Pub in breach of privacy, confidence and data laws over oral disclosure of contact details

In this case, a pub manager was tricked by an employee’s ex-partner into orally disclosing an emergency contact number, which the ex-partner then used to abuse the employee verbally. The fact that the details had been recorded in a secure personnel file made them private and confidential, but also personal data, which were unlawfully processed when disclosed orally.

Background

The claimant, Ms Danielle Raine, was employed by the defendant, JD Wetherspoon, at one of its pubs for around 18 months ending just before Christmas in 2018. During her employment, she provided the defendant with contact details, including her mother’s mobile number, which was provided as an emergency contact. Those details were stored by the defendant in paper form in her personnel file, which was marked “Strictly Private and Confidential” and kept in a locked filing cabinet in the manager’s office.

Over the course of 2018, Ms Raine was subjected to serious violence and harassment offences by her partner at the time, Ryan Fletcher, who was ultimately convicted and sentenced to two-and-a-half years in prison. Following his arrest in the autumn of 2018, she changed her mobile number so that Mr Fletcher could no longer contact her. She made the defendant aware over the course of three separate formal meetings with her manager that she had suffered harm and assault at the hands of her ex-partner, and that she was scared about the possibility of further contact.

Soon after her employment ended, Mr Fletcher – while on remand – contacted the pub where she had previously worked, posing as a police officer needing to contact her urgently. The defendant had provided training to its staff relating to the illegal practice of “pretexting”, requiring staff not to accept the credentials of any person claiming to be an authority figure without proof, and to refer any request for information to the head office. In this instance, however, a manager at the pub instructed an employee to disclose Ms Raine’s mother’s mobile number orally to Mr Fletcher over the phone.

Mr Fletcher then called Ms Raine’s mother under the same guise. After persuading her mother to hand over the phone to Ms Raine, he proceeded to threaten and verbally abuse Ms Raine, causing shock, upset and panic.

Claim

Ms Raine brought a claim for misuse of private information, breach of confidence, and breach of duties owed under the Data Protection Act 2018 (DPA) and the General Data Protection Regulation in the form retained in UK law (GDPR). The claim was heard in the County Court by Recorder Richard Hartley KC.

The County Court found in the claimant’s favour in relation to misuse of private information and breach of confidence, but dismissed the claim for breach of data protection law. Ms Raine was awarded damages of £4,500 for personal injury, on the basis that the defendant’s actions had exacerbated her existing psychological conditions. She was also awarded costs, consisting of 100% of the success fee under the conditional fee arrangement between the claimant and her solicitors.

Appeal

The defendant appealed to the High Court, bringing 12 grounds of appeal in relation to misuse of private information, breach of confidence, the award and quantum of damages for personal injury, and the success fee. By way of a respondent’s notice, the claimant also challenged the County Court’s decision to dismiss the claim for beach of data protection law.

Decision

The King’s Bench Division heard the appeal, and Mr Justice Bright handed down his judgment on 27 June 2025.

Misuse of private information

Bright J set out the two-stage test for determining liability for misuse of private information, as reiterated by the Supreme Court in ZXC v Bloomberg^[2]:

1. Did the claimant objectively have a reasonable expectation of privacy in the relevant information?
2. If so, conducting a balancing exercise between Article 8 (the right to privacy) and Article 10 (the right to freedom of expression), was that expectation of privacy outweighed by the publisher’s right to freedom of expression?

The defendant raised numerous grounds of appeal relating to this cause of action, first arguing that Ms Raine’s mother’s mobile number was neither the claimant’s information nor information in which the claimant had a reasonable expectation of privacy.

Bright J rejected the argument that the information belonged only to the claimant’s mother, not to the claimant herself. He found it irrelevant that the claimant did not personally own the mobile number or the phone to which it related. The relevant information was the knowledge of the digits. The claimant received the mobile number from her mother and provided the information, as an employee, to the defendant. She did so specifically for inclusion in her personnel file, and so that in an emergency her employer could contact her via her mother. The defendant owed duties to the claimant in relation to the mobile number and, accordingly, the information was the claimant’s information as between her and the defendant.

Bright J also found it incontrovertible that the claimant had a reasonable expectation of privacy in her mother’s mobile number. The information was kept in a file labelled “Strictly Private and Confidential”, which itself was stored in a locked filing cabinet. It was, therefore, clearly private when it was given to the defendant, and it was intended to remain private.

The defendant did not rely on freedom of expression as a defence, so no defence arose for the second stage of the two-stage test.

Instead, the defendant raised an alternative argument that it is impossible, as a matter of legal principle, for a data security duty to exist outside the DPA/GDPR. The defendant relied primarily on the case of Warren v DSG Retail Ltd^[3],  where the court found that a retailer who held customers' personal data did not disclose or misuse the personal data when its security was breached and a third-party hacker accessed the data.

Bright J rejected this argument on two grounds.

• First, the judgment in Warren v DSG makes clear that claims in misuse of private information and breach of confidence are distinct from one another in their nature and essential ingredients, and both are also distinct from the nature and essential ingredients of a claim under the DPA/GDPR.
• Secondly, the facts of this case were materially different from those in Warren v DSG: the defendant in the present case positively disclosed the private information to a third party, thereby misusing it, whereas in Warren v DSG it was criminal third-party hackers who disclosed the relevant information.

Finally, the defendant raised an argument that there was no misuse in this case because the third party misappropriated the information unlawfully (i.e. by deception). That was also dismissed by Bright J in light of the facts of the case. The positive disclosure of the information by the defendant to Mr Fletcher constituted a positive act of misuse.

Accordingly, Bright J upheld the Recorder’s finding of liability for misuse of private information.

Breach of confidence

Bright J noted that the three requirements for liability for breach of confidence can be summarised as follows^[4]:

1. The information must have the "necessary quality of confidence about it".
2. The information must have been imparted in circumstances importing an obligation of confidence.
3. There must be an unauthorised use or disclosure of the information.

The defendant raised many of the same defences under this head of claim as for misuse of private information. Those were dismissed by Bright J for the same reasons, without further elucidation.

Bright J concluded that all three requirements for breach of confidence were satisfied in the circumstances.

• As to the first two requirements, an employer’s duty of confidence could apply to Ms Raine’s mother’s mobile number in the circumstances, and the relationship between employee and employer can give rise to obligations of confidence.  
• As to the third requirement, the defendant argued that Ms Raine must have consented to disclosure of the information to the police or emergency services. Yet Bright J considered the test to be met, as she had certainly not authorised the defendant to disclose her mother’s mobile number to Mr Fletcher, especially in such circumstances.

Accordingly, Bright J concluded that all three requirements for liability were met, and he dismissed the defendant’s appeal under this head of claim.

Breach of duties under the DPA/GDPR

The County Court had dismissed the data protection claim on the basis that communication of the data by purely oral means was not sufficient, citing Scott v LGBT Foundation^[5].

Bright J, however, overturned the County Court’s decision, considering that Scott had not been properly applied. In Scott, the information had only ever been communicated orally and was never recorded or stored in any form by the defendant: the information existed only in human memory. As such, there was neither any record, nor processing, of the data under the relevant legislation. By contrast, in this case, a physical record of the information had been stored in the personnel file, and there was processing of the information when it was communicated internally in writing and then orally disclosed to Mr Fletcher.

Accordingly, Bright J confirmed that oral disclosure can constitute processing of personal data.

Damages, quantum and success fee

As regards damages, Bright J dismissed the defendant’s appeal that the County Court had erroneously substituted personal injury, as the normal measure of loss, for pain, suffering and loss of amenity. He also dismissed the defendant’s appeal as to quantum on the ground that the damages were not so high as to be perverse.

Finally, Bright J noted that the success fee arose under a conditional fee arrangement that was entered into before the rules on recoverability changed on 6 April 2019, and so the ruling on this point would have no significance to any future case. Nevertheless, Bright J upheld the findings of the County Court to award Ms Raine 100% of the success fee, noting that the decision was not wrong in principle and was subject to judicial discretion.

Comment

This case serves as a useful reminder of the dangers of “pretexting”, whereby a perpetrator fabricates a pretext to elicit sensitive information, and of the legal consequences for the discloser in divulging private information to any unverified third party.  

The fact that the defendant divulged sensitive employee information only because the defendant was deceived into doing so did not constitute a valid defence under any of the three heads of claim. Regular training of staff, combined with policies and procedures around combating “pretexting” might help businesses to combat the risk of mistakenly divulging information to malicious third parties. Yet the actions of the defendant in this case show that, even with training in place, pretexting can be difficult to identify and guard against.

The case is also helpful in delineating the legal difference between being hacked by a malicious third party, and being tricked by a malicious third party into divulging private information. Bright J’s judgment clarifies that positively disclosing private information – whether or not as a result of deceit – is likely to be considered a misuse of private information and breach of confidence. In contrast, a failure to keep private information secure from hackers or thieves is unlikely to be sufficient for the purposes of misuse of private information or breach of confidence, although it may be actionable under the GDPR.

Finally, the judgement is notable in explicitly asserting that oral disclosure of personal data can constitute “processing” under Article 4(2) of the GDPR.  While this follows judgments in Holyoake v Candy (UK)^[6] and Endemol Shine Finland Oy (European)^[7], Bright J helpfully distinguished between oral disclosure of recorded data (which can constitute processing under the GDPR) from oral disclosure of non-recorded data (which, as the court found in Scott, is not engaged by the GDPR). The key point in this respect is that the provisions of the GDPR only relate to information that is retained in an electronic or manual form – not information that is stored only in the memory of individuals.

Article written for Entertainment Law Review.