In a judgement issued on 1st April 2020, the Supreme Court held that Morrisons (i.e WM Morrison Supermarkets plc) was not vicariously liable for the actions of its employee when, motivated by vengeance against Morrisons, he placed the personal data of thousands of Morrisons employees onto a public file sharing site. The judgement contains a long discussion of the case law on vicarious liability which will be of most interest to employment lawyers. The key vicarious liability point was that the employee’s bad motive was highly relevant. There is, however, a key data protection point which is that, despite the conclusion on the facts that Morrisons was not vicariously liable, there was nothing in the DPA 1998 which excluded the operation of vicarious liability. On the basis that a similar conclusion is likely to be reached in relation to the Data Protection Act 2018, there is still the distinct possibility that, in the future, on a different set of facts, an employer will find itself vicariously liable for a data protection breach committed by its employee.