ARTICLE
14 August 2025

Raine v JD Wetherspoon: A Wake-Up Call On Oral Disclosures And Data Protection

Lewis Silkin

Contributor


The High Court's decision in Raine v JD Wetherspoon offers a reminder to employers on the importance of safeguarding employee data, especially in high-risk situations. The case clarifies how oral disclosures of recorded data can still constitute "processing" under the UK GDPR. For HR and privacy professionals, this judgment underscores the need for robust training, clear policies, and practical implementation of data protection protocols.

Background

The Claimant, a former JD Wetherspoon ("Wetherspoons") employee, had provided her mother's mobile number as her emergency contact while employed at Wetherspoons. These details were stored in the Claimant's personal file, which was marked "Strictly Private and Confidential" and stored securely. In 2018, the Claimant began to suffer serious abuse and harassment from her partner at the time. She informed a manager about this on three separate occasions during formal meetings, and raised that she feared further contact. The Claimant left employment at Wetherspoons, and the company retained her file in line with their internal retention periods.

On Christmas Day 2018, the ex-partner called Wetherspoons and, by impersonating a police officer, convinced staff to disclose the Claimant's emergency contact number. The member of staff on duty checked with the manager on the premises at the time, who authorised the disclosure of the emergency number. Despite existing training on impersonation tactics to obtain information (otherwise known as "pretexting"), the staff failed to follow protocol. The ex-partner used the number to further harass the Claimant.

Claims and Original Decision

As a result, the Claimant brought claims in the County Court for misuse of private information, breach of confidence, and breach of the UK GDPR and Data Protection Act 2018. The Recorder found in the Claimant's favour on misuse of private information and breach of confidence but rejected the data protection claim on the grounds that oral disclosure of personal data did not constitute "processing" under the GDPR.

Appeals

Wetherspoons appealed to the High Court on issues of liability, damages and costs. The Claimant cross-appealed the dismissal of the data protection claim.

Mr Justice Bright, who heard the appeal, dismissed Wetherspoons' appeals on all issues but allowed the Claimant's cross-appeal.

Findings

The High Court upheld the Recorder's findings on misuse of private information and breach of confidence, but crucially overturned the earlier dismissal of the data protection claim.

Misuse of Private Information

Applying the two-stage test from ZXC v Bloomberg, the Court found that (1) the Claimant had a reasonable expectation of privacy in the emergency contact number, even though it belonged to her mother, and (2) there was no countervailing interest like freedom of expression. The key factor was the confidential nature of the information and the context in which it was provided. The Court rejected Wetherspoons' argument that the number wasn't "hers" and clarified that information can relate to more than one person.

Breach of Confidence

All three elements were satisfied: the information was confidential, there was an obligation of confidence, and the disclosure was unauthorised. The Court dismissed the idea that implied consent to share information with emergency services extended to a deceptive request from an abuser.

Data Protection: Oral Disclosure as "Processing"

The High Court clarified that oral disclosure of data stored in a recorded system qualifies as "processing" under UK GDPR Article 4(2). This overturned the Recorder's reliance on Scott v LGBT Foundation, which involved a person's HIV status being orally disclosed to a charity worker, who did not go on to make any sort of written record of it. Mr Justice Bright found that the facts of this case were materially different from the facts of Scott; in this case, the personal data had been recorded since the number was stored in a file, which was subsequently accessed by staff. The retrieval of the information from the file, its copying out and its oral disclosure to the ex-partner all triggered UK GDPR obligations, in contrast to the information in Scott, which was only ever provided orally.

Key Takeaways for Privacy Professionals

  1. Emergency contact details are protected: Even if the data relates to a third party (e.g. a parent), it can still be considered the employee's private information.
  2. Oral disclosure can be processing: If data originates from a recorded system, speaking it aloud can constitute processing under the UK GDPR.
  3. Training must be applied in practice: Wetherspoons had pretexting training, but staff failed to apply it. This highlights the gap between policy and practice.
  4. Consent must be interpreted narrowly: Implied consent to share data with authorities does not extend to deceptive or unauthorised disclosures.

This case is a wake-up call for employers to ensure that data protection policies are not only well-drafted but also effectively implemented, and that employees are clear on how to apply the training in practice. Privacy professionals should review training protocols, escalation procedures, and access controls to prevent similar breaches.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
