top of page
  • Mariel Irvine



In 2014, as part of Morrisons’ annual audit, the company asked senior auditor Andrew Skelton to share the payroll data of almost 100,000 employees with accountants KPMG. Instead he uploaded the data, which included names, salaries, and bank details, to the internet.

In July 2015, Skelton was found guilty of fraud and sentenced to eight years in prison. Crown Prosecutor, David Holderness, said: “The potential loss to his victims and the sheer quantity of potentially compromised data was very significant and could have resulted in employees' identities being stolen.”

Civil trial

Proceedings were issued in the High Court by ten lead claimants on behalf of more than 5000 other employees. They claimed damages for the "upset and distress" caused by the breach and the associated risk of identity theft and financial loss. It was argued that Morrisons were not just vicariously liable for Skelton’s actions, but were directly liable to the claimants for misuse of private information and breach of confidence.


Mr Justice Langstaff found that Morrisons were not directly liable, stating that they had not been proved to have broken any of the data protection principles “save in one respect, which was not causative of any loss.” However, he ruled that the supermarket was vicariously liable for the breach and compensation was payable for the distress caused to the claimants.

He stated there was:

"…a sufficient connection between the position in which Skelton was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons (albeit it was meant to be to KPMG alone), to make it right for Morrisons to be held liable."

Morrisons’ argument that the 1998 Data Protection Act excluded the possibility of vicarious liability was rejected by the judge.

The future

Morrisons have been given leave to appeal. Depending on the outcome of any appeal, there will be a further trial to decide the amount of compensation Morrisons must pay their affected employees.

Irrespective of the outcome of the appeal, this is a good example of organisations being held ever more accountable for the use, misuse, and loss of personal data, irrespective of any fault on their part.

Accountability is one of the key principles of the GDPR that will come into force on 25 May 2018. For further information please contact Mariel Irvine on 020 76082275

4 views0 comments

Recent Posts

See All

Owl phobia

There have been some tantalising decisions associated with vicarious liability since my book was published last November. Some organisations and their insurers have successfully argued against vicario

Vicarious Liability : a practical guide

You may not have noticed I have been quiet for some time. This is an extract from the opening chapter of my book on vicarious liability, published in November. It can be purchased at Wildys, Hammicks


This morning an unfamiliar envelope arrived. It is a letter from Equifax, confirming that some of my personal data has been hacked. The information “included” my name and date of birth, and my “landli

bottom of page