A senior employee of Morrisons, who had held a grudge against them after previous disciplinary proceedings, published the payroll details of nearly 10,000 employees on the internet. More than 5,000 of these employees (the Claimants) were seeking to hold that Morrisons were liable for the data breach under the Data Protection Act and that they were vicariously liable for the actions of the employee.

The court held that Morrisons were not liable under the Data Protection Act for having broken the data protection principles because they did not, as data controller, themselves offend against those principles. The acts said to break those principles were those of a third party, and not their own. Similarly, the assertion that there was direct liability in respect of breach of confidence or misuse of private information also failed: it was not Morrisons that disclosed the information or misused it: it was a third party, acting without authority and criminally. However, the court came to the conclusion that there was a sufficient connection between the position in which the employee was employed and his wrongful conduct, put into the position of handling and disclosing the data as he was by Morrisons and so secondary vicarious liability was established. Crucially, the point which most troubled the court in reaching these conclusions was the submission that the wrongful acts of the employee were deliberately aimed at the party whom the Claimants were seeking to hold responsible, such that to reach the conclusion they had may seem to render the court an accessory in furthering his criminal aims. Leave was granted to Morrisons to appeal the conclusion as to vicarious liability. [

Read the full text of the judgment on Bailii

](http://www.bailii.org/ew/cases/EWHC/QB/2017/3113.html)