Various Claimants v Wm Morrison Supermarkets plc
[2018] EWCA Civ 2339; [2019] 2 WLR 99, Court of Appeal

Data protection – Personal data – Defendant’s employee publishing personal details of claimants on internet – Breach of confidence and misuse of private information – Vicarious Liability – Data Protection Act 1998

Facts of the case
Mr Skelton, an internal auditor at Morrisons, the defendant company, received payroll data containing personal information of the defendant’s employees from another employee for the sole purpose of passing it to external auditors. However, Mr Skelton, who held a grudge against the defendant and intended to harm it, unlawfully copied the data and published it on a file-sharing website, to which links were published elsewhere on the internet. The claimants, who are the employees of the defendant whose personal data had been disclosed, brought claims on primary and vicarious liability against the defendant for damages. The Judge allowed the claims on vicarious liability, but dismissed the claim on primary liability. The defendant appealed on the following grounds:

  1. On its proper interpretation, the Data Protection Act 1998 (“DPA”) excludes the application of vicarious liability.
  2. On its proper interpretation, the DPA excludes the application of causes of action for misuse of private information and breach of confidence and/or imposition of vicarious liability for breaches.
  3. The judge was wrong to conclude (a) that the wrongful acts of Mr Skelton occurred during the course of his employment by Morrisons, and accordingly, (b) that Morrisons was vicariously liable for those wrongful acts.

Whether the Judge was correct to hold that the defendant is vicariously liable to the claimants for the actions of Mr Skelton.

The court found that the defendant was vicariously liable for the torts committed by Mr Skelton against the claimants. Therefore, the defendant’s appeal was dismissed.

Application in Malaysia
In Malaysia, the Act regulating the processing of personal data is the Personal Data Protection Act 2010 (“PDPA”). The PDPA, like the United Kingdom’s Data Protection Act 1998 (“UK Act”), imposes a statutory duty on the person controlling the data to comply with personal data protection principles, though not as explicitly as Section 4(4) of the UK Act does.

It is interesting to note that, unlike the UK Act, the PDPA provides for the liability of an employer for breaches of the PDPA by an employee. This is set out in Section 133(2) of the PDPA. Therefore, the first and second grounds of appeal in the case above would not have arisen in Malaysia, given the clear reading of the statute, which states that an employer can be held vicariously liable for the breaches of its employee. In addition, this supports the decision in the case above in that the intention of an employee in committing the breach is irrelevant. As long as the employee commits a breach under the PDPA, the employer can be held liable.

In conclusion, the case above provides a clear view of the liability of an employer with regard to data breaches committed by an employee. Since there have yet to be any decided cases on this issue, the case above may provide some guidance to the Malaysian courts where they are faced with such a matter.

For more insights into this area of law please contact our Partners in Employment & Industrial Relations Practice Group: P Jayasingam, Wong Keat Ching & Thavaselvi Pararajasingam