In the recent English Court of Appeal decision of WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339, the English Court of Appeal dealt with the issue of whether “an employer is liable in damages to those of its current or former employees whose personal and confidential information has been misused by being disclosed on the web by the criminal act of another employee, who had a grudge against the employer, in breach of the Data Protection Act 1998 ("the DPA") and in breach of that employee's obligation of confidence.”1

Brief facts. In brief, what happened was that Mr. Skelton, a senior IT internal auditor employed by Morrisons, developed a grudge against Wm Morrison Supermarkets plc (“Morrisons”) after a disciplinary hearing.2 Mr. Skelton copied the payroll data of Morrisons onto a personal USB.3 Mr. Skelton then used the payroll data to post a file containing personal details of 99,998 employees of Morrisons onto a file sharing website (using the details of another employee). These personal details included the employees’ names, national insurance numbers, bank account numbers, etc.4 Mr. Skelton also sent a CD containing a copy of the data to three newspapers in the United Kingdom.5 Mr. Skelton was subsequently arrested and convicted.6

The proceedings in WM Morrisons was commenced by 5,518 employees of Morrisons, claiming for damages and interest for misuse of private information, breach of confidence and breach of statutory duty under s. 4(4) of the Data Protection Act 1998. At first instance, the judge held that Morrisons was vicariously liable for the actions of Mr. Skelton.

Vicariously liable. On appeal, the English Court of Appeal upheld the first instance judge’s analysis, holding that Morrisons was vicariously liable. It bears noting that the English Court of Appeal specifically rejected the following arguments:

1. The English Court of Appeal specifically rejected the argument that the Data Protection Act 1998 has by necessary implication excluded an employer’s liability at common law for an employee’s misuse of private information and breach of confidence.7

2. The English Court of Appeal also rejected the argument that since Mr. Skelton’s motive in committing the acts was to harm his employee,8 imposing vicarious liability on Morrisons would render the court an accessory in further Mr. Skelton’s criminal aims.

Importance of data safety. While WM Morrison has not been applied in Singapore, it should ring alarm bells for employers about the potential implications that may arise if an employee with access to sensitive data distributes those data. Employers should not assume that their only obligation in relation to personal data is set out in the Personal Data Protection Act 2012, as WM Morrison stands for the proposition that there may be an independent common law action if it so happens that there has been a breach of confidence.

Insurance. Prudent employers would do well to ensure that there are rigorous measures in place to ensure that personal data are appropriately secured, and to take note of the English Court of Appeal’s suggestion that “[t]he solution is to insure against such catastrophes; and employers can likewise insure against losses caused by dishonest or malicious employees”.9

This publication is not intended to be, nor should it be taken as, legal advice; it is not a substitute for specific legal advice for specific circumstances. You should not take, nor refrain from taking, actions based on this publication. Chancery Law Corporation is not responsible for, and does not accept any responsibility for, any loss or damage that may arise from any reliance based on this publication.