23 Jun 2025

Workplace disclosures: How sharing confidential information can lead to litigation

The disclosure of private, sensitive, or personal information within an organisation or to external parties can lead to unexpected complications. What might seem like routine information sharing among colleagues can increasingly result in complaints, regulatory referrals, or even litigation.

Consider an employee who approaches their line manager with a private health issue and requests confidentiality. While it is natural to want to assure the employee that their disclosure will remain private, such assurances are often neither sensible nor practical.

When employees do not clearly understand when and how confidentiality expectations arise or fail to comprehend the reasons for which such information may be processed under the General Data Protection Regulation (GDPR), errors are likely to occur. While confidentiality obligations can arise in relation to both personal and commercial information, to the extent that any disclosures concern personal data it is crucial for those handling them to fully understand both the rules regarding confidentiality and the GDPR Data Protection Principles.

Understanding confidentiality and data protection

Confidentiality can be imposed in two ways: by contractual agreement or, in certain circumstances, by a common law duty of confidentiality. The latter arises when the situation meets the first two limbs of the test set out in Coco v Clark:

  1. Quality of confidence: The information must have the necessary quality of confidence, meaning it cannot be information already in the public domain. It must be of a type that is likely to be confidential.
  2. Obligation of confidence: The circumstances of the disclosure must import an obligation of confidence.

The nature of the relationship between the parties may readily lend itself to a duty arising – for example, interactions between banker and customer, or priest and parishioner. Should a duty arise, the confidential information must not be disclosed to a third party without legal authority, an overriding public interest, or the consent of the individual to whom the duty is owed. Disclosures in the absence of these factors may result in litigation.

However, litigation is expensive and time-consuming. It may be easier for an affected individual to take an alternative route to complain and potentially seek compensation. The GDPR, which applies to any information contained within an organised filing system including emails, provides such a route.

The GDPR enables an individual whose personal data has been mishandled to both complain to the Information Commissioner’s Office (ICO) - at no cost - and to seek compensation via the courts where damage or distress has resulted. Written confirmation from the ICO that a data breach has occurred or that data has been mishandled can be valuable evidence for a claim, and when armed with such a document, the individual may find that compensation is readily offered without a need to file a claim at court.

Navigating obligations in practice

Returning to our disclosing employee – much will depend on context, and the line manager will need to be able to apply the legal expectations to the facts. What is it that the employee has elected to disclose, and against the background of what policies and procedures? If there is a policy in place that signposts what employee expectations should be in terms of confidentiality, or data processing, care is required to ensure that it is followed.

The line manager will also need to consider who needs to know, and how best they can be alerted to the disclosure. Where the initial disclosure concerns health issues that may impact the employee’s working capacity, safety, or wellbeing, the disclosure is likely to trigger health and safety or other employment-related obligations. As such, the line manager cannot be required to keep the information confidential against the world. Once an organisation is on notice of an issue, it cannot turn a blind eye to it.

The line manager will, however, be limited as to whom they can tell. A duty of confidence may arise vis-à-vis the wider members of the employee’s team, where it would not do so as against the HR function. The GDPR Data Protection Principles will operate to limit further processing of the information. The second data protection principle requires that processing be demonstrably necessary to achieve a lawful purpose, and the third data protection principle requires that any processing be the least possible to achieve the purpose.

Should the line manager intentionally, or inadvertently, fail to comply with these requirements, the employee may have a valid complaint. It would not, for example, be appropriate to share specific details with the employee’s wider team – even if the employee was to be absent from work for a period.

Conclusion

Both employers and employees must navigate a complex landscape of confidentiality obligations and data protection principles. Understanding the legal framework, including the common law duty of confidentiality and the GDPR, is essential to avoid costly litigation and regulatory scrutiny. By fostering a culture of compliance and awareness, organisations can mitigate risks and ensure that disclosures are handled appropriately and lawfully.
