In a case that underscores the profound consequences of data mishandling in the workplace, the King’s Bench Division recently delivered a significant judgment in this case. At the heart of the dispute was a breach of trust and confidentiality between a former employee and one of the UK’s most recognisable pub chains. The Court’s decision serves as a cautionary tale for employers navigating their responsibilities under data protection law and the common law of privacy.
Background
The Claimant, formerly employed at a pub, had disclosed her mother’s mobile number as an emergency contact. This information, explicitly labelled “Strictly Private and Confidential,” was held in a locked cabinet. Unknown to her, this information would eventually fall into the wrong hands.
On Christmas Day 2018, her abusive ex-partner, then in custody, impersonated a Police Officer and deceived staff at the pub into releasing the contact number. He subsequently used it to threaten the Claimant, causing her severe psychological distress. Although she had warned her employer about the risks posed by this individual, her warning had not prevented the breach.
The legal Issues
The Court had to consider three core questions:
- Did the pub misuse private information?
- Was there a breach of confidence?
- Was the employer also liable under the Data Protection Act 2018 and GDPR?
The Recorder had already found the pub chain liable for misuse of private information and breach of confidence, but had rejected the claim under the DPA/GDPR. On appeal, both parties challenged different elements of the Recorder’s ruling.
The outcome
The High Court upheld the Recorder’s findings that:
- The Claimant had a reasonable expectation of privacy over her personal data;
- The disclosure was made without her authority; and
- The disclosure constituted a misuse of private information and a breach of confidence within the scope of the employment relationship.
Crucially, the Court reversed the Recorder’s conclusion on the DPA/GDPR claim. It held that the verbal transmission of the number constituted “processing” under Article 4(2) of the GDPR and that the defendant’s failure to verify the caller’s identity before releasing the information amounted to a clear data breach.
Damages and costs
Although the claimant did not succeed on her primary case for personal injury damages, the Recorder awarded £4,500 for the exacerbation of her psychological condition. The Court also affirmed the full recovery of the success fee under the Claimant’s conditional fee agreement, rejecting the Defendant’s reliance on CPR 44.13 to limit costs recovery.
Why it matters
This judgment strengthens the protection of employees’ private information and clarifies that even verbal disclosures can constitute unlawful “processing” under GDPR. It also reinforces that employers bear responsibility for training their staff in handling personal data, especially in contexts where “pretexting” is a known risk.
How can we help?
Amrik Basra is an Associate in our Private Litigation team.
At Nelsons, our team specialises in these types of disputes and includes members of The Association of Contentious Trust and Probate Specialists (ACTAPS). The team is also recommended by the independently researched publication, The Legal 500, as one of the top teams of specialists in the country.
If you have concerns about the above subject, don’t hesitate to get in touch with Amrik or a member of our expert Dispute Resolution team in Derby, Leicester, or Nottingham on 0800 024 1976 or via our online enquiry form.
Contact us