Grant Thornton [A Firm] and Anor v Scanlan

THE HIGH COURT Record No. 2015/9954P [2026] IEHC 167 Between GRANT THORNTON and GRANT THORNTON CORPORATE FINANCE LTD Plaintiffs and GERARDINE SCANLAN Defendant Judgment of Mr. Justice Conor Dignam delivered on the 19th day of March 2026 TABLE OF CONTENTS INTRODUCTION ...................................................................................................... 3 THE PARTIES’ PLEADED CASES ................................................................................ 5 BREACH OF CONFIDENCE ........................................................................................ 7 General .............................................................................................................. 7 Information must be confidential .......................................................................... 12 Circumstances giving rise to duty of confidence ...................................................... 15 Duty of confidence ............................................................................................. 16 THE PARTIES’ ARGUMENTS ................................................................................... 18 Facts not in dispute ............................................................................................... 18 Arguments ........................................................................................................... 19 DISCUSSION ......................................................................................................... 21 Quality of Confidence ............................................................................................ 21 Duty of confidence ................................................................................................ 29 Breach of confidence ............................................................................................. 30 Examination of the Information ............................................................................ 30 1 Failure/refusal to return information ..................................................................... 32 Disclosure of information .................................................................................... 41 Copying the information ...................................................................................... 43 Approach of the defendant .................................................................................. 44 No Fire ................................................................................................................ 45 Locus standi/enforceability ..................................................................................... 47 CONCLUSION ON INJUNCTION APPLICATION ........................................................ 55 COUNTERCLAIM .................................................................................................... 58 SUMMARY ............................................................................................................. 63 2 INTRODUCTION 1. These proceedings have a long and procedurally complex history. They are also related to a number of other sets of proceedings. There have been a significant number of interlocutory applications and appeals since the proceedings were instituted in 2015, and a number of written judgments have been delivered. The procedural history is set out in some of those judgments, including a judgment which I delivered at an earlier stage (Grant Thornton (a firm) & anor v Scanlan [2022] IEHC 610), and it is not necessary for me to repeat that background at this stage (though I will refer to some aspects of it later). This judgment concerns the trial of the substantive action. The plaintiffs seek permanent injunctions against the defendant in respect of information that came into the defendant’s possession. By way of Counterclaim, the defendants seeks damages from the plaintiffs for their delay in dealing with a data access request by the defendant. 2. The directly relevant facts can be stated in a few paragraphs. There is very little dispute between the parties as to the key facts. 3. By deed of appointment of the 26th August 2013, Mr. Stephen Tennant of Grant Thornton was appointed as receiver over certain assets of the defendant. 4. The defendant made a data access request to the receiver/Grant Thornton in 2013. There was significant delay on the part of the receiver/Grant Thornton in dealing with this data access request and, in January 2015, the Data Protection Commissioner notified Grant Thornton of the data access request. On the 11th September 2015, Grant Thornton, in response to the data access request, furnished to the defendant a CD containing information and documents. It transpired that this CD, through error, in addition to the defendant’s personal data, also contained a very significant volume of information which did not relate to the defendant. I return to the nature of the information. 5. On the 3rd October 2015, the defendant alerted Grant Thornton to the fact that the CD contained information which was unconnected with her. In reply, on the 13 th October 2015, Grant Thornton advised the defendant that a data breach had inadvertently occurred and requested that the defendant return the information. The defendant did not do so. There followed correspondence between the parties during which this request was repeated. It will be necessary to refer to this correspondence 3 in greater detail later in the judgment. The plaintiffs sought certain undertakings from the defendant. These were not given. The plaintiffs applied for interim injunctions and these were granted by Gilligan J on the 27th November 2015. When the application for interlocutory injunctions came before the court on the 4 th December 2015 (having been adjourned from the 1st December), the defendant gave undertakings and consented to the grant of interlocutory injunctions in relation to, inter alia, dissemination, communication, use, and retrieval of the confidential information (as defined in the schedule to the Order). 6. Prior to this, the defendant had disclosed some of the contents of the CD to two third parties (this is not disputed), and possibly to another third party (this is disputed). She had also copied the contents of the CD onto a number of USB keys and had possibly made a hard copy of the information or some of the information. The plaintiffs claim that they were also contacted by other third parties who had in their possession documents comprising part of the information on the CD, and that documents had been made available to view by the public at large on social media. 7. It is claimed that in those circumstances the defendant acted in breach of confidence and breach of duty. 8. On the day of the interlocutory injunction hearing, the defendant gave the plaintiffs the CD and a USB key. It appears that the defendant could not find the remaining USB key(s) and she gave an undertaking to make every effort to locate it/them and, if found, to return it/them to the solicitors for the plaintiffs. The plaintiffs gave an undertaking to furnish to the defendant her personal data, within the meaning of the Data Protection Acts. 9. A Statement of Claim was delivered in February 2016. The plaintiffs’ pleaded case included a claim in breach of confidence, a claim under the Data Protection Acts, and a claim for damages. At the same time, the plaintiffs invited the defendant to consent to some of the interlocutory injunctions being made permanent on the basis that there would be no further order as to costs and the plaintiffs would undertake not to enforce the costs order related to the interlocutory injunction. This was rejected by the defendant. This offer and rejection were repeated subsequently. The defendant delivered a Defence and Counterclaim in June 2016. The pleadings were amended on a number of occasions. These amendments included the withdrawal by the plaintiffs 4 of any claim under the Data Protection Acts and of their claim for damages. This is part of the protracted history of the proceedings and, indeed, is a persistent cause of complaint by the defendant. Ultimately, the operative pleadings consist of a Re- Amended Statement of Claim dated the 22nd April 2021, an Amended Revised Defence and Counterclaim, and an Amended Revised Reply and Defence to Counterclaim dated the 7th April 2022. The operative Amended Revised Defence and Counterclaim was, unusually, prepared by the plaintiffs, sent to the defendant on the 22nd November 2021, and accepted by the defendant as her Defence and Counterclaim. It was determined by Allen J on the 31st March 2022 to be the defendant’s Defence and Counterclaim. As just noted, the plaintiffs’ claim has narrowed over the course of the amendments to the original pleadings. The operative Re-Amended Statement of Claim does not include any claim on foot of the Data Protection Acts or any claim for damages against the defendant. The defendant makes complaint about the removal of any claims based on the Data Protection Act after they had been part of the plaintiffs’ claim for six years. I will have to refer to that later in this judgment. THE PARTIES’ PLEADED CASES 10. In summary, the claim that is pleaded by the plaintiffs is as follows. The CD contained “personal data relating to the Defendant (within the meaning of the Data Protection Acts)”, and other information which was “confidential information and/or personal data relating to third parties and confidential proprietary information of Grant Thornton, including material which was legally privileged.” For the purpose of the plaintiffs’ pleadings, all of this information other than the defendant’s own personal data was referred to as “the Confidential Information.” The plaintiffs claim that when the defendant received the CD, she knew or ought to have known that it included information that was not her personal data, and that she knew or ought to have known that she had no entitlement to receive, retain, publish or use it. She was, in other words, obliged to maintain the confidentiality of the information. It is pleaded that she disclosed the information, or some of it, to a third party, Mr. Gerard Scriven, another third party who is unnamed in the Re-Amended Statement of Claim (but who was later identified as Mr. Kevin Brophy), and to a Mr. William McKeogh. It is also pleaded that the plaintiffs received correspondence from other third parties who had in their possession documents comprising part of the Confidential Information and that documents had been made available to view by the public at large on social media. It 5 is claimed that in all of those circumstances the defendant “[W]rongfully, in breach of confidence and in breach of duty...refused to return the Confidential Information and instead, without the consent or authority of Grant Thornton, and without lawful justification or excuse, disseminated the Confidential Information to certain third parties.” The Re-Amended Statement of Claim acknowledges that the defendant returned the CD and a USB key on the 4th December 2015, after institution of the proceedings. It is pleaded, however, that not all of the Confidential Information has been recovered. 11. In short, the plaintiffs seek relief on the basis of breach of confidence. 12. The defendant’s pleaded case is as follows. The defendant admits that she received the CD and that it contained information and documents relating to “thousands of other parties under the management of other data controllers.” She admits that the release of information outside her data access request was unintended. 13. She describes the information as information comprising “third party information” and “what was identified (after the fact) as ‘confidential information’ of the Plaintiffs.” This is an important plea because it is the start of a distinction the defendant relies upon between third parties’ information and “confidential information” (which she considers to be information that is private to the plaintiffs). 14. She denies that she could have known anything about the contents of the CD and the nature of the information when she received it and pleads that she only became aware of the nature of it when she started reading the information. She then alerted the plaintiffs to the issue. 15. The defendant denies being under any duty to maintain the confidentiality of the information because “the information was unknown to [her] and could not have been understood as confidential.” She in any event denies violating, publishing, disseminating or using any information from the CD. 16. She does, however, admit that she showed some of the information (which she describes as “a negligible amount of information”) to a trusted colleague of twenty years in confidence. This is Mr. Gerard Scriven. She pleads that she did so to attempt to ascertain what had been received and whether it should have been received at all. 6 She also admits to providing some information to Mr. McKeogh and to possibly looking at information on one of the USB keys on Mr. McKeogh’s laptops. 17. The defendant denies being under any duty in respect of the information. She also denies refusing to return the information. 18. She also denies communicating any information to Mr. William McKeogh or to Mr. Kevin Brophy, the other third party (who was unnamed in the Statement of Claim). 19. Finally, the defendant raises a Counterclaim for damages pursuant to section 7 of the Data Protection Act arising from the plaintiffs’ delay in providing the defendant’s personal data on foot of her data access request. 20. In the plaintiffs’ Amended Reply and Defence to Counterclaim, they, inter alia, admit a failure to respond to the defendant’s data access request within the time limits prescribed by the Data Protection Acts, but deny that she is entitled to any damages or that she suffered any loss or damage. 21. They are, in summary, the cases that are pleaded by the parties. I return to the specific issues that were argued at the hearing. However, as the pleaded case is founded in breach of confidence, and some of the arguments were centred on the circumstances in which such a breach might be said to arise and in which relief might be granted, it may be helpful to first set out the applicable principles. BREACH OF CONFIDENCE General 22. It is well-established that relief for breach of confidence is not dependent on a contractual relationship between the parties, though that is often the context in which such a claim arises. The availability of relief has been variously described as being founded in equity, the duty to be of good faith, and in moral obligation. In House of Spring Gardens Limited & Ors v Point Blank Ltd [1984] IR 611, Costello J said (at page 658): “I am concerned in this part of my judgment with the law relating to breach of confidence and at the outset I should make it clear that the plaintiffs’ case is not 7 based on contract but on certain equitable principles which, it is said, should be applied to the facts of this case...the courts in this country have not yet been called upon to enunciate what those equitable principles are. I will turn, then, to the decisions of the English courts for guidance as to how this court administering equitable principles should decide whether on the facts I have found an obligation in confidence existed and whether a breach of it occurred.” 23. Costello J considered a number of English decisions. He noted the statement by Greene MR at page 211 of his judgment in Saltman Engineering Co. Ltd. v Campbell Engineering Co. Ltd. [1948] 65 RPC 203 that: “The main part of the claim is based on breach of confidence, in respect of which a right may be infringed without the necessity of there being any contractual relationship. I will explain what I mean. If two parties make a contract, under which one of them obtains for the purpose of the contract or in connection with it some confidential matter, even though the contract is silent on the matter of confidence, the law will imply an obligation to treat that confidential matter in a confidential way, as one of the implied terms of the contract; but the obligation to respect confidence is not limited to cases where the parties are in contractual relationship… 24. Costello J also referred to the judgment in Fraser v Evans [1969] 1 QB 349 in which Denning MR said at page 361: “... Those cases show that the court will in a proper case restrain the publication of confidential information. The jurisdiction is based not so much on property or on contract as on the duty to be of good faith. No person is permitted to divulge to the world information which he has received in confidence, unless he has just cause or excuse for doing so.” 25. Costello J also noted that the cases show that there is no simple test for deciding what circumstances will give rise to an obligation of confidence and that there are no hard and fast rules for judging whether or not information can properly be regarded as confidential. 26. At page 663, Costello J went on to set out applicable principles when the court was being asked to exercise its equitable jurisdiction. This statement of principles must, of course, be understood in the context of the particular issues in that case, but nonetheless they are of general application: 8 “...The court, it should be borne in mind, is being asked to enforce what is essentially a moral obligation. It must firstly decide whether there exists from the relationship between the parties an obligation of confidence regarding the information which has been imparted and it must then decide whether the information which was communicated can properly be regarded as confidential information...Once it is established that an obligation in confidence exists and that the information is confidential, then the person to whom it is given has a duty to act in good faith, and this means that he must use the information for the purpose for which it has been imparted, and he cannot use it to the detriment of the informant...” 27. O’Higgins CJ expressly agreed with this statement of the applicable principles when the matter came before the Supreme Court (page 696). 28. In Attorney General v Guardian Newspapers (No. 2) [1990] 1 AC 109 (the “Spycatcher” case), the House of Lords had to consider the law relating to breach of confidence. It is, of course, important to note that this case concerned attempts by the UK government to restrain publication of materials from a former MI5 officer which would be in breach of his duty of confidence arising from his employment. Thus, specific considerations applied. However, the House of Lords (and the lower courts) did set out principles of more general application. 29. Bingham LJ considered the principles when the matter was in the Court of Appeal. He referred to some of the same English cases as Costello J in House of Spring Gardens. He said at page 215: “The cases show that the duty of confidence does not depend on any contract, express or implied, between the parties. If it did, it would follow on ordinary principles that strangers to the contract would not be bound. But the duty "depends on the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it:" Seager v. Copydex Ltd. [1967] 1 W.L.R. 923, 931, per Lord Denning M.R. "The jurisdiction is based not so much on property or on contract as on the duty to be of good faith": Fraser v. Evans [1969] 1 Q.B. 349, 361, per Lord Denning M.R. It accordingly "affects the conscience of the person who receives the information with knowledge that it has originally been communicated in confidence": per Sir Nicolas Browne-Wilkinson V.-C. at the interlocutory stage of this case [1987] 1 W.L.R. 1248, 1265. So it is appropriate that the enforceability of rights of confidence against third parties should be 9 analysed in the traditional terms of equitable rights over property, as Sir Nicolas Browne-Wilkinson V.-C. did [1987] 1 W.L.R. 1248, 1264D, and Nourse L.J. did at an even earlier stage of this case Attorney-General v. Observer Ltd., The Times, 26 July 1986; Court of Appeal (Civil Division) Transcript No. 696 of 1986. The English law on this subject could not, I think, be more clearly or accurately stated than it was by the High Court of Australia in Moorgate Tobacco Co. Ltd. v. Philip Morris Ltd. (No. 2) (1984) 156 C.L.R. 414, 437-438: "It is unnecessary, for the purposes of the present appeal, to attempt to define the precise scope of the equitable jurisdiction to grant relief against an actual or threatened abuse of confidential information not involving any tort or any breach of some express or implied contractual provision, some wider fiduciary duty or some copyright or trade mark right. A general equitable jurisdiction to grant such relief has long been asserted and should, in my view, now be accepted: see Commonwealth of Australia v. John Fairfax & Sons Ltd. (1980) 147 C.L.R. 39, 50-52. Like most heads of exclusive equitable jurisdiction, its rational basis does not lie in proprietary right. It lies in the notion of any obligation of conscience arising from the circumstances in or through which the information was communicated or obtained." A third party coming into possession of confidential information is accordingly liable to be restrained from publishing it if he knows the information to be confidential and the circumstances are such as to impose upon him an obligation in good conscience not to publish. No such obligation would in my view ordinarily arise where the third party comes into possession of information which, although once confidential, has ceased to be so otherwise than through the agency of the third party.” 30. In the House of Lords, Lord Griffiths, having noted that the particular case concerned an attempt by the Government to seek the protection of the law of confidence, went on to consider the general principles in that area of the law. He said at page 268: “Although the terms of a contract may impose a duty of confidence the remedy is not dependent on contract and exists as an equitable remedy. Megarry J. identified the three essentials to found the duty in Coco v. A.N. Clark (Engineers) Ltd. [1969] R.P.C. 41,47: 10 "three elements are normally required if, apart from contract, a case of breach of confidence is to succeed. First, the information itself, in the words of Lord Greene M.R. in the Saltman case [(1948) 65 R.P.C. 203, 215] must 'have the necessary quality of confidence about it.' Secondly, that information must have been imparted in circumstances importing an obligation of confidence. Thirdly, there must be an unauthorised use of that information to the detriment of the party communicating it." ... The duty of confidence is, as a general rule, also imposed on a third party who is in possession of information which he knows is subject to an obligation of confidence: see Prince Albert v. Strange (1849) 1 Mac. & G.25 and Duchess of Argyll v. Duke of Argyll [1967] Ch. 302. If this was not the law the right would be of little practical value...” 31. Lord Goff said in the same case (page 281): “I start with the broad general principle (which I do not intend in any way to be definitive) that a duty of confidence arises when confidential information comes to the knowledge of a person (the confidant) in circumstances where he has notice, or is held to have agreed, that the information is confidential, with the effect that it would be just in all the circumstances that he should be precluded from disclosing the information to others. I have used the word "notice" advisedly, in order to avoid the (here unnecessary) question of the extent to which actual knowledge is necessary; though I of course understand knowledge to include circumstances where the confidant has deliberately closed his eyes to the obvious. The existence of this broad general principle reflects the fact that there is such a public interest in the maintenance of confidences, that the law will provide remedies for their protection. I realise that, in the vast majority of cases, in particular those concerned with trade secrets, the duty of confidence will arise from a transaction or relationship between the parties - often a contract, in which event the duty may arise by reason of either an express or an implied term of that contract. It is in such cases as these that the expressions "confider" and "confidant" are perhaps most aptly employed. But it is well settled that a duty of confidence may arise in equity independently of such cases...” 32. Mahon v Post Publications Limited [2007] 3 IR 338 is a relatively recent restatement by the Supreme Court of the general principles. Again, the context of this 11 case is very different to the current case. In relation to the applicable general principles, Fennelly J said at paragraph 114: “114. The law with regard to confidential information is of comparatively modern origin. It was above all developed to regulate the behaviour of private parties and was based on the doctrine of trust. It is independent of contract. A recipient of a confidence must not breach it by communicating the confidential information to third parties. It is, of course, capable of application both to purely personal and to non-commercial information...” 33. In order for relief to be granted the information must be confidential, the circumstances in which it was imparted must import an obligation of confidence, and the recipient of the information must be guilty of improperly using that information. Costello J appeared to suggest at paragraph 663 of his judgment in House of Spring Gardens that the first step is to determine whether there exists from the relationship between the parties an obligation of confidence. However, that should be seen in the context of there being an existing relationship in that case. Later authorities suggest that the first consideration is whether the information is confidential. That seems to me to make sense as relief is only available in respect of confidential information. Furthermore, in cases where there is not a pre-existing relationship, the question of whether there is an obligation of confidence turns on whether the information is confidential. It therefore makes sense to consider this first. Information must be confidential 34. Thus, the starting point in the consideration of whether the court should grant relief in respect of an alleged breach of confidence is that the information in question must be confidential, or, as it was put by Greene MR in the Saltman case (referred to by Griffiths LJ in the Spycatcher case), it must “have the necessary quality of confidence about it”. Greene MR said: “…I think that I shall not be stating the principle wrongly, if I say this with regard to the use of confidential information. The information, to be confidential, must, I apprehend, apart from contract, have the necessary quality of confidence about it, namely, it must not be something which is public property and public knowledge.” This has been considered in many of the aforementioned authorities. Costello J pointed out in House of Spring Gardens that 12 there are no hard and fast rules for judging whether or not information can properly be regarded as confidential. 35. In the Spycatcher case, Griffiths LJ, having identified the three necessary elements for the imposition of a duty of confidence; the first one being that the information is confidential, said: “The first of these elements will not normally be present if the information is in the public domain - "it must not be something that is public property and public knowledge" per Lord Greene M.R. in Saltman Engineering Co. V. Campbell Engineering Co. Ltd. (1948) 65 R.P.C 203, 215. Furthermore, information may lose its original confidential character if it subsequently enters the public domain. If the confider publishes the information this releases the confidant from his duty of confidence: see O.Mustard and Son v. Dosen (Note) [1964] 1 W.L.R. 109...” 36. Bingham LJ had said in the Court of Appeal (at page 214): “The essence of the confidant's duty is to preserve the confidentiality of the confider's information (in which expression I include information learned not from but during a period of service with the confider). It is thus an essential ingredient of the duty, and of any cause of action arising on breach or threatened breach, that the information should when imparted have been and should remain confidential. This requirement has been put in a number of different ways, but has always been insisted upon. In Saltman Engineering Co. Ltd. v. Campbell Engineering Co. Ltd. (1948) 65 R.P.C 203, 215 Lord Greene M.R. said: "The information, to be confidential, must, I apprehend, apart from contract, have the necessary quality of confidence about it, namely, it must not be something which is public property and public knowledge."[emphasis added] The information must not be "public knowledge" (Seager v. Copydex Ltd. [1967] 1 W.L.R. 923, 931G per Lord Denning M.R.), nor in the public domain Woodward v. Hutchins [1977] 1 W.L.R. 760, 764D per Lord Denning M.R. To be confidential information must have what Francis Gurry recently called the basic attribute of inaccessibility: see Gurry, Breach of Confidence (1984), p. 70. The information must have been acquired in circumstances importing a duty of confidence (Coco v. A. N. Clark (Engineers) Ltd. [1969] R.P.C. 41, 47, per Megarry J) but "However 13 confidential the circumstances of communication, there can be no breach of confidence in revealing to others something which is already common knowledge:” [1969] R.P.C. 41, 47. It is, I think, clear that the duty of confidence ceases to apply to information which, although originally confidential, has ceased to be so otherwise than through the agency of the confidant...” 37. Goff LJ said at page 282 of the Spycatcher case: “...the principle of confidentiality only applies to information to the extent that it is confidential. In particular, once it has entered what is usually called the public domain (which means no more than that the information in question is so generally accessible that, in all the circumstances, it cannot be regarded as confidential) then, as a general rule, the principle of confidentiality can have no application to it. I shall revert to this limiting principle at a later stage...” 38. In Mahon v Post Publications Limited, Fennelly J said: “116. Megarry J. gave further thought to the test for establishing the confidential character of information:- "First, the information must be of a confidential nature. As Lord Greene said in [Saltman Engineering Co. v. Campbell Engineering Co. [1948] R.P.C. 203] at p. 215, 'something which is public property and public knowledge', cannot per se provide any foundation for proceedings for breach of confidence. However confidential the circumstances of communication, there can be no breach of confidence in revealing to others something which is already common knowledge.” 39. One particular issue which the authorities have considered is where the information comprises both public information and private information. In the passage from Coco v A.N. Clark (Engineers) Ltd. referred to by Fennelly J (in paragraph 38 above) Megarry J said that “…there can be no breach of confidence in revealing to others something which is already common knowledge”, but he went on to say “…this must not be taken too far. Something that has been constructed solely from materials in the public domain may possess the necessary quality of confidentiality: for something new and confidential may have been brought into being by the application 14 of the skill and ingenuity of the human brain. Novelty depends on the thing itself, and not upon the quality of its constituent parts." 40. Costello J went on to say at page 661: “The application of the law of confidence in cases where it is suggested that no obligation arose because the information was public appeared again in Seager v. Copydex Ltd...The Court of Appeal held that the plaintiff was entitled to damages. In the course of his judgment Lord Denning, M.R. referred to the judgment of Lord Greene in Saltman with approval and that of Roxborough J. in Terrapin which I have just quoted, and went on at pp. 931-2:- “The law on this subject does not depend on any implied contract. It depends on the broad principle of equity that he who has received information in confidence shall not take unfair advantage of it. He must not make use of it to the prejudice of him who gave it without obtaining his consent. The principle is clear enough when the whole information is private. The difficulty arises when the information is in part public and in part private. As, for instance, in this case. A good deal of the information which Mr. Seager gave to Copydex was available to the public, such as the patent specification in the Patent Office, or the “Klent” grip, which he sold to anyone who asked. If that was the only information he gave them, he could not complain. It was public knowledge. But there was a good deal of other information he gave them which was private...When the information is mixed, being partly public and partly private, then the recipient must take special care to use only the material which is in the public domain. He should go to the public source and get it or, at any rate, not be in a better position than if he had gone to the public source. He should not get a start over others by using the information which he received in confidence. At any rate, he should not get a start without paying for it.” Circumstances giving rise to duty of confidence 41. The courts have also had to consider the circumstances which might import a duty of confidence. It is well-established that where information is given in the context of a pre-contractual, contractual, or employment relationship it will readily be found that there is a duty of confidence in the recipient. Similarly, if a person takes information without consent, a duty will readily be said to arise. It is now also clear that a duty will arise even where the information has come into the person’s 15 possession through an error or accident provided it is clear that the information is confidential. Goff LJ said in the Spycatcher case (page 181): “I realise that, in the vast majority of cases, in particular those concerned with trade secrets, the duty of confidence will arise from a transaction or relationship between the parties - often a contract, in which event the duty may arise by reason of either an express or an implied term of that contract. It is in such cases as these that the expressions "confider" and "confidant" are perhaps most aptly employed. But it is well settled that a duty of confidence may arise in equity independently of such cases; and I have expressed the circumstances in which the duty arises in broad terms, not merely to embrace those cases where a third party receives information from a person who is under a duty of confidence in respect of it, knowing that it has been disclosed by that person to him in breach of his duty of confidence, but also to include certain situations, beloved of law teachers - where an obviously confidential document is wafted by an electric fan out of a window into a crowded street, or where an obviously confidential document, such as a private diary, is dropped in a public place, and is then picked up by a passer-by…” 42. The UK Court of Appeal had to consider the law of confidence in the very different context of matrimonial proceedings in Imerman v Tchenquiz & Ors [2011] 2 WLR 592. On this particular issue of the circumstances in which the disclosure of material might give rise to a duty of confidence, Lord Neuberger said at paragraph 64: “It was only some 20 years ago that the law of confidence was authoritatively extended to apply to cases where the defendant had come by the information without the consent of the claimant. That extension, which had been discussed in academic articles, was established in the speech of Lord Goff of Chieveley in Attorney General v Guardian Newspapers Ltd (No 2) [1990] 1 AC 109. He said, at page 281, that confidence could be invoked “where an obviously confidential document is wafted by an electric fan out of a window … or … is dropped in a public place, and is picked up by a passer-by.” Duty of confidence 16 43. The courts have also had to consider what obligations fall on a person who comes into possession of information in circumstances which give rise to a duty of confidence. Neuberger LJ said at paragraphs 69-73 of his judgment in Imerman: “69. In our view, it would be a breach of confidence for a defendant, without the authority of the claimant, to examine, or to make, retain, or supply copies to a third party of, a document whose contents are, and were (or ought to have been) appreciated by the defendant to be, confidential to the claimant [emphasis added]. It is of the essence of the claimant's right to confidentiality that he can choose whether, and, if so, to whom and in what circumstances and on what terms, to reveal the information which has the protection of the confidence. It seems to us, as a matter of principle, that, again in the absence of any defence on the particular facts, a claimant who establishes a right of confidence in certain information contained in a document should be able to restrain any threat by an unauthorised defendant to look at, copy, distribute any copies of, or to communicate, or utilise the contents of the document (or any copy), and also be able to enforce the return (or destruction) of any such document or copy. Without the court having the power to grant such relief, the information will, through the unauthorised act of the defendant, either lose its confidential character, or will at least be at risk of doing so. The claimant should not be at risk, through the unauthorised act of the defendant, of having the confidentiality of the information lost, or even potentially lost. … 72. If a defendant looks at a document to which he has no right of access and which contains information which is confidential to the claimant, it would be surprising if the claimant could not obtain an injunction to stop the defendant repeating his action, if he threatened to do so. The fact that the defendant did not intend to reveal the contents to any third party would not meet the claimant's concern: first, given that the information is confidential, the defendant should not be seeing it; secondly, whatever the defendant's intentions, there would be a risk of the information getting out, for the defendant may change his mind or may inadvertently reveal the information. 73. An injunction to restrain passing on, or using, the information, would seem to be self-evidently appropriate – always subject to any good reason to the contrary on the facts of the case. If the defendant has taken the documents, there can almost always be no question but that he must return them: they are the claimant's property. If the defendant makes paper or electronic copies, the copies should be ordered to be returned or destroyed (again in the absence of good reason otherwise). Without such an order, the information would still be “out there” in the 17 possession of someone who should not have it. The value of the actual paper on which any copying has been made will be tiny, and, where the copy is electronic, the value of the device on which the material is stored will often also be tiny, or, where it is not, the information (and any associated metadata) can be deleted and the device returned.” 44. The judgment in Mahon v Post Publications is also important because a central part of the defendant’s case is that the plaintiffs have no locus standi or entitlement to enforce the confidentiality of third parties’ information. I deal with this when considering this aspect of the defendant’s case later in the judgment. THE PARTIES’ ARGUMENTS 45. I turn now to summarise the arguments made by the parties. Their positions have already been set out to some extent in the section dealing with their pleaded cases. It would be helpful to first identify the facts that are not in dispute. Facts not in dispute 46. It is not in dispute that the CD was provided to the defendant or that it contained her personal information, third parties’ information and information relating to the plaintiffs. The defendant describes the latter two categories as “other information comprising of third party information” and “what was identified (after the fact) as ‘confidential information’ of the plaintiffs” respectively. 47. Nor is it in dispute that the release by the plaintiffs of information outside of the defendant’s personal information was unintended. 48. The defendant admits to copying the information contained on the CD onto a number of USB keys. She emphasised at the hearing that she only made one copy of the CD onto USB keys but because of the volume of information on the CD she had to use several such keys. She was unsure of how many, but she says it was two or three keys. She handed one of them over at the interlocutory injunction hearing. She admits to being unable to find the remaining key(s). 18 49. It is also not in dispute that the defendant sent a photograph of lever arch folders to the plaintiffs and that they at least appeared to the recipient to contain copies of documents from the CD. The defendant said at the hearing that they did not in fact contain such copies. 50. The defendant admits to having provided information on the CD to a third, party, a Mr. Gerard Scriven. 51. The defendant also admits to having shown another third party, a Mr. William McKeogh, some of the information. She says that she only showed Mr. McKeogh her own information. She pleaded in the past (paragraph 14 of her Revised Defence and Counterclaim of the 21st December 2017) that it was possible that some of the material might have been uploaded onto Mr. McKeogh’s laptop when they looked at material on one of the USB keys, though she seems to have resiled from that plea. Arguments 52. The plaintiffs’ arguments can be summarised as follows. The information that was provided to the defendant (other than her own personal information) was confidential and was provided to her through error. The defendant knew or ought to have known that the information was confidential and she therefore had no right to receive, retain, copy or publish the information. She was, it is submitted, under a duty not only to maintain the confidentiality of the information, but to return it to the plaintiffs. It is submitted that, on the defendant’s own admissions, she did not return the information immediately, she copied the information, and disclosed it, or some of it, to third parties (Mr. Scriven and Mr. McKeogh). It is also submitted that the defendant refused to return the information. It is also submitted that she has not returned all of the information because she has not returned the missing USB key(s). These, it is submitted, constitute a breach of confidence on the part of the defendant. 53. The defendant makes a number of arguments in response. 54. First, she draws a distinction between information relating or belonging to third parties and information relating or belonging to the plaintiffs. Indeed, she goes further and submits that the plaintiffs also draw such a distinction. She submits that she has never refused to return information relating or belonging to the plaintiffs, i.e. information in the second of those categories. She also submits that while she did not 19 return the third parties’ information (until the adjourned date for the interlocutory injunction application), she did not in fact refuse to return it. She also vigorously denies that she is under any obligation to do so. 55. Second, she submits that the information does not have the quality of confidence that is required for a breach of confidence. The defendant makes this submission on essentially three bases: (a) some of the documents are publicly available, such as birth certificates; (b) much of the information is publicly available or already in the public sphere, or will be, because it is part of legal packs when lands are being sold; and (c) there have been previous leaks of information from Grant Thornton and this has led to some of the information appearing on social media. She also appears to rely on the fact that a copy of the CD was also sent to the Data Protection Commissioners. The point was made on behalf of the plaintiffs that the absence of the quality of confidence was not pleaded by the defendant. I am satisfied, though with reservations, that the defendant is entitled to make this argument. Firstly, the defendant does plead that “If information, confidential or otherwise, was issued to any other party and/or available to the public at large, it was directly from the Plaintiffs in relation to ongoing negligence with private information entrusted to them by data controllers and further indication of very serious security issues regarding the protection of private information the Plaintiffs are lawfully obliged to adequately secure.” While this does not expressly plead that the information did not have the required quality of confidence, it is sufficient for the plaintiffs to have known that part of the defendant’s arguments would be that at least some of the information is publicly available and it therefore does not have the quality of confidence. Secondly, in order for the plaintiffs to establish a duty and a breach of confidence, they have to establish that the material has the required quality of confidence. They were therefore not prejudiced in having to deal with the defendant’s argument. 56. The defendant’s third argument is that there was no need, and certainly no urgent need, for the plaintiffs to seek an interim or interlocutory injunction. There was, as the defendant put it, “no fire”. As part of this, the defendant says that the plaintiffs displayed a laconic attitude to the data breach and then suddenly, without any good reason, sought an injunction. 57. Fourth, she also vigorously disputes that the plaintiffs have any entitlement to seek or obtain any Order in respect of the return of the personal data or information of third parties. This is a central part of her case. 20 58. I deal with these arguments during the course of the following discussion of the ingredients of the action for relief against breach of confidence. DISCUSSION Quality of Confidence 59. It is important to note that for the most part the nature of the information on the CD was dealt with by the parties by way of examples and by reference to categories or types of information/documentation rather than by an examination of each document or piece of information on the CD. The defendant delivered written submissions during the hearing just before giving evidence. She submitted that the plaintiffs, if they wished to assert that a piece of information or document was confidential, must address that particular material. That is not the way the parties had proceeded until that point and in reality it is not the way the defendant proceeded even after that point. I am told that there is information relating to thousands of people on the CD. It would be wholly unworkable if it was necessary for the parties and the Court to go through each and every piece of information or documentation to examine whether it specifically had the quality of confidence to begin with and, if so, whether it specifically had retained that quality. 60. The material on the CD contained things like: progress reports from the plaintiffs to the relevant charge-holder(s); VAT calculations; deeds of appointment of receivers; letters from receivers setting out fees charged by the receiver in the disposal of property; birth certificates; auctioneers’ invoices; Vat receipts; details of security advanced on property; a spreadsheet headed “Court Liquidations FY14 – Month by Month Billings” containing headings including (but not limited to) Date of Appointment, Lead Appointee, Fees Discharged in each of 5 months, and Amounts; fee notes from Grant Thornton to clients for services; invoices from auctioneers to Grant Thornton; BER Certs prepared for receiver headed “Specific Assets of [Redacted] in receivership c/o Stephen Tennant”; spreadsheet headed “VAT Danske Property List” which contained headings “Property ID”, “Date of Appointment”, “Legal Firm”, “Borrower Name”, “Security Address”, “Net Fee,” “VAT inclusive Fee” “Date VAT fee paid” “GT initials”; fee notes from solicitors to Grant Thornton in respect of the sale of property (name of property redacted in discovery); invoice to Grant Thornton 21 in respect of insurance on specific property (redacted in the discovery); invoices in respect of property management services; emails from Grant Thornton to Revenue inquiring about VAT refunds (identifying, inter alia, the borrower and the security address). These examples were either given by Mr. Connaughton or Ms. Scanlan in evidence and/or were contained in the discovery made by the plaintiffs. Very many of these documents naturally identify the particular borrower or property in question and personal details about the borrower. In the documents provided in discovery those details are redacted but they were not redacted on the CD. 61. In my view, there can be little doubt that, when taken as a whole, and subject to a consideration of the points raised by the defendant, the nature of this information is private and confidential. The information consists of information relating to the financial affairs and business of the plaintiffs and of third parties. Many of the documents contain information about both third parties and the plaintiffs. I emphasise that my conclusion that the information is private and confidential in nature does not mean that each and every piece of the information has that quality. For example, as the defendant pointed out at the hearing, a birth certificate is not private and confidential. This has consequences for the relief that might be granted rather than for whether the information as a whole has the required quality of confidence. 62. As noted above, the defendant draws a distinction between information relating or belonging to the plaintiffs and third parties’ information or data relating or belonging to third parties. She accepts that information relating or belonging to the plaintiffs is confidential (provided it is confidential information) and emphasises that she gave an undertaking in relation to this information. 63. However, it bears note that she appears to in fact be of the position that there is no such information contained on the CD. This appears to be on two bases: (i) that all documents, even those that could be seen as having been generated by, or are internal to, the plaintiffs, such as progress reports, fee notes, invoices from auctioneers, and property lists, also contain personal data of third parties; and (ii) that the information relating to the plaintiffs is not confidential. For example, at the hearing, she submitted that the relief that is sought “is over personal data, nothing in the evidence is to do with proprietary or legally privileged information of Grant Thornton, it is personal data of private citizens that they use for their own commercial purposes. Nothing here is privileged or that I couldn’t get anywhere else. So there is 22 no confidentiality about the information that is provided here, they are just spreadsheets, they are just dockets, they are birth certificates. I can get that online and, you know, that is just not commercially sensitive information”. She also instanced spreadsheets and said “all those spreadsheets contain people’s name, properties, home addresses, all of their information. That is not proprietary information. That is information that Grant Thornton use for the commercial imperative.” She also said “as far as I am concerned and aware to this date today, the information we were dealing with is very much personal data of third parties. I have never seen proprietary information or legally privileged information of Grant Thornton. And they had specifically actually drawn a line between the two in the Statement of Claim where you can see that it is third party data of others and including proprietary legally privileged information”. So, while the defendant accepts that information relating to the plaintiffs is confidential, she does not accept that there is really any such information on the CD partly because the materials that contain the plaintiffs’ information also contains third parties’ information or data and it is therefore not the plaintiffs’ information. 64. The plaintiffs do not accept that there is such a distinction. I return to this later and for the moment will proceed on the basis that the information can be divided in the manner contended for by the defendant. 65. The defendant’s position in relation to the confidentiality of the plaintiffs’ information is clear. She accepts that in principle it is confidential in nature (but her position is that there is really no such information on the CD). However, her position in relation to whether or not the third parties’ information has the required quality of confidence is less clear. She made conflicting statements in the course of her evidence. 66. She said, “there is no confidentiality about the information that is provided here, they are just spreadsheets, they are just dockets, they are birth certificates.” She also said that they are not highly sensitive documents because they are available everywhere. She said, “You can go to any auction site in this country and download all that information.” She instanced a VAT receipt and said it is not sensitive because people are entitled to that as part of their data access rights, then went on to say that it is not confidential because you could download it from Revenue on a property disposal and sometimes VAT receipts are available in the legal packs for sales as well to show that if there is a VAT liability to the property, it is actually discharged. 23 67. However, on the other hand she also said, “Absolutely admitted, it was personal information that should have been kept confidential by Grant Thornton…”. She said in oral submissions that “I have admitted that I knew the information was confidential, I knew the information was personal data of citizens that was required to be kept confidential…” In her written submissions she stated “If an individual gives their personal data to an organisation, they have a duty to keep the details private and safe.” She also said that the plaintiffs’ duty of care to the third parties was to protect the privacy of those people. 68. It seems to me that there are two limbs to the defendant’s position in relation to the nature of the third parties’ information. Firstly, that in principle it is confidential in nature but that it is not the plaintiffs’ confidential information, because she went on in the quotes from her evidence to say “but it doesn’t make it their [Grant Thornton] confidential information” and “That does not mean that it is Grant Thornton’s confidential information”. This is consistent with her submission that the plaintiff has no entitlement to enforce the confidence of that information, which I come to later. The second limb (this also applies to what she considers the plaintiffs’ information) is that much of the information is not in fact confidential. 69. I deal with the first of these when discussing the plaintiffs’ entitlement to seek relief. In relation to the second limb, as apparent from some of the quotes at paragraph 66, the defendant’s point is that the information does not have the required quality of confidence because some of it never had that quality and other parts of it had that quality but have lost it. This is on the basis that: (i) some of the information or documents are publicly accessible; (ii) some of the information has been part of legal packs made available online in relation to previous sales of land; (iii) some of it will form part of such legal packs; and (iv) information from the CD has already made its way on to social media through other means and data breaches and is, therefore, publicly available. 70. It is clear from the authorities above, that in order to be confidential in the first place and thereafter to retain that quality of confidence, information must not be “public knowledge”, “public property, “common knowledge” or be otherwise in the public domain. 71. The defendant submitted that some of the information is publicly accessible and therefore never had the required quality of confidence. She referred to birth 24 certificates, VAT receipts and fee notes from the plaintiffs to their clients. In relation to the latter, the defendant says that the information is accessible because an individual could calculate what individual fees were paid to the plaintiffs by examining the client companies’ returns to the CRO. I do not accept that the individual fees could be calculated from returns to the CRO, but even if the individual fees could be calculated, the level of effort required to do so in itself means that the information is not publicly available or common knowledge. The defendant also referred to VAT receipts and said that they are not confidential because people are entitled to them as part of their data access rights, that they can be downloaded from Revenue on a property disposal, and are sometimes available in legal packs. I do not believe these points establish that VAT receipts are publicly available or accessible documents. The fact that the person whose property is affected may obtain such a receipt by way of data access request does not mean that it is available to the public. There is no evidence that a member of the public can download a VAT receipt relating to someone else’s lands. Birth certificates are, of course, different because they are documents of public record which may be obtained by members of the public. However, the fact that the information contains a small number of records which are publicly accessible can not affect the overall assessment of the nature of the information. It also seems to me that there is a significant qualitative difference between such records being disclosed in bulk and application having to be made to obtain the record. Furthermore, the context is relevant and significant. The release of a person’s birth certificate along with other personal information about them, including their address and sensitive financial affairs, is qualitatively different to a birth certificate being provided to an individual by a government office on application. I do not accept that the mere fact that the information contains some documents which may be accessed by members of the public means that the information on the CD does not have the quality of confidence. 72. The other basis upon which the defendant says that the information is not confidential at all is that some of it will be part of legal packs when the relevant lands are being sought. The possibility, or even certainty, that information or documents will become publicly available at some point in the future can not mean that they are not confidential before they become public. As Neuberger LJ said at paragraph 69 of Imerman “It is of the essence of the claimant's right to confidentiality that he can choose whether, and, if so, to whom and in what circumstances and on what terms, to reveal the information which has the protection of the confidence.” The information, 25 if confidential, remains confidential and does not lose that quality until it becomes public. 73. The position in relation to information or documents which have already been part of legal packs is different. I accept that they no longer have the required quality of confidence. They had that quality at one time but once they were published as part of legal packs they lost that quality. Indeed, this was accepted in substance (though not in those terms) by Mr. Connaughton, who gave evidence for the plaintiffs. He said in cross-examination that “the purpose is to protect the private and confidential information, and anything that is already in the public domain obviously wouldn’t be covered by that”. 74. It is common case that some of the information has appeared on social media. As a matter of general principle, information contained on the CD which had already become public, if any, can no longer be considered confidential (provided it was not the confidant – in this case the defendant - who made it public). The defendant claims that some of the information on the CD was released by the plaintiffs in earlier data breaches and ended up on social media. 75. One of the main examples given by the defendant and relied upon by her was an earlier data breach to a Ms. Teresa Barrington in 2013. It seems to be accepted by the plaintiffs that data was improperly released to Ms. Barrington in 2013. However, they do not accept that the defendant established that this data breach comprised information that was on the CD. The defendant did not call Ms. Barrington to give evidence but rather said that Ms. Barrington previously swore an affidavit saying that she received the same data as the defendant had received. The defendant sought to rely on this. This affidavit came about because the Order that was made by Gilligan J was served on Ms. Barrington by the plaintiffs’ solicitors. The affidavit was put to the defendant on behalf of the plaintiffs to demonstrate that it did not say what the defendant claimed. At paragraph 2(b) of the affidavit, Ms. Barrington said “The Plaintiffs are WRONG in attempting to connect the Plaintiffs [sic] paper data breach to me in 2013 with the Plaintiffs [sic] electronic data breach to the Defendant in 2015 as there is no link between the 2015 and the 2013 data breaches save both were perpetrated by the Plaintiffs.” (emphasis in original). There is a heading at paragraph 20 “No Link Between 2015 and 2013 Data Breaches”. Ms. Barrington then says at paragraph 20 “I say that the paper data breach I received by post in December 2013 is not the subject matter of the Court Order. The Court Order is only relevant to a 26 [sic] electronic data breach of September 2015 some two years later and has no relevance to the paper data protection breach to me in 2013.” The defendant sought to explain these averments by saying that Ms. Barrington meant that there was no connection between her and the defendant. She also emphasised that the plaintiffs’ solicitor had served the Order on Ms. Barrington and it follows that the plaintiffs must have believed that Ms. Barrington must have had some of the same documentation. The defendant argued that it is misleading to say that Ms. Barrington was saying that there is no connection between the two data breaches, and that what she was actually saying was that she should not be under the 2015 Court Order because that order is effective from 2015 and she was in receipt of a separate data breach. The defendant agreed with counsel for the plaintiffs that if Ms. Barrington had any of the confidential information which was covered by Gilligan J’s Order she was under an obligation to return it and that her response was that she did not have any information because what she got in 2013 was different from what the defendant received in 2015. 76. The defendant could have called Ms. Barrington and did not do so. It is not open to her to give evidence as to what Ms. Barrington meant. In any event, the words speak for themselves, and in my view, they can only be understood as meaning that Ms. Barrington did not have any documents that were on the CD (i.e. documents the subject of Gilligan J’s Order). There is no evidence upon which I could conclude that information which was contained on the CD was provided to Ms. Barrington in 2013. 77. In relation to the information that ended up online, Mr. Connaughton, on behalf of the plaintiffs, said in evidence that he was not claiming that the defendant was responsible for information being placed online. He said that he does not know who is responsible for it. He later said that “I don’t know whether you are responsible or whether you are not responsible...All I can tell you is that this information appeared. It emanated from anonymous sources and that is as much as I can say.” He then said that “I wouldn’t suggest for a moment that you are responsible for it.” Senior Counsel for the plaintiffs also confirmed that they were not making the case that the defendant was responsible for this online activity. He said “At no stage, and not in our pleadings do we say that we attribute responsibility for those disclosures to Ms. Scanlan. We are not in a position to prove that, and therefore, we don’t seek to prove it. But we say that the orders should be made based on, firstly the fact of refusal, secondly the disclosure to Mr. Scriven, thirdly the disclosure to Mr. McKeogh, fourthly the fact that there are USB keys at large. And the additional information in relation to what happened thereafter is not to establish a breach on the part of Ms. Scanlan, but is 27 evidence as the basis for Mr. Connaughton’s concern and the necessity for the orders that are sought on a permanent basis.“ In those circumstances, I can not find that the defendant was responsible for material from the CD ending up online. 78. It is, however, common case that material did appear online. Particulars of these disclosures were given by the plaintiffs in Replies to Particulars: (i) on the 25 and 26th November a facebook profile under the name “Due Dilliger” posted comments that included an annotated screenshot of part of the Confidential Information, (ii) on the same day a Twitter account under the name “Due Dilliger” tweeted the same annotated screenshot tagging the journal.ie and the plaintiffs’ Twitter accounts. In the Replies to Particulars, the plaintiffs also gave the following details: (iii) the plaintiffs received an email from “The Research Routers” with an email name of “Due Dilligence” on the 26th November 2015 which attached a document which was in the Confidential Information, (iv) the plaintiffs’ Cork office received a letter dated the 15 th April 2016 from “A concerned member of the public” enclosing a memory stick including Confidential Information, and (v) the plaintiffs were provided with anonymous letters dated the 10th March 2016 and 31st March 2016 that had been sent to Baker Tilly Ryan Glennon and Byrne Wallace which included part of the Confidential Information. In my view, the information at (i), (ii) and (iii) no longer have the required quality of confidence. I am not satisfied that is the case in relation to (iv) and (v). I return to these below. 79. The defendant also referred to the fact that a copy of the CD was provided to the Data Protection Commissioner. It was not entirely clear whether she was claiming that the provision of a copy of the CD is in itself a basis for the loss of the quality of confidence or that the Data Protection Commissioner was the source of information coming into the public sphere. I do not accept that the provision of the information to the Data Protection Commissioner would in itself cause the information to lose the quality of confidence. In relation to the second point, there is absolutely no evidence upon which I could conclude that the Data Protection Commissioner allowed the information to get into the public domain. 80. I am therefore satisfied that the information overall has and retains the required quality of confidence. The issues about public records such as birth certificates, documents that were part of legal packs, and material that appeared online will have to be revisited when considering the question of relief. 28 Duty of confidence 81. I am satisfied that the information was disclosed to the defendant in circumstances importing a duty of confidence. 82. As is clear from the authorities referred to above, while very often the circumstances which import such a duty of confidence will involve a contractual or pre-contractual relationship, such a relationship is not necessary, and a duty of confidence might arise even where a person comes into possession of material through error. As Goff LJ put it in the Spycatcher case, such a duty can arise “where an obviously confidential document is wafted by an electric fan out of a window into a crowded street, or where an obviously confidential document, such as a private diary, is dropped in a public place, and is then picked up by a passer-by.” 83. Goff LJ in the Spycatcher case said that an equitable duty of confidence will arise where the information is acquired accidentally, because of the recipient’s knowledge that the information is confidential. 84. The information was disclosed to and received by the defendant through an error on the part of the plaintiffs. I am fully satisfied that the reasonable person would have realised that the information on the CD was confidential. Indeed, it is clear that the defendant realised this very soon after receiving the CD as she entered into correspondence with the plaintiffs, stressing the gravity of the breach. In fact, the defendant’s whole approach to the information, and to the plaintiffs’ wrongful disclosure of it, was on the basis that it concerned confidential, private, information. 85. The defendant denies in her Defence and Counterclaim that she knew or ought to have known that the information on the CD related to the plaintiffs or third parties or that it was confidential. However, it is clear that this refers to the period immediately after she received the CD, i.e. before she examined the material, because she admits that she “eventually became aware of other named parties on the CD and immediately notified the Plaintiffs of this discovery.” I am satisfied that from this point on, she knew, or ought to have known that the information, including the personal data of third parties, was confidential information. Her actions subsequent to that date are inconsistent with any contrary belief. 29 86. In my view, the circumstances are clearly such as to import a duty of confidence. Breach of confidence 87. There has been no express statement in this jurisdiction of precisely what the duty of confidence encompasses. In the passages quoted above from Imerman v Tchenguiz, Neuberger LJ held that a person who receives information in circumstances which import an obligation of confidence is under a duty to return the information, and is under a duty not to examine or copy it, or to distribute or communicate it to other parties. 88. The defendant submitted that Imerman was of no relevance because it was a matrimonial case, and it could, in any event, only be a persuasive authority. In my view, this aspect of the judgment is of broader application than simply in matrimonial cases. It also seems to me that it is logical that the duty must encompass those actions identified by Neuberger LJ. Otherwise, the right to confidence would stand for very little. 89. The defendant is potentially in breach of her duty of confidence in a number of respects. Examination of the Information 90. She read the information. In Imerman, Neuberger LJ goes so far as to say that “looking at documents which one knows to be confidential is itself capable of constituting an actionable wrong.” In the circumstances of this case, the mere fact that the defendant initially looked at the documents or even read some of them is insufficient to conclude that there was a breach of confidence or that an injunction should be granted. A defendant must look at the information knowing that it is confidential or in circumstances in which she ought to know it is confidential. The CD was simply sent to the defendant. There was no hard copy index or instruction sheet. Furthermore, as I understand it, the defendant’s information was intertwined with the other information. Thus, it was only upon looking at the contents of the CD, and 30 perhaps reading a very small number of documents, that the defendant could have known that it contained confidential information relating to other persons. Thus, the mere fact that the defendant initially looked at information on the CD could not in itself amount to a breach of confidence. 91. However, it is important to note that in cross-examination, the defendant accepted that shortly after receiving the CD she knew something was amiss and that she had received information which was plainly not her personal data. She said that as soon as she opened the CD she knew that she had received more than she should have. She accepted that she told Gilligan J on the day of the interlocutory injunction application that the files contained “very serious private information”. 92. It was a breach of duty for her to continue to read the information once she realised that it contained private information relating to other parties. On her own evidence, this occurred very shortly after she first looked at the contents of the CD. Despite this, she continued to read the material on the CD. Indeed, she describes herself as carrying out “a full interrogation” and “examination” of the information and “its impact on third parties”. Mr. Scriven, who was called by the plaintiff, said in direct examination that he was asked by the defendant to engage with the plaintiffs (in particular Mr. Tennant) in relation to the matter and that he met Mr. Tennant and a Mr. McAteer. He explained that he wanted to impress on them the benefit of engaging with the defendant in relation to the CD. He said this was because “...it was one thing to receive the CD but Ms. Scanlan’s understanding of the nature and content of the actual data that was on it was exacerbating it probably even more.” The defendant did not challenge this. Mr. Scriven agreed with her when she put it to him that her “concern was escalating.” In re-examination he said that “...Ms. Scanlan was getting more exacerbated by the interrogation of the data and what assistance that should be provided to the people whose data was listed on it.” On her own account, she had read 122 files by the 16th October 2015. She seems to offer at least two reasons for continuing to read the materials even after becoming aware that they contained third parties’ information. The first is the statement just referred to, i.e., to carry out an examination of the information and its impact on third parties, and the second is to find her personal data in circumstances where she had waited two years for her personal data from the plaintiffs. I do not accept that she had an entitlement to continue to examine the document on either basis. Her right to her personal data within a statutorily prescribed period, and the reliefs available to her in respect of a 31 breach of that right, do not confer a right on her to interrogate information or documents which she knows contains personal information relating to third parties. Failure/refusal to return information 93. The defendant also retained the information. She only returned the CD (and one of the USB keys) on the adjourned date for the interlocutory injunction hearing. She claimed at the hearing of the substantive action that she did not refuse to return the material. This is largely irrelevant. Her obligation was to return it immediately when she knew it contained third parties’ information and, whether or not she expressly refused to do so, the reality is that she did not return it until after the proceedings had issued. Her actions and statements in correspondence clearly suggested that she had no intention of immediately returning it. 94. As noted above, the defendant brought the data breach to the plaintiffs’ attention. She did so by letter of the 3rd October 2015 to the plaintiffs’ data officer. She referred to having received a file (the CD) on the 11th September and went on to say: “... While I did receive my own data in that file I was concerned to find various items of information including among others, Deeds of Appointments of receivers on the properties of other unconnected third parties. I have attached copies of some of the documents for your notice. I am unsure what to do with these many and various documents and would be obliged if you would write by return outlining what your advice would be as to the best course of action in this situation. I presume there is no need to impress on you the urgency this matter demands.” 95. She did not receive a reply from the plaintiffs and wrote again, by email, on the 13th October 2015. A Ms. Barry of the plaintiffs replied by email on the 14th October 2015. She attached a letter which stated, inter alia: “We acknowledge receipt of this letter and the breach which has occurred. 32 The breach will be addressed in line with the requirements under Data Protection legislation. Our obligations in this regard lie with the individuals whose data has been breached. We request that all third party information you have received is returned to us and no copies are retained. I have enclosed a prepaid envelope.” 96. The defendant replied by email on the 16th October 2015, stating: “Thank you for your response. I received your letter today. So far I’ve only been able to review 122 files of my data with a cursory review of the rest provided. It would be helpful however, if you could provide the addresses of the victims of the data breach. I’d feel more comfortable sending the data directly to them considering Grant Thornton already mislaid it.” 97. Thus, having asked for the plaintiffs’ “advice...as to the best course of action”, and the plaintiffs, in reply, having asked for the return of all third party information, the defendant did not return it and instead indicated that she was reviewing the files and that she would prefer to deal with the third parties directly. 98. Ms. Barry replied by email of the 19th October 2015. She stated: “Firstly, please note the email contact list below is not appropriate – this is a matter solely between you, Grant Thornton and Danske Bank, whom we are liaising with separately. While I appreciate your concern I cannot provide you with the contact information for the individuals whose data has been breached. This would not be appropriate as it would be an additional and intentional breach of the data protection act. The third party documents were not mislaid, copies were simply sent to you in error. We are fully aware of our obligations under the data protection act arising from the breach and I can assure you we will fully comply with same. Please return all third party information in the prepaid envelop [sic] provided as requested. 33 As for the matters of your data access request and the notification of this breach between you and Grant Thornton, subject to return of the third party information, the matter is now closed.” 99. The defendant replied by email of the 5th November 2015 as follows: “Thank you for your email dated 19th October. Please see attached. Can you confirm your Department is satisfied the matter is indeed now closed regarding the information issued to me September 11th 2015?” 100. This email is of some significance because the defendant attached to it a photograph containing a large number of lever arch folders, some of which were open on a table and clearly contained documents. I return to this later. 101. The defendant wrote to the receiver, Mr. Tennant, on the 10th November 2015. “I am writing to you to give full authorisation to discuss the matter of my Receivership, Data Access Request a