Raine and Scott: comparing two oral disclosure cases

The decisions in Raine v JD Wetherspoon plc and Scott v LGBT Foundation Ltd provide important guidance on oral disclosure and data protection. At first glance the cases appear similar because both concern sensitive information disclosed verbally. The real distinction is narrower and more important: Scott is a memory-only case, whereas Raine concerns information retrieved from a recorded personnel file and then disclosed by telephone.

Introduction

The decision is important because it sharpens the way oral disclosure cases should be understood in data protection law. For some years, Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB) had been read as authority for a broad proposition that verbal disclosure is not processing of personal data. Raine shows that this reading is too wide. The better view is that the legal analysis depends on the source of the information and the way it is handled before it is spoken.

Both cases involved oral disclosure of sensitive personal data and both engaged privacy and confidentiality concerns. However, each case had materially different facts. Scott was decided under the Data Protection Act 1998 and turned on a communication that the court treated as purely verbal. Raine, by contrast, involved information held in a structured personnel file, accessed from that file, and then disclosed. That distinction explains why the outcomes differ.

Quick comparison

The Scott decision

Scott arose after the claimant approached the LGBT Foundation for support and disclosed very sensitive information about his mental health and wellbeing. The Foundation later telephoned his GP practice because of welfare concerns. The claimant alleged breaches of the Data Protection Act 1998, breach of confidence and infringement of his rights under the Human Rights Act 1998.

The High Court rejected the claim. On the data protection point, the court held that the DPA 1998 applied to recorded information and did not extend to a merely verbal disclosure of information that was not being processed from a relevant filing system. The confidence claim also failed because the charity’s confidentiality framework made clear that disclosure could be made where serious safeguarding concerns arose. The Human Rights Act claim failed because the defendant was not a public authority for those purposes.

The Raine decision

Raine concerned a former employee of JD Wetherspoon who had provided her mother’s mobile number as an emergency contact. The number was kept in paper form in a personnel file marked strictly private and confidential. Wetherspoon’s management also knew that the claimant had suffered serious domestic abuse and feared further contact from her former partner.

After the employment ended, the former partner telephoned the pub and pretended to be a police officer. Staff accessed the personnel file and disclosed the emergency contact number to the former partner without properly verifying the request. The former partner then used the number to continue harassing the claimant. At first instance the claimant succeeded in the misuse of private information and breach of confidence claims but the recorder dismissed the data protection claim because the final disclosure had been oral.

On appeal, Bright J restored the data protection claim. The High Court held that this was not a memory-only disclosure. The information was held in a recorded filing system, accessed from that system, and then relayed. That chain of activity fell within the definition of processing under the UK GDPR and the Data Protection Act 2018. The common law findings in misuse of private information and breach of confidence were also upheld.

Comparison and legal significance

The most useful way to compare the cases is to focus on what happened before the information was spoken. In Scott, the court treated the defendant’s disclosure as a purely verbal communication and therefore outside the old statutory regime. In Raine, the staff member did not simply speak from memory. The information came from a confidential employment record. It was located, extracted and then disclosed. The oral communication was therefore the end point of a data handling process rather than a free-standing conversation.

Raine does not overrule Scott. Instead, it confines Scott to its proper facts. Scott remains a narrow case about information that was not being processed from a relevant record at the point of disclosure. Raine establishes that an organisation cannot evade data protection obligations merely because the last step in the chain is verbal. If staff retrieve personal data from a file, spreadsheet, database or other structured record and then say it aloud, the handling of that information may still be processing.

The two cases also diverge on confidentiality and privacy. In Scott, the disclosure was treated as falling within a safeguarding exception that had already been communicated to the claimant. In Raine, there was no proper basis for disclosure. The staff member was dealing with an impersonator, the information was plainly confidential, and the employer’s own training on pretexting had not been followed. That made the common law analysis much more straightforward in the claimant’s favour.

Practical implications

For employers and other organisations, Raine is the more important modern authority. Most problematic oral disclosures do not begin in memory. They begin in a system: an HR file, a customer account, a patient record, a spreadsheet or a call handling screen. Raine confirms that the law looks at that wider sequence rather than isolating the final spoken act.

The case is also a reminder that data protection law does not operate alone. Misuse of private information and breach of confidence remain powerful causes of action where staff disclose confidential information to an unauthorised person. In practice, that means organisations should treat social engineering as a privacy risk as well as a security risk. Training, verification procedures and escalation rules matter most in exactly the kinds of fast-moving telephone interactions that caused the damage in Raine.

Conclusion

Read together, Scott and Raine are not contradictory. They deal with different kinds of oral disclosure. Scott is best understood as a memory-only case under the DPA 1998. Raine is the recorded-file case under the UK GDPR and the Data Protection Act 2018. The main lesson is that the legal analysis turns on whether the information was held in, and processed from, a recorded system before it was spoken.

That distinction matters in real-world compliance. It means that a spoken disclosure can still be a data protection breach, and in an appropriate case it can also amount to misuse of private information and breach of confidence. Raine therefore narrows the practical scope of Scott and provides the clearer guide for modern organisations handling sensitive information.

Authorities

Raine v JD Wetherspoon plc [2025] EWHC 1593 (KB)

Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB).

FAQ’s

Can a verbal disclosure be a data protection breach?
Yes. The Raine decision confirms that where personal data is retrieved from a structured record and then disclosed verbally, the activity may constitute processing under UK GDPR.

What is the difference between Raine and Scott?
Scott concerned a memory-only disclosure, whereas Raine involved information accessed from a recorded personnel file before being disclosed by telephone.

Does Raine overrule Scott?
No. Raine does not overrule Scott but limits its application to its specific facts.

Why is Raine important for organisations?
It highlights that staff disclosures made during telephone calls can create data protection liability where information is obtained from records before being disclosed.

Who would be interested in this article?
Data protection professionals, compliance officers, HR teams, legal practitioners and organisations handling sensitive personal information.