Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
Select an area of expertise to find out more about our experience.
Find out more about our barristers and business support teams here.
In Raine v JD Weatherspoon Plc [2025] EWHC 1593 (KB), the High Court considered three key questions in the context of misuse of private information, breach of confidence and data protection claims in an employment setting:
Factual Background
The Claimant, a former employee of JD Wetherspoon, provided her mother’s mobile number as her emergency contact. The details were clearly marked “Strictly Private and Confidential” and stored in a locked filing cabinet. In 2018, the Claimant suffered serious violence and harassment from her then partner. She told a manager about the abuse in three formal meetings and said she feared further contact from them. The Claimant left Wetherspoon before Christmas 2018 and the company retained her file for a short period.
On Christmas Day 2018, her ex-partner called Wetherspoon and deceived staff into disclosing the Claimant’s mother’s number by posing as a police officer. A member of staff checked with a manager on duty, who copied the mother’s number from the Claimant’s employee file and told the staff member to give it to the caller. Wetherspoon had trained staff on “pretexting” (impersonation to obtain information), but that training was not applied. The ex-partner used the number to subject the Claimant to further abuse.
Claims and the Recorder’s Decision
The Claimant brought claims for misuse of private information, breach of confidence and breach of duties under the Data Protection Act 2018 (“DPA”) and UK GDPR. The Recorder found in her favour on misuse of private information and breach of confidence, but rejected the data protection claim, concluding oral disclosure did not constitute “processing” under the GDPR.
Misuse of Private Information
The High Court applied the two-stage test from ZXC v Bloomberg [2022] UKSC 5: Firstly, whether the Claimant objectively had a reasonable expectation of privacy regarding the information; and secondly, whether this expectation outweighed any competing Article 10 rights for freedom of expression. The case only addressed the first stage as Wetherspoon did not rely on Article 10.
Wetherspoon argued that the Claimant had no reasonable expectation of privacy in her mother’s mobile phone number because it belonged to her mother, not the Claimant herself. The High Court rejected this argument, holding that what mattered was the confidential nature of the information (the digits themselves), rather than ownership of the mobile phone or account. The Claimant had provided the number specifically to allow her employer to contact her via her mother and therefore had a reasonable expectation that this information would remain private. The Court addressed the issue raised in OPO v MTL [2014] EWCA Civ 1227 – whether information could relate or belong to more than one person – and determined that the mother’s information was not prevented from also relating to the Claimant in these particular circumstances.
The High Court further rejected Wetherspoon’s legal arguments relying on Warren v DSG Retail Limited [2021] EWHC 2168 (QB) that there could be no claim for misuse of private information outside the scope of GDPR obligations. The court addressed Warren in two ways. Firstly, relying on the case for this argument was misconceived as Warren itself acknowledges that the essential ingredients of misuse of private information and breach of confidence differ from each other and from a GDPR claim. Secondly, Warren should be distinguished as it concerned the duty to keep information secure, whereas Wetherspoon actively disclosed and therefore misused private information.
Breach of Confidence
The Court also upheld the Recorder’s decision regarding breach of confidence concluding that all three elements were met: the information was confidential in nature, the circumstances imposed an obligation of confidence and there was an unauthorised disclosure. It rejected Wetherspoon’s argument that the Claimant implicitly consented to disclosing contact details to the police or emergency services as that consent did not extend to an unreasonable disclosure in response her ex-partner’s deception.
Data Protection: Oral Disclosure Can Constitute “Processing”
Importantly, the High Court overturned the Recorder’s decision regarding GDPR compliance. The Court clarified that oral disclosure of personal data, where data is stored in any recorded system (as the mother’s number was), constitutes “processing” under GDPR Article 4(2). The High Court distinguished the Recorder’s reliance on Scott v LGBT Foundation Limited [2020] EWHC 483 (QB), which concerned oral-only data not stored in a filing system. Here, since the phone number was initially recorded and subsequently disclosed orally, the GDPR applied. This approach is in line with Holyoake v Candy [2017] EWHC 3397 (Ch) and Endemol Shien Finland Oy (C-740/22).
Implications for Employers
The case has several practical implications for organisations. Emergency contact details kept in a personnel file will be treated as the employee’s information and an oral disclosure of such data is considered processing under the UK GDPR and DPA 2018. The Court made clear that the Claimant could not reasonably have expected disclosure in circumstances where staff ignored Wetherspoon’s pretexting training. This is a reminder for employers to consider carefully how their policies and training are implemented in practice. Do staff members know how to verify a caller’s identify, how to escalate dubious requests and in which limited circumstances it is appropriate to access and disclose information from personnel files?
A monthly data protection bulletin from the barristers at 5 Essex Chambers
The Data Brief is edited by Francesca Whitelaw KC, Aaron Moss and John Goss, barristers at 5 Essex Chambers, with contributions from the whole information law, data protection and AI Team.
