Victoria Hordern writes for Privacy Laws & Business: Is Morrisons to blame for actions of an employee with a grudge?

Victoria Hordern, partner and head of our Data Privacy team, has recently written an article for Privacy Laws & Business. In the article Victoria discusses what the UK Supreme Court’s decision in Morrisons tell us about liability under data protection law.

Data Privacy

The article focuses on an incident where a Morrisons’ employee maliciously uploaded payroll data of Morrisons onto the Internet where his actions were motivated by a grudge against his employer following an incident where he was disciplined.

Victoria goes on to consider in what circumstances should an employer be vicariously liable for the actions of an employee where those actions have an impact on other individuals’ data protection rights. This was the core question that the UK courts were considering as part of the series of decisions which culminated in the Supreme Court’s judgment published in early April where the Supreme Court ruled that Morrisons was not vicariously liable.

The article discusses how many employers were concerned by the implications of the lower court rulings which held that an innocent employer was vicariously liable for the criminal actions of an employee. Victoria goes onto conclude that the Supreme Court’s decision may allow employers to breathe easier in the short term but there’s no guarantee that employers would never face vicarious liability for data protection breaches in the future.

This article was first published in PL&B UK Report, May 2020, see

This information is necessarily of a general nature and doesn’t constitute legal advice. This is not a substitute for formal legal advice, given in the context of full information under an engagement with Bates Wells.

All content on this page is correct as of May 15, 2020.