A timely reminder of the importance of staff training on data protection
Oct 09, 2025
Summary
Key takeaways
Failure to follow established protocols can have serious legal and reputational consequences, even where policies and training are in place.
Employers are advised to ensure that:
- Staff are familiar with internal procedures for handling requests for personal data, whether through informal or formal channels, and any gaps between policy and practice are narrowed as far as possible.
- Training is tailored to the specific data risks faced by the organisation, and this is reviewed and updated regularly.
- There is a clear escalation process for unusual or suspicious requests for personal data.
- Third party information, i.e. emergency contact details, is sufficiently and properly protected.
Case Analysis
The claimant was employed by the defendant until just before Christmas 2018. Throughout 2018, the claimant was subjected to harassment and violence by her then partner, of which the defendant was aware. Following her then partner’s arrest and subsequent conviction in Autumn 2018, the claimant changed her personal mobile number to prevent any further contact. After the claimant left her role with the defendant, her personnel file was retained in line with the defendant’s data retention policies. The file, labelled 'strictly private and confidential,' was securely stored in a locked cabinet. It contained, among other details, the mobile number of the claimant’s mother, which had been provided during her employment for use as an emergency contact.
On Christmas Day 2018, while on remand, the claimant’s now ex-partner called the defendant, pretended to be a police officer and convinced a member of staff to share with him the claimant’s emergency contact information. Despite having had training on “pretexting” and a policy requiring requests such as these to be referred to head office, the staff member only consulted a manager who instructed that the contact details should be released. Later that day, the claimant’s ex-partner used the phone number to further harass the claimant.
As a result, the claimant brought claims against the defendant for damages in the county court for: (1) misuse of private information, (2) breach of confidence and (3) breach of duties owed under the UK GDPR and Data Protection Act 2018 (DPA 2018). The Recorder found in favour of the claimant on the first two claims but dismissed the data protection claim. The defendant appealed the Recorder’s decision, and the claimant challenged the Recorder’s dismissal of the data protection claims. The High Court’s findings were as follows:
- Misuse of Private Information: The relevant information was the knowledge of the phone number, not its ownership. The defendant owed duties to the claimant in relation to this information. The fact that the information was stored in a file labelled “strictly private and confidential” and kept in a locked cabinet reinforced its private nature. The High Court also held that the staff member’s disclosure of the private information to a third party constituted misuse and the defendant’s appeal on this ground was dismissed.
- Breach of Confidence: The High Court found that an employer’s duty of confidence extended to the claimant’s mother’s mobile number in the circumstances, and that the relationship between employee and employer could give rise to such obligations, particularly given the claimant had not authorised the disclosure of the mobile number to her ex-partner. This ground of appeal was also dismissed.
- Breach of duties owed under UK GDPR and DPA 2018: The Recorder had dismissed this claim on the basis that the oral disclosure of the claimant’s mother’s phone number did not constitute “processing” under the UK GDPR. The High Court disagreed, holding that the information was contained in a manual filing system and its disclosure - whether oral or otherwise - fell within the definition of “processing” and the material scope of the UK GDPR. The claimant was successful in her appeal.