Check what’s on your record with a subject access request

Re-blogged from Leahurst66

After last week’s landmark Supreme Court ruling (which was covered in this post), families across Scotland began to realise that their personal data may well have been collected and shared without their knowledge or consent in line with current advice from the Scottish Government that has been held to be unlawful.

This statement still appears on the government’s website, although the section is said to be under review:

Current data protection principles and privacy laws already permit information sharing where it is necessary to prevent or address a risk to wellbeing. These laws apply to all existing information management and data processing by public bodies and those who provide services on their behalf. [emphasis added]

The ‘advice’ they have been relying upon, in the form of a memo from the Assistant Scottish ICO which had been produced (according to publicly available minutes) at the request of the now-defunct GIRFEC Programme Board, was published and ‘cascaded’ nationwide in 2013 to facilitate the free flow of information between agencies on the basis of a subjectively perceived ‘wellbeing’ risk to a child, as opposed to meeting the legal risk threshold of ‘significant harm’ (a threshold which had been upheld the same year in the Haringey judgment).

As GIRFEC board minutes from February 2013 noted:

A joint statement has been agreed with the Information Commissioner’s Office which should help clarify situations where a child was on a pathway to risk to wellbeing as well as significant risk of harm. The statement should free up the way practitioners share information under existing law. However there were concerns on how best to disseminate the message in a way that did not produce an adverse reaction for stakeholders. [emphasis added]

Apart from the obvious point that a regulator should work independently of government, the Supreme Court has now held that ‘wellbeing’ is not statutorily defined in the Children and Young People (Scotland) Act 2014, and that the SHANARRI indicators used to assess it are far too open to subjective interpretation. It is therefore inevitable that, on the basis of unsound ‘advice’ sanctioned by the government, an unknown number of families have already had their Article 8 and data protection rights breached and should have an entitlement to redress. In some cases reported by parents to support groups and/or shared with journalists, this unlawful processing of data has caused significant harm to families’ lives, especially in cases where sensitive personal data, such as a parent’s mental health history, has been disclosed to multiple agencies without consent, then used to coerce or undermine parenting decisions and intrude into family life.

Attention is now turning to the possibility of legal action, for which families will need to gather evidence if they are to proceed. Some have been routinely recording all telephone and face-to-face contacts with professionals and have kept meticulous records which demonstrate beyond doubt that their data has been unlawfully processed. However, despite having firm evidence of ultra vires activities on the part of some (by no means all) professionals, they lacked the wherewithal to seek judicial review, the only available route to redress, due to the legal costs involved. Now it is to be hoped that some form of collective action can be initiated by those whose rights have been infringed – perhaps by using a crowdfunding platform, pro bono services or no-win, no-fee lawyers. It is all horribly reminiscent of PPI mis-selling and every bit as scandalous.

NO2NP published an explanatory blog post earlier this year which warned of the growing problem of information-sharing without consent on the basis of any wellbeing concern (now ruled unlawful). From Kayley Hutton’s story in Perth and Kinross to Meave Gallagher’s more recent experience in North Ayrshire, there is obviously an ingrained culture of non-consensual data-mining and data-sharing across agencies, not to mention the worrying data security lapses that are regularly reported in the media.

Parents are now being advised by NO2NP and grass-roots support groups to submit statutory subject access requests (SARs) to find out what has been recorded about them, their children and other family members, and what may have been shared without their knowledge or consent. The ICO website explains how to make a subject access request under the Data Protection Act 1998 (a UK-wide Act), so that ‘data subjects’ can obtain all the records held on them by organisations they have dealt with.

I sent the following response to a parent who contacted me via Twitter to ask how and to whom her SARs should be sent. I hope it might also be helpful to others.

Your subject access requests (plural) should be sent to the data controllers of any organisations you believe hold your personal data or that of your children. Young people aged 12+ should send their own SARs or countersign the parental request for their personal information.

If you aren’t sure who the data controller is, you can call and ask, find the details on the organisation’s website or simply address the SAR to the data controller, making it clear that your request is being made and should be dealt with under the terms of the Data Protection Act 1998. They will need to be satisfied as to your identity as the data subject or his/her representative in the case of a minor. They have 40 days to comply (with a few exceptions).

Organisations which ‘process’ (i.e. gather, store, edit, share or delete) your data may include your local authority, school, nursery, college, NHS services (e.g. health board, GP, dentist, health visitor, hospital consultant, CAMHS), police (if any involvement, even as a victim or reporter of a crime), private providers such as childminders, third sector organisations (e.g. housing association) or charities (e.g. Barnardo’s school-based projects). Some may have shared your private information without your knowledge or consent as required by law.

You should ask for copies of all GIRFEC-related records, including SHANARRI wellbeing assessment forms and chronologies, along with data that is held electronically (including everything from the SEEMIS pupil database and shared systems such as Ayrshare). Be specific about what you want from each organisation and give them dates to work with. There may be a charge for some records, but it should not be excessive.

You may also want to instruct organisations to add a note to your records and those of your child(ren) to the effect that your/their personal data may not be shared without express written consent and that you will be submitting regular SARs to ensure compliance with your instructions.

Once you receive your records, which may be partly redacted to remove third parties’ details, take time to scrutinise the information and make a note of any inaccuracies and any instances of data sharing that has been done without your knowledge or consent. Hopefully NO2NP will provide guidance on the next steps for those families who find their rights under the ECHR and Data Protection Act have been infringed and who wish to take matters further.


