THE Supreme Court has ruled Morrison's is not liable for a former worker who leaked the personal details of thousands of employees online.

The supermarket giant brought a Supreme Court challenge in a bid to overturn a ruling which gave the go-ahead for compensation claims by thousands of employees whose personal details were posted on the internet.

A panel of five justices ruled Morrison's is not legally responsible for the actions of Andrew Skelton, who shared the data on the internet and also sent it to national newspapers.

At a hearing in November last year, Lord Pannick QC, representing the supermarket chain, said Skelton leaked the data "because of a grudge against Morrisons and in order to damage Morrisons".

The Supreme Court said: "The judge said employers could only be held liable for the actions of employees if they were "closely connected with their duties at work.

He said: "In the present case, Skelton was not engaged in furthering Morrisons' business when he committed the wrongdoing in question.

"On the contrary, he was pursuing a personal vendetta, seeking revenge for the disciplinary proceedings a month earlier.

"In these circumstances, applying the established approach to cases of this kind, his employer is not vicariously liable."

A statement issued by Morrisons after the ruling said: "The theft of data happened because a single employee with legitimate authority to hold the data, also held a secret and wholly unreasonable grudge against Morrisons and wanted to hurt the company and our colleagues.

"We are pleased that the Supreme Court has agreed that Morrisons should not be held vicariously liable for his actions when he was acting alone, to his own criminal plan and he's been found guilty of this crime and spent time in jail.

"A court has already found that Morrisons was not responsible for any direct wrongdoing in respect of this data theft.

"We also know that many colleagues appreciated the way we got the data taken down quickly, provided protection for their bank accounts and reassured them that they would not, in any circumstances, be financially disadvantaged.

"In fact, we've seen absolutely no evidence of anyone suffering any direct financial loss."

The decision overturns previous rulings in the High Court and Court of Appeal, which held that Morrisons was vicariously liable for Skelton's actions.

The latest round of the litigation at the Supreme Court followed a blow for Morrisons at the Court of Appeal in October last year, when three leading judges upheld a 2017 High Court finding on the issue of liability.

Nick McAleenan, a partner and data rights specialist at JMW Solicitors who represented the claimants, said his clients were "disappointed" but felt it was a win for "the data rights of everyone in the UK".

Mr McAleenan said: “My clients entrusted their personal information to their employer, Morrisons, in good faith. When their information was subsequently uploaded to the internet by a fellow employee, it caused an enormous amount of upset and distress to tens of thousands of people.

“The Supreme Court’s decision now places my clients, the backbone of Morrisons’ business, in the position of having no legal avenue remaining to challenge what happened to them.  

“My Clients are of course hugely disappointed by the decision, which contradicts two earlier unanimous findings in their favour.

“The Supreme Court effectively decided that where a wrongdoer leaks data with the specific intention to harm their employer, the employer may not be held vicariously responsible. The Claimants, of course, respect the decision, but the troubling part of this conclusion is that the wrongdoer in this case also wanted to damage his own colleagues, not just Morrisons, and he did so in dramatic fashion.

“However, importantly, the Supreme Court also ruled that the Claimants had won part of the appeal. For the first time, the Supreme Court has established the legal principle that employers can now be legally responsible for data breaches caused by their employees - under the law of vicarious liability. This is very significant because most data breaches are caused by human error. This ruling enhances the protection of data for millions of people in this country who are obliged to hand over their own information to businesses every single day. It will raise standards.

“Morrisons’ staff have lost their claim, but through their legal action they have enhanced the data rights of everyone in the UK.”