Restrictions on sharing personal, private, and/or confidential information can arise in a range of circumstances.
As a charity you need to be particularly aware of these, not least because they can arise without being clearly understood.
A failure to comply is likely to give rise to reputational damage and Charity Commission involvement.
Breach of confidence
Individuals may be able to bring a claim for breach of confidence if you share their information without their permission.
In order for something to have a legally protected right of confidence a number of tests must be met:
- the information must have the necessary quality of confidence
- the information must have been imparted in circumstances which import an obligation of confidence, for example during a counselling session
- there must be unauthorised use of that information to the detriment of the rights of the holder
A claim may not be successful where disclosure is justified under the public interest exemption – for example, the disclosed information may indicate that the person is a risk to vulnerable people with whom he is likely to have contact.
Human rights protection
Article 8 of the Human Rights Act protects the right of individuals to a private and family life.
This is not an absolute right and it has to be balanced against other rights, for example, Article 10 which gives the right to freedom of expression.
Brexit is not expected to affect human rights law and the European Convention for the Protection of Human Rights is separate to the UK’s membership of the European Union.
Duty not to misuse private information
The duty not to misuse private information is a combination of Article 8 of the Human Rights Act and the duty of confidentiality.
Misuse of private information occurs if you disclose information about someone else when that person had a reasonable expectation of privacy. There is no need for there to be a pre-existing relationship of confidence.
There are situations where you can use private information, for example where the information is already in the public domain.
The GDPR and the Data Protection Act 2018 aim to ensure that people's personal data is used fairly. Any activity using personal data should comply with the data protection principles and must be done under one of the lawful conditions for processing.
As well as risking reputational damage, breaches of data protection law can be a criminal offence.
What can happen if your charity doesn't comply?
If a charity is found to have shared information unlawfully, possible consequences could include:
- an injunction against the charity preventing further disclosure of the information
- a court order that the charity must pay damages if the person has suffered a loss. The courts can also make awards for emotional distress, but these rarely exceed £1,000
- a court order for the deletion of the information from the charity's records
- regulatory action by the Information Commissioner, which could result in a fine
We regularly help clients in navigating these issues so please do contact us if you need assistance.