Danielle Raine v JD Wetherspoon Plc

This judgment concerns the appeal of the Defendant against the judgment of Recorder Richard Hartley KC, handed down on 12 July 2023 following a trial on 4 July 2023. The events at the heart of the matter go back to Christmas Day 2018. They concern the fact that, on that date, the Defendant disclosed personal information relating to the Claimant to the very person who she most wanted not to have that information: her ex-partner, who had been seriously violent and abusive toward her.

The Claimant brought a claim for damages, alleging causes of action for misuse of private information, breach of confidence and breach of duties owed under the Data Protection Act 2018 (“the DPA”) and the General Data Protection Regulations (“GDPR”). The Recorder found in her favour as regards misuse of private information and breach of confidence, but rejected the claim in so far as brought under the DPA/GDPR. The Defendant appeals against the Recorder’s conclusions on liability in respect of the claims for misuse of private information and breach of confidence. The Claimant wishes to challenge, by a Respondent’s Notice, his conclusion on the DPA/GDPR claim.

The damages asserted by the Claimant were for personal injury, in the form of post traumatic stress disorder, anxiety and depression. At trial, she also pursued an alternative case that, rather than causing injury, the Defendant’s actions had exacerbated existing psychological conditions. The Recorder rejected the primary case as to damages, but accepted that the Claimant’s existing psychological problems had been worsened. The Defendant appeals against the Recorder’s treatment of damages.

There is also a point taken in relation to costs, the Recorder having awarded 100% of the success fee provided for under the Claimant’s conditional fee arrangement with her solicitors. This separate point relates to the Recorder’s ruling on costs, on 9 October 2023.

I am grateful to Mr Waite, on behalf of the Defendant, and Mr McCracken, on behalf of the Claimant, for their assistance.

The Claimant worked for about 18 months at one of the Defendant’s pubs. In the course of her employment by the Defendant, she provided contact details. As well as her own contact details, she provided her mother’s mobile phone number, as “Emergency Contact Phone Number”. These details were recorded in her personnel file, which was a paper file kept (with others) in a locked filing cabinet in the manager’s office. The relevant document was conspicuously marked “Strictly Private and Confidential.”

The Claimant stopped working at the pub before Christmas 2018, but the Defendant quite properly retained her details for a period.

During 2018, the Defendant suffered terribly at the hands of her then partner, Ryan Fletcher. He was ultimately arrested in the autumn of 2018. In December 2018, he was on remand for offences against the Claimant. These included offences of serious violence as well as harassment offences which involved (among other things) subjecting her to many unwanted phone calls. He was ultimately convicted and sentenced to 2 ½ years in prison.

Because of Fletcher’s appalling mistreatment of her, and because she wished to have no further contact with him, the Claimant changed her mobile phone number. She therefore no longer used the number held on file by the Defendant for her. However, her mother’s mobile phone number remained valid.

While on remand, Fletcher got hold of a mobile phone. On Christmas Day 2018, he contacted the pub where the Claimant used to work, pretending to be a police officer. He claimed that he needed to contact the Claimant urgently. He spoke to a member of staff, Kyle Bennett, who had known the Claimant from the period she had worked there. Mr Bennett consulted with the manager, Dawn Brockbank. Ms Brockbank obtained the Claimant’s mother’s number from the Claimant’s personnel file, transcribed it and provided the transcription to Mr Bennett. She instructed Mr Bennett to release the number to the caller. Mr Bennet did so, during a further telephone conversation. All this while, Mr Bennett and Ms Brockbank believed that the caller – Fletcher – was a police officer.

Fletcher then called the Claimant’s mother, who was out having Christmas lunch with her family, including the Claimant. Fletcher again pretended to be a police officer, claimed that he needed to speak to the Claimant urgently and persuaded her mother to pass her mobile phone to the Claimant. He then proceeded to abuse the Claimant and make various threats, before she hung up.

As found by the Recorder, the Claimant was shocked, upset, cried, felt sick and panicked.

It is relevant that, a few months before her employment by the Defendant had ceased, the Claimant had three meetings with another manager, Liza Braddock, in the course of which she referred to the fact that her ex-partner had been abusive, violent and aggressive and that she was frightened about the possibility of contact with him. These were formal meetings which occurred because the Claimant’s anxiety had resulted in her being off work, and a record was therefore made of each of them. On this basis, the Recorder found that the Defendant was aware of the fact that the Claimant had been in an extremely abusive relationship and as a result had suffered physical assault and harassment.

This finding is not one that the Defendant sought to challenge in the appeal before me. However, by Ground 8 of its appeal, the Defendant contended as follows:

“The judge erred in fact and/or his evaluative judgement when imputing knowledge onto the Defendant of the risk that the ex-partner would unlawfully misappropriate the Claimant's next-of-kin details. The Defendant's knowledge was limited to what it had been told whilst the Claimant was an employee. The Claimant stopped working for the Defendant some time prior to the index event. The Claimant confirmed in her oral evidence that she could not have anticipated what happened, let alone the Defendant. The judge imposed a counsel of perfection.”

This is to be directed at the Recorder’s finding in his judgment at [18]:

“My conclusion from the Claimant’s evidence, linked with the above information from the Defendant’s documents, are that the Defendant well knew that the Claimant had been the victim of frightening criminal conduct on the part of Fletcher and that she was worried that he may try and contact her and that this could have serious consequences. They also either knew, or ought reasonably to have known, how important it was (particularly in the context of stalking and violence) that the Claimant’s contact details were kept safe, secure and confidential.”

This is a factual finding, which the Recorder was fully entitled to make, on the basis of the evidence to which he referred. It is indisputably correct that the Defendant knew these matters, from the meetings conducted by Ms Braddock. Mr Waite argued that this was no longer the Defendant’s state of knowledge by late December 2018. I cannot accept this. What had been known by the Defendant in August/September 2018 did not thereafter become unknown. The fact that the Claimant no longer worked at one of the Defendant’s pubs had no bearing on her relationship with Fletcher or her worries that he might try and contact her, with serious consequences; nor did it have any bearing on the knowledge that the Defendant had previously acquired about these matters. I therefore reject Ground 8.

It is also relevant that the Defendant trains its staff in relation to illegal activities such as “pretexting” – which the Defendant’s training manual describes as follows:

“Pretexting is where the perpetrator will impersonate someone else - this could be an authority figure or someone known to you - in order to extract information or money from the victim.”

Someone who has received and absorbed this training should know that the correct course was not to accept the credentials of someone claiming to be an authority figure, without evidence; not to accept claims of urgency; but to refer the matter to head office. None of these precautions was taken on this occasion.

The Recorder found that Mr Bennett and Ms Brockbank were genuinely taken in by Fletcher; and that they intended to help the Claimant, rather than to cause her any harm or distress. However, he also found that they, acting in the course of their employment, failed to act reasonably in all the circumstances: see the judgment at [29]. This finding was challenged by the Defendant in the course of the appeal, in the context of Mr Waite’s submissions under Ground 8, but that challenge was in truth unarguable, on examination of the evidence that I have summarised and for the reasons given by the Recorder in his judgment at [28] and [29].

Liability for misuse of information is determined applying a well-established two-stage test, set out by Lord Hoffman in ZXC v Bloomberg [2022] UKSC5, at [26]:

“It has at all times been common ground that liability for misuse of private information is determined by applying a two-stage test. Stage one is whether the claimant objectively has a reasonable expectation of privacy in the relevant information. If so, stage two is whether that expectation is outweighed by the publisher s right to freedom of expression. This involves a balancing exercise between the claimant’s article 8 right to privacy and the publisher’s article 10 right to freedom of expression.”

Here, as regards stage one, it is not really contestable that the Claimant had a reasonable expectation that contact details that she provided would be kept in her personnel file, which would itself be kept secure.

The Defendant disputed before me that the Claimant’s mother’s mobile phone number constituted the Claimant’s information, or that it was information in which she had a reasonable expectation of privacy. These arguments were developed by Mr Waite under Ground 6.

The fact that the mobile phone number in question related to the Claimant’s mother’s mobile phone account, rather than the Claimant’s own, is immaterial. It is not ownership of the mobile phone that matters, nor the ownership of the account relating to it. What is relevant here is information: the knowledge of the relevant digits. That information had presumably been given consensually by the Claimant’s mother to the Claimant, so that the Claimant could use it, including by sharing it with others as appropriate – for example, an employer. When the Claimant provided it to the Defendant, she did so specifically so that it could be used as a way of contacting her via her mother (not for contacting her mother alone, save as her next of kin). As between the Claimant and the Defendant, it was the Claimant’s information.

I was taken both by Mr Waite and by Mr McCracken to OPO v MTL [2014] EWCA Civ 1227, per Arden LJ at [32], [35] and [38] to [45]. There are some passages in that judgment that might appear to assume that information can only relate to or belong to one person, but I do not think that this is necessarily right. In circumstances such as those here, the information in respect of the Claimant’s mother’s mobile phone number undoubtedly related to her mother; but her mother had given the Claimant the right to provide it to the Defendant, for inclusion in the Claimant’s personnel file. So far as the Defendant was concerned, it was information that related to the Claimant and which she had provided, as the Defendant’s employee, to go the file that the Defendant maintained in relation to her. It therefore was information in respect of which the Defendant owed obligations to the Claimant – not merely or even predominantly to her mother (although it is arguable that some kind of obligation may also have been owed to the Claimant’s mother, notwithstanding the lack of any direct nexus).

As to the expectation of privacy, the information was undoubtedly private when given to the Defendant and was intended to remain private, rather than being published to others. That is why it was intended to be kept, and was kept, in the Claimant’s “Strictly Private and Confidential” personnel file, in a locked filing cabinet. I regard the argument that the Claimant had no reasonable expectation of privacy as unsustainable.

As the Recorder’s judgment records at [24], the Defendant’s case before him had included the positive submission that the Defendant had rightly kept this information in a locked filing cabinet, this being the appropriate treatment for such information. That was, in effect, a concession that the information was confidential and was intended to be kept private and secure. It was a concession that was rightly made. In his judgment at [11], the Recorder referred to the information as “clearly confidential”. He was right to do so. I therefore reject Ground 6.

As to Lord Hoffmann’s second stage, the Defendant did not rely on its article 10 right to freedom of expression. The second stage therefore does not really arise.

The Defendant’s main arguments in relation to misuse of private information did not, in fact, fall comfortably within Lord Hoffmann’s two-stage approach.

First, under Grounds 1 and 2, the Defendant contended that it is impossible as a matter of legal principle for there to be a data security duty outside the DPA and the GDPR. I understood Mr Waite to put this in two slightly different ways:

For both lines of argument, Mr Waite relied on Warren v DSG Retail Limited [2021] EWHC 2168 (QB), in particular at [25]- to [27] and [30]; and also at [34]. He also referred me to Smith v Talk Talk Telecom Group [2022] EWHC 1311 (QB), but the passages he identified in that case did not seem to me to advance matters in any relevant way (although they emphasise the need to consider the substance of matters rather than paying excessive attention to linguistic labels such as “positive act” and “omission”).

Grounds 1 and 2 are based on a fallacious misunderstanding of Saini J’s judgment in Warren. It is obvious, and Warren acknowledges (as the structure of Saini J’s judgment makes clear) that the nature and essential ingredients of claims in either (i) misuse of private information or (ii) breach of confidence are different both from each other (see OBG Ltd v Allan [2007] UKHL 21, per Lord Nicholls at [255]; Vidal-Hall v Google Inc [2015] EWCA Civ 311, per Lord Dyson MR at [21]), and from the nature and essential ingredients of a claim under the GDPR.

In Warren, Saini J was not concerned with a case where the defendant was said to have disclosed information. That was a case where the complaint was that information had not been kept secure, and so was vulnerable to the intrusive actions of a hacker. Earlier in his judgment, at [20] to [32], he explained where this was insufficient for the purposes of misuse of private information or breach of confidence: because the failure to keep information secure cannot constitute misuse or disclosure, which those two actions require. Furthermore, the passage relied on by Mr Waite at [34] is not concerned with misuse of private information or breach of confidence but with the separate argument, raised in that case but not relevant here, that DSG owed a common law duty of care to keep Mr Warren’s information secure.

In this case, the relevant information was not vulnerable to being accessed by a third party, or hacked, when it remained in the personnel file, in the locked filing cabinet. It did not become available to Fletcher because he was able to pierce the Defendant’s security without the Defendant’s knowledge or involvement. He got it because the Defendant gave it to him. The obvious distinction between this case and Warren is apparent from Saini J’s conclusion, in relation to breach of confidence and misuse of private information, at [31]:

“Here, it was not DSG that disclosed the Claimant’s personal data, or misused it, but the criminal third-party hackers.”

In the present case, it was the Defendant that disclosed the Claimant’s personal information; and, by doing so, misused it. This disposes of Grounds 1 and 2.

The Defendant’s Ground 3 raises a separate but very similar argument in relation to misuse of private information: namely, that there was no misuse in this case, because:

“A malicious third party’s ability to unlawfully misappropriate information does not amount to a positive act of misuse of private information by the custodian of that information.”

This argument bears no relationship to the facts. There was a positive act of misuse: the positive disclosure of the information by Mr Bennett to Fletcher, Mr Bennett thereby acting on behalf of the Defendant and on the instruction of Ms Brockbank. Ground 3 therefore also fails.

The essence of this cause of action is accurately summarised in Clerk & Lindsell on Torts (24^th ed.) §25-06:

“Traditionally, there are three requirements for liability for breach of confidence, authoritatively outlined by Megarry J in Coco v AN Clark (Engineers) Ltd [1969] RPC 41, at 47. First, the information in respect of which relief is sought must have the “necessary quality of confidence about it”: per Lord Greene MR in Saltman Engineering Co Ltd v Campbell Engineering Co Ltd (1948) 65 RPC 203, at 215. Secondly, the information must have been imparted in circumstances importing an obligation of confidence. The use of the word “imparted”, however, is now clearly too limited for the modern action, it now being established that there is no need for an initial confidential relationship. Thirdly, there must be an unauthorised use or disclosure of that information.”

As to the first requirement, the Defendant disputed before me that the Claimant’s mother’s mobile phone number constituted the type of information to which an employer’s duty of confidence could apply. This was under Ground 6, which I have already addressed in the context of misuse of private information. Mr Waite’s arguments under Ground 6 were the same in relation to breach of confidence as they were in relation to misuse of private information. They accordingly fail, for the same reasons.

As to the second requirement, it is well established that the relationship between employee and employer is capable in principle of give rise to obligations of confidence: Toulson & Phipps on Confidentiality (4^th ed.), §13-047 ff. The duty of confidence will affect personal information that the employee provides in the context of the employment, and will carry on after the employment has ended: §13-049.

As to the third requirement, the Defendant argued before me that the Claimant must be taken to have consented to disclosure of her contact details to the police or emergency services: Ground 7. However, the evidence before the Recorder was that the Claimant’s contact details were retained in case the Defendant itself needed to contact her: see the Judgment at [28], where the Recorder said:

“The Claimant’s confidential information was kept by the Defendant for three months after the cessation of her work. It seems to me that this is not, per se, unreasonable in that it may have been necessary to contact the Claimant for work-related matters for some short number of months after the termination of her employment.”

I do not accept that the Claimant had authorised the Defendant to disclose her mother’s mobile number to anyone else, let alone to Fletcher. She certainly cannot have anticipated that it would be released in circumstances that were unreasonable, as the Recorder rightly found the circumstances in this case to have been. Specifically, she cannot have anticipated that the Defendant’s employees (including the manager in charge at the time) would fail to put into practice the Defendant’s own training.

It follows that the disclosure occurred without the Claimant’s authority.

This means that all the three requirements for liability are met. None of the limiting principles referred to in Clerk & Lindsell at §25-07 arises, on the facts.

In relation to breach of confidence, the Defendant raised arguments under Grounds 4 and 5 that were the same, mutatis mutandis, as those under Grounds 1, 2 and 3 in the context of misuse of private information. I have already explained why the arguments under Grounds 1, 2 and 3 fail. The same points apply to the equivalent arguments Grounds 4 and 5, which also fail.

Accordingly, Recorder was right to find in the Claimant’s favour on liability, as regards this cause of action.

It follows that it is not strictly necessary to consider the Claimant’s Respondent’s Notice, by which she challenges the Recorder’s dismissal of her claim under the DPA/GDPR. In deference to the arguments that I received from both Counsel, I nevertheless do so, although this is not a point that is necessary for my decision or which can affect the outcome, in the light of my earlier conclusions.

The Recorder’s reason for dismissing the DPA/GDPR claim was that he accepted an argument developed to him by Mr Waite that the communication of data by purely oral means – here, the telephone conversation between Mr Bennet and Fletcher – is not sufficient. For this, Mr Waite relied on Scott v LGBT Foundation Limited [2020] EWHC 483 (QB), at [54].

However, the relevant claim failed in Scott not because the information in question was communicated by the defendant to the third party by purely oral means, but because the information had only ever been provided to the defendant orally; and because it then retained not in electronic or manual form in a filing system, but only in the memory of the individual who had received the original oral disclosure.

As Saini J noted at [63], the GDPR is concerned with records and processing. In that case, there was no record, and no processing. Here, there was a record of the relevant information, and it was processed: the personnel file was accessed by Ms Brockbank, the relevant information was extracted by her and provided in written form to Mr Bennett, for him to communicate to Fletcher.

As Mr McCracken submitted to me, this falls squarely within the definition of “processing” in the GDPR at article 4(2). If judicial confirmation is required that disclosure can constitute processing, even if the disclosure is oral, it is provided by Holyoake v Candy [2017] EWHC 3397 (Ch), per Nugee J at [457]. This is also the view of the European Court: Endemol Shine Finland Oy - Case 740/22 at [39].

Accordingly, the Recorder was wrong to accept Mr Waite’s submissions on this point, and (this being the only point taken by the Defendant on this claim) wrong not to find that this claim succeeded, alongside the claims for misuse of private information and breach of confidence.

The Claimant’s Respondent’s Notice was served out of time, with permission granted without notice by HHJ Sephton KC on 19 September 2024. The Defendant sought to have that order set aside on the basis that the Respondent’s Notice was, in substance, an attempt to cross-appeal. Mr Waite explained this essentially on the basis that, he said, the Claimant was seeking to alter or add to the Judge’s factual findings. I do not agree. It seems to me clear from the judgment that the Recorder only rejected the DPA/GDPR claim on the basis of the Defendant’s point on Scott – i.e., on the basis of a pure question of law, on which I have come to a different view. But for that, he would have found in the Claimant’s favour on this point as well, and his factual findings would undoubtedly have justified such a conclusion. I therefore reject the Defendant’s application to set aside the order of 19 September 2024.

Ground 9 asserts that the Recorder wrongly substituted personal injury damages for pain, suffering and loss of amenity in place of the normal measure of loss. This complaint is not a fair reflection of the judgment at [7], [15], and [31]. The Recorder did not accept that the Defendant’s breaches caused any injury. He found that they exacerbated the Claimant’s existing psychological damage. He seems to have had this distinction well in mind at [31].

However, the fundamental nature of the damages claimed remained in personal injury, as had been pleaded from the outset in the Particulars of Claim and then the Amended Particulars of Claim. It is apparent from the Recorder’s later ruling on costs (on 9 October 2023) that he regarded himself as having awarded damages for personal injury.

Ground 10 asserts that the Recorder erred in assessing loss at £4,500. This ground could only succeed if the Recorder’s award was so high as to be perverse. It was not.

Ground 11 is a catch-all that cannot advance matters and was not really relied on by Mr Waite.

Ground 12 relates to the success fee. The success fee arises under a conditional fee arrangement dated 17 January 2019. This was shortly before the rules changed on 6 April 2019. In other words, as Mr McCracken observed, this point arises only because this is an old case. The relevant issues are of historic interest only. They are of no significance to any future case.

The recovery of success fees was generally restricted, from 1 April 2013, by s. 44 of the Legal Aid, Sentencing and Punishment of Offenders Act 2012, which amended ss. 58 and 58A of the Courts and Legal Services Act 1990. However, by the associated Commencement and Saving Provision Order, SI/2013/77, there was a saving in respect of “publication and privacy proceedings”. This was defined as meaning proceedings of certain specified kinds, including “breach of confidence involving publication to the general public” and “misuse of private information”.

The claim under the GDPR did not fall within any exception; and this claim failed before the Recorder. The claim for breach of confidence did not involve publication to the general public, so that claim also was not excepted. However, because there was also a claim for misuse of private information, which was an excepted claim and which succeeded, the Recorder took the view that the success fee should be recoverable in full.

In reaching that view, he accepted the submissions made by Mr McCracken to the following effect:

The Recorder decided that the success fee should be recovered in full, and that it should not be split. On that last point, he said simply:

“I have also considered the issue of a split to see whether I should say because it applies to part of the claim and that therefore I ought to say that it applies only to certain parts or certain percentages. Again, I am not attracted by that argument. It seems to me that the facts here were fairly composite and whilst three different headings were put on the same facts, those are different legal arguments essentially relating to the first point. If the defendant had, for example, said we admit the misuse of private information but deny the DPA claim, it may well be that my findings would have been different. But in the absence of that sort of splitting approach between the parties, it seems that I should deal with this as one and I find in favour of the claimant for those reasons.”

Before me, Mr Waite said that the Recorder was wrong in principle to allow the recover of the success fee, in so far as this was a personal injury claim and CPR 44.13 therefore meant that Qualified One-Way Costs Shifting was applicable. In the alternative, he said that the Recorder should not have allowed the recovery of 100% of the success fee.

I do not accept that CPR 44.13 (which in any case is subject to CPR 44.17, and thus does not apply to a pre-commencement funding arrangement) has any bearing on whether or not a claim for the misuse of private information is an excepted claim in respect of the general restriction of success fees. The applicability of Qualified One-Way Costs Shifting is a separate matter. To this extent, I agree with the Recorder’s approach to the recovery of the success fee.

I find the Recorder’s explanation of why he then allowed the recovery of 100% of the success fee, and was not attracted to the idea of splitting it, somewhat opaque. However, I recognise that he was giving a ruling on costs in a fast-track trial. It would be unfair to expect him to have descended into great detail.

I suspect that, if I had been the trial judge, my exercise of the discretion may well have been different. However, the Recorder’s decision was not wrong in principle. Ground 12 therefore also fails.