A Morrisons employee who had access to payroll data copied and disclosed employee information online after a workplace grievance. Thousands of employees sued Morrisons, arguing the supermarket was vicariously liable for his misuse of their data.
Selected cases
UK Supreme Court · [2020] UKSC 12
WM Morrison Supermarkets plc v Various Claimants
The UK Supreme Court considered employer vicarious liability after a rogue employee disclosed payroll data.
UK Supreme Court1 Apr 2020
Plain-English explainers, not legal advice. Use the linked official source for section-level detail, and get advice for your situation.
Get legal helpStart here
Quick read
- The decision helped employers on vicarious liability, but it is not a reason to relax data security.
- The UK Supreme Court considered employer vicarious liability after a rogue employee disclosed payroll data.
Use this to check
- Limit payroll and HR data access
- Log and monitor sensitive exports
- Prepare for privacy, employment and reputational fallout even where a rogue employee acts alone
Decision snapshot
What happened
- A Morrisons employee who had access to payroll data copied and disclosed employee information online after a workplace grievance.
- Thousands of employees sued Morrisons, arguing the supermarket was vicariously liable for his misuse of their data.
What the court had to decide
- The issue was whether the employee's wrongful disclosure was so closely connected with his employment that Morrisons should be vicariously liable.
What the court decided
- The Supreme Court allowed Morrisons' appeal.
- The employee was pursuing a personal vendetta, and his wrongful disclosure was not sufficiently connected with authorised acts to make the employer vicariously liable on those facts.
Practical impact
Practical read
- The decision helped employers on vicarious liability, but it is not a reason to relax data security.
- Businesses still need access controls, audit trails, incident response and careful handling of staff data.
Useful next steps
- Limit payroll and HR data access
- Log and monitor sensitive exports
- Prepare for privacy, employment and reputational fallout even where a rogue employee acts alone
How businesses should read it
The decision helped employers on vicarious liability, but it is not a reason to relax data security. Businesses still need access controls, audit trails, incident response and careful handling of staff data.
Key takeaways
- Limit payroll and HR data access
- Log and monitor sensitive exports
- Prepare for privacy, employment and reputational fallout even where a rogue employee acts alone