ICAEW.com works better with JavaScript enabled.

Case law: Employer was vicariously liable for employee's unlawful publication of its confidential data online

Employers should ensure employees are aware of any limits and restrictions on what they may do in the course of their employment, to reduce the risk of any wrongful conduct at work making the employer vicariously liable for the employee's wrongful acts, a recent ruling makes clear.

December 2018

This update was published in Legal Alert - December 2018

Legal Alert is a monthly checklist from Atom Content Marketing highlighting new and pending laws, regulations, codes of practice and rulings that could have an impact on your business.

A senior IT manager had a grudge against his employer. He deliberately published personal details of nearly 100,000 of his fellow employees online, and sent them to three newspapers. Around 5,500 of those employees claimed breach of statutory duty by the employer under UK data protection law, misuse of private information and breach of confidence.

The High Court found that the employee had been given access to the details as part of his job as it was needed for an audit, but he had carried out the breaches at home on his own PC, outside working hours, with the deliberate intention of harming the employer. The employer was not therefore directly liable for the breaches.

However, the employer was held to be vicariously liable for the employee's wrongful actions as he had carried them out while 'acting in the course or scope of his employment' - his actions were sufficiently closely connected to his authorised duties. The Court said the data had been entrusted to the employee, and he had received and copied it as part of his job. The breach was therefore part of a seamless and continuing sequence of events (even though copying the data and posting it to the internet took place several months apart), creating a sufficiently close connection between his duties and his wrongful conduct.

The Court of Appeal has now upheld the High Court's ruling. Even though the employee's motive for committing the breach was deliberately to harm his employer, making the employer vicariously liable for it meant that the Court had indirectly helped the employee achieve his aim.

The appeal judges recommended that employers take out insurance against breach of data protection laws by their employees.

Operative date

  • Now


  • Employers should ensure employees are aware of any limits and restrictions on what they are allowed to do, to reduce the risk of them acting wrongly in the course of their employment and create a vicarious liability for their employer.

Case ref: WM Morrison Supermarkets Plc v Various Claimants [2018] EWCA Civ 2339

Disclaimer: This article from Atom Content Marketing is for general guidance only, for businesses in the United Kingdom governed by the laws of England. Atom Content Marketing, expert contributors and ICAEW (as distributor) disclaim all liability for any errors or omissions.

Copyright © Atom Content Marketing