Charities routinely obtain personal information from clients or service users, often given in confidence and relating to very sensitive matters. Most charities have privacy and data protection processes in place to avoid unauthorised access to such personal information, and to assure clients that their information will be kept secure. But what happens if a charity needs to share personal information with a third party in order to protect someone's welfare?
This was the question that the High Court was faced with in the case of Scott v LGBT Foundation Ltd (LGBT).
What personal information did the charity have?
LGBT provides counselling and health advice. In 2016 Mr Scott filled out self-referral forms to access LGBT's counselling service and he provided his GP's details. He also disclosed recent mental ill health and substance use issues, as well as a previous suicide attempt. The form stated that LGBT would break confidentiality without Mr Scott's consent if there was reason to be seriously concerned about his welfare.
A health worker from the charity conducted an intake assessment for Mr Small and told him about the confidentiality policy, including the provision that any information he disclosed would be passed on if LGBT considered him to be at risk. When he gave further details about his drug use, self-harm and suicidal thoughts, the worker told Mr Small that the charity would be contacting his GP because they had concerns about his welfare. He left and did not use the counselling services.
What personal information was shared?
LGBT contacted Mr Small's GP by phone and disclosed his suicidal thoughts, self-harm and drug use. LGBT explained that they could not offer counselling services until Mr Scott had addressed his ongoing drug use and suggested that he be referred to LGBT's drug and alcohol services. The GP added notes to Mr Small's medical records.
Unfortunately, Mr Small worked as a nuclear safety consultant and his work required high-level security clearances, which included periodic reviews of his medical records. The information on his GP record from LGBT contradicted statements he had made during a vetting interview and he claimed that this had "finished" his career.
Mr Scott brought claims against LGBT for breach of confidence, breach of data protection legislation (then the Data Protection Act 1998), and a claim under the Human Rights Act 1998. He sought damages of £1.8 million.
What did the court decide?
In a result that will be welcomed by charities, the court rejected all three of Mr Small's claims.
First, there was no breach of the data protection legislation because LGBT made the disclosure to the GP over the phone and a verbal disclosure did not constitute processing of personal data – the court rejected Mr Small's suggestion that the information had been "stored" in the health worker's mind. Even so, the court went on to say that the disclosure would have been lawful as it would have been considered necessary in order to protect Mr Small's vital interests, given that he was considered to be at risk of suicide or self-harm.
Second, there had been no breach of confidence as the limited disclosure to Mr Small's GP was permitted in the circumstances. LGBT's referral forms had stated that the charity would disclose confidential information to the GP if it had concerns about welfare and the health worker had reiterated this in the first interview Mr Small attended.
Finally, the court said Mr Small had no claim under the Human Rights Act as the charity was not a "public authority" under the Act. Although it received public funding to deliver some of its services, the services weren't directly funded by any specific provider and the charity wasn't required to provide them on behalf of any public body or funder. In any case, Mr Scott did not have a reasonable expectation of privacy that would have precluded LGBT from making the limited disclosure to his GP for the reasons referred to in connection with the breach of contract claim.
What can charities learn from this case?
Although the case was brought under the old Data Protection Act 1998, which has now been replaced by the GDPR and Data Protection Act 2018, the wording that the court referred to has not changed. On this basis, it is likely that the same result would have been reached if the case had been brought under new data protection laws. This provides some comfort to charities providing confidential services as it confirms that conversations or thoughts held in someone's head won’t fall within the definition of personal data.
This case also stresses the importance for charities of having clear statements regarding confidentiality and, more importantly, the circumstances in which confidentiality may be broken. Charities also need to make sure that front-line staff are trained to draw people's attention to this. Here, the fact that the confidentiality wording in LGBT's self-assessment forms was reinforced by the health worker helped the court to make a finding that the charity had not breached Mr Small's confidence or human rights.