These examples of unlawful data sharing policies (compiled in August 2017) were all rubber stamped a year before the Children and Young People (Scotland) Act 2014 was passed and more than three years before its information sharing provisions (later struck down by the Supreme Court) were scheduled to come into force.
National Child Protection guidance
This was updated in 2014 to embed the wrong (undefined ‘wellbeing’) threshold, contrary to the law as upheld by the UK’s highest court.
2010 guidance: “The safety, welfare and well-being of a child are of central importance when making decisions to lawfully share information with or about them.”
2014 guidance:”The wellbeing of a child is of central importance when making decisions to lawfully share information with or about them.”
- Under present Data Protection law it is perfectly acceptable and lawful for services to share information, where there is an indication that a child’s wellbeing is at risk. [Unlawful in the absence of consent below the significant harm threshold] Under such circumstances consent is not required and should not be sought as the holder of the information can rely on alternative and more appropriate conditions from schedules 2 and 3 of the Data Protection Act 1998. This has been reaffirmed through the publication of advice by the Information Commissioner [who was completely wrong in this regard and was obliged to withdraw the statement following the court ruling and lawyer’s letter].
- If a child’s wellbeing is considered to be at risk, relevant information must always be shared. [Untrue, especially as wellbeing has no precise legal definition and is therefore open to subjective interpretation]
[The infamous ICO memo (which, according to published minutes, had been concocted ‘jointly’ with the GIRFEC team with no legal advice or reference to parliament) had gained universal currency by 2014, so that routine non-consensual data processing of subjectively interpreted ‘wellbeing’ information (later struck down by the Supreme Court) had infected and taken root across agencies more than two years before Parts 4 and 5 of the CHYP Act were due to come into force in August 2016.]
Guidance for teachers on the conduct of teaching relationships, sexual health and parenthood education within the Curriculum for Excellence
Dated December 2014, with the wrong (undefined ‘wellbeing’) threshold embedded.
The right to confidentiality
17. Teachers should be fully aware of children and young people’s right to privacy in the context of disclosures made in the course of RSHP education, and the limits of that right in terms of child protection guidance. The Children and Young People (Scotland) Act 2014 will introduce [premature exhortation!] duties in respect of sharing information likely to be relevant to a child’s wellbeing with a child’s Named Person. These, and the other Getting it right for every child (GIRFEC) provisions in the Act, are scheduled for commencement in August 2016, although the national GIRFEC approach is already operating on a non-statutory basis in some parts of Scotland. Under the GIRFEC approach, all staff should understand the role of the Named Person and the systems in place to report and manage information if they have concerns about a child’s wellbeing. Where a teacher receives information which affects or is likely to affect the wellbeing of a child or young person, relevant information must be shared as appropriate with the child’s Named Person. [This was – and remains – unlawful] When considering whether information should be shared with the Named Person, the views of the child or young person, so far as reasonably practicable, are to be ascertained and considered. In making a judgement about sharing information a child has disclosed, staff must consider if the likely benefit to the child’s wellbeing of informing the Named Person will outweigh any likely adverse effects on a child’s wellbeing of doing so. The information can only be shared where the likely benefit to the child’s wellbeing will outweigh any likely adverse effects on a child’s wellbeing of doing so. If it is decided that in the interests of the child’s wellbeing that information ought to be shared and the child disagrees, the reasons should be explained to them and a record made of the decision. In considering whether information ought to be shared, staff must also consider the wider circumstances, including the legal duties to which they and their employer are subject, for example the Data Protection Act 1998 and the Human Rights Act 1998. The right to privacy is not an absolute right, and where there is a risk to wellbeing, it is acceptable to share confidential information with the child’s Named Person. [It was never acceptable in the absence of consent below the significant harm threshold]
19. In March 2013 the Information Commissioner’s Office issued a statement clarifying that if there is any doubt about the wellbeing of the child and the decision is to share, the Data Protection Act should not be viewed as a barrier to proportionate sharing between agencies. The statement can be accessed at
[UPDATE: Both the National Child Protection and RHSP statutory guidance, accessed January 2019, remain unchanged since the Supreme Court judgment of July 2016 and the subsequent withdrawal of the ICO statement referenced in para 19 above.]
NHS AYRSHIRE & ARRAN
Dealing with consent being refused
In some cases, the individual may refuse to give consent. Unless there are other factors about a person’s ability to understand the implication of refusal, or there is a risk to the child’s wellbeing, in the first instance we must accept the individual’s refusal.
Where doubt about the person’s understanding, or risk exists, we must weigh the balance between the person’s right to privacy and their or others wellbeing and safety, which will be caused by not sharing information. In these latter circumstances, we should consider whether there remains a need and justification to share without consent, despite permission to share being withheld.
Sharing information without consent may be necessary and appropriate under some circumstances such as – When a child is believed to have been abused or their wellbeing is at risk
A link to “full guidance” in the form of a letter dated 8 April 2013 from the GIRFEC Programme Board to Community Planning Partnership Managers references advice from the Information Commissioner “specifically relating to information sharing under existing law where a child’s wellbeing is at risk and the concern is less than that required to trigger child protection procedures”.
In response to a freedom of information request for clarification of its data management protocols, NHS Ayrshire and Arran confirmed that its practice in safeguarding children was guided by the GIRFEC policy and wellbeing indicators set by the Scottish Government.
It said that “when we have concern over whether a child is safe, healthy, active, nurtured, achieving, respected, responsible and included, in order to determine whether there is a child protection issue, we must gather and share information within health and with other agencies (commonly social work, occasionally education)”.
Do I always need to seek consent?
Recent advice from the (United Kingdom) Information Commissioner’s Office has clarified what has been a misconception held by many in relation to the Data Protection Act 1998 and lawful processing.
Extract: “Where a practitioner believes, in their professional opinion, that there is risk to a child or young person that may lead to harm, proportionate sharing of information is unlikely to constitute a breach of the Act in such circumstances.
“It is very important that the practitioner uses all available information before they decide whether or not to share. Experience, professional instinct and other available information will all help with the decision making process as will anonymised discussions with colleagues about the case. If there is any doubt about the wellbeing of the child and the decision is to share, the Data Protection Act should not be viewed as a barrier to proportionate sharing”
(UK) Information Commissioner’s Office (ICO) Letter of Advice 2013 – Information Sharing (Appendix 3)
In such cases, where information will be shared, consent should not be sought, as to do so would give the subject (child or young person and/or their parents/carers) a false belief that they can control the decision, which they cannot.
A PRACTITIONER’S GUIDE TO INFORMATION SHARING, CONFIDENTIALITY AND CONSENT TO SUPPORT CHILDREN AND YOUNG PEOPLE’S WELLBEING for partner agencies across Grampian (Aberdeen City Council, Aberdeenshire Council, Moray Council, Police Scotland and NHS Grampian) (June 2014)
Remember, nothing whatsoever, in Scottish, UK and/or European Law and/or in the Scottish child protection legislative, policy and/or practice environments prevents you from sharing personal information and in some cases sensitive personal information where you are worried or concerned about a child or young person’s wellbeing. On the contrary, you are, within certain limitations and constraints, empowered to do so.
This approach has been further explained, supported and endorsed by Appendices 2 and 3:
(UK) Information Commissioner’s Office (ICO) Letter of Advice 2013 – Information Sharing;
Scottish Government GIRFEC Programme Board Letter of Advice 2013 – Information Sharing.
Glossary (page 23):
Wellbeing – For the purposes of this guidance, Wellbeing is defined as the GIRFEC Eight Indicators of Wellbeing (SHANARRI) – Safe; Healthy; Achieving; Nurtured; Active; Respected; Responsible; and Included, in which all children and young people need to progress, in order to do well now and in the future.
HIGHLAND GIRFEC PRACTICE MODEL
Guidance to practitioners on conditions for sharing information without consent on the basis of concerns ‘in order to improve the child’s wellbeing or the wellbeing of others. (May 2015)
Section 5: Information sharing
“Where a parent is reluctant to agree, the practitioner will encourage parents to consider the relevance of sharing information. The practitioner will monitor the situation and make a judgement as to whether it becomes necessary to share because the practitioner believes that the Named Person or Lead Professional may need to know about the concern and relevant information in order to improve the child’s wellbeing or the wellbeing of others. In such circumstances, relevant and proportionate information should be shared. It is good practice to inform the child and parents of intended actions, unless this could place the child or others at risk or compromise any investigative enquiry.”
Perth & Kinross Council
Information Sharing, Confidentiality and Consent to Support Children and Young People’s Wellbeing
Confidentiality does not prevent you from sharing a worry or concern about a child or young person’s wellbeing – it actually empowers you to do so.
(UK) Information Commissioner’s Office (ICO) Letter of Advice 2013 – Information Sharing.
Scottish Government GIRFEC Programme Board Letter of Advice 2013 – Information Sharing.
The embedding of the wrong threshold in official guidance has caused confusion among professionals and distress to families. Some victims do not know what personal data has been recorded and shared about their children, themselves, other family members and associated adults. Others have been shocked by the disclosures in files they have obtained via statutory subject access requests, yet have had their complaints shut down on the basis of unlawful guidance being endorsed by the ICO.
One parent said: “After reading our records, I now fully believe we are living in a police state in Scotland, where any and every conversation may be reported.”
Another found she had been labelled a “mollycoddling mother” and had her medical records trawled and shared after she complained about her son being assaulted by school staff.
A young mother described a multi-agency meeting she attended (and recorded), where details of her late mother’s tragic death and sister’s mental health were used by professionals, including her son’s teacher, to undermine her own parenting.
A mother of six was twice referred to social work after she declined the services of a health visitor. She was later shocked to find it recorded in her files that she had spent time in a psychiatric unit, which was either a case of mistaken identity or entirely fabricated.
Yet another had to obtain a court order to force the council to hand over her records, which contained instructions not to tell her about multi-agency meetings after she had expressly prohibited information sharing without her prior consent.