Disclosure of information to GP: not “data” under GDPR
12 August 2020
Scott v LGBT Foundation [2020] EWHC 483 (QB)
The High Court has struck out a claim that the disclosure of certain personal information made by a charity to the claimant’s GP was unlawful. Although only summary, this judgment goes to the heart of what we believe data protection to be about. As you will tell from my somewhat trenchant comments at the end of this post, I find it difficult to accept the main conclusion in this ruling.
The LGBT Foundation provides services including counselling and health advice. The claimant sought to access the charity’s services by completing a self-referral form in 2016. The form gave an option for the self-referring individual to consent to information being disclosed to their GP, and stated that the charity would break confidentiality without the individual’s consent if there was reason to be seriously concerned about their welfare. Mr Scott gave his GP’s details in the form. He also stated in the form that he no longer wished to be alive, detailed a previous suicide attempt, said that he had recently been self-harming and that he continued to suffer problems from drug use.
A sessional health and wellbeing officer at the charity conducted an intake assessment for Mr Scott to ascertain what support would be best for him. She told him of the confidentiality policy, including the provision that any information he disclosed would be passed on if the charity considered him to be at risk. In this interview he gave further details of drug use, self-harm and suicidal thoughts. The health officer paused the assessment and consulted a colleague, who advised her to inform Mr Scott that they would be contacting his GP because they had concerns about his welfare. The charity concluded it was at that time unable to provide him with the services he sought from them because of his ongoing drug use. They passed the information on to Mr Scott’s GP via a telephone call. This information was in due course recorded in his medical records.
Mr Scott claimed that the disclosure had caused him distress and substantial financial loss. He is a safety consultant with a nuclear installation and had high level security clearances. If, as part of the vetting process for his position, his medical records were inspected, and his personal issues came to light, he might be denied this clearance and he would be unable to work in the nuclear energy industry. Disclosure of this information would contradict statements he had made in a vetting interview, meaning he would be seen as not being frank. He brought a claim under the Data Protection Act 1998, a claim in breach of confidence, and a claim under Article 8 of the Human Rights Act 1998.
Saini J struck out his claim under the DPA Act 1998. The Act did not apply to purely verbal communications. A claim under it could only arise where there had been processing of “personal data”. Under the Act, for information to be considered “data” it had to be recorded, in either electronic or manual form (Durant v Financial Services Authority [2003] EWCA Civ 1746). A verbal disclosure did not constitute the processing of personal data, so could not give rise to a claim under the Act. This basic point was also clear from Article 2(1) of Directive 95/46/EC, which the DPA implemented:
This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
Mr Scott argued that the information had been “stored” in the health officer’s mind with a view or intention to it being put into an automated record/filing system in due course, and therefore it was “data” as defined in the DPA. The judge rejected that submission. It did not fit within the DPA scheme. It may be unfair, but oral transmission of information is not what the DPA is concerned with:
it is a very specific scheme based around records and processing. There are other areas of law (in particular, the law of confidentiality) which are the appropriate vehicle for making such complaints if they are well-founded. [para 63]
The LGBT Foundation submitted that even if the DPA applied to the disclosure, the disclosure was itself lawful under the DPA. It argued that the disclosure satisfied condition 4 within Schedule 2 to the DPA which provides as follows:
“The processing is necessary in order to protect the vital interests of the data subject.”
The judge accepted this argument. On the facts facing the charity, it could not reasonably have been expected to obtain the claimant’s consent. In particular, those facts demonstrated that Mr Scott was considered to be at a material risk of suicide or other substantial self-harm, and he had already been informed that such disclosure could be made without his consent in such circumstances (and he had gone ahead with the intake assessment with such knowledge). Although he argued that he had not been at imminent risk, there was no view for reading a qualifier as to imminent risk into the “vital interests” conditions under the Act. In any event, a reasonable professional faced with the facts disclosed to the health officer would find the risk imminent enough to at least make a limited notification to a healthcare professional.
The judge accepted that the charity “undoubtedly” owed a duty of confidence to the claimant. But Mr Scott had a qualifier to confidentiality, or “carve out”, which permitted the very limited disclosure to his GP. The referral forms had stated that the charity would disclose confidential information to an individual’s GP if it had concerns about their welfare. The health officer had made that clear to Mr Scott. She had later told him that she would be contacting his GP and he had done nothing to prevent her.
In my view the referral forms are not to be read as contractual instruments and as a matter of practical commonsense they are indicating to the user that there might, in extreme circumstances, be a breaking of confidentiality if that is needed to help the individual “stay safe” (the words used in the referral forms, as I have cited above). The individual seeking the Foundation’s assistance would know that a limited disclosure (that is, only to a GP in this context) might take place in such pressing circumstances, even if he or she did not agree or indeed was not even asked for consent. [para 83]
The court also concluded that he had no claim under the Human Rights Act, as the charity was not a “public authority” within section 6 of the Act. The claimant contended that LGBT Foundation was funded primarily by government grants and contracts to provide advice and support to lesbian, gay, bisexual and trans communities. The judge rejected this argument. Although it received public funding to deliver some of its services, Mr Scott had not in fact accessed any of its services, only having attended an intake assessment. Intake assessments were a service devised and implemented internally; they were not directly funded by any specific provider and the charity was not required to provide them on behalf of any public body or funder. The services of public benefit the charity provided and the public funding it received did not make it a public authority.
Nor did the case law on “hybrid” public authorities support the claimant’s case. The LGBT Foundation was not a hybrid public authority. It delivers services of public benefit and it receives some public funding, but such factors were insufficient to make an entity a public authority. Of importance was that LGBT Foundation has no statutory powers, duties or functions (not even matters being delegated to it by true public authorities), and was not in any way “governmental”.
It is simply a charity which, like many such bodies, attracts public funding in addition to funds from other sources. The fact that it helps members of the public on health issues takes matters no further.[para 94]
As to the merits of the Article 8 claim, the judge concluded that Mr Scott had no reasonable expectation of privacy that precluded LGBT Foundation from making the limited disclosure, for the same reasons that he found in relation to the claim for breach of confidence. The disclosure was in accordance with the law, in other words, it involved no civil wrong. Had he been required to decide the point, Saini J would have been inclined to determine that the disclosure was justified under Article 8(2) ECHR in the interests of Mr Scott, as it was made with a view to Mr Scott’s GP helping to reduce his risk of suicide or other substantial self-harm.
The judge therefore granted the summary judgment application and struck out all of the causes of action.
Comment
This seems to open up one very big can of worms
says data privacy expert Jonathan Armstrong in his discussion with Tom Fox on Fox’s podcast Life with GDPR “Verbal Reporting under GDPR”. I have to confess that I hope that can will indeed open, if Mr Scott decides to appeal the strike out.
Regarding Mr Scott’s claim that the disclosure threatened his future in the nuclear energy industry, whilst we don’t want seriously fragile people working in hazardous and potentially dangerous conditions, we have to look at the situation from Mr Scott’s point of view. The case turned on sensitive personal information, and it is precisely that kind of personal information that the behemoth of the GDPR was created to protect. He had said in a vetting interview with his employer that he had no “issues” in 2016, and if the information that he disclosed in confidence to the charity reached that employer they might consider him to have been economical with the truth, with serious consequences for his future employment. We should also take into account the fact that he decided not to report his symptoms to his GP in the first place. Instead, he turned to the charity for help, presumably because he did not want this information to go into his medical records with a public body, the NHS. People with suicidal thoughts do not invariably go on to commit suicide; instead it is an indicator of clinical depression. It was not for the LGBT Foundation to decide for themselves that they had to save his life by reporting him to his GP.
It seems to me highly artificial to separate the reporting on the telephone from the inevitable manual recording of this information at the GP’s end. What did the charity’s assessor have in mind when she picked up the phone? If she thought that she had to report in the interests of his welfare, no benefit would have accrued to him if the GP had not recorded the details disclosed. If the telephone call itself – which was “processing” under the DPA – did not involve data, because it was oral, at what point did the details of the call become data? Only at the point when they were filed by the third party GP?
By deciding that the disclosure did not involve “data” under the DPA and GDPR the court did not have to determine whether the “vital interests” of the claimant had been involved. Under both the DPA and the GDPR an exception is carved out where the disclosure is “necessary” to protect the “vital interests” of the data subject. As Armstrong points out in that podcast interview, necessity is a high barrier to cross. It is a great pity that a full trial of the merits cannot now take place in order for this important balancing test to be undertaken.
This blog is run by 
“It was not for the LGBT Foundation to decide for themselves that they had to save his life by reporting him to his GP.” But Scott went to them for assistance so were they not obliged to respond and being obliged to respond were they not justified in reporting to Scott’s GP as part of the meaning of that response, i.e. to help the supplicant? In other words was their action in reporting not a consequence of their procedure and justified, given that Scott knew under what conditions they might report? The problem with his employment is interesting since although the statement of the case indicates his claim of financial loss, it does not state that the information provided to the GP was disclosed to the employer or that he lost his job as a result.
My simple reading of this raises the question: if Mr Scott didn’t want any information to reach his GP, why did he write their details on the form? If he had indeed “turned to the charity for help, presumably because he did not want this information to go into his medical records with a public body, the NHS” then he was alive to the issue and surely could have guarded against it simply by keeping that information to himself?
It seems to me that the trial judge didn’t understand that a telephone call is, in fact, a data stream. Voices are converted by a microprocessor into data, which is routed through any number of automated switching systems and fibre-optic transmission circuits before another processor at the other end of the line turns the data stream back into audio.
This would seem to meet the test to fall under the DPA described by the judge – i.e. personal data must be wholly or partly processed by automatic means.
Thanks Rosalind – in both those cases, yes, there is likely to be processing of personal data, although I think it would still be important to establish a) by whom? and b) in what capacity? If in both instances it were the GP doing the recording, I’m still far from convinced that the person making the oral disclosure would be “processing” data.
I tend to think that what you describe as “loopholes” are likely actually merely to be cases where data protection law is not engaged (at least for the person making the oral utterance).
To the extent that there is a public policy issue raised (i.e. people choosing to make oral utterances rather than recorded ones), I’d agree, but – again – to me that merely describes where the limits of the applicable law are met. There is plenty of evidence that people already choose not to write things down which they don’t want disclosed (or otherwise brought into data protection law’s ambit).
Many thanks for your thought-provoking response Jon. May I propose a few hypotheticals in relation to the Scott case?
1. What if the charity worker could not get hold of the GP but left her name and contact number and name of patient she wanted to speak about. Is that enough if it was recorded on the GP surgery to create an electronic record?
2. Also, what about, as is so often the case, telephone calls are recorded for “quality and training” ?
I would argue that the outcome of this case as well as Holyoake could potentially lead to organisations using loopholes where they relay sensitive personal data on the phone.
Disturbing that Mr Scotts livelihood was damaged due to this disclosure. The question might be to what extent his disclosure of personal mental health was sufficient or serious enought to overturn DPA, Confidecnaility and HA/ ECHR Article 8 allowing 8(2). I take it that not evidence was made or given as to the correct assessment of his likely self harm other than the LGBT assessment visa authoirty of opinion, expert evidence. I believe this is the sore basis of a correct Dicta.
It reminds me of a similar case when a client was sent to an NHS mental health unit after discussion with the GP (later called self referral) encorraged by media and goverment advertisment. Similarly it was revealed a long standing suicidal tendency. Without detailing the client felt that the interview was not conducted very well, with little empathy and off a computor form, questions in reportition and when s/he could or would not due to sensitivity failed to answer the interviewer was unable to accept it, lacking any empathy. Later it was disclosed that the interviewer was a trainee. Realizing the impact of the disclosure (as above case) a request was made to remove the data and various levels of deflection were applied. The matter was then referred to the ICO who also failed to act and one can wonder if there was a derigation to the NHS. Upon representation to the local MP the ICO responded with more delays and then the NHS information office replied, after missing the deadline to reply to data enquiries and claimed that the retention period which was set by them was some 8-12 years depending on type but none being specific to the matter at hand, unfortunately.
I will stop hear but you may read in may unanswered questions as to probity.
That this was not processing of personal data strikes me as a wholly unobjectionable conclusion. The author seems to want data protection law to go further than it does. I would argue that a proposition that “data” includes information held in one’s mind would be a rather worrying one. Holyoake v Candy [2017] EWHC 3397 (Ch) is a more interesting case, where Nugee J had to decide whether information orally disclosed, which prior to the disclosure was already recorded, was “processing”, but decided that what was disclosed was “the information in his head, not the information in [the] records, and the fact that the same information could in fact be found in [the] records does not mean that what he was disclosing was that information”. Notably, “it seems to me that the purpose of the Act is to regulate what a data controller does with information stored in a relevant record, and it does not seem consonant with that for the Act also to regulate what a person does with information in his own head that has not been derived from the records” (at 458).