17/08/2025
Lessons from Raine v JD Wetherspoon
Summary
In Raine v JD Wetherspoon PLC [2025] EWHC 1593 (KB), the High Court handed down a pivotal judgment on 27 June 2025 affirming that oral disclosure of personal data, when originating from a recorded system, constitutes “processing” under the UK GDPR. This decision reverberates across HR and privacy sectors, serving as a sharp reminder:
robust policy isn’t enough, it’s the practice that counts.
Case Facts
- The claimant had supplied her mother’s mobile number as an emergency contact, stored securely in her personnel file marked “Strictly Private and Confidential.”
- She had formally reported serious abuse and harassment experienced at home to her manager in 2018, the employer was thus aware of her vulnerability and risks.
- On Christmas Day 2018, her former abusive partner impersonated a police officer and deceived staff into disclosing her mother’s number, despite training and guidelines in place.
Legal Journey
County Court at Central London (Recorder’s Decision)
- Misuse of private information and breach of confidence, findings in the claimant’s favour.
- Data protection claim under UK GDPR/DPA 2018, dismissed, as the Recorder held that purely oral disclosures do not constitute “processing.” This relied on Scott v LGBT Foundation (2020), where, crucially, the data had never been recorded.
High Court (Mr Justice Bright)
- Appeals by JD Wetherspoon were dismissed, the claimant’s cross-appeal on data protection was allowed.
- Misuse of private information: The mother’s phone number was held to be the claimant’s private information, even though it belonged to her mother, because the relevant data (the digits) pertained to the claimant and was provided for emergency use.
- The court rejected Wetherspoon’s attempt to collapse common law privacy claims into GDPR claims, reaffirming that tortious remedies (misuse of private information, breach of confidence) operate alongside statutory duties, and are triggered when there’s a positive act of misuse.
- Breach of confidence: All three elements were met, confidentiality, obligation, and unauthorised disclosure, even though the defendant argued implied consent to emergency disclosure. Consent does not extend to deceptive requests.
- Data protection: The crucial departure from the Recorder’s judgment lies in recognizing that oral disclosure of data originally recorded in a personnel file is indeed “processing” under UK GDPR Article 4(2). The court distinguished Scott (no record was ever made it was only ever oral information) and relied on authority such as Holyoake v Candy (2017) and the ECJ’s decision in Endemol Shine Finland Oy (C-740/22) to affirm that any disclosure, even made orally, counts as processing.
- The number was taken from the file, read out, and passed on to the ex-partner, each of those steps counts as “processing” under GDPR, which clearly covers both using stored data and disclosing it to someone else.
- There is no indication that any further appeal is currently underway, so the High Court’s ruling stands as the current legal position.
Damages & Outcome
- The claimant’s award of £4,500 in damages for psychological harm caused by the breach was upheld.
- Judgment underscores a firm stance: knowing the risk and ignoring it isn’t a defence, even post-employment record retention doesn’t absolve employers.
Key Insights for Privacy Leaders
1. Emergency contact data is your data too
Even if the contact information belongs to someone else, it becomes personally linked when provided by the subject, treated as the subject’s data under UK GDPR.
2. Oral disclosure = processing (if the data was recorded)
If data has been recorded, even manually, any retrieval and oral disclosure triggers UK GDPR duties. That’s a non-negotiable duty. The UK GDPR definition of ‘processing’ is deliberately broad, I often say if you so much as breathe near personal data, you’re probably processing it under Article 4 UK GDPR.
3. Policies vs. Practice: heart of the problem
JD Wetherspoon had pretexting training, but staff didn’t follow protocol. It’s not enough to have training, you must embed it.
4. Consent has limits
As I always advise, consent to share data in emergencies doesn’t cover cunning or deceptive requests. Staff need clear escalation paths to share data lawfully and demonstrate accountability.
Strategic Takeaways for Your Organisation
| Action Area | Practical Steps |
|---|---|
| Training & Escalation | Simulate deception scenarios, reinforce that staff should refuse suspicious requests and escalate. Training is key to confident handling of data. |
| Data Inventory | Map emergency contact data within personnel systems, understand where it’s stored and who accesses it. Is this reflected in your employee privacy notice? |
| Response Protocols | Create step-by-step guides for verifying identity (e.g., callback systems, confirmation via internal channels). |
| Retention & Access Controls | Even retained records (post-employment) must remain protected, limit access strictly and document disclosures. |
| Incident Review | If a breach occurs, review not just the policy, but why staff deviated. Culture matters. |
Conclusion: Raine v JD Wetherspoon reinforces that oral disclosure of recorded personal data is firmly “processing” under UK GDPR. It’s a critical lesson, especially in safeguarding those who are most vulnerable. Let’s ensure your policies don’t just exist, they protect.
How JH Data Protection can help
At JH Data Protection, we work with you to:
- Translate this ruling into operational protections.
- Turn principles into practical real practices that withstand threats.
- Make your data protocols resilient: from emergency contacts, employee data to breach handling, we ensure UK GDPR duties are lived, not just documented.
Send us a message to start the conversation, email: dpo@jhdataprotection.com
JH Data Protection Limited 
Leave a comment