Entrance to RPC building - dark

Data regulation and oral communications

Published on 07 August 2020

David Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB) (3 March 2020)

The question 

Are oral communications caught by the Data Protection Act 1998 (DPA)? 

The key takeaway 

The UK High Court ruled oral disclosures (in this case provided during a telephone call) do not constitute “data”, for the purposes of the DPA 1998, and consequently do not fall within the scope of the General Data Protection Regulation (GDPR) that has now superseded it.

The background

The LGBT Foundation (the Foundation) is a charity which provides a wide range of services including counselling, as well as advice in relation to health and wellbeing. In 2016, the claimant, Mr Scott, referred himself to the Foundation and disclosed details of his substance use and self-harm. Following an initial assessment meeting with Mr Scott, the Foundation shared that information with Mr Scott’s GP practice over the phone, due to concerns for Mr Scott’s welfare. While the call was entered into the GP’s records, no documents or written records were shared with the GP by the Foundation, and communications with the GP practice were entirely verbal.

The Foundation’s confidentiality policy (which was set out in a self-referral form that Mr Scott had filled in before his initial assessment with the charity) provided that if there was a reason to be seriously concerned about welfare, the Foundation may need to break confidentiality without seeking consent.

Mr Scott’s claim was that the oral disclosure by the Foundation to his GP practice was: a breach of the DPA 1998; a breach of confidence at common law; and contrary to the Human Rights Act 1998. The Foundation sought summary judgment and/or a striking out of the claims.

The decision

The DPA 1998 was in force at the time of the disclosure. It was repealed with effect from 25 May 2018 and replaced by the GDPR and the Data Protection Act 2018. It was held that an oral disclosure of information did not breach the DPA 1998 and the claim should be struck out. The Court made it clear in its decision that the definition of “data” under the DPA 1998 is limited to information that is recorded electronically or manually, it does not extend to oral information. The Judge agreed with the Foundation that a claim under the DPA 1998 could only arise where there had been processing of “personal data” which, to satisfy the definition in s 1 of the DPA 1998, must be recorded in either electronic or manual form. As such, a verbal disclosure did not constitute the processing of personal data, and thus could not give rise to a claim under the DPA 1998. 

The court considered that, even if the disclosure had constituted data processing, the Foundation’s disclosure was necessary to protect Mr Scott’s vital interests, which meant that the Foundation could have relied on an exception to the general restriction to processing of sensitive personal data in any event.

Mr Scott’s other claims were also struck out. Although a duty of confidence was owed to Mr Scott, this confidentiality always had a “carve out” attached to it permitting the very limited disclosure to his GP that Mr Scott was made aware of. The Foundation was also not a public authority for the purposes of the Human Rights Act 1998, and there was no reasonable expectation of privacy in the context to engage Article 8 ECHR either. If there was an interference, it was justified, as it was made with a view to his GP helping to reduce his risk of suicide or other substantial self-harm. 

Why is this important?

In reaching the conclusion that oral disclosure does not contravene the DPA 1998, the Court referred to Article 2(1) of Directive 95/46/EC of the Data Protection Directive (implemented by DPA 1998). This Article essentially states that the relevant personal data must be processed by automated means or form part of a filing system or be intended to form part of a filing system. The same provision is quoted almost word for word in the GDPR and as such the position that verbal communication does not constitute data processing would very likely apply under the current data protection regime.

Any practical tips?

This case should serve as a valuable and timely reminder to consumers to read terms and conditions to ensure awareness of what can, and may, be done with personal information/data. 

Additionally, businesses should consider looking at their policies and training materials to ensure that the notion of what constitutes “data” for the purposes of processing personal data has been correctly understood.