A recent ruling affirms that an employer is directly liable for the unauthorised disclosure of an employee's private information. An employee worked at a JD Wetherspoon pub for approximately eighteen months, during which time she provided her contact details, including her mother's mobile number as an "emergency contact phone number". These details were kept in her personnel file, conspicuously marked "Strictly Private and Confidential," and locked in a filing cabinet in the manager's office. She ceased working at the pub before Christmas 2018, and her details were properly retained by the defendant.

Throughout 2018, the claimant endured severe abuse from her then-partner, who was arrested in the autumn and held on remand for serious violence and harassment offences. Due to a history of abuse and her desire to avoid further contact with him, she changed her mobile phone number, rendering the number on file obsolete, although her mother's mobile number remained active.

On Christmas Day 2018, while on remand, her ex-partner obtained a mobile phone and called the Wetherspoons pub, falsely identifying himself as a police officer and claiming an urgent need to contact the claimant. A staff member who knew the claimant consulted with the manager, who then accessed the claimant's confidential personnel file, transcribed her mother's mobile number, and instructed the staff member to provide it to the caller.  

The ex-partner then called the claimant's mother, who was out at a Christmas lunch with her family, including the claimant. Again impersonating a police officer, he persuaded the mother of his urgent need to speak to the claimant, and the phone was passed to her, whereupon she was verbally abused and threatened. Not only had the abusive relationship and her fear of contact been disclosed to the manager on several occasions, but Wetherspoons was aware that "pretexting" is a known threat and that their staff was trained concerning such threats.  

The claimant successfully sought damages pertaining to the misuse of private information and breach of confidence, although claims of further breaches under the Data Protection Act (DPA) 2018 and the General Data Protection Regulation (GDPR) 2018, while initially dismissed, were later upheld by the High Court.

Here, there is a clear distinction drawn between a failure to keep data secure online and an active disclosure of data by the employer's staff. Employers must not only have policies in place but also ensure that they are understood and followed in practice. Such training must be robust and regularly reinforced to avoid being found vicariously liable. It is simply insufficient to have a "Strictly Private and Confidential" label or issue a training manual. An employee's emergency contact details, even if they are those of a relative, constitute private information, and employees have a reasonable expectation of privacy.