The UK High Court recently ruled that oral disclosures (in this case provided during a telephone call) do not qualify as ‘data’ for the purposes of the processing of personal data, and consequently do not fall within the scope of data protection rules. This article is a summary of the case and its possible implications.
What’s the case about?
This case concerns the legality of an oral disclosure made by LGBT Foundation Limited (‘LGBT’) of certain personal information concerning David Paul Scott (‘Mr. Scott’) to his doctor (i.e. his general practitioner, ‘GP’), on 25 July 2016.
An application for so-called ‘summary judgment’ (a litigation procedure used to try and bring an early end to proceedings) and/or striking out was brought by LGBT, the defendant in a claim brought by Mr. Scott (who represented himself) for damages for breach of the UK Data Protection Act 1998 (DPA 1998; the disclosure in question was pre-GDPR), breach of the UK Human Rights Act 1998 (HRA 1998), and breach of confidence. This article deals only with the data protection issues.
The salient background facts of this case are as follows:
- LGBT is a charity providing a wide range of services including counselling, as well as advice in relation to health and wellbeing to lesbian, gay, bisexual and transgender communities;
- Mr. Scott referred himself to LGBT who assessed him as being at significant risk of suicide or other substantial self-harm. LGBT was at that time unable to provide Mr. Scott with the services he sought from LGBT because of Mr. Scott’s ongoing drug use. Being concerned about Mr. Scott’s welfare, LGBT disclosed the above-mentioned information to Mr. Scott’s GP, along with confirmation that LGBT could not offer counselling services until Mr. Scott had addressed his ongoing drug use and to that end LGBT also told Mr. Scott’s GP that he needed to first be referred to LGBT’s drug and alcohol services. The information disclosed by LGBT to Mr. Scott’s GP was in due course recorded in his GP’s records;
- Mr. Scott contended that the disclosure was in violation of both the DPA 1998 and the HRA 1998, and also amounted to a common law breach of confidence, in respect of which he sought damages from LGBT of some £1.8 million. Mr. Scott was a nuclear safety consultant with high level security clearances and the UK vetting agency (the ‘UKVS’) would review his medical records for these clearances. Mr. Scott’s security clearances expired in January 2018. Mr. Scott said that the disclosure entry in his medical records directly contradicts statements he made in a vetting interview in 2016 and so he would be seen as having not been frank with the UKVS. Mr. Scott had intended to return to his line of work but claimed that his career was now over because of LGBT’s alleged wrongful disclosure to the GP, which is why he was claiming substantial damages.
What did the court rule?
The court struck out all of Mr Scott’s claims (including the HRA 1998 and breach of confidence claims) and granted summary judgment in favour of LGBT. The court rejected the claims under the DPA 1998 for the following reasons:
- Mr Scott’s contention was that the disclosure involved the unlawful disclosure of ‘sensitive personal data’ (as defined in the DPA 1998) concerning his sexual life and mental health (as well as alleged commission of an offence, relating to drug use); it was not disputed that the disclosure was made purely verbally (over the telephone), and that information communicated was itself orally provided (by Mr. Scott) to an LGBT member of staff;
- A claim under the DPA 1998 can only arise where there has been ‘processing’ of ‘personal data’. In order to qualify as ‘personal data’, the information in issue first needs to satisfy the definition of ‘data’ under the DPA 1998, which means information that: (a) is being processed by means of equipment operating automatically in response to instructions given for that purpose; (b) is recorded with the intention that it should be processed by means of such equipment, (c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system; or, (d) does not fall within paragraph (a), (b) or (c) but forms part of an accessible record;
- According to the court, “the need for personal data to be recorded, in either electronic or manual form is clear from the Court of Appeal’s” 2003 Durant v Financial Services Authority judgment and the terms of (EU) Directive 95/46 (which preceded GDPR) that the DPA 1998 implemented, which states that: “This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system”;
- Based on this, the court concluded that a verbal disclosure does not constitute ‘data’ (that can be processed as personal data) and therefore cannot give rise to a claim under the DPA 1998. Mr. Scott had argued that the material was in effect “stored” in the mind of the LGBT member of staff in question with a view or intention to it being put into an automated record/filing system in due course, and therefore it was ‘data’ as defined in the DPA 1998. But this was rejected by the court as not fitting within ‘the scheme’ of the DPA 1998;
- Whilst the court seemed to have some sympathy with Mr Scott’s argument that it was unfair that oral onward disclosure of the private information which he first orally provided to LGBT is not prohibited, for the court it was not what the DPA 1998 is concerned with as it “is a very specific scheme based around records and processing”;
- Further, in the alternative, LGBT submitted that even if the DPA 1998 were to apply to the disclosure, the disclosure was itself lawful under the DPA 1998 on the basis that the processing was necessary in order to protect the ‘vital interests’ of Mr. Scott. The court agreed that, in such an instance, the disclosure was necessary to protect Mr Scott’s ‘vital interests’: Mr. Scott was considered to be at material risk of suicide or other substantial self-harm and although Mr. Scott tried to challenge this before the court by saying that he had not been at ‘imminent’ risk, the court concluded that there was “no basis […] for reading a qualifier as to ‘imminent’ risk into the ‘vital interests’ processing conditions under the DPA”.
What are the takeaways?
First, would the same interpretation apply under GDPR? As regards the basis of the court’s ruling that in order to constitute ‘data’ personal data has to be (properly) recorded etc., the (above-mentioned) wording relied on by the court in (EU) Directive 95/46 is identical in substance to the wording in GDPR. So, yes, the same interpretation would very likely apply under GDPR; the UK Data Protection Act 2018 also makes reference to the relevant provision of GDPR. As regards the alternative conclusion on the facts of this case (assuming as a counterfactual that the disclosure was ‘processing’) as to whether the disclosure would be lawful on the basis of ‘vital interests’, again the wording relied on by the court in the DPA 1998 is similar in its core meaning to the wording in GDPR. So again, yes, the same interpretation would very likely apply under GDPR; the UK Data Protection Act 2018 also makes provision for ‘vital interests’ in similar terms.
Second, if the LGBT staff member had first recorded the information (orally) disclosed to them by Mr. Scott in a filing system or automated record and then orally disclosed that (by phone) to the GP, would this have changed the position? Arguably it might have, as it could be said that once the data had been recorded then its subsequent oral disclosure was merely a means of transmitting something that (by being recorded) had been ‘made into data’ for the purposes of the processing of personal data – it will take a court to settle this particular issue.
Third, is there a disconnect in data protection law between what qualifies as ‘data’ for the purposes of the processing of personal data and ‘data breaches’? ‘Data breaches’ are defined widely under GDPR and in real life come in many shapes and sizes. Oral disclosure of personal data can constitute a ‘data breach’ (depending on the circumstances) – this is not in dispute (previous ICO annual reports have often referred to oral or verbal disclosure as a type of breach, in the context of data breaches that have been notified to the ICO). Bearing in mind also that the court seemed to sympathise with the argument that it was unfair that oral disclosure was not prohibited, can it be argued that there is therefore something of a disconnect in what might be called the general grand scheme of data protection law (as currently designed in GDPR) between the fact that an oral disclosure as such does not constitute ‘data’ for the purposes of processing personal data but (depending on the circumstances) an oral disclosure can nevertheless constitute a ‘data breach’? If so, it seems that only an amendment to GDPR could change the current position.
Is there anything that I can do?
As part of a compliance audit, businesses should consider looking at their policies and training materials to ensure that the notion of what constitutes ‘data’ for the purposes of processing personal data has been correctly understood.
Cordery’s GDPR Navigator includes resources to help deal with data protection compliance. GDPR Navigator includes:
- Detailed guidance on the security aspects of GDPR in paper and on film;
- A template data breach log;
- A template data breach plan; and,
- A template data breach reporting form.
For information about our Breach Navigator tool please see here: https://www.corderycompliance.com/solutions/breach-navigator/
We report about data protection issues here: http://www.corderycompliance.com/category/data-protection-privacy/.
For more about GDPR please also see our GDPR FAQs which can be found here: http://www.corderycompliance.com/eu-data-protection-regulation-faqs-3/ and our Data Protection Glossary which can be found here: http://www.corderycompliance.com/?s=glossary.
The High Court’s summary judgment can be found here: https://www.bailii.org/ew/cases/EWHC/QB/2020/483.html
For more information please contact André Bywater or Jonathan Armstrong who are lawyers with Cordery in London where their focus is on compliance issues.
| Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH | André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH |
| Office: +44 (0)207 075 1784 | Office: +44 (0)207 075 1785 |