Oral disclosure – is it a data breach?

No, said the High Court in David Scott v LGBT Foundation Ltd [2020] EWHC 483 (QB) (3 March 2020). The court ruled that oral disclosures do not qualify as ‘data’ and do not fall within the scope of data protection laws. 

The facts of the oral disclosure case:

  • The LGBT Foundation is a charity that provides providing a wide range of services including counselling.
  • Mr Scott referred himself to LGBT and he disclosed his substance abuse and self-harm during an assessmemt.
  • The charity was concerned about his significant risk of suicide or other substantial self-harm.
  • Because of this concernt, the charity called Mr Scott’s GP and shared this information with the GP over the phone.
  • The call was entered into the GP’s records, but no documents or written records were shared with the GP by the charity and the communication wasentirely verbal.
  • The charity had a policy. which was set out in the self-referral form, that they would break confidentiality without consent if they had a serious concern about an individual.

The data breach claim:

Mr Scott claimed that the oral disclosure by the charity to his GP practice was a breach of the Data Protection Act 1998, among other things. 


The ruling:

The DPA 1998 was in force at the time of the disclosure. It has since been repealled and replaced by the Data Protection Act 2018 and the UK GDPR.

The court held that an oral disclosure of information did not breach the DPA 1998 and the claim should be struck out. The Court made it clear in its decision that the definition of “data” under the DPA 1998 is limited to information that is recorded electronically or manually, it does not extend to oral information.  The court said that “this Directive shall apply to the processing of personal data wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended to form part of a filing system”.  

The court went on to say that even if the DPA 1998 were to apply to the disclosure, the disclosure was lawful because it was necessary in order to protect the ‘vital interests’ of Mr  Scott  — he had a high risk of suicide or other substantial self-harm.

So, is oral disclosure a data breach?

Oral information is not ‘data’ under the UK GDPR or the DPA.

An oral disclosure, therefore, is not a data breach.

Worried about your data protection in the workplace? Contact us

If you’re wondering how you can protect your data, want to ensure you are GDPR compliant, or just want to chat, get in touch with us today.


Share This

Share this post with your friends!

Share This

Share this post with your friends!