Case ID: UKSC 2018/0213

Hearing Date 6 and 7 November 2019

Justices: Lady Hale, Lord Reed, Lord Kerr, Lord Hodge, Lord Lloyd-Jones

Facts (taken from Supreme Court Case Summary)

In November 2013, an employee of the appellant, Mr Skelton, downloaded payroll data he was entrusted with at work onto a personal USB stick and took it home. In January 2014 he uploaded the data onto a file-sharing website and later sent it to newspapers. He was motivated by a grudge against the appellant. He was arrested, convicted of a number of offences and sentenced to 8 years’ imprisonment. Over 5,500 employees, whose personal data has been disclosed, issued a claim against the appellant claiming damages for breach of the DPA and/or for the misuse of private information and/or breach of confidence either by the appellant directly, or by Mr Skelton, in respect of whose acts the appellant was alleged to be vicariously liable.


  1. Whether the Data Protection Act 1998 (“the DPA”) excludes the application of vicarious liability to a breach of that Act, or for the misuse of private information or breach of confidence.
  2. Whether the Court of Appeal erred in concluding that the disclosure of data by the appellant’s employee occurred in the course of his employment, for which the appellant should be held vicariously liable.


As 11KBW, the set representing Morrisons, states: “The appeal raises novel and important issues concerning employers’ liability for data breaches as a result of the actions of their employees, and the interrelationship of the statutory data protection regime with the common law. The Supreme Court’s decision is likely to be a landmark in the law of both employer’s vicarious liability and data protection.”

Andrew Moir, head of Herbert Smith Freehills’ global cyber security practice commented: “If the Court of Appeal’s decision stands it will likely pave the way for future data breach related class actions – even if the individual quantum is modest, the numbers of individuals affected by data breaches is often significant enough to make such claims viable”.

 Vicarious Liability

The test for vicarious liability, set out in Mr A M Mohamud (in substitution for Mr A Mohamud (deceased) (Appellant) v WM Morrison Supermarkets plc (Respondent) [2016] UKSC 11 heard by Lord Neuberger, Lady Hale, Lord Dyson, Lord Reed and Lord Toulson on 12 and 13 October 2015, judgment given on 2 March 2016, has two limbs (both of which must be satisfied) as follows:

  1. First, is there a relationship between the primary wrongdoer and the person alleged to be liable which is capable of giving rise to vicarious liability?
  2. Second, is the connection between (a) the relationship between the primary wrongdoer and the person alleged to be liable, and (b) the wrong act or default of the primary wrongdoer, such as to make it just and reasonable to hold the person legally responsible to the claimant for the consequences of the wrongdoer’s conduct. In considering this limb, the first question is:
  • What functions or “field of activities” had been entrusted by the employer to the employee (or, broadly, what is the nature of the job?);

And the second questions is:

  • Whether there was sufficient connection between the position in which the employee was employed and the wrongful conduct so as to make it just and reasonable for there to be vicarious liability (emphasis added)

Relationship between statute and common law

If the statute does not cover something which is addressed by common law, then the common law will apply.

If the statue is silent as to the common law, but there is a clear conflict between the statute and the common law, then the statute takes precedence.

If there is not a clear conflict, it will be a matter of ordinary statutory interpretation. For example, if a statute provides a particular remedy for a given cause of action, and does not expressly exclude another remedy which is available under common law,  the court must determine whether Parliament intended to exclude the common law remedy. See for example Southern Gas v Thames Water [2018] EWCA Civ 33.


Andrew Moir
Andrew Moir
Partner and Global Head of Cyber Security, London
+44 20 7466 2773
Kate Macmillan
Kate Macmillan
Consultant, London
+44 20 7466 3737