
Breach of personal data and whistleblowing


What does it mean?

Where your disclosure contains the personal information of your colleagues, clients, or anyone else, then you must be careful not to commit a breach of those persons’ data protection rights.

Data protection law is very complicated. The main piece of data protection legislation is the Data Protection Act 2018 (the “DPA”), which implemented the EU General Data Protection Regulation (“GDPR”) into English law. If you are unsure whether you are permitted to collect or disclose certain personal data then you may wish to consider the legal principles set out below. Please note that these are guiding legal principles only.

What is “personal data”?

The GDPR defines personal data as:

  • “any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person” (Article 4(1)).

Personal data can include, but is not limited to, information such as your name, address, appearance, credit card details, or personal telephone number. For example, if one of the pieces of evidence that has led you to raise whistleblowing concerns is a dismissal letter from your employer to a former colleague, this may contain your colleague’s name, email address, phone number, and national insurance number. All of this information is personal data.

It is important to be aware that there are also ‘special categories’ of personal data, which are considered sensitive and require a higher level of protection. These include: (a) race; (b) political opinion; (c) religion; (d) sexual orientation; and (e) biometric and genetic data (such as fingerprints).

Data is only personal data if it relates to a real human being. Disclosure of confidential or sensitive information belonging to a company or other organisation would not therefore be a personal data breach but it may be a breach of confidence.

When will personal data have been breached?

Under the DPA, there are a number of civil and criminal offences relating to the breach of personal data. However, the broadest, most serious, and most likely to apply is that of “unlawfully obtaining personal data” (section 170(1)). This criminal offence is committed where a person knowingly or recklessly, without the consent of the “controller” (which in most cases is likely to be your employer):

(a) Obtains or discloses personal data;

For example, accessing HR records of one of your colleagues and then sharing that with other colleagues.

(b) Procures the disclosure of personal data to another person;

For example, passing on documents containing personal data to a regulator or to the media.

(c) After obtaining personal data, retains it.

For example, emailing evidence from your work laptop to your personal laptop and storing it there.

N.B. As this offence can be committed “recklessly”, you do not need to have intended to commit the offence. It is sufficient if you were aware of the risk that a circumstance existed or would exist and you unreasonably took that risk (R v G and another [2003] UKHL 50).

For example, if you think there is a chance that certain documents you have downloaded contain personal data and you disclose them without first checking whether they do then you may have acted recklessly.

A key element of the offence is that you did not have the consent of the “controller”. The GDPR defines “controller” as the person or body that “determines the purposes and means of the processing of personal data” (Article 4(7)). As noted above, this is most likely to be your employer. Notably, it is not the person whose personal data has been breached.

Other offences of which to be aware:

(a) Re-identification of de-identified data (section 172 DPA); and

For example, where you re-identify the names of individuals whose names have been redacted to protect their identity and you share those names when disclosing the documents.

(b) Offering to sell personal data that has been obtained unlawfully (section 170(4), (5) DPA).

For example, if you offer to sell to the press documents containing personal information that you have obtained without the consent of your employer.

What could happen if I am convicted?

As breaching section 170(1) is a criminal offence, your employer or the individuals whose data have been breached may report you to the police. This could lead to you being charged and prosecuted. As most of these criminal offences are “triable either way”, you may stand trial in either the Magistrates’ Court or Crown Court. The maximum sentence is an unlimited fine. In addition, the court may order documents to be forfeited, destroyed or erased if they think it is appropriate and the documents have been used in connection with processing personal data.

Are there any defences to committing a personal data breach?

You should ensure that you are acting proportionately by not handling any more data than is necessary in the circumstances (for example, you should only handle data that you need to support what you are alleging when raising whistleblowing concerns). You should also only retain that data for as long as is necessary. If you can show this, then it will help you if you are accused of having committed a personal data breach.

Section 170(2) DPA

If you are charged with a criminal offence then you will have a defence if you can prove that the breach was:

(a) In the particular circumstances, justified as being in the public interest (for example, if your employer has been committing tax evasion and therefore not paying as much tax as it should have been, you report this to HMRC, and in doing so necessarily disclose some personal data of your colleagues, such as National Insurance numbers). This is the defence that is most likely to be available to a whistleblower;

(b) Necessary for the purposes of preventing or detecting crime (for example, if you reasonably suspect that bribery has been or is being committed within your organisation and you report this to the police, naming the individuals that you believe have been committing bribery); or

(c) Required or authorised by an enactment, rule of law or by the order of a court or tribunal (for example, if you are involved in court proceedings and the court orders you to hand over documents containing clients’ personal data).

Section 170(3) DPA

There are also “reasonable belief” and “special purpose” defences available where a person has acted:

(a) in the reasonable belief that they had a legal right to do the obtaining, disclosing, procuring or retaining of personal data;

(b) in the reasonable belief that they would have had the consent of the controller if the controller had known about the obtaining, disclosing, procuring or retaining and the circumstances of it; or

(c) for the special purposes (being journalism, academic, artistic or literary purposes), with a view to the publication by a person of any journalistic, academic, artistic or literary material, and in the reasonable belief that in the particular circumstances the obtaining, disclosing, procuring or retaining was justified as being in the public interest.

Dos and Don'ts

  • Do only disclose personal data or private information that it is absolutely necessary to disclose.
  • Do only disclose personal data or private information to the individual(s) to whom it is necessary to disclose.
  • Do take care when disclosing personal or private information, especially if it is sensitive (such as health information or someone’s sexual orientation) – always ask yourself whether it is absolutely necessary to disclose the information in question.
  • Do check your workplace policies on disclosure of information.
  • Don’t access or share materials you are not authorised to access without first seeking legal advice or raising your concerns under your employer’s whistleblowing policy or to a prescribed person.

    A Prescribed Person is someone independent from your employer, but who has a relationship of authority with them (e.g. a regulator). For instance, if your concern relates to data protection / freedom of information then the relevant prescribed person would be the Information Commissioner. A full list of prescribed persons can be found here. For more information on making a disclosure to a prescribed person see our webpage on external disclosures.

  • Don’t email confidential information to your personal computer, upload it to a cloud platform, or extract confidential information using USB or other devices.

Can I take photos/screenshots of my files or transfer them to my personal computer to ensure I can prove my case?

Unless the public interest or some other defence under the DPA is available, transferring work files to a personal computer without authorisation is very risky. It could lead to your employer terminating your employment contract if they become aware of your actions and could expose you to a breach of contract claim, particularly if the information taken includes trade secrets. Even where you are able to show that you have made a protected disclosure, your employer may defend any claim for automatic unfair dismissal by arguing that they dismissed you for misconduct (in breaching their policy on electronic communications) rather than for the disclosure itself.

As such, it is best not to remove the information from your work computer.

Need advice on this?

You can contact the Protect Advice Line for advice on breach of personal data and whistleblowing.
