Published in the Scottish Review, 16 August 2017. Hyperlinks to sources have been added to aid independent research.
A new, dedicated information-sharing bill has finally been introduced to parliament in a bid to remedy defective sections of the Children and Young People (Scotland) Act 2014 which were overturned by the Supreme Court last July for failing to comply with data protection and human rights laws. The landmark judgment not only cast doubt on the competence of the Scottish Parliament to scrutinise legislation, but also led to questions about the role of the information commissioner, state-funded children’s charities and other vested interests who had resolutely defended the government’s privacy-breaching pet project.
We can only hope that lessons have been learned and that ‘consultation’ this time round is not the pointless exercise that saw legal advice ignored, inconvenient evidence buried and families’ concerns dismissed in order to steamroller through the ill-fated 2014 legislation.
For all the protestations that the aim of the original legislation was legitimate and benign – a point that was neither contested nor ruled upon by judges – it came a legal cropper due to the totalitarian means of its pursuit. Yet the deputy first minister offered no apology for getting it wrong, insisting that a minor tweak would fix a major breach of citizens’ rights. Perhaps it hadn’t yet dawned on him that he been effectively hamstrung by the carefully crafted judgment.
Although John Swinney remains determined to defy public opinion – including 36,000 petitioners – and impose a state guardian on every child from pre-birth to 18, he has been forced to drop data theft from the job description. Powers to enable public and third sector bodies to pass around families’ private information without permission have had to be abandoned, and practitioners will need to be able to justify every instance of data use in order to stay within the law. We are back to that single point of contact that no one ever took issue with – or are we?
Mr Swinney’s refusal to concede that the court ruling did not apply to current policy and practice looks distinctly disingenuous when it is a matter of record that official guidance was amended in 2013 to sanction the sharing of confidential information on the basis of any ‘wellbeing’ concern, as opposed to the legal threshold of ‘risk of significant harm’ to a child. Information sharing for child protection purposes has never been contentious, but wellbeing is a nebulous notion open to subjective interpretation.
More than 200 catch-all wellbeing risks – including being under five, an only child, or even losing the pet hamster – had been prepared by the government to include every child in the ‘at risk’ category, and, by extension, label every parent a risk to their child’s wellbeing. Blurring risk boundaries by shouting ‘child protection’ may well have sold the policy to an unsuspecting public, and indeed an inept parliament, but it was bound to put the most vulnerable children at greater risk by diverting resources from vital social work services.
Remedial legislation aside, we need an explanation as to how illegal information-sharing came to be embedded in public policy more than three years before the proposed powers were due to come into force. According to victims of data misuse, the law is still being openly flouted by services, but complaints have been closed down because current policies permit the passing on of their sensitive information, with or without their knowledge.
Indeed published minutes confirm that the downward shifting of the data sharing threshold from child protection to ‘wellbeing’ – criticised by the Supreme Court as ‘notably vague’ – was orchestrated by the ‘GIRFEC team’, with ministerial approval, and rubber-stamped by the ICO nearly a year before the original bill cleared Holyrood. Given that the ICO agreed to help the government ‘free up the way practitioners share information under existing law’, doubts have also been cast on the ‘complete independence’ demanded of the regulator by the EU Data Protection Directive. In fact this ‘freeing up’ directly contradicted previous ICO advice on the equivalent ‘Every Child Matters’ policy in England, which stressed that ‘approaches used in the context of protection are not assumed to be transferable to the welfare context.’
By early April 2013, Barnardo’s chief executive Martin Crewe, in his capacity as chair of the GIRFEC board, had circulated the new ICO ‘guidance paper’ to all community planning partnerships, giving the green light to predictive data sharing where a child might be ‘on a pathway to risk to wellbeing as well as significant risk of harm.’ This new lower threshold for breaching family privacy was soon quietly incorporated into all public sector policies, including the 2014 update of national child protection guidance. Practitioner training was already encouraging non-notification of data collection and sharing because parents ‘might think they have a choice.’ Meanwhile, existing datasets were being expanded – including the SEEMiS pupil database – to collect wellbeing information about children and their families from different agencies. A named person contributor to the May 2013 AYRshare newsletter confessed that the purpose of this was to monitor children’s lives.
Shortly after the 2014 Act was passed, Martin Crewe was noted in minutes as insisting on the need ‘to move from a permissive to directive approach on information sharing’ amid concerns that some services, notably health, were still reluctant to breach confidentiality unless a child protection issue had been identified. At least some professionals were valiantly trying to hold the line. Unlike the NHS, however, the police and housing were already said to be fully on board, while Fife was hailed as a shining example of how well information sharing had been working in practice under the (definite article) named person scheme just months before the murder of Liam Fee by his mother and her partner. A significant case review into Liam’s death has since found that the named person scheme ‘may have contributed to confusion.’
GIRFEC board minutes further reveal deliberate concealment from the public of the privacy-busting powers built into the named person scheme until they were fully embedded across services, contradicting claims that the policy had been welcomed by parents as they had been kept unaware of its existence.
The timing of the ICO’s advice was also significant as an English judgment issued just weeks earlier had awarded damages against Haringey Council for sharing information without consent in the absence of established child protection concerns. Allan Norman, the lawyer who acted for the parents in that case, later challenged the legality of the data sharing powers in the children and young people bill in a consultation submission on behalf of a Scottish charity, citing the same legislation, case law and ‘totalitarian’ references that would later appear in the Supreme Court judgment.
He wrote at the time: ‘The threshold for compulsory state intervention has hitherto been “significant harm”, a test higher than “harm” and clearly distinguishable from “wellbeing concerns”. Whenever there are significant child protection concerns, there are no legal problems, but compulsory intervention to impose contested wellbeing outcomes will fall foul of data protection principles and the EU directive.’ He also strongly criticised the assistant Scottish ICO for ‘blurring hitherto clear legal concepts’ and for ‘creating the impression that consent is a minority approach’ to information sharing ‘when every legal alternative to consent includes the word “necessary”.’
When the Supreme Court judgment subsequently held that ‘promoting the wellbeing of children and young people’ did not count as one of the exemptions that could justify state interference in family life, it essentially nullified the advice on which current policies and practice are based.
Mr Norman believes the new draft legislation will place professionals directly in the firing line as they will have to work out what the law means in each and every case. He predicts that it will be another disaster ‘if officials and MSPs look for guidance to the same people who didn’t appreciate in the first place that they were getting it wrong.’ Not being one to mince his words, he has also warned: ‘Anyone who believes the Supreme Court ruling applies only to the 2014 legislation fails to understand that the same interpretation of human rights and data protection law must be applied everywhere else – that is how case law works. Similarly, anyone who thinks that current guidance and practice are unaffected by the ruling are not only wrong, but are being misled by people who ought to know better.’
Professor David Anderson from Aberdeen would concur. He only learned how ingrained the culture of state snooping had become when he accidentally discovered the existence of a covertly-created dossier in which doubts were cast on his ‘parental capacity to provide wellbeing.’ Of his own experience he said: ‘Agencies had been gathering and sharing our data with impunity and, when challenged, confidently asserted they did not need permission. Complaints to the ICO were then dismissed on the basis of advice that has since been ruled unlawful. I eventually found out that the ICO had already cooked up a memo that effectively swept away our right to privacy, so we found ourselves in a logical circle, with agencies being encouraged to break the law.’
Internal emails obtained via a freedom of information request have since revealed that UK ICO staff ‘hadn’t the foggiest’ what the Supreme Court ruling meant, while the assistant commissioner expressed his ‘disappointment’ at the outcome. Asked recently about the circumstances surrounding the production of the 2013 advice, the ICO pointed to a statement issued last September, in which local authorities, health boards and Police Scotland were urged to take their own legal advice to ensure their information sharing practices complied with the court ruling. ‘If people feel their information hasn’t been handled in line with the law, they can complain to the ICO,’ a spokesperson said.
Professor Anderson is not the only one being sent round in ever-decreasing circles.