Rogue employees and Data Protection

Underlining the importance of data security, the High Court has held an employer vicariously liable for the criminal actions of a rogue employee in breach of the Data Protection Act.

13 Mar 2018
"Person typing on laptop.

Andrew Skelton, a senior IT auditor at Morrisons, deliberately posted personal data – including names, addresses and bank details – of almost 100,000 Morrisons employees on the internet. He also sent the information to three newspapers. Both were in retaliation to a formal verbal warning he had received.

In the criminal proceedings (in which Mr Skelton was sentenced to eight years' imprisonment) the Recorder noted that "One would think that any sensible, reasonable person would have just put that behind them and got on with life and got on with their job. That was not your reaction".

Following the leak, over 5,500 employees brought claims against Morrisons under the Data Protection Act for misuse of private information and breach of confidence. Mr Skelton had published the personal information from his home, on his personal computer, and outside of working hours. His actions were deliberate: he had set out to harm Morrisons.

Nonetheless, the High Court held there was a sufficient connection between his employment and his wrongful conduct to find Morrison's vicariously liable for his actions. Morrisons has appealed to the Court of Appeal.

Employers should review their IT security measures and update their processes and policies. This will be necessary anyway to reflect the requirements of the GDPR.


Our lawyers are experts in their fields. Through commentary and analysis, we give you insights into the pressures impacting business today.