This month, in Wm Morrison Supermarkets plc v Various Claimants [2020] UKSC 12, the Supreme Court has overturned judgments of the High Court and Court of Appeal and decided that a supermarket was not vicariously liable for unauthorised breaches of the Data Protection Act 1998 committed by an employee. The Employee in this case, had a grudge against his employer and sent out employee data on the internet, including to National Newspapers.

 This is a significant decision because the settled position is that Employers will be liable for torts committed by an employee under the doctrine of vicarious liability where there is a sufficient connection between the employment and the wrongdoing. There is a two-stage test:

  • Is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?

  • Is the connection between the employment and the wrongful act or omission so close that it would be just and reasonable to impose liability?

In Mohamud v Wm Morrison Supermarkets plc [2016] UKSC 11, the Supreme Court held that the supermarket was vicariously liable for an employee’s unprovoked violent assault on a customer. It found that there was a sufficiently close connection between the assault and the employee’s job of attending to customers, such that the employer should be held vicariously liable.  

In Various Claimants v Catholic Child Welfare Society and others [2012] UKSC 56 (known as the Christian Brothers case), the Supreme Court established five criteria that would usually make it “fair, just and reasonable” to impose vicarious liability on an employer.


This decision will provide welcome confirmation for employers that they will not always be liable for data breaches committed by rogue employees. 

The contents of this post do not constitute legal advice and are provided for general information purposes only