The biggest story in child protection this week – that is, until Justice Goddard quit her own inquiry – was the Supreme Court's decision in The Christian Institute and others (Appellants) v The Lord Advocate (Respondent) (Scotland) that the hugely controversial "named person" scheme in Scotland was a case of overreaching by the Scottish parliament. Specifically, the case turned on the "defective" provisions governing information sharing, and hence the case has also provoked significant interest among those organisations who process sensitive personal data of children or the vulnerable and are, from time to time, asked to share that information with competent authorities.
Briefly to run the rule over what the named person scheme was, and may still be: from 31 August this year it was intended that every child in Scotland would have a nominated individual, and single point of contact, entrusted with monitoring their welfare. This "macro" approach to child protection, root and branch for every person under 18, was only to apply in Scotland: but while logic suggests it might be even harder to bring about in a more populous country, the rest of the UK was looking with interest to see how successful the scheme would be. After all, child abuse and neglect is one of the core issues of our age and many found the radical, all-embracing approach (branded "Getting it Right for Every Child") commendable.
Others, however – including privacy campaigners and libertarians – felt that the proposal by the Scottish government smacked of a "Big Brother" mentality. Supporters of traditional family life felt it might undermine parents, and some social workers feared it would divert finite resources away from those children (and vulnerable adults) known to be genuinely at risk. Hence it was no surprise that a number of interested groups brought a legal challenge.
What does the judgment say?
Ultimately, it was the privacy concern that dragged the new legislation down – temporarily at least. The Supreme Court had problems reconciling Part 4 of the Children and Young People (Scotland) Act 2014 (the "Act") with both Article 8 of the European Convention on Human Rights (protecting the right to privacy and family life) and the Data Protection Act (DPA), finding that the "lack of clarity as to the relationship between the Act and the DPA" needed addressing. In particular it noted the conflict between the DPA's non-disclosure provisions and the wider discretionary rights and duties of local authority sharing of information about children, on which Part 4 of the Act hinged.
It is well established that local authorities will in some circumstances, and in application of their own professional judgment (as well as the DPA), need to share information – even sensitive information – without consent of children or their parents. This includes situations where protection of a person's vital interests, prevention of a crime, or fulfilment of a statutory duty makes it necessary. Competent authorities may also seek such disclosure from schools, care centres, sports clubs and so on. However, the DPA is built around safeguards, which – while not intended to make the jobs of local authority officers, schools or the police any harder than they already are – include satisfaction of various conditions and caveats. This means in practice balancing professional necessity against the rights, freedoms and potential prejudice to individuals. And of course, as always at the heart of the DPA, sharing must be carried out in a way that is "fair" as well as lawful – which might mean notifying individuals, even if not directly seeking consent before acting, while considering what might prejudice an investigation or fulfilment of a core regulatory function.
The revised draft statutory guidance put out by the Scottish government did seek to tackle this, noting: "Public authorities can share information if it is lawful and proportionate to do so, but each case must be considered carefully to assess what is lawful and proportionate in the particular circumstances." It also noted that "it is routine good practice to seek parents' views about information shared, unless it would be against the child's wishes, where they are considered capable of making that decision, or where seeking the views of the parent may be detrimental to the child's wellbeing" – and to involve them in decisions "in all but exceptional situations". But the Supreme Court felt that this was not carried through with any clarity in the Act itself, which did not make that 'good practice' a binding legal requirement. Indeed, it left a good deal to discretion and placed no real legal restriction on these discretionary powers to share information.
Whilst stressing that it was not trying to re-write the legislation, the Supreme Court suggested that a revised Act needed to set out clearly "the circumstances in which (i) the child, young person or parent should be informed of the sharing of information or (ii) consent should be obtained for the sharing of information, including confidential information." The concern was that, if authorisation of sharing private personal data was not done "in accordance with the law" (specifically the DPA) as Article 8 requires, it might result in a disproportionate interference with the home life and privacy of many children – in which case the Court would expect to see the requirement of a "compelling justification". "In short," the judgment concluded, "changes [to the Act] are needed... to provide safeguards so that the proportionality of an interference can be challenged and assessed."
Where does this leave us?
None of this, importantly, changes the existing law – or good practice – on data sharing in these and similar circumstances in the rest of the UK, or even in Scotland (because the case turned on the Act not properly accommodating the existing legal requirements of the DPA). Acknowledging the capacity for misinterpretation of the decision, namely a culture of excess caution leading to failures in child protection, the Information Commissioner (ICO) felt the need last week to put out a short statement on the matter. The key message was that "practitioners should be reassured that information sharing for child protection purposes is not affected by the judgment and that they should continue to share such information following best practice within the framework of the Data Protection Act and other law."
What this means, in practice, is that data protection should never be a bar or impediment to proper management of child welfare. However, that concept of child welfare includes rights of privacy and fair processing of private information which are built into the DPA. Practitioners must consider these, and moreover organisations who are asked to cooperate with police or local authorities – whilst it almost invariably will be necessary and proper to defer to these powers – should take common sense practical steps to ensure they are sharing in a way which is compatible with the rights of data subjects and which reflect the relevant non-disclosure exemption in the DPA, ideally capturing this rationale in a written record.
This is a subject which arises again and again for organisations such as charities, schools and governing bodies. For this reason it will be the subject of a follow-up piece in the coming days to help bring reassurance and clarity to the process.
If you require further information on anything covered in this briefing please contact Owen O'Rorke (firstname.lastname@example.org ; 020 3375 7348) or your usual contact at the firm on 020 3375 7000. Further information can also be found on the Intellectual Property and Technology page on our website.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, August 2016