The recent High Court decision in Raine v J D Wetherspoon underlines how fragile privacy can be when organisations fail to protect personal information in practice, even when they appear to do everything right on paper.
At its centre is a disturbing episode of deception. On Christmas Day, the former partner of Ms Raine, a Wetherspoon employee, telephoned her workplace pretending to be a police officer. He persuaded staff to hand over her mother's mobile number, which she had given as an emergency contact. That number, lifted directly from her confidential personnel file, was then used to continue a campaign of harassment against her.
The story is stark not because the information disclosed was a bank detail or a medical record, but because it was something apparently mundane: a mobile phone number. Yet the consequences were anything but mundane. For Ms Raine, it meant renewed exposure to the very risks of harm her employer knew she feared. For Wetherspoon, it meant liability across three fronts: misuse of private information, breach of confidence, and breach of the Data Protection Act 2018 and the UK GDPR.
The reach of private information
One of the most important aspects of the judgment is the Court's treatment of the emergency contact number itself. The defence argued that the number belonged to Ms Raine's mother, not to Ms Raine, and therefore could not qualify as her "private information."
The Court rejected that line of reasoning. What mattered was not strict ownership but context. The number had been provided by Ms Raine in a personal capacity, to be used for her protection in emergencies. It was stored in her personnel file, which was labelled "Strictly Private and Confidential." In those circumstances, she had a clear and reasonable expectation of privacy in the information.
This broad understanding of private information is significant for employers. It demonstrates that privacy rights can attach to data beyond the obvious categories. Even if the data point does not directly identify the employee, if it relates to them in a way that can affect their dignity, safety or autonomy, the courts will treat it as private. Emergency contacts, next-of-kin details, and other ancillary information fall squarely within this scope.
The legal weight of an oral disclosure
Another critical element of the decision is the finding that oral disclosure can amount to "processing" of personal data under data protection law. Many employers assume that GDPR obligations bite primarily when information is handled in electronic or written form. The Court was clear that this is not the case. When an employee accesses information from a personnel file and communicates it aloud to a third party, they are engaging in processing just as much as if they had sent an email or uploaded a spreadsheet.
This point matters in practice. Casual conversations, off-the-record disclosures, and hurried attempts to be helpful can all amount to breaches of data protection duties. The fact that the disclosure in Raine took place over the phone, rather than through a formal channel, did not shield the employer from liability. For organisations, this decision should put an end to any complacency about "informal" disclosures. The law makes no such distinction.
Pretexting and the human element of data security
The mechanism by which the breach occurred (i.e. deception by a third party) deserves careful reflection. Pretexting, or social engineering, has long been recognised as a risk in cybersecurity. Yet the Raine case shows that it is just as dangerous in the context of employment and HR data. The caller presented himself as a police officer, exploiting both the urgency of the occasion and the authority of law enforcement to persuade staff to release the information.
Wetherspoon had confidentiality policies in place, and staff had been given some training. But the Court found that was not enough. The failure was not one of awareness but of resilience. Employees were not sufficiently equipped to resist deception, nor were there robust processes for verification before information was disclosed. In practice, the system was only as strong as the momentary judgment of a staff member confronted with a persuasive lie.
This brings us to the heart of the matter. Privacy and data protection are not just technical or procedural issues. They are deeply human. Organisations must reckon with the fact that their staff can be manipulated, flustered, or simply too eager to help.
Effective compliance therefore means creating structures that support staff in those moments: clear escalation routes, unambiguous policies about refusing requests, and cultural reinforcement that the default position is non-disclosure unless identity and authority can be rigorously confirmed.
Privacy as protection, not red tape
It is tempting to see this case purely in legal terms, as a combination of claims under misuse of private information, breach of confidence, and data protection legislation. But to do so risks missing its human dimension. Privacy law is not a bureaucratic trap for employers. It is a framework designed to protect people from real harm.
For Ms Raine, the disclosure of her mother's number was not an abstract breach of principle. It was an act that exposed her to renewed harassment from an abusive ex-partner. For employers, that reality should be a wake-up call. The personal data held in personnel files is not inert. It is powerful information, and if it falls into the wrong hands, it can become a tool of intimidation or abuse. That is why the law insists on a culture of care, not just compliance.
Practical implications for employers
What, then, should employers take from Raine? The first is that all personal data, no matter how trivial it may seem, must be treated as sensitive if it has the potential to cause harm. Emergency contact details, next-of-kin information and similar data should not be regarded as low-risk.
The second is that policies alone are insufficient. Training must be practical, rehearsed and reinforced so that staff know not only what the rules are, but how to apply them under pressure.
Procedures for verifying the identity of those requesting information must be robust, particularly when the request is framed as urgent or authoritative. And organisations must consider whether certain information should be more tightly controlled, with disclosure routes restricted to senior staff who are less likely to be manipulated.
Finally, employers should understand that liability can arise from multiple legal angles at once. In Raine, the claimant succeeded under privacy law, breach of confidence and data protection statutes. Each of those frameworks carries its own remedies, and together they create significant exposure for organisations that fail to protect staff information.
A broader cultural lesson
The Raine case is, ultimately, about trust. Employees hand over their personal information to employers because they have no real choice – it is a condition of employment. In doing so, they trust that their employer will use and protect that information responsibly. When that trust is broken, the consequences can be severe, both for the individual and for the organisation's reputation.
For Wetherspoon, the disclosure of a single phone number on Christmas Day has now become a precedent-setting case. For every other employer, it is a reminder that the duty to protect staff data is not just a matter of compliance but of humanity. The law in this area will continue to develop, but the underlying principle is timeless – people deserve to feel safe, and their information deserves to be treated with respect.