In a landmark decision today, the United Kingdom Supreme Court has overturned previous rulings, and held that Morrisons was not vicariously liable for the actions of a member of staff who unlawfully disclosed the personal data of thousands of the company's other employees. In siding with Morrisons, the Supreme Court has not given as much attention as one might expect to the underlying data protection law, but focused on the more general issues relating to the law of vicarious liability. The Court held that the wrongful conduct of the employee in question was not so closely connected to the acts he was authorised by Morrisons to do, that those acts could be said to be done by him in the course of his employment.
Commenting on the case, Partner Adam Rose, said "With this judgment, employers – and the insurance sector (which might have been asked to cover a lot of the risk) – can breathe a sigh of relief that they will not be vulnerable to expensive claims arising from the unauthorised actions of rogue employees. They must still comply with the security requirements of GDPR, but – as long as they have done so – they shouldn't find themselves defending an action in which they were also arguably a victim".