KA-2023-MAN-000005 - [2025] EWHC 1593 (KB)

Liability for misuse of information is determined applying a well-established two-stage test, set out by Lord Hoffman in ZXC v Bloomberg [2022] UKSC5, at [26]:

“It has at all times been common ground that liability for misuse of private information is determined by applying a two-stage test. Stage one is whether the claimant objectively has a reasonable expectation of privacy in the relevant information. If so, stage two is whether that expectation is outweighed by the publisher s right to freedom of expression. This involves a balancing exercise between the claimant’s article 8 right to privacy and the publisher’s article 10 right to freedom of expression.”

Here, as regards stage one, it is not really contestable that the Claimant had a reasonable expectation that contact details that she provided would be kept in her personnel file, which would itself be kept secure.

The Defendant disputed before me that the Claimant’s mother’s mobile phone number constituted the Claimant’s information, or that it was information in which she had a reasonable expectation of privacy. These arguments were developed by Mr Waite under Ground 6.

The fact that the mobile phone number in question related to the Claimant’s mother’s mobile phone account, rather than the Claimant’s own, is immaterial. It is not ownership of the mobile phone that matters, nor the ownership of the account relating to it. What is relevant here is information: the knowledge of the relevant digits. That information had presumably been given consensually by the Claimant’s mother to the Claimant, so that the Claimant could use it, including by sharing it with others as appropriate – for example, an employer. When the Claimant provided it to the Defendant, she did so specifically so that it could be used as a way of contacting her via her mother (not for contacting her mother alone, save as her next of kin). As between the Claimant and the Defendant, it was the Claimant’s information.

I was taken both by Mr Waite and by Mr McCracken to OPO v MTL [2014] EWCA Civ 1227, per Arden LJ at [32], [35] and [38] to [45]. There are some passages in that judgment that might appear to assume that information can only relate to or belong to one person, but I do not think that this is necessarily right. In circumstances such as those here, the information in respect of the Claimant’s mother’s mobile phone number undoubtedly related to her mother; but her mother had given the Claimant the right to provide it to the Defendant, for inclusion in the Claimant’s personnel file. So far as the Defendant was concerned, it was information that related to the Claimant and which she had provided, as the Defendant’s employee, to go the file that the Defendant maintained in relation to her. It therefore was information in respect of which the Defendant owed obligations to the Claimant – not merely or even predominantly to her mother (although it is arguable that some kind of obligation may also have been owed to the Claimant’s mother, notwithstanding the lack of any direct nexus).

As to the expectation of privacy, the information was undoubtedly private when given to the Defendant and was intended to remain private, rather than being published to others. That is why it was intended to be kept, and was kept, in the Claimant’s “Strictly Private and Confidential” personnel file, in a locked filing cabinet. I regard the argument that the Claimant had no reasonable expectation of privacy as unsustainable.

As the Recorder’s judgment records at [24], the Defendant’s case before him had included the positive submission that the Defendant had rightly kept this information in a locked filing cabinet, this being the appropriate treatment for such information. That was, in effect, a concession that the information was confidential and was intended to be kept private and secure. It was a concession that was rightly made. In his judgment at [11], the Recorder referred to the information as “clearly confidential”. He was right to do so. I therefore reject Ground 6.

As to Lord Hoffmann’s second stage, the Defendant did not rely on its article 10 right to freedom of expression. The second stage therefore does not really arise.

The Defendant’s main arguments in relation to misuse of private information did not, in fact, fall comfortably within Lord Hoffmann’s two-stage approach.

First, under Grounds 1 and 2, the Defendant contended that it is impossible as a matter of legal principle for there to be a data security duty outside the DPA and the GDPR. I understood Mr Waite to put this in two slightly different ways:

For both lines of argument, Mr Waite relied on Warren v DSG Retail Limited [2021] EWHC 2168 (QB), in particular at [25]- to [27] and [30]; and also at [34]. He also referred me to Smith v Talk Talk Telecom Group[2022] EWHC 1311 (QB), but the passages he identified in that case did not seem to me to advance matters in any relevant way (although they emphasise the need to consider the substance of matters rather than paying excessive attention to linguistic labels such as “positive act” and “omission”).

Grounds 1 and 2 are based on a fallacious misunderstanding of Saini J’s judgment in Warren. It is obvious, and Warren acknowledges (as the structure of Saini J’s judgment makes clear) that the nature and essential ingredients of claims in either (i) misuse of private information or (ii) breach of confidence are different both from each other (see OBG Ltd v Allan [2007] UKHL 21, per Lord Nicholls at [255]; Vidal-Hall v Google Inc [2015] EWCA Civ 311, per Lord Dyson MR at [21]), and from the nature and essential ingredients of a claim under the GDPR.

In Warren, Saini J was not concerned with a case where the defendant was said to have disclosed information. That was a case where the complaint was that information had not been kept secure, and so was vulnerable to the intrusive actions of a hacker. Earlier in his judgment, at [20] to [32], he explained where this was insufficient for the purposes of misuse of private information or breach of confidence: because the failure to keep information secure cannot constitute misuse or disclosure, which those two actions require. Furthermore, the passage relied on by Mr Waite at [34] is not concerned with misuse of private information or breach of confidence but with the separate argument, raised in that case but not relevant here, that DSG owed a common law duty of care to keep Mr Warren’s information secure.

In this case, the relevant information was not vulnerable to being accessed by a third party, or hacked, when it remained in the personnel file, in the locked filing cabinet. It did not become available to Fletcher because he was able to pierce the Defendant’s security without the Defendant’s knowledge or involvement. He got it because the Defendant gave it to him. The obvious distinction between this case and Warren is apparent from Saini J’s conclusion, in relation to breach of confidence and misuse of private information, at [31]:

“Here, it was not DSG that disclosed the Claimant’s personal data, or misused it, but the criminal third-party hackers.”

In the present case, it was the Defendant that disclosed the Claimant’s personal information; and, by doing so, misused it. This disposes of Grounds 1 and 2.

The Defendant’s Ground 3 raises a separate but very similar argument in relation to misuse of private information: namely, that there was no misuse in this case, because:

“A malicious third party’s ability to unlawfully misappropriate information does not amount to a positive act of misuse of private information by the custodian of that information.”

This argument bears no relationship to the facts. There was a positive act of misuse: the positive disclosure of the information by Mr Bennett to Fletcher, Mr Bennett thereby acting on behalf of the Defendant and on the instruction of Ms Brockbank. Ground 3 therefore also fails.