News and Events

Employment Law Case Update: Various Claimants v WM Morrisons Supermarket plc

  • Posted

Mr Skelton, a senior auditor for Morrison’ headquarters in Bradford, regularly handled sensitive information, and required to exercise diplomacy and sensitivity. 

He also handled slimming drugs, bought from a wholesaler, re-packaging them into smaller quantities to sell on e-Bay. Supplying the drug – Phenylalanine - is not unlawful.  In May 2013, an envelope he’d posted opened in the post room at Morrisons, revealing white powder.  Police were called.  Mr Skelton was arrested and suspended. A month later, when laboratory results confirmed the drug was not illegal Mr Skelton was permitted to return to work on July 3rd.  On July 9th Mr Skelton faced a disciplinary hearing over the incident, following which, on July 18, he was given a formal verbal warning.

Mr Skelton felt Morrisons' initial reaction to the incident had been excessive.  Seemingly in retaliation, in January 2014 he placed personal details of 99,998 employees on a file sharing website and copied to national and local newspapers.  The leak contained employees’ names, addresses, birthdates, phone numbers, National Insurance numbers, bank account and salary details.  In July 2015, Mr Skelton was found guilty of fraud, securing unauthorised access to computer material and disclosing personal data. He was jailed for eight years. 

5,518 employees brought claims against Morrisons on the basis that the supermarket had both primary liability for its own acts or omissions, as well as secondary (vicarious) liability for the actions of one of its employees harming fellow workers.  The claimants were seeking compensation for the upset and distress caused.  Morrisons denied liability in the case.

On 1st December 2017, the High Court handed down the much anticipated judgement on liability - that a data controller, Morrisons in this case, can be held to be vicariously liable for the actions of a rogue employee, even where it exercised adequate and appropriate controls.  This means the remaining 94,000 employees whose data was leaked may now claim compensation.

This decision has enormous implications for those who process data using employees or agents: even if data controllers take the utmost care in vetting employees and safeguarding their data, the actions of a rogue employee can still open them up to potentially enormous financial liability. With the upcoming introduction of the General Data Protection Regulations (GDPR) in May 2018 this should be a natural part of the process in preparing for this radical change in data protection laws.  For more details on GDPR, contact us to find out more about our specific masterclasses and training events.

This article is from our weekly Employment Law Newsletter published on 11/01/2018.  If you would like to receive this newsletter directly and be kept up to date with recent cases and Employment Law news, email


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice.  All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.