Verbal disclosure does not constitute data processing under the Data Protection Act 1998, the UK High Court found in Scott v LGBT Foundation, giving authority to a principle that might seem unsurprising, but had not yet previously been confirmed in case law. This finding applies equally under the current data protection regime.
The claimant, Mr Scott, disclosed details of his recent self-harm and substance use to the LGBT Foundation, a charity providing counselling services and health and wellbeing advice. Following an initial assessment meeting with Mr Scott, the LGBT Foundation shared that information with Mr Scott’s GP practice, due to concerns for Mr Scott’s welfare. The LGBT Foundation’s confidentiality policy (which was set out in a self-referral form that Mr Scott had filled in before his initial assessment with the charity) provided that if there was a reason to be seriously concerned about welfare, the foundation may need to break confidentiality without seeking consent.
Mr Scott’s claim was that the oral disclosure by the LGBT Foundation to his GP practice was:
- a breach of the Data Protection Act 1998 (“the DPA 1998”);
- a breach of confidence at common law; and
- contrary to Human Rights Act 1998.
The court focussed mostly on the first two claims.
Mr Scott sought substantial damages (in excess of £1.8 million) for financial loss and distress. Mr Scott’s job as a nuclear safety consultant required high level security clearances and he described his career as being “finished” because of the LGBT Foundation’s disclosure.
- The DPA 1998 did not apply to purely verbal communications; and
- The LGBT Foundation could rely on a carve-out to the duty of confidence owed to Mr Scott, owing to its self-referral form.
The DPA did not apply to purely verbal communications
Mr Scott claimed that disclosure by the LGBT Foundation to his GP practice constituted unlawful disclosure of “sensitive personal data” under the DPA 1998.
The court rejected that claim, emphasising that the DPA 1998 applies specifically to data which is recorded electronically or manually. It also dismissed Mr Scott’s argument that the conversations relating to his personal circumstances were recorded through being “stored in Ms Lambe [of the LGBT Foundation]'s head”.
This means that not all disclosure of information is “data processing” under data protection legislation – information that does not fall within that specific definition, including, in the case of the DPA 1998, data that is processed orally, will not be covered.
The court considered that, even if the disclosure had constituted data processing, the LGBT Foundation’s disclosure was necessary to protect Mr Scott’s vital interests, which meant that the LGBT could have relied on an exception to the general restriction to processing of sensitive personal data in any event.
The LGBT Foundation could rely on a carve-out to the duty of confidence owed to Mr Scott
Mr Scott’s alternative claim was that the LGBT Foundation had breached their duty of confidence owed to him under common law.
The court found that there was no breach of confidence because the charity’s self-referral forms contained a clearly-worded, limited carve-out to the duty of confidentiality owed by LGBT Foundation. The foundation had pointed it out to Mr Scott at the start of his in-person assessment. The qualifier was valid in indicating that in extreme circumstances the LGBT Foundation may break confidentiality. The qualifier would still have been valid even if Mr Scott had declined to give formal consent.
How should we consider the case going forward?
Scott v LGBT Foundation was decided under the rules in the DPA 1998, as the events in question occurred in 2016, before the introduction of the General Data Protection Regulation (the GDPR). Going forward, we should consider the current data protection regime, i.e. the GDPR and the Data Protection Act 2018 (the DPA 2018).
The position that verbal communication does not constitute data processing would equally apply under the current data protection regime. The scope of the GDPR includes the same requirement that the relevant personal data must be processed by automated means or form part of a filing system or be intended to form part of a filing system.
The GDPR also contains a similar exemption from the general restriction where processing is necessary to protect the vital interests of the data subject. However, under the GDPR there is an additional requirement that the data subject must be physically or legally incapable of giving consent. Were similar facts to Scott v LGBT Foundation to arise in future, they may trigger a factual argument in the context of application of the exemption, as to whether consent was effectively given.
This case illustrates how the data protection regimes and the duty of confidence regimes interact – it shows that the duty of confidence common law regime is broader, and covers a wide range of scenarios, whereas the data protection legislative provisions apply in clearly-defined circumstances only, and only to specific types of information.
For more commentary on the GDPR, please click here.
Case reference: Scott v LGBT Foundation  EWHC 483 (QB).