Morrisons tells top court it's not liable for staffer who nicked payroll data of 100,000 employees

Brit supermarket Morrisons is arguing in the Supreme Court that it shouldn't be held vicariously liable for the actions of a rogue employee who stole and leaked the company's payroll.

In a world where nobody's quite sure where data protection law ends and traditional civil law torts begin, the outcome of the case may well determine for years to come whether companies should be blamed and made to pay compensation if one of their employees breaks the law.

Morrisons is fighting off a lawsuit from around 5,000 current and former employees as it tries to overturn an earlier Court of Appeal ruling.

Arguing on Morrisons' behalf yesterday, Lord Pannick QC, the UK Supreme Court's favourite barrister*, said: "In relation to vicarious liability, we say the legal test is whether there is a sufficiently close connection between the wrongful conduct of the employee and what he was employed to do, assessed by ref to job function, time, when did he carry out the acts, the geography, where did he carry out the acts and motive."

At the heart of the case is a deceptively simple question: was former Morrisons auditor Andrew Skelton acting "in the course of his employment" when he copied nearly 100,000 people's payroll data to a USB stick and dumped it on a hidden Tor site? The supermarket, naturally, argues that he wasn't – and therefore shouldn't be held liable for his actions.

If Skelton's actions formed an "unbroken thread", as Lord Pannick put it, between what he was authorised to do as an employee and things that were not part of his job description, that will be enough to hold the supermarket liable for his criminal actions – prompting a hefty series of payouts.

"It's not sufficient for the claimants to show that the employment provided the opportunity for the wrongdoing," insisted the barrister, who went on to describe a number of past cases where employees had done wrong and their employers hadn't been held liable. Broadly, he was saying, this is what other courts found in similar circumstances so why should Morrisons be held vicariously liable now?

"When Mr Skelton downloaded the data onto his personal USB he had metaphorically taken off his uniform. He wasn't acting or purporting to act on behalf of his employer or for the purpose of his employment," added Lord Pannick, who also argued that the Data Protection Act 1998 (which applied when the original incident happened) excludes vicarious liability for Morrisons in this case.

Lady Hale, president of the Supreme Court – wearing a purple jumper with a poppy brooch – commented: "There was a series of thefts from judges' rooms in the Royal Courts of Justice some years ago. That was an employee of the RCJ using the pass that he had in order to get into the judges' rooms and steal things. I don't think anybody's suggesting the courts and tribunals service was vicariously liable."

Up against Lord Pannick is barrister Jonathan Barnes of legal chambers 5RB. He will argue that the Data Protection Act 1998 doesn't exclude vicarious liability for Morrisons and will say that the Court of Appeal's previous findings should be upheld in full.

The case continues today and The Register will be covering the claimants' legal arguments in full. ®

Bootnotes

* Lord Pannick was the lawyer who convinced the Supreme Court to rule that Prime Minister Boris Johnson had broken the law by advising the Queen to dissolve Parliament.

** A Twitter thread of legal commentary on Lord Pannick's submissions by media law barrister Greg Callus can be found here.