Danielle Raine v JD Wetherspoon Plc

The claimant succeeded in causes of action for misuse of private information and breach of confidence arising from the defendant employer's disclosure of the claimant's next-of-kin contact details to her abusive ex-partner. The court applied the two-stage test for misuse of private information (ZXC v Bloomberg) and held that the contact details were information in respect of which the claimant had a reasonable expectation of privacy. The employer's staff had been trained about "pretexting" but failed to follow safeguards and disclosed the number after an oral telephone exchange, a positive disclosure amounting to misuse and to an unauthorised use for breach of confidence. The court also found that the recorder was wrong to dismiss the claimant's Data Protection Act 2018 / GDPR claim: the retrieval of the number from a personnel file and transmission amounted to processing within article 4(2) GDPR. The defendant's challenges to liability, to the damages assessment and to the costs order (including recovery of the claimant's success fee under the conditional fee agreement) were rejected.

This is an appeal by the defendant against a County Court (Recorder) judgment finding liability for misuse of private information and for breach of confidence following an incident on 25 December 2018 in which the defendant's staff disclosed the claimant's mother's mobile number (held as the claimant's emergency contact in a marked personnel file) to the claimant's abusive ex-partner who impersonated a police officer. The claimant alleged misuse of private information, breach of confidence and breaches of data protection law (DPA 2018 and the GDPR), and claimed psychiatric injury or, in the alternative, exacerbation of pre-existing psychological conditions.

The court considered:

• (i) the nature of the claim: damages for misuse of private information, breach of confidence and breaches of the DPA/GDPR; an award for personal injury or for exacerbation of existing psychiatric injury; and an order for recovery of the claimant's success fee under a conditional fee agreement;
• (ii) the issues framed: (a) whether the contact number constituted information in respect of which the claimant had a reasonable expectation of privacy; (b) whether disclosure by the employer amounted to misuse of private information and breach of confidence; (c) whether any common-law liability or privacy duty is constrained to the DPA/GDPR; (d) whether the recorder was right to dismiss the DPA/GDPR claim on the basis that an oral communication could not amount to processing; (e) quantum of damages; and (f) recovery of the success fee;
• (iii) the court's reasoning: the personnel-file contact details were confidential and within the claimant's reasonable expectation of privacy; the oral telephone exchange followed a positive, written transcription from a marked personnel file and therefore amounted to a disclosure and to processing under article 4(2) GDPR; the recorder's reliance on cases about hacked data was distinguished because here the data was disclosed by the defendant; the employer knew of the claimant's history of abuse and had training about pretexting but failed to follow safeguards; the recorder's findings on causation of personal injury were upheld insofar as he found exacerbation of pre-existing conditions rather than wholly new injury; and the recorder's allowance of recovery of the full success fee under an excepted privacy claim was not shown to be wrong in principle.

The court therefore dismissed the defendant's appeal on liability and damages, allowed the claimant's respondent's notice overturning the recorder's dismissal of the DPA/GDPR point, and upheld the recorder's costs decision.

Appeal dismissed. The appellate court upheld the recorder's findings that the defendant had committed misuse of private information and breach of confidence by disclosing the claimant's emergency contact number to her abusive ex-partner, on the basis that the number was confidential and within the claimant's reasonable expectation of privacy and that the disclosure was a positive act. The court also held that the recorder was wrong to dismiss the DPA/GDPR claim: extracting the number from the personnel file and communicating it constituted processing under article 4(2) GDPR. The defendant's challenges to the findings on damages and to the costs (including recovery of the success fee) were rejected as not being wrong in principle.

Appeal to the High Court (King's Bench Division, Manchester District Registry) from the County Court at Manchester (Recorder Richard Hartley KC), judgment at trial given 12 July 2023. This judgment is the appellate decision: [2025] EWHC 1593 (KB).