A recent High Court judgment has highlighted the importance of understanding the risks of verbal disclosure of personal data. This is especially relevant where data could be obtained through deception, known as pretexting. The case is a stark reminder of the potential consequences of disclosing personal data without taking appropriate precautions.

The facts

The claimant had been an employee of JD Wetherspoon plc and had provided her personal information to them, including her contact details and her mother’s as an emergency contact. The employer marked the information as “Strictly Private and Confidential” and kept it in a locked cabinet. During her employment, the claimant suffered serious domestic violence from her ex-partner, who was later convicted and sentenced to two and a half years’ imprisonment. Wetherspoon was aware of these circumstances.

The claimant’s employment later ended and, while her ex-partner was on remand, he called Wetherspoon pretending to be a police officer and said that he needed to contact the claimant urgently. Wetherspoon, ignoring existing guidance on how to manage pretexting attempts, provided him with the claimant’s mother’s contact details. The abuser later used this to contact the claimant and verbally abuse her, causing significant distress.

County court decision

The claimant brought claims against Wetherspoon in the county court for misuse of private information, breach of confidence, and breach of duties owed under the Data Protection Act 2018 (the DPA) and the General Data Protection Regulations (GDPR). She succeeded at the first instance on the first two claims (misuse of private information and breach of confidence), but not on the third claim (breach of duties owed under the DPA and GDPR). Wetherspoon subsequently appealed the findings against them and the claimant challenged the decision on the third claim.

The claimant claimed damages for personal injury (post-traumatic stress disorder, anxiety and depression) and the county court awarded her £4,500 and 100% of the success fee due under her conditional fee arrangement.

Appeal to the High Court

On appeal to the High Court, the judge dismissed Wetherspoon’s appeals.

Wetherspoon sought to argue that they did not know the claimant’s circumstances following the termination of her employment. The judge rejected this and found that the end of her employment had no bearing on the relationship the claimant had with her ex-partner, especially following the conversations the claimant had had with a manager, in which she expressed fear of her ex-partner. The judge also put significant weight on the fact that Wetherspoon trained its staff on the necessary precautions in relation to pretexting. As a result, the judge agreed that although Wetherspoon genuinely intended to help the claimant, believing that the caller was a police officer, they had failed to act reasonably in all the circumstances.

The judge also rejected Wetherspoon’s arguments that the phone number of the claimant’s mother could not constitute the claimant’s personal information and that its duty of confidence did not extend to her mother’s phone number. The judge noted that Wetherspoon had marked the information as “Strictly Private and Confidential” and kept it in a locked cabinet.

The judge upheld the claimant’s appeal in relation to the claim of breach of duties owed under the DPA and GDPR. He confirmed that verbal disclosure of the claimant’s information constituted “processing” under the GDPR.

Key takeaways

This case serves as a warning that you should never disclose personal data without following proper safety precautions, regardless of what may seem at the time to be an urgent or genuinely harmless request. Sharing information verbally is no different to sharing information in writing. The case also highlights the importance of not only having data protection policies in place, but adequately training staff to avoid unintentional breaches and vicarious liability. If they do not already do so, update your policies and training to explain pretexting and ensure staff are alert to this threat.

Subscribe and stay updated
Receive our latest blog posts by email.
Stay in Touch
, ,
Emma Rae

About Emma Rae

Alison Weatherhead

About Alison Weatherhead

Alison supports and advises clients on the full range of human resource queries and acts for clients in employment tribunals and judicial mediations, predominantly for employers. Her experience in tribunals includes advising on unfair dismissal, disability discrimination claims, whistleblowing claims and unlawful deductions from wages.

Full bio

You might also like...

Surveillance at work

The European Court of Human Rights has found that the covert surveillance of an employee at his or her workplace must be considered to be a considerable intrusion into his or her private life. It entails a recorded and reproducible documentation of a person's conduct at his or her workplace, which he or she, being obliged under the employment contract to perform the work in that place, cannot evade.

By Claire Maclean