High Court examines data protection rights of employees where data is obtained deceptively
The High Court has confirmed that employers may be liable under data protection and privacy laws in certain circumstances where personal information is disclosed following deceptive tactics, even if the disclosure is made orally.
Background
In Raine v JD Wetherspoon plc, the claimant, a former employee of Wetherspoon, had provided her mother’s mobile number as an emergency contact. The number was stored in a confidential personnel file.
After her employment ended, her abusive ex-partner, while on remand, called the pub pretending to be a police officer. Staff, despite having been trained in pretexting risks, disclosed the number without verification. The ex-partner used it to continue harassing the claimant.
Claims and findings
The claimant brought claims for misuse of private information, breach of confidence, and breach of data protection law.
In relation to the misuse of private information claim, the employer argued that the contact number was not the claimant’s own and therefore did not amount to her private information. The court rejected that argument. It found that the number, while technically belonging to the claimant’s mother, had been provided for the claimant’s benefit and was clearly private in nature. It was stored in a confidential employment record and had been supplied for use by the employer only. The court was satisfied that the claimant had a reasonable expectation that it would not be disclosed without proper authorisation.
The breach of confidence claim also succeeded. The information was confidential, the employer owed a duty to protect it, and there was no valid reason for the disclosure. The court rejected the suggestion that there had been implied consent to share the number with the police. In any event, the staff had failed to carry out any basic checks to confirm the caller’s identity or authority.
On the data protection claim, the court confirmed that an oral disclosure of information can still amount to processing of personal data if the information was held in electronic form, or was manual information (i.e. not electronic) held in a filing system. In this case, the file had been retrieved, the information transcribed, and then passed on orally. That sequence of actions was sufficient to fall within the scope of the data protection legislation. The claimant was awarded £4,500 for the distress caused by the unlawful disclosure.
Learning points for employers
Your organisation must have effective data protection training in place for all employees (and volunteers) who process personal data to do their job. The wide definition of personal data means that this is likely to be the vast majority of employees. This training should work alongside practical written guidance on the data protection essentials and information security. We also recommend considering how to keep data protection at the forefront of employees' minds, for example, regular bite-sized reminders in staff meetings.
Even where a disclosure is made with good intentions, a failure to consider information security may expose an employer to liability. Employees should be trained to speak to the data protection lead if they have any doubts about the validity of a request for information. This also applies to requests made by email or text message. Our data protection team is able to assist with training and practical guidance for staff.
For more information or advice, please contact Eleanor Taylor in our Employment team.