The adoption of certain new amendments by the House of Commons this week is a hugely promising development for child protection and adult safeguarding professionals.
For too long, safeguarding professionals have felt nervous or, worse, constrained by data protection law in how they are able to process and share often highly sensitive personal information – physical and mental health, sexual life, criminal allegations – concerning either children or adults at risk, or persons of interest who might pose a risk.
Whilst Farrer & Co has always sought to advise that any material safeguarding concern should trump data protection concerns, the grounds to support these decisions legally – whilst usually there – have not always been as clear-cut as this sector would wish them to be. This now looks set to change when the final text of the Data Protection Bill is agreed, and brought into law as a new UK Data Protection Act 2018 to sit alongside the General Data Protection Regulation (GDPR).
Many professionals had assumed that GDPR would make their job harder in terms of child and adult at risk protection. This was perhaps justified in terms of the requirement for additional paperwork – namely, the need to document processing activities and decisions, and create appropriate policy documents around use of "special category" data (although of course this was already good practice). However, the most important decisions around how to allow for uses of personal data in the public interest were always left to Member States to determine. This is where the Data Protection Bill comes in.
How does the Data Protection Bill affect safeguarding?
The Bill has, since early drafts, contained a new category of "child abuse data" (not applicable to Scotland) which was defined as "personal data consisting of information as to whether the data subject is or has been the subject of, or may be at risk of, child abuse". Child abuse is defined as physical injury (other than accidental injury) to, and physical and emotional neglect, ill-treatment and sexual abuse of, an individual aged under 18. However, the ambit of these provisions was disappointingly narrow in the sense that it was limited to where requests were made by authorities, and provided for protective steps under subject access requests if disclosing personal data was not in the best interests of the data subject.
The new amendment 85, adopted by the House of Commons Public Bill Committee on Tuesday 13 March, goes further in empowering organisations – in the course of their own activities and judgment – to process personal data for safeguarding purposes lawfully, without consent where appropriate. This will be welcome news for schools, charities and volunteer organisations, religious organisations and sports clubs and governing bodies alike.
What does the amendment say?
In summary, it provides for a lawful ground for the processing of special category personal data – without consent if the circumstances justify it – where it is in the substantial public interest, and necessary for the purpose of:
(i) protecting an individual from neglect or physical, mental or emotional harm; or
(ii) protecting the physical, mental or emotional well-being of an individual
where that individual is a child or an adult at risk (as defined in the Bill, but consistent with the expected definitions of, respectively, under 18 or having needs for care and support, experiencing or at risk of neglect or any type of harm, and unable to protect themselves).
It should be stressed that the amendment still expects the possibility of obtaining consent from an individual to be considered (and in these circumstances it would have to be explicit). However, if in the circumstances the consent cannot be given, or the data controller cannot reasonably be expected to obtain it – notably because obtaining it would prejudice the safeguarding purpose (i.e. the protection of the individual) – then the ground applies.
When does it apply?
Whilst the bar looks high on paper, it is worth noting that "necessary" in this context is nearer to "reasonably" necessary than strictly or absolutely necessary: it is more a question of whether the use of the personal data is proportionate to the lawful aim.
Including the "substantial public interest" test was necessary for UK lawmakers simply because that is the gateway expressly required by GDPR to make the derogation from the EU legislation. It does not mean Parliament is trying to impose a restrictive bar: it means that Parliament has already decided, as GDPR allows, that safeguarding qualifies for this test. It may reasonably therefore be assumed that the law intends any material or justifiable step to protect individuals at risk to be considered as being in the substantial public interest.
Time will tell whether organisations may be able to rely on the ground for broader protective purposes of those in their care, such as imposing drug testing (which will involve processing biometric and medical data), that clearly engage welfare issues but also have ancillary purposes such as disciplinary action. Those in sports already have specific anti-doping grounds under the Data Protection Bill that those in (say) education and charities do not, so it will be interesting to see if the substantial public interest test can be met in this regard.
Are there any other relevant developments?
There is a related amendment 86 (where processing health data is necessary to protect an individual's economic wellbeing) and an amendment 83 for not-for-profit bodies concerning support for individuals with a particular disability or medical condition and their carers or relatives.
It is worth noting that, as currently drafted, the amendment concerns special category data (including physical and mental health or sexual life) but not criminal records information, which is now to be treated separately. However, there may be separate grounds available in that regard under the sections of the Bill concerning criminal records information.
There is also another potentially relevant new "substantial public interest" amendment 81, where processing is necessary for the purposes of complying with (or assisting compliance with) "a regulatory requirement" which involves "taking steps to establish whether another person has committed an unlawful act, or been involved in dishonesty, malpractice or other seriously improper conduct" – and where consent cannot reasonably be obtained.
These amendments will sit alongside existing provisions in the Bill concerning medical data, social work and education – which broadly reflect existing law but include some significant minor changes. These include, in the current draft, making it harder still for independent schools – as well as maintained schools – to prefer the privacy rights of staff acting in the course of their duties over the information access rights of pupils making data protection requests for their data. Similar provisions cover social work and health professionals, so there will be a period of adjustment and analysis once the text of the Bill is finalised.
Where does this leave us?
The Data Protection Bill is not yet law, but it is required to be operative at least in part by 25 May 2018 (when GDPR takes effect) if not before, and these new amendments have been adopted and announced by the Public Bill Committee. It seems likely therefore that they will become law, and hopefully within a matter of weeks.
Victoria Atkins MP, Parliamentary Under-Secretary of State (Home Department), announced the amendment as follows: "This is probably the most important new measure that we intend to introduce to the Data Protection Bill." The ground, she says, is intended to make it easier to carry out "legitimate safeguarding activities that are in the substantial public interest" in full confidence, and to ensure the law is "fit for purpose" and will "cover the safeguarding activities expected of organisations responsible" for individuals at risk.
It seems fair to conclude that this processing ground is intended to go beyond one-off information sharing and reactive steps – namely, urgent measures that might previously have been justified under "vital interests" grounds – and will instead provide a framework within which organisations can justify such reasonable preparatory and policy steps as they deem necessary. This may include bespoke policies on monitoring, reporting, retention and record-keeping: policies designed to ensure organisations capture all the information that might be relevant to questions of early help or prevention.
This will in turn allow them to focus on being safer organisations by design, in part through how they record and share personal data, and not simply to be reactive to incidents that meet a reporting threshold under KCSIE or criminal law. The amendment is therefore to be welcomed.
We will continue to keep you updated on the progress of the Bill and any relevant developments in this area of law.
If you require further information on anything covered in this briefing, please contact Owen O'Rorke (+44(0)203 375 7348), or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Safeguarding and Child Protection page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, March 2018