Tag Archives: misuse of private information

June 29, 2025 · 8:19 am

Oral disclosure of personal data: a new domestic case

“Pretexting” and “blagging” are forms of social engineering whereby someone attempts to extract information from a source by deception. One (unethical) example is when a journalist purports to be someone else in order to gather information for a story.

A recent misuse of private information and data protection judgment in the High Court deals with a different, and sadly not uncommon, example – where an estranged, abusive partner convinced a third party to give information about their partner so they can continue their harassment of them.

The claimant had worked at a JD Wetherspoon pub, but had left a few months previously. She had given her contact details, including her mother’s mobile phone number, to her manager, and the details were kept in a paper file, marked “Strictly Private and Confidential”, in a locked filing cabinet. During the time she was employed she had been the victim of offences by a former partner of serious violence and harassment which involved subjecting her to many unwanted phone calls. He was ultimately convicted of these and sentenced to 2 ½ years in prison. Her employer was aware of the claimant’s concerns about him.

While her abuser was on remand, he rang the pub, pretending to be a police officer who needed to contact the claimant urgently. Although the pub chain had guidance on pretexting, under which such attempts to acquire information should be declined initially and referred to head office, the pub gave out the claimant’s mother’s number to the abuser, who then managed to speak to (and verbally abuse) the claimant, causing understandable distress.

She brought claims in the county court in misuse of private information, breach of confidence and for breach of data protection law. She succeeded at first instance with the first two, but not with the data protection claim. Wetherspoons appealed and she cross-challenged, not by appeal but by way of a respondent’s notice, the rejection of the data protection claim.

In a well-reasoned judgment in Raine v JD Wetherspoon PLC [2025] EWHC 1593 (KB), Mr Justice Bright dismissed the defendant’s appeals. He rejected their argument that the Claimant’s mother’s mobile phone number did not constitute the Claimant’s information or alternatively that it was not information in which she had a reasonable expectation of privacy: it was not ownership of the mobile phone that mattered, nor ownership of the account relating to it – what was relevant was information: the knowledge of the relevant digits. As between the claimant and the defendant, that was the claimant’s information, which was undoubtedly private when given to the defendants and was intended to remain private, rather than being published to others.

The defendant then argued that there can be no cause of action for misuse of private information if the Claimant is unable to establish a claim under the DPA/GDPR, and, relatedly, that a data security duty could not arise under the scope of the tortious cause of action of misuse of private information. In all honesty I struggle to understand this argument, at least as articulated in the judgment, probably because, as the judge suggests, this was not a data security case involving failure to take measures to secure the information. Rather, it involved a positive act of misuse: the positive disclosure of the information by the defendant to the abuser.

The broadly similar appeal grounds in relation to breach of confidence failed, for broadly similar reasons.

The counter challenge to the prior dismissal of the data protection claim, by contrast, succeeded. At first instance, the recorder had accepted the defendant’s argument that this was a case of purely oral disclosure of information, and that, applying Scott v LGBT Foundation Limited, this was not “processing” of “personal data”. However, as the judge found, in Scott,

the information had only ever been provided to the defendant orally; and…then retained not in electronic or manual form in a filing system, but only in the memory of the individual who had received the original oral disclosure…In that case, there was no record, and no processing. Here, there was a record of the relevant information, and it was processed: the personnel file was accessed by [the defendant’s employee], the relevant information was extracted by her and provided in written form to [another employee], for him to communicate to [the abuser].

This fell “squarely within the definition of ‘processing’ in the GDPR at article 4(2)”. Furthermore, there was judicial authority in Holyoake v Candy that, in some circumstances, oral disclosure will constitute processing (a view supported by the European Court in Endemol Shine Finland Oy).

Damages for personal injury, in the form of exacerbation of existing psychological damage, of £4500 were upheld.

The views in this post (and indeed most posts on blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Breach of confidence, Data Protection, data sharing, GDPR, judgments, misuse of private information, Oral disclosure

Tagged as , ,

October 8, 2024 · 4:39 am

Is the purchase of a watch “private information”?

[reposted from LinkedIn]

An interesting (if it gets to trial) Northern Ireland case of Frampton and Van Der Horst [2024] NIMaster 17, in which the plaintiff former boxer (P) has sought damages in, variously, passing off, copyright, breach of confidence, misuse of private information and data protection, as a result of the defendant watch seller’s (D) publication of a YouTube video revealing that P had bought a watch from D.

P had obtained judgment in default and D sought to set this aside. In deciding to do so the master only had to determine whether the D has an arguable defence.

The analyses of whether the MOPI and data protection defences are arguable are interesting (and in the latter case, flawed).

On MOPI, the master noted that the “Murray factors” (“the attributes of the claimant, the nature of the activity in which the claimant was engaged, the place at which it was happening, the nature and purpose of the intrusion, the absence of consent and whether it was known or could be inferred, the effect on the claimant, and the circumstances in which and the purposes for which the information came into the hands of the publisher”) will require consideration at trial, and also noted that the authoritative law books on the topic identify “personal financial and tax related information” as one of the types of information that will normally (but not invariably) be regarded as giving rise to a reasonable expectation of privacy. All these points could only, said the master, be determined by a trial judge, having heard all the evidence.

On the data protection claim, the defence consisted in an argument that D’s processing was based on his legitimate interests. Here, the master seems to have erred, in assessing that “This would appear a particularly weak argument as there was no express consent from the plaintiff and the purported legitimate reason for processing the data was effectively to make money, which is not an exemption under UK General Data Protection Regulations [sic]”. But, of course, reliance on Article 6(1)(f) UK GDPR legitimate interests does not (cannot) require the consent of the data subject; rather, it requires the controller’s legitimate interests to be balanced against the interests, rights and freedoms of the data subject. Nor is there any authority for the proposition that an interest or interests cannot be “legitimate” because they are commercial interests (indeed, the CJEU, in a finding which I am certain would be followed by the domestic courts, only last week ruled that a commercial interest is capable of being a legitimate interest).

This, of course, was not a fully argued case (the master only had affidavits and draft pleadings to go on). If the case goes to trial we may well see all of the claims more properly argued and considered.

The views in this post (and indeed most posts on this blog) are my personal ones, and do not represent the views of any organisation I am involved with.

Leave a comment

Filed under Data Protection, judgments, misuse of private information

Tagged as ,