Welcome

Welcome to ‘Did You Know?’, Hempsons’ publication designed to keep you informed about the latest legal developments, legislation, and noteworthy case law across our sectors.

Data protection and information governance are full of surprising nuances that can catch even experienced professionals off guard. In this edition, we explore five key areas where common assumptions often lead to mistakes: from the risks of a single oral disclosure, to the pitfalls of over-notifying data breaches, to clarifying who really falls under the Freedom of Information Act 2000. We also share practical tips for handling Subject Access Requests and uncover why the GDPR doesn’t apply to deceased individuals. These insights aim to help you stay compliant, avoid unnecessary exposure, and strengthen your organisation’s approach to information management.

We hope you find the articles in this edition interesting and useful. If you need any legal assistance, have questions, or wish to discuss any of the issues covered, we would be delighted to hear from you.

Did you know that a single oral disclosure of personal information can lead to liability?

A single oral disclosure of personal information in the wrong circumstances can lead to liability for organisations under a number of potential grounds. In Raine v JD Wetherspoon plc, the High Court heard an appeal in which it considered claims for the misuse of private information, breach of confidence and on the basis of breach of data protection rules. The case is particularly relevant to situations where data is obtained through deception. It is a useful reminder that potential liability can arise under more than one type of claim.

The Court upheld damages of £4,500 in the circumstances of this case, where the disclosure caused an exacerbation of the claimant’s existing psychological conditions.

Case Summary

The claimant, a former employee of the defendant, had given her mother’s mobile phone number to her employer as an emergency contact. These details were recorded in her personnel file, which was a paper file kept in a locked filing cabinet marked “Strictly Private and Confidential”. The claimant had told her employer that her former partner was abusive. After her employment ended, the claimant’s ex-partner called the pub, pretended to be a police officer and claimed that he needed to contact the claimant urgently.

A staff member was permitted, after consulting with the manager, to disclose the claimant’s mother’s mobile phone number to the caller, believing the request to be urgent and official. It is very common in scams seeking personal information for callers to impersonate figures of authority and to stress that the information sought is needed urgently. After obtaining the mother’s mobile phone number, the ex-partner contacted the claimant’s mother and was able to speak to the claimant, during which call he abused and threatened the claimant.

Judgment

The Court had to consider:

  1. Can information relate or belong to more than one person for the purposes of a misuse of private information claim?
  2. Are misuse of private information and breach of confidence claims still available if a parallel GDPR/Data Protection Act (“DPA”) 2018 claim fails?
  3. Does an oral disclosure of data from a recorded file constitute “processing” under the UK GDPR and the DPA 2018?

Misuse of private information

The Court usually applies a two-stage test to these sorts of claims:

  • did the claimant have a reasonable expectation of privacy in the relevant information; and
  • was that expectation outweighed by freedom of expression rights.

The second of these points was not argued in the case.

In relation to the first stage, the Court was clear that personal records of this kind would carry an expectation of privacy. The defendant argued that the claimant’s mother’s mobile phone number would not fall within the meaning of the claimant’s information. In the context of the relationship between the claimant and the defendant, the Court considered that the information also belonged to the claimant. Here, the claimant’s mother’s number was found to be “undoubtedly private” as it was marked “Strictly Private and Confidential” and securely stored.

Arguments made by the defendant that only DPA/GDPR could create liability for claims relating to personal data breaches were rejected.

Liability was made out for this claim.

Breach of confidence

The Court applied the three-stage test:

  • the information must have the necessary quality of confidence about it;
  • the information must have been imparted in circumstances importing an obligation of confidence; and
  • there must be an unauthorised use or disclosure of that information.

The Court held that the claimant’s mother’s mobile phone number was confidential information supplied in an employment context, and the employer’s duty of confidence extended beyond employment termination. The disclosure was unauthorised, as the claimant had not authorised the defendant to share the information beyond internal use. Therefore, all elements for liability of breach of confidence were met.

GDPR / Data Protection

The lower Court had held that the communication of data by purely oral means – here, the telephone conversation between the employee of Wetherspoons and the claimant’s former partner – was not sufficient to amount to processing. As the Court had already upheld the damages claim in relation to the earlier points, this claim did not need to be decided. However, the Court considered the arguments and ruled that the provision of the telephone number in these circumstances “falls squarely within the definition of ‘processing’ in the GDPR at article 4(2)”. Accordingly, if necessary, the claim would also have been upheld under the GDPR.

Damages awarded

The claim in this case was for damages much more significant than mere trivial upset about a data loss. The recorder found that the defendant’s breaches “exacerbated the claimant’s existing psychological damage” and awarded damages for personal injury in the sum of £4,500. The High Court upheld this award.

Key takeaways from the judgment

This case reinforces several important principles for organisations handling personal data:

  • Need for Verification: personal details must be treated as confidential information and safeguarded appropriately. Organisations should take measures to avoid being tricked into releasing personal data to supposed figures of authority without first determining that the request comes from an appropriate authority and that there is a basis on which to release the requested information;
  • Liability Beyond Data Protection Laws: breach of confidence and misuse of private information can occur separately from breaches of the DPA / GDPR, meaning liability can arise even when a claim under data protection legislation is unsuccessful;
  • Training: this judgment underscores the need for organisations to have clear policies on data protection, and to implement robust training in relation to the release of personal information; and
  • Damages: Courts will award compensation where disclosure causes harm.

In the event of any doubt, or to have a further discussion around data protection issues, do speak to one of our specialist lawyers.

Michael Rourke

Partner
m.rourke@hempsons.co.uk

Ella Maher

Solicitor
e.maher@hempsons.co.uk

Did you know you may be over-notifying data breaches?

“We think we may have had a data breach” is a phrase guaranteed to make the heart sink. As the UK GDPR requires data controllers to have systems in place to report suspected data breaches internally, evaluate their severity and report onwards externally, those responsible for information governance will receive such messages all too often.

However, it does not necessarily follow that a large number of internal notifications will lead to a large number of external reports, or that it is a sign of poor data protection practice within your organisation. Data controllers should encourage a low threshold for reporting potential data breaches internally, and should empower staff to raise issues without fear of being subjected to disciplinary sanction – most data breaches are the result of isolated human error, and collecting information about trivial errors and near misses provides data controllers with the data needed to identify improvements to internal systems and protocols. If staff are hesitant to report issues, you may only discover the weakness in your system after a catastrophic data breach, so a positive reporting culture is to be encouraged[1].

Not every data breach reported internally will need to be reported externally. The UK GDPR sets out three levels of data breach:

  • Data breaches that are ‘unlikely to result in a risk to the rights and freedoms of natural persons’[2]. There is some guidance as to what this means – for example, accidental disclosure to a ‘trusted recipient’ who deletes or returns the data will not be reportable externally[3].
  • Data breaches where the risk to the ‘rights and freedoms of natural persons’ is not ‘unlikely’ but is also not ‘high’[4]. These breaches are to be notified to the regulator, the Information Commissioner (soon to be renamed the Information Commission), within 72 hours.
  • Data breaches presenting ‘a high risk to the rights and freedoms of natural persons’, which must be notified to the Information Commissioner and to the affected data subject(s)[5] (our emphasis).

It is the assessment of whether a data breach is likely to present a ‘high risk’ to the rights and freedoms of data subjects that presents data controllers, especially in the health and social care sectors, with the greatest difficulty, and often results in the assumption that all data breaches affecting such information have to be notified to the affected data subjects. After all, the Information Commissioner’s guidance gives the example:

“A hospital suffers a breach that results in accidental disclosure of patient records. There is likely to be a significant impact on the affected individuals because of the sensitivity of the data and their confidential medical details becoming known to others. This is likely to result in a high risk to their rights and freedoms, so they would need to be informed about the breach.”[6]

However, case law indicates that for all types of data breach, the risk assessment is to be undertaken in light of the particular circumstances of any given case – while all information in health records is protected by the same duty of confidentiality, not all such information has the same sensitivity – there is a difference between information simply confirming that a person is a patient of a particular healthcare provider and information about the detail of that particular person’s treatment.

A very recent Court of Appeal decision in Farley v Paymaster (1836) Limited (trading as Equiniti)[7] sheds light upon when a data breach will be regarded as causing harm sufficient to attract a remedy in damages. Harm will normally materialise as a consequence of fear that the information in question will be misused, for example for identity theft, or unwanted contact, or dissemination of sensitive health data. The Farley decision confirms that for the harm to give rise to a right of compensation, these fears must be objectively ‘“well-founded” as opposed to being based on a “purely hypothetical risk” or similar’[8].

Of course, the level of risk to the rights and freedoms of the data subject does not correspond precisely to the likelihood of harm. However, it is a factor that should be taken into account when assessing the level of risk arising from a data breach. Indeed, with some trivial data breaches, the risk to the rights and freedoms of data subjects may arise not from the breach itself, but from the fact of notification. Where the breach involves no risk against which the data subject could take action to protect themselves, and where there is, objectively, nothing that could give rise to any ‘well-founded’ fears on the part of the data subject, it is legitimate to question whether there is a ‘high risk’ to the data subject requiring individual notification. A parallel can be drawn with the NHS duty of candour, which has a threshold that the incident could cause prolonged psychological harm.

Thus, even where a data breach involves health or social care data, an individual assessment of the likelihood of risk to the affected data subject should be undertaken – it should not be assumed that just because health data is involved the breach must automatically be notified to individuals. Of course, with this approach there is a danger that a data controller could be accused of downplaying the risk of harm to avoid making notifications – after all, your view that a data breach is trivial could be seen as self-serving. In such situations however, any data controller will be well advised to report the data breach to the Information Commissioner and explain the rationale behind any risk assessment concluding that individuals need not be informed given the circumstances of the data breach, providing external oversight of the decision-making process.

In the event of any doubt, or to have a further discussion around whether or not to notify, do speak to one of our specialist lawyers.

[1] Of course, in some cases further action in respect of specific individuals will be needed, for example if the error shows remedial training is needed, or if there is an intentional breach of internal requirements.

[2] Article 33(1) UK GDPR

[3] See paragraph 114 of the European Data Protection Board’s Guidelines 9/2022 on personal data breach notification under GDPR – not binding on the UK but of persuasive authority

[4] Article 33(1) UK GDPR

[5] Article 34(1) UK GDPR

[6] https://ico.org.uk/for-organisations/report-a-breach/personal-data-breach/personal-data-breaches-a-guide/#riskassessingdata (accessed 26 08 25)

[7] [2025] EWCA Civ 1117 (22 August 2025)

[8] Para 77, [2025] EWCA Civ 1117

Chris Alderson

Partner
c.alderson@hempsons.co.uk

Did you know organisations that perform public functions are not always caught within the Freedom of Information Act 2000?

The Freedom of Information Act 2000 allows the public to make a formal request for access to information held by public authorities. Public authorities include government departments, local authorities and the NHS. However, we have recently been asked to advise whether non-public bodies that have been commissioned by public bodies to carry out tasks on their behalf are subject to freedom of information requests.

Schedule 1 of the Act contains a list of bodies that are classed as public authorities for the purposes of these requests. In addition, section 6 of the Act confirms that companies that are wholly owned by the wider public sector must also respond to requests for information. However, there is nothing in the Act that states that an organisation that receives public money, or performs public functions, is obliged to respond to a request for the information it holds on behalf of the public authority. The Information Commissioner’s Office website (What is the FOI Act and are we covered? | ICO) confirms that [my emphasis added]:

“Where you subcontract public services to an external company, that company may then hold information on your behalf, depending on the type of information and your contract with them… The company does not have to answer any requests for information it receives”.

However, although there may not be a statutory duty to respond to such requests, the contract under which a non-public body performs the public functions may include a contractual obligation to respond to them. It would therefore be sensible to review any contracts carefully for such a provision.

If an organisation is not contractually obliged to respond to these requests, then good practice would be to forward any freedom of information requests to the public body on whose behalf it is acting, so that that body can respond as required.

If you receive a freedom of information request and are unsure whether you are legally or contractually required to respond, do speak to one of our specialist lawyers.

Mesha Kneen

Solicitor
m.kneen@hempsons.co.uk

Did you know? – Top Tips for responding to Subject Access Requests

Under Article 15 of the General Data Protection Regulation (“GDPR”), individuals have the right to access and request copies of their personal data. This is known as a Subject Access Request.

We assist a number of organisations and charities in complying with subject access requests. Here are our top tips for handling these requests:

Make a note of the date the request is received

Subject access requests do not need to be made in a specific format. They can be relatively informal and don’t need to mention data protection law or that it is a subject access request.

A subject access request must be complied with without undue delay, and at the latest within one month of receiving the request. This time can be extended by a further two months if the request is complex, or if there are numerous requests.

Therefore, recording the date on which the request is received will help you keep track of the deadlines.

Could the request for a large amount of data be clarified?

Where large quantities of information are requested, Recital 63 GDPR allows an organisation to request further information from the individual to pinpoint the information that they are looking for. This could include a request for data during a particular time period, from a specific person, or around a specific incident. The time limit for responding to the request is paused until the clarification is received.

What is classified as personal data?

An individual only has a right of access to their own personal data. Personal data is defined in Article 4 GDPR as any information relating to the individual. Therefore, when deciding whether a document or email should be disclosed as part of a subject access request, it is important to ensure that the information has the individual as its focus. Some examples of this include where:

  • The content of the information is about the individual
  • The purpose of the information is to evaluate or make a decision about the individual

The following are examples of information which does not necessarily constitute personal data:

  • If the individual is referenced in a record, but the context does not relate to them. For example, they may be named in an email, but the email is considering the care of a patient. This email would therefore be the personal data of the patient.
  • Emails relating to the everyday working of the organisation, such as office-wide memos that the individual also received. As with the above example, although the individual received the email, the context of the email means that it is not their personal data.

What if the request includes third party data?

If the information requested also contains the personal data of a third party, this is known as mixed data. In these circumstances it should be assessed what information can be disclosed without revealing the other person’s data. This may be, for example, removing or redacting the third party data and any data that makes the third party identifiable.

However, if the mixed data is so inextricably linked that the individual’s data would be indecipherable if the third party data were redacted, then it will need to be assessed whether the information should be withheld from the individual on the basis of the ‘third party data’ exemption set out in Schedule 2 Section 16 of the Data Protection Act 2018.

In the event of any concern or doubt around complying with a subject access request, do speak to one of our specialist lawyers.

Mesha Kneen

Solicitor
m.kneen@hempsons.co.uk

Did you know that the GDPR doesn’t apply to dead people?

Small sections of the Access to Health Records Act 1990 remain in place specifically to address requests for copies of health records received after a person has passed away.

Only the individual’s personal representative, or a person who may have a claim arising out of the deceased’s death, may request and be provided with a copy of the records.

It is important for a provider to check that the person requesting access to the records is in fact entitled to receive them.

It is also important to check whether there is an entry in the records indicating that the deceased did not want their records to be shared following their death. This might be expressly that they not be shared with anyone, or that they not be shared with a particular person.

It is not uncommon for previously unknown relatives to request copies of records after someone has passed away, thinking they might be able to bring, for example, a clinical negligence claim. It is therefore important to exercise just as much caution around what information is shared, and with whom, after the person has died as whilst they are still alive and their records are subject to the GDPR.

If information is to be provided, then this does not mean that a complete copy of the records needs to be shared. The holder of the records need only share information that is relevant to any potential claim.

This legislation specifically relates to health records, being those made by or on behalf of a health professional. The legislation does not expressly reference social care records, but we know requests are often made to social care providers for copies of records after a person’s death. We would urge care providers to exercise the same caution and the same principles when considering disclosure.

If you have any queries surrounding access to records after a person’s death, do not hesitate to speak to one of our data protection team, who would be very happy to advise further.

Philippa Doyle

Partner
p.doyle@hempsons.co.uk

Our data protection services

Hempsons offers expert guidance on data protection and information law, helping organisations stay compliant while enabling innovation. Our services include:

  • GDPR & Governance – Policies, privacy notices, and compliance frameworks tailored to healthcare and research.
  • Data Breach Response – Strategic advice and regulator liaison to manage incidents effectively.
  • Requests & Investigations – Support with subject access requests, FOI matters, and ICO investigations.
  • AI & Analytics Projects – Trusted research environments and safeguards for cutting-edge data use.
  • Contracts & Procurement – Legal oversight for IT contracts and collaborative projects.

We combine legal expertise with practical solutions to protect data and empower progress.

Main contacts

Chris Alderson

Partner
c.alderson@hempsons.co.uk

Philippa Doyle

Partner
p.doyle@hempsons.co.uk

Michael Rourke

Partner
m.rourke@hempsons.co.uk

Michael Ainsworth

Partner
m.ainsworth@hempsons.co.uk

Mesha Kneen

Solicitor
m.kneen@hempsons.co.uk

Ella Maher

Solicitor
e.maher@hempsons.co.uk