The UK Supreme Court Rules on Vicarious Liability for Acts of Employees

April 01, 2020


In WM Morrisons Supermarkets plc v Various Claimants the Supreme Court today issued an important judgment clarifying the scope of vicarious liability of employers for the wrongful acts of their employees: Morrisons was found not to be liable for its employee disclosing colleagues’ confidential and personal payroll data publicly because his actions were not done in the ordinary course of his employment but were motivated by a personal vendetta.


The case arose from the actions of a senior auditor, who apparently held a grudge against the employer following a previous disciplinary issue. The employee in question disclosed publicly the personal and confidential data of some 126,000 Morrisons employees. Whilst in the course of his duties he sent the data in question to the employer’s auditors, he also made a copy of the data which he uploaded to a publicly accessible file-sharing website and posted links to the data on other websites. This was done in a way which concealed his identity and suggested that a colleague involved in the prior disciplinary was responsible. The data included details of each employee’s name, address, gender, date of birth, phone number, national insurance number, bank sort code, bank account number and salary. Subsequently, on the day when Morrisons was due to publish its annual financial results, he also sent copies of the data on CD to three UK newspapers, claiming to be a concerned member of the public who had found the data on the file-sharing website.

Having been alerted to the issue by the newspapers in question, which did not publish the material sent to them, Morrisons acted promptly to remove the data and protect the identities of their employees. The individual responsible was sentenced to 8 years’ imprisonment for his criminal actions contrary to the Data Protection Act 1998, the applicable legislation at the time. 9,263 Morrisons employees brought a civil claim against Morrisons for breach of the DPA, misuse of private information and breach of confidence, on the basis that Morrisons was vicariously liable for the employee’s actions.

Vicarious Liability

An employer can be vicariously liable for wrongful acts committed by one of its employees where there is a sufficient connection between those wrongful acts and the employee’s employment. Only in relation to discrimination claims based on vicarious liability can the employer have the defence that it has taken all reasonable steps to prevent the acts of discrimination for which it is alleged to be vicariously responsible. The concern which the Morrisons case addressed was that the operation of the principles of vicarious liability could mean that employers would be responsible for misdeeds of employees they could have done nothing to prevent.

High Court and Court of Appeal

The High Court and Court of Appeal both found that Morrisons was not directly liable for the auditor’s actions, because the data had not been disclosed on Morrisons’ behalf and was not the result of Morrisons’ failure to apply security measures to the payroll data it controlled. However, the High Court and Court of Appeal both found that it was vicariously liable for those actions. The High Court considered that the employee’s actions were done “within the course of his employment” and the Court of Appeal considered that they were within the “field of activities” assigned to him by his employer, holding that his motive was irrelevant.

The Supreme Court

The Supreme Court allowed Morrisons’ appeal holding that vicarious liability can, in principle, apply to cases relating to data protection, but that, on these facts, vicarious liability was not established.

The Supreme Court clarified that the test for establishing whether an employer is vicariously liable for the actions of its employees is whether the wrongful conduct is so closely connected to the acts which the employee was authorised to do that, for the purposes of the liability of his employer to third parties, his wrongful acts may fairly and properly be regarded as done by him while acting in the ordinary course of his employment.

Moreover, the Supreme Court did not agree with the Court of Appeal’s view that the individual’s motives were not irrelevant. It considered that whether he was acting on Morrisons’ business or for purely personal reasons was highly material.

In this case, the “connecting factor” between the individual’s employment and his actions in publishing the data was the fact that he could not have disclosed the data had it not been given to him in the course of his employment. The Supreme Court held that an employer would not be vicariously liable for its employee’s actions where the employee was merely taking advantage of circumstances or an opportunity which their employment provided to them. In this case the employee was considered to have been “undertaking an independent venture” by taking advantage of the fact that he was provided with the data in the course of his employment. He was not furthering Morrisons’ business by his actions - rather, he was pursuing his own personal vendetta. Personal vengeance took the employee’s actions outside the scope of the conduct for which the employer could be held responsible.


For the Supreme Court to have clarified the scope of vicarious liability in this way is good news for employers, not least as it demonstrates that they may be able to argue that they are not responsible for the actions of an employee who truly “goes rogue.” Whilst this decision helpfully confirms that, where an employee is “on a frolic of his own” the employer will not be liable for the employee’s actions, each case needs nonetheless to be considered on its own facts. For example, the Supreme Court did note a contrasting situation where vicarious liability had correctly been established – a previous case, Bellman, in which an employer’s managing director punched a colleague after a work Christmas party in the context of the managing director asserting his authority over his subordinates in relation to a decision of his that was being debated in the lead up to the assault.

This decision does highlight the need to ensure that employees are properly supervised, trained and monitored as appropriate in relation to their conduct. This is particularly the case in relation to their responsibilities under data protection legislation to which, as the Supreme Court indicated, the principles of vicarious liability apply. Employers should ensure that: they comply with their security obligations in relation to such data; that employees have been trained on GDPR when processing personal data in the course of their employment, and that they have appropriate policies and procedures in place to minimise the risk of claims either of direct or vicarious liability.

Subscribe to Dechert Updates