WM Morrison Supermarkets plc v Various Claimants is the first ever class action brought under data protection legislation, with the claimants being some of the employees affected by the breach.  An employee of Morrisons who worked in their internal audit team, Andrew Skelton, copied and kept payroll data for the company's entire workforce when he was tasked with transmitting it to external auditors.  He bore a grudge against his employer having been issued with a verbal warning for minor misconduct.  In 2014 he uploaded the data to a publicly accessible file sharing website and anonymously sent copies to three UK newspapers.  One of the papers alerted Morrisons who took immediate steps to have the data removed from the internet and alerted the police.  Skelton was subsequently prosecuted and imprisoned.   

Some of the affected employees brought claims for breach of statutory duty under the Data Protection Act ("DPA"), misuse of private information and breach of confidence.  They were successful in the High Court where the judge concluded that while Morrisons bore no primary responsibility they were vicariously liable for Mr Skelton's conduct, on the basis that he had been acting in the course of his employment.  An appeal by Morrison's to the Court of Appeal was subsequently unanimously dismissed. 

To what will undoubtedly be sighs of relief from employers around the country, the Supreme Court has unanimously allowed the appeal, the focus of which was the employer's vicarious liability for Mr Skelton's actions.  The Supreme Court held that Skelton was authorised by Morrisons to transmit payroll data to auditors.  His subsequent disclosure of the data was not so closely connected to that task that it could be properly regarded as done while acting in the ordinary course of his employment - the fact the employment gave him the opportunity to commit the wrongful act was not sufficient to warrant the imposition of vicarious liability.  The fact that Mr Skelton was pursuing a personal vendetta and not furthering his employer's business was also highly material.  On this basis the appeal was allowed.

Morrisons had also argued that the DPA excluded imposition of vicarious liability for either statutory or common law wrongs. The Court was not persuaded on this point finding that the imposition of a statutory liability upon a data controller was not inconsistent with the imposition of common law vicarious liability upon his employer, either for the breach of duties imposed by the DPA or for breaches of duties arising under the common law.  However given their finding that Morrison's was not in any case vicariously liable for the acts of Mr Skelton, this did not have any impact on the final outcome of the appeal.   

This case rather turns the tide on recent decisions relating to vicarious liability which were tending to widen its scope.  The potential for high value class actions where there has been a significant breach of data protection legislation (which would now be covered by the General Data Protection Regulation rather than the DPA) - something which we seem to hear about with increasing regularity - has been significantly restricted in consequence of this decision.