In Brake & another v Guy & others,1 the Court of Appeal held that an employer could make use of personal emails that an employee had sent from a work email address.
The circumstances were that the email account in question was the main business email address for the business, was designed for customer enquiries, and was accessible by other employees. No right of privacy attached to the personal emails of the employee and the its claims in misuse of private information and breach of confidence were dismissed.
The employees, Mr and Mrs Brake, were employed by a company to run a holiday-letting and wedding business. Mrs Brake had created three new email address for the business, one of which was an account for business enquiries, but which Mrs Brake also chose to use for personal emails.
In 2017, the business was sold to another entity belonging to the Defendant, Dr Guy, at which time Mr and Mrs Brake were dismissed from the business following a breakdown in relations.
Dr Guy subsequently discovered alleged wrongdoing in the business email account relating to the assets of the letting business, and provided copies of Mrs Brake's personal emails held on the company email account to the Mrs Brake’s trustee in bankruptcy2.
Against a backdrop of interlinked proceedings between the Claimants and some of the Defendants, Mrs Brake sought an injunction seeking to restrain the use of the personal emails and claimed that, by sharing the allegedly private emails with third parties, Dr Guy was misusing her private information and acting in breach of confidence.
Misuse of Private Information
The House of Lords in Campbell -v- Mirror Group Newspapers Ltd  UKHL 22 prescribed a two-stage test to determine whether there has been a misuse of private information. The principal test for determining whether information is private is:
- whether in respect of the disclosed facts the person in question had a reasonable expectation of privacy; or
- where there is doubt as to whether information is private, if disclosure of the information about the individual concerned would give substantial offence to a person of ordinary sensibilities placed in similar circumstances to that individual.
Breach of Confidence
For a claim in breach of confidence to succeed, it must satisfy three elements3:
- the information in question must have "the necessary quality of confidence about it";
- that information must have been imparted in circumstances importing an obligation of confidence;
- there must be an unauthorised use of that information to the detriment of the party communicating it.
High Court Decision
At first instance, the High Court dismissed the claim, holding that the user of a business account holding personal emails could have no reasonable expectation of privacy or confidentiality.
Having determined there was no obligation of confidence nor a reasonable expectation of privacy, HHJ Matthews proceeded to address the question of any misuse of private or confidential information "in case the matter should go further"4. HHJ Matthews held that it was difficult to see how the Claimants had suffered "any appreciable damage" in relation to the documents, and concluded there had been no misuse of confidential information or breach of privacy in passing the information, in confidence, to a lawyer or other professional adviser for the purpose of obtaining advice.
The Claimants duly appealed.
Key Legal Issues on Appeal
Misuse of Private Information
The Court of Appeal upheld HHJ Matthew's decision that Mrs Brake had failed to establish that there was an objectively reasonable expectation of privacy in respect of the emails disclosed to the trustee in bankruptcy. The business email address in question was used as a general business enquiries account, designed to receive enquiries from potential customers about the company's holiday letting services. While Mrs Brake was the principal user of the account, other employees of the company also had access and would often respond to business enquiries.
The allegedly private emails were not stored in a separate folder on the server, were not marked with anything to indicate that they were as "private" or "personal" to Mrs Brake, and were not separately password protected. In these circumstances, the Court of Appeal concluded that HHJ Matthews was entitled to find that there was no reasonable expectation of privacy as against the Defendants. Put simply, there could be no expectation that the contents of the emails should remain private to Mrs Brake alone.
Breach of Confidence
The Court of Appeal held that the personal information in the business enquiries account was not "imparted in circumstances imparting an obligation of confidence". Further, there was evidence that certain emails contained publicly available information, meaning they could, in no circumstances, attract the necessary quality of confidence.
Comment - What is private and confidential?
Whilst it is generally the case that employees have a reasonable expectation of privacy in the emails they send in a business environment (for instance, if personal emails are sent containing health data), the judgment is a helpful reminder that whilst content is an important determinative in establishing any claim to privacy, the context and the forum in which such information is stored and shared is also equally important.
While employees retain the right to bring a misuse of private information claim and/or a breach of confidence claim if there is a reasonable expectation of privacy in the information and/or if the information is sensitive or secret, businesses and their employees likewise should recognise the importance of delineating between personal and business email accounts, and minimising overlap between the two in order to fully protect the personal information of employees.
Whilst the Brakes had raised a claim for infringement of their data protection rights, this claim was not pursued at trial. It remains the case that whilst claims based on common law privacy torts are available, organisations are facing an increasing number of claims for statutory breaches of the UK GDPR and Data Protection Act 2018. Whilst the breaks were therefore applied to this privacy action, similar issues are anticipated to arise in the future, focussing on alleged statutory causes of action and breaches of data protection laws.