its current and former employees brought claims against the company for distress, anxiety and upset.

The basis of the claims was that:

  • Morrisons was primarily liability for breach of statutory duty under the DPA, misuse of private information, and breach of confidence; and/or
  • Morrisons was vicariously liable for Mr Skelton’s conduct under the same three heads.

At first instance

Before Langstaff J at first instance, it was held that Morrisons was not primarily liable since it was not the data controller at the time – Mr Skelton was. Moreover, save in one respect, Morrisons had provided adequate controls and, whilst organisational measures alone could not altogether prevent the risk of a rogue employee, Morrisons’ procedures were appropriate. The ‘white powder’ incident did not by itself suggest that Mr Skelton ought not to be trusted with personal information. In conclusion, Morrisons did not directly misuse, authorise or carelessly permit the misuse of any personal information. The question of primary liability was not taken up on appeal.

However, it was found that Morrisons was vicariously liable for the acts of Mr Skelton. Langstaff J held:

  • First, the DPA did not preclude vicarious liability in respect of the three heads advanced (breach of statutory duty, misuse of private information and breach of confidence).
  • Second, Mr Skelton’s conduct was committed in the course of his employment. Morrisons had trust Mr Skelton, provided him with the data in order for him to carry out his role as senior auditor and took the risk that it might be placing it in the wrong hands. What happened after was a “a seamless and continuous sequence of events … an unbroken chain”. These words were adopted from the earlier decision of Lord Toulson in Mohamud. Mr Skelton’s task was to disclose the data to third parties. The fact that he disclosed it to third parties other than the external auditors, KPMG, was nonetheless “closely related” to what he was tasked to do.

In reaching its decision, Langstaff found that the five factors listed by Lord Phillips in Various Claimants v Catholic Child Welfare Society [2012] UKSC 56 were relevant and present.

Langstaff concluded:

“Adopting the broad and evaluative approach encouraged by Lord Toulson JSC in Mohamud’s case [2016] AC 677 I have therefore come to the conclusion that there is a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable ‘under the principle of social justice which goes back to Holt CJ’.”

The Court of Appeal

Morrisons appealed to the Court of Appeal (Sir Terence Etherton MR, Bean and Flaux LJJ). The appeal was dismissed.

In relation to the question whether, on the facts, Morrisons were vicariously liable for Mr Skelton’s wrongdoing, the Court found that the tortious acts of Mr Skelton in sending the claimants’ data to third parties was “within the field of activities assigned to him by Morrisons”.

Agreeing with Langstaff J, the Court of Appeal also emphasised that the relevant facts constituted a “seamless and continuous sequence” or “unbroken chain” of events.

Although it was an unusual feature of the case that Skelton’s motive in committing the wrongdoing was to harm his employer, the Court of Appeal concluded that Lord Toulson had said in Mohamud that motive was irrelevant.

Therefore, Morrisons was vicariously liable for Mr Skelton’s conduct.

Issues for the Supreme Court

Morrisons appealed again to the Supreme Court.

The Court heard oral argument in November 2019 and handed down its unanimous decision on 1 April 2020.

It upheld Morrisons’ appeal.

The issues before the Supreme Court were:

  • Was Morrisons vicariously liable for Mr Skelton’s conduct?
  • If the answer to the above is ‘yes’:
    • does the DPA exclude the imposition of vicarious liability for statutory torts committed by an employee data controller under the DPA?
    • does the DPA exclude the imposition of vicarious liability for misuse of private information and breach of confidence?

Supreme Court decision

The starting point is Lord Toulson’s judgment in Mohamud, which was not intended to change the law of vicarious liability but rather to follow existing precedents.

One such authority is Dubai Aluminium Co Ltd v Salaam [2003] 2 AC 366. Lord Nichols explained the existing “close connection” test: is the wrongful conduct was so closely connected with acts the employee was authorised to do that for the purposes of the liability of the employer to third parties, it may fairly and properly be regarded as done by the employee while acting in the ordinary course of his employment?

Importantly, Lord Nichols had identified the “general principle” but each case required consideration of the particular circumstances of that case. The Supreme Court repeated and endorsed the relevant paragraphs where Lord Nichols had addressed that point in Dubai Aluminium:

“[25] the ‘close connection test focuses attention in the right direction. But it affords no guidance on the type or degree of connection which will normally be regarded as sufficiently close…

[26] This lack of precision is inevitable… Essentially the court makes an evaluative judgment in each case, having regard to all the circumstances and, importantly, having regard also to the assistance provided by previous court decisions.”

The Supreme Court adopted Lord Toulson’s summary of the law as expressed in “the simplest terms” in Mohamud, which in turn had adopted Lord Nichol’s approach in Dubai Aluminium. Therefore, in deciding whether an employer is vicariously liable, the Court must ask and answer two questions:

  1. What functions or “field of activities” the employer had entrusted to the employee; and
  2. Whether there was “sufficient connection between the position in which he was employed and his wrongful conduct to make it right for the employer to be held liable under the principle of social justice which goes back to Holt CJ”.

As to the question of what constitute as “an unbroken sequence of events” or “a seamless episode”, Lord Toulson in Mohamud had not been speaking of a temporal or causal connection between the various events. Instead, he was focussed on the “capacity” in which the employee was acting when the events took place. The employee in Mohamud was “purporting to act about his employer’s business” and was acting throughout the entire episode in the course of his employment; it was “not something personal”. The same was not true of Mr Skelton.

As to the question of whether “motive is irrelevant”, the Supreme Court cautioned against reading Lord Toulson’s comment out of context. In Mohamud, the Court had plainly considered whether the employee was going about his employer’s business (rather than pursuing private ends) as supporting the existence of a close connection between his field of activities and the commission of the tort. To that extent, it appeared that determining the motive of the employee had formed part of the Court’s considerations when deciding the question of whether there was a close connection. In saying “motive is irrelevant”, Lord Toulson intended to convey only that, having already reached the above conclusion, the reason why the employee had become so enraged as to assault the motorist could not make a material difference.

The Courts below had misunderstood the principles in several respects (see para. 31):

  1. First, the online disclosure of the data was not part of Skelton’s “field of activities”, as it was not an act which he was authorised to do.
  2. Second, the satisfaction of the factors referred to by Lord Phillips in Various Claimants v Catholic Child Welfare Society was not to the point: those factors were relevant to whether, where the wrongdoer was not an employee, the relationship between wrongdoer and defendant was sufficiently akin to employment for vicarious liability to subsist. They were not concerned with whether employees’ wrongdoing was so closely connected with their employment that vicarious liability ought to be imposed.*
  3. Third, a temporal or causal connection alone does not satisfy the close connection test.
  4. Fourth, it was highly material whether Skelton was acting on his employer’s business or for purely personal reasons.

*For further information on the Supreme Court’s recent clarification of this point, see our related article discussing the case of Barclays Bank plc v Various Claimants [2020] UKSC 13, handed down on the same day as the decision in Morrisons

Applying the reasoning to the present case, Morrisons was not vicariously liable for Mr Skelton’s conduct since:

  • Skelton was authorised to transmit the payroll data to the auditors. His wrongful disclosure of the data was not so closely connected with that task that it can fairly and properly be regarded as made by Skelton while acting in the ordinary course of his employment.
  • On long-established principles, the fact that his employment gave him the opportunity to commit the wrongful act is not sufficient to warrant the imposition of vicarious liability.
  • An employer is not normally vicariously liable where the employee was not engaged in furthering his employer’s business, but rather was pursuing a personal vendetta.
  • The “close connection” test elucidated by Lord Nicholls in Dubai Aluminium, in light of the cases that have applied it and on the particular facts of the present appeal, is not satisfied.

Whilst consideration of the second issue – whether the DPA excluded vicarious liability – was not strictly necessary owing to the decision above, the Supreme Court thought it desirable to express its view. It found Morrisons’ argument to be unpersuasive. The DPA is silent about the position of a data controller’s employee and the imposition of a statutory liability upon a data controller is not inconsistent with the imposition of a common law vicarious liability upon his employer. By way of comparison, the fault-based liability of a negligent employee at common law and the strict, vicarious liability of his employer is no more anomalous than a situation (as in the present example) where the employee’s liability arises under statute rather than at common law.

Appeal dismissed.



David Sanderson of 12KBW appeared in the case of Bellman v Northampton Recruitment Ltd [2018] EWCA Civ 2214, cited with approval at paragraph 45 of the Supreme Court’s judgment. 

Bellman v Northampton BELLMAN JUDGEMENT