Confidential information and subject access disclosure
In February 2021, the High Court handed down judgment London Borough of Lambeth v AM (No. 2) [2021] EWHC 186 (QB), in which Browne Jacobson LLP acted for the Claimant Council. The judgment is critical reading for public bodies who are required to take action to restrict the use of confidential information in circumstances where that information has been inadvertently disclosed to a third-party.
In February 2021, the High Court handed down judgment London Borough of Lambeth v AM (No. 2) [2021] EWHC 186 (QB), in which Browne Jacobson LLP acted for the Claimant Council.
The judgment is critical reading for public bodies who are required to take action to restrict the use of confidential information in circumstances where that information has been inadvertently disclosed to a third-party. This is most common in response to a request under either the Data Protection Act 2018 or Freedom of Information Act 2000.
Breach of confidence is a complex area of the law. However, the important lesson for public bodies is that steps that can be taken to protect confidential information that has been disclosed to a third-party either by mistake, or due to the improper conduct of a third-party.
London Borough of Lambeth v AM (No. 2) [2021] EWHC 186 (QB)
The background to this case concerned a referral made by the Defendant’s sister (HJ) to the Council’s children’s services department in confidence, under condition of anonymity, in respect of the Defendant’s daughter. After the referral was eventually closed, the Defendant made a subject access request to the Council for a copy of the file held by children’s services.
Unfortunately, the Defendant was able to uncover the confidential information that had been redacted by the Council by copying and pasting the file into Microsoft Word. The Defendant discovered HJ’s identity and threatened to use the confidential information to bring a claim against her for defamation, harassment and various other torts.
The Council commenced a claim for breach of confidence, to restrain the Defendant from using the confidential information. The essential ingredients of the tort of breach of confidence are: (1) the information is confidential; (2) it was imparted to import an obligation of confidence; and (3) there has been or will be an unauthorised use of that information to the detriment of the party communicating it.
Following an interim injunction obtained on behalf of the Council, the matter was set down for an eight-day trial in July 2020. The Defendant’s position was that even if the tort of breach of confidence was made out, he relied on the public interest of iniquity on the basis that his sister had been acting with malice when making the referral. Also, the Council had been a ‘bad actor’ due to the manner it had assessed the referral and handled his personal data (the latter argument was struck out at an interim hearing).
In a detailed judgment, Mr Justice Pepperall held that HJ’s identity was confidential information because of the wider public interest in encouraging members of the public to come forward to help the authorities to protect children. This protection did not come to an end because either the Defendant’s own personal data was involved, or the Council had closed its investigation by the time of the disclosure.
It was clear on the evidence that the Council had attempted to keep HJ’s identity confidential, and the Defendant was aware of that. A duty of confidence will be imposed where obviously confidential information is obtained by design, such as where an individual obtains the information improperly or surreptitiously, or by chance, such as where the document is dropped in a public place and picked up by a passer-by.
While detriment to the referrer of information is required in a claim by a private litigant, the position is different for public bodies. They must establish that the public interest will suffer detriment if an injunction is not granted. In this case, there was no doubt that it was in the public interest to enforce the confidentiality of the identity of an informant who reports their concerns about the care, health and development of a child to the relevant council. Indeed, a failure to do so would undermine public trust in a council’s ability to protect the confidentiality of future informants and therefore put at risk the authority’s effectiveness in protecting the children within its area. The importance of ensuring the protection of both vulnerable children and those raising safeguarding concerns was clearly a fundamental consideration in the judgment.
Even if the referrer had acted maliciously, this alone would not be sufficient to constitute a defence in the public interest, as the public interest also protects untruthful or malicious informants. It is necessary to consider whether the conduct of the informant outweighs the powerful public interest in respecting the confidence of those who make anonymous referrals to a local authority. However, in this case there was no public interest defence because the evidence did not establish that HJ had acted with any malice when making the referral. HJ was found to be a reliable and honest witness, motivated by concern for the child’s wellbeing.
For these reasons, the Court concluded that the Defendant had breached the duty of confidence owed to the Council and therefore the Council was entitled to final injunctive relief to prevent the Defendant from using the confidential information.
This case reinforces that the courts can, and will, prevent the use of information acquired from public bodies, particularly in circumstances where to allow its use would undermine fundamental principles of confidentiality. It provides reassurance to public bodies that where information is acquired from them steps can be taken to prevent that information from being shared more widely.
First published in the Alarm Journal - Stronger in July 2021.
You may be interested in...
Online Event
Shared Insights: Data and Information Governance Issues
Legal Update
Update on data protection claims - Austrian Post Case
Press Release
Browne Jacobson launches specialist Ascensus programme for in house lawyers and business leaders
Legal Update
Government to expand network and Information systems regulations
Opinion
Mopping up after a leak – how businesses can take steps to protect their confidential information
Legal Update
UK Government publishes the Online Safety Bill: an overview
Legal Update
Cyber security and data breaches
Legal Update
Update on the Digital Services Act (“DSA”) – Important Dates and Deadlines Looming
Legal Update
The rising number of cyber-attacks
Legal Update
The continued threat of piracy in Southeast Asian waters
Legal Update
Government publishes its proposals for expanding the Scope of the Network and Information Systems Regulations 2018
Published Article
Reaching cloud nine? Public procurement for cloud-based services
Legal Update
Protecting children and their data in the online environment
Legal Update
‘Big Game Hunting’ – the new face of cyber extortion?
Published Article
Bruce Willis AI and the problem with deepfakes
A deepfake of Bruce Willis is advertising Russian mobile phones. Many great artistic and metaphysical questions are raised by this performance. However, this article is going to look at the intellectual property law implications, from a UK perspective.
Legal Update
DSA approved: Targeted Advertising Rules explained
The Digital Services Act (the “DSA”) has today (27 October) been given the go-ahead by the EU Council and will enter into force by early 2024.
Legal Update
Economic crime and cybercrime
It is clear that the digital landscape, often termed cyberspace, is a man-made environment, in which human behaviour dominates and where technology both influences and aids our role in it — through the internet, telecoms and networked computer systems, which are often interdependent. The extent to which any organisation is potentially vulnerable to cyber-attack depends on how well these elements are aligned.
Legal Update
Let’s be direct – doubly so
Legal Update
The Ukraine War: Aviation and cyber issues
Legal Update
Data reform in the UK
Since the UK left the EU and are now able to move away from the EU data protection regime, the UK government have implemented a national data strategy with the aim of reducing the burden on organisations but maintaining a high data protection standard.
Legal Update
Are local authority companies subject to the Freedom of Information Act 2000?
In this article we look at local authority companies and whether they are subject to the Freedom of Information Act 2000. And for those that are, what information are they legally obliged to submit.
Legal Update
Digital Markets Act and Data Platforms - FRANDs for life?
The Digital Markets Act (the “DMA”) joins the dots between competition law and data protection law and actively targets data-driven platforms. It is also a comprehensive regulation to take note of, with familiar GDPR-style fines tied to turnover.
Legal Update
Avoiding the pitfalls of WhatsApp
The use of social media platforms and applications can have overwhelmingly positive benefits for public bodies. However, regulatory action recently taken by the Information Commissioner, has highlighted various pitfalls that public bodies should seek to avoid if allowing staff to use social media as a communication tool.
Legal Update
The physical consequences of cyber attacks
Legal Update
ICO consultation on research provisions guidance
The data protection legislation (namely, the UK GDPR and Data Protection Act 2018) contain various provisions that deal with the processing of personal data for research purposes.
Legal Update
More good news for data controllers: High Court finds local authority not vicariously liable for the actions of social worker who went off on a "frolic of her own"
Public bodies will be pleased to hear that another significant court decision (Ali v Luton Borough Council [2022] EWHC 132 (QB)) has been made that is favourable to data controllers.
Published Article
Five top tips for strong data compliance in 2022
This article has five excellent top tips for strong data compliance in 2022, including; embracing near misses, leading from the top, outcomes-focused training, learning walks, consequences.
Legal Update
Stemming the tide of data breach claims: good news for data controllers
The cases summarised give considerable comfort to data controllers seeking to defend themselves against claims that relate to breaches arising as a result of a failure rather than a direct act and/or are based on assertions of damage or distress that are exaggerated, unsubstantiated or bear little relation to the breach itself.
Press Release
Reaction: Supreme Court rules in favour of Google
The Supreme Court has unanimously overturned the Court of Appeal’s 2019 decision in the case Lloyd (Respondent) v Google LLC (Appellant) which allowed the claimant, Mr Lloyd, to serve a representative action on Google on behalf of over four million iPhone users who were seeking damages for ‘loss of control’ of personal data.
Legal Update
What are the requirements of cookie law
Cookies and similar technologies are a useful and often necessary tool for online businesses, but their use is governed by both the Privacy and Electronic Communications Regulations (PECR) and the GDPR.
Legal Update
Steps to take following a data breach: reporting, criminal charges and injunctions
Student and staff files will be full of personal data, much of which may be particularly sensitive such as health information (known under the data protection legislation as “special category” data).
Published Article
Confidential information and subject access disclosure
In February 2021, the High Court handed down judgment London Borough of Lambeth v AM (No. 2) [2021] EWHC 186 (QB), in which Browne Jacobson LLP acted for the Claimant Council. The judgment is critical reading for public bodies who are required to take action to restrict the use of confidential information in circumstances where that information has been inadvertently disclosed to a third-party.
Legal Update
Lloyd v Google – what next?
The Supreme Court’s pending decision could potentially open the floodgates for data privacy litigation going forward.
Training
Claims club - 16 June 2021
Watch our on-demand video for our popular Claims Club where we discussed the risk of data sharing, risks in a changing climate, highway claims and what we can see on the horizon.
Legal Update
High Court grants local authority injunction to prevent breach of confidence
This judgment is critical reading for public bodies who need to take action to restrain the use of confidential information in circumstances where that information has been inadvertently disclosed to a third party.
Legal Update
Brexit - now what for data protection law?
UK organisations need to comply with the UK GDPR and continue to be subject to the EU GDPR where EU data is being processed, so there may be two versions of the GDPR to comply with for some personal data processing.
Legal Update - Shared Insights
Shared Insights: Confidentiality and medical records
We talk about the key legal principles that apply when processing requests for access to confidential information and gave some practical tips on how to deal with issues that might arise when Trusts are dealing with complex information requests.
Legal Update
Health care apps – Part 1 of 2: Exploring the ins and outs of intellectual property (IP)
The adoption of smart technology solutions by the health and care sector has exploded in 2020. The pandemic has driven the sector to increase its use of smart phone technology solutions (“Apps”), an example of which is conducting video consultations and assessments.
Guide
Brexit overview: your use of data and Brexit
Despite the lack of clarity around Brexit, there are key data issues that can be addressed now. We can help you with the steps you need to take to mitigate the risks.
Legal Update
Corporate transparency and register reform: Government response now published
In May 2019 the Government consulted on a range of options to enhance the role of Companies House and increase the transparency of companies and other legal entities. On 18 September 2020 BEIS published the Government's response following a huge response to the consultation.