Disclosure of information to GP: not “data” under GDPR
12 August 2020
The High Court has struck out a claim that the disclosure of certain personal information made by a charity to the claimant’s GP was unlawful. Although only summary, this judgment goes to the heart of what we believe data protection to be about. As you will tell from my somewhat trenchant comments at the end of this post, I find it difficult to accept the main conclusion in this ruling.
The LGBT Foundation provides services including counselling and health advice. The claimant sought to access the charity’s services by completing a self-referral form in 2016. The form gave an option for the self-referring individual to consent to information being disclosed to their GP, and stated that the charity would break confidentiality without the individual’s consent if there was reason to be seriously concerned about their welfare. Mr Scott gave his GP’s details in the form. He also stated in the form that he no longer wished to be alive, detailed a previous suicide attempt, said that he had recently been self-harming and that he continued to suffer problems from drug use.
A sessional health and wellbeing officer at the charity conducted an intake assessment for Mr Scott to ascertain what support would be best for him. She told him of the confidentiality policy, including the provision that any information he disclosed would be passed on if the charity considered him to be at risk. In this interview he gave further details of drug use, self-harm and suicidal thoughts. The health officer paused the assessment and consulted a colleague, who advised her to inform Mr Scott that they would be contacting his GP because they had concerns about his welfare. The charity concluded it was at that time unable to provide him with the services he sought from them because of his ongoing drug use. They passed the information on to Mr Scott’s GP via a telephone call. This information was in due course recorded in his medical records.
Mr Scott claimed that the disclosure had caused him distress and substantial financial loss. He is a safety consultant with a nuclear installation and had high level security clearances. If, as part of the vetting process for his position, his medical records were inspected, and his personal issues came to light, he might be denied this clearance and he would be unable to work in the nuclear energy industry. Disclosure of this information would contradict statements he had made in a vetting interview, meaning he would be seen as not being frank. He brought a claim under the Data Protection Act 1998, a claim in breach of confidence, and a claim under Article 8 of the Human Rights Act 1998.
Saini J struck out his claim under the DPA Act 1998. The Act did not apply to purely verbal communications. A claim under it could only arise where there had been processing of “personal data”. Under the Act, for information to be considered “data” it had to be recorded, in either electronic or manual form (Durant v Financial Services Authority  EWCA Civ 1746). A verbal disclosure did not constitute the processing of personal data, so could not give rise to a claim under the Act. This basic point was also clear from Article 2(1) of Directive 95/46/EC, which the DPA implemented:
This Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system.
Mr Scott argued that the information had been “stored” in the health officer’s mind with a view or intention to it being put into an automated record/filing system in due course, and therefore it was “data” as defined in the DPA. The judge rejected that submission. It did not fit within the DPA scheme. It may be unfair, but oral transmission of information is not what the DPA is concerned with:
it is a very specific scheme based around records and processing. There are other areas of law (in particular, the law of confidentiality) which are the appropriate vehicle for making such complaints if they are well-founded. [para 63]
The LGBT Foundation submitted that even if the DPA applied to the disclosure, the disclosure was itself lawful under the DPA. It argued that the disclosure satisfied condition 4 within Schedule 2 to the DPA which provides as follows:
“The processing is necessary in order to protect the vital interests of the data subject.”
The judge accepted this argument. On the facts facing the charity, it could not reasonably have been expected to obtain the claimant’s consent. In particular, those facts demonstrated that Mr Scott was considered to be at a material risk of suicide or other substantial self-harm, and he had already been informed that such disclosure could be made without his consent in such circumstances (and he had gone ahead with the intake assessment with such knowledge). Although he argued that he had not been at imminent risk, there was no view for reading a qualifier as to imminent risk into the “vital interests” conditions under the Act. In any event, a reasonable professional faced with the facts disclosed to the health officer would find the risk imminent enough to at least make a limited notification to a healthcare professional.
The judge accepted that the charity “undoubtedly” owed a duty of confidence to the claimant. But Mr Scott had a qualifier to confidentiality, or “carve out”, which permitted the very limited disclosure to his GP. The referral forms had stated that the charity would disclose confidential information to an individual’s GP if it had concerns about their welfare. The health officer had made that clear to Mr Scott. She had later told him that she would be contacting his GP and he had done nothing to prevent her.
In my view the referral forms are not to be read as contractual instruments and as a matter of practical commonsense they are indicating to the user that there might, in extreme circumstances, be a breaking of confidentiality if that is needed to help the individual “stay safe” (the words used in the referral forms, as I have cited above). The individual seeking the Foundation’s assistance would know that a limited disclosure (that is, only to a GP in this context) might take place in such pressing circumstances, even if he or she did not agree or indeed was not even asked for consent. [para 83]
The court also concluded that he had no claim under the Human Rights Act, as the charity was not a “public authority” within section 6 of the Act. The claimant contended that LGBT Foundation was funded primarily by government grants and contracts to provide advice and support to lesbian, gay, bisexual and trans communities. The judge rejected this argument. Although it received public funding to deliver some of its services, Mr Scott had not in fact accessed any of its services, only having attended an intake assessment. Intake assessments were a service devised and implemented internally; they were not directly funded by any specific provider and the charity was not required to provide them on behalf of any public body or funder. The services of public benefit the charity provided and the public funding it received did not make it a public authority.
Nor did the case law on “hybrid” public authorities support the claimant’s case. The LGBT Foundation was not a hybrid public authority. It delivers services of public benefit and it receives some public funding, but such factors were insufficient to make an entity a public authority. Of importance was that LGBT Foundation has no statutory powers, duties or functions (not even matters being delegated to it by true public authorities), and was not in any way “governmental”.
It is simply a charity which, like many such bodies, attracts public funding in addition to funds from other sources. The fact that it helps members of the public on health issues takes matters no further.[para 94]
As to the merits of the Article 8 claim, the judge concluded that Mr Scott had no reasonable expectation of privacy that precluded LGBT Foundation from making the limited disclosure, for the same reasons that he found in relation to the claim for breach of confidence. The disclosure was in accordance with the law, in other words, it involved no civil wrong. Had he been required to decide the point, Saini J would have been inclined to determine that the disclosure was justified under Article 8(2) ECHR in the interests of Mr Scott, as it was made with a view to Mr Scott’s GP helping to reduce his risk of suicide or other substantial self-harm.
The judge therefore granted the summary judgment application and struck out all of the causes of action.
This seems to open up one very big can of worms
says data privacy expert Jonathan Armstrong in his discussion with Tom Fox on Fox’s podcast Life with GDPR “Verbal Reporting under GDPR”. I have to confess that I hope that can will indeed open, if Mr Scott decides to appeal the strike out.
Regarding Mr Scott’s claim that the disclosure threatened his future in the nuclear energy industry, whilst we don’t want seriously fragile people working in hazardous and potentially dangerous conditions, we have to look at the situation from Mr Scott’s point of view. The case turned on sensitive personal information, and it is precisely that kind of personal information that the behemoth of the GDPR was created to protect. He had said in a vetting interview with his employer that he had no “issues” in 2016, and if the information that he disclosed in confidence to the charity reached that employer they might consider him to have been economical with the truth, with serious consequences for his future employment. We should also take into account the fact that he decided not to report his symptoms to his GP in the first place. Instead, he turned to the charity for help, presumably because he did not want this information to go into his medical records with a public body, the NHS. People with suicidal thoughts do not invariably go on to commit suicide; instead it is an indicator of clinical depression. It was not for the LGBT Foundation to decide for themselves that they had to save his life by reporting him to his GP.
It seems to me highly artificial to separate the reporting on the telephone from the inevitable manual recording of this information at the GP’s end. What did the charity’s assessor have in mind when she picked up the phone? If she thought that she had to report in the interests of his welfare, no benefit would have accrued to him if the GP had not recorded the details disclosed. If the telephone call itself – which was “processing” under the DPA – did not involve data, because it was oral, at what point did the details of the call become data? Only at the point when they were filed by the third party GP?
By deciding that the disclosure did not involve “data” under the DPA and GDPR the court did not have to determine whether the “vital interests” of the claimant had been involved. Under both the DPA and the GDPR an exception is carved out where the disclosure is “necessary” to protect the “vital interests” of the data subject. As Armstrong points out in that podcast interview, necessity is a high barrier to cross. It is a great pity that a full trial of the merits cannot now take place in order for this important balancing test to be undertaken.