Data Sharing and Child Welfare in Scotland

It is not very often that this blog reports developments north of the Wall, but we like to make occasional forays, to check up on events of cross-border impact (and of course Common Services Agency and South Lanarkshire are just two examples of gifts from our Scottish brethren which just keep on giving). Assuming you’ll have had your tea, readers may wish to briefly glance at the recent judgment of the Inner House (the Court of Appeal for Scottish civil matters) in The Christian Institute v Scottish Ministers [2015] CSIH 64.

The case was a challenge to the Children and Young People (Scotland) Act 2014, an Act of the Scottish Parliament. Constitutionally minded readers will be aware that challenges can be brought against Acts of the devolved legislatures on grounds which would not be countenanced against an Act of the Westminster Parliament. Parts 1 to 5 of the 2014 Act form a comprehensive scheme intended to promote and safeguard the rights and wellbeing of children and young people. Part 3 provides for the preparation of three year “children’s services plans” for local authority areas designed to secure, inter alia, that children’s services are provided in a way which: best safeguards, supports and promotes the wellbeing of children; ensures that any action to meet their needs is taken at the earliest appropriate time; is most integrated from the point of view of recipients; and constitutes the best use of available resources.  Part 4 requires service providers to make available, in relation to each child or young person, an identified individual (“named person”), whose general function is to promote, support or safeguard the wellbeing of the child or young person, on behalf of the service provider concerned.

The challenge was to the creation of the named person, based upon various Convention articles – particularly 8 and 9 – which need not concern us here. That challenge failed. However, there was also a DP challenge: to “the sections of the 2014 Act which deal with the sharing of information are incompatible with the requirement of the European Parliament and Council Directive on Data Protection (95/46/EC), as read and applied in the light of Articles 7 and 8 of the Charter of Fundamental Rights of the European Union.  For this reason also the provisions are ultra vires of the Scottish Parliament.  They run contrary to the Data Protection Act 1998.  The fact that data could be shared, when not strictly necessary, rendered the information sharing provisions (2014 Act, ss 26 and 27) incompatible with Article 7 of the Directive (criteria for legitimacy).  There were insufficient safeguards against the unlawful sharing of data.  There was no inbuilt “right to be forgotten”“: at [6].

It may be useful to set out the Inner House’s summary of the relevant provisions, at [12]-[14]:

A set of provisions, contained in sections 23 to 27 of the 2014 Act, regulates requests to, and giving assistance by, service providers and the associated sharing and disclosure of information.  Distinct provisions apply according to whether: the named person functions are transferring from one service provider to another (s 23); a service provider is requesting help from another service provider (s 25); a service provider is required to provide information to the service provider (s 26(1)), and vice versa (s 26(3)).  A distinction is drawn between information sharing (s 26) and disclosure (s 27), according to the incidence of confidentiality.

A service provider must generally provide the service provider with information which is likely to be relevant to the exercise of named person functions (s 26(1) and (2)).  An equivalent duty is placed upon the service provider in the reverse situation (s 26(3) and (4)).  The views of the child require to be sought (s 26(5)).  The information holder may decide that the information ought only to be provided if the likely benefit to wellbeing outweighs any adverse effect (s 26(7)).  The holder may provide information if it is necessary or expedient for the purposes of named person functions. The sharing of information is not permitted or required where disclosure is otherwise prohibited or restricted, other than in relation to a duty of confidentiality (s 26(11)).  Thus, disclosure may be permitted, notwithstanding a breach of confidentiality, if the criteria in section 26 are otherwise satisfied and there is no other legal bar to it taking place. It is between service providers, and not individual named persons, that the specified information may be shared.  Where information is to be provided in breach of confidentiality, the recipient must be informed of the breach, and must not provide the information to any other person, unless otherwise permitted or required to do so by law (s 27).

In combination, the provisions are calculated to integrate services in order to secure the wellbeing of children and young people.

The Inner House dealt with the challenge fairly swiftly. It set out the Charter provisions and those of the Directive, before noting that the Directive had been implemented by the “labyrinthine” DPA (not unfair), which was not said to have failed to properly or fully implement the Directive. There was, as a result, no need to go beyond the DPA itself: at [96]. The Court’s reasoning at [97]-[100] is admirably clear.

The 2014 Act was not a mechanism which trumped the DPA. “Section 26(11) of the 2014 Act expressly provides that, with the exception of rules on confidentiality, the information sharing provisions are not to be held as permitting, far less requiring, the provision of information when it is prohibited or restricted by virtue of an enactment or rule of law.  This makes it clear that the operation of section 26 involves compliance with existing law.  That includes the Data Protection Act 1998 and hence the rights of the Charter and the principles in the Directive.” There might well be breaches in individual cases but they could be resolved on their own facts rather than through an abstract challenge. There “is no need for the 2014 Act to incorporate data protection principles, such as the need for consent or other specific protections, including the destruction of out of date data, within its four walls.  The 2014 Act creates a regime involving child welfare which directs what should happen regarding the sharing of relevant information, but it assumes that the actions of those operating the system will comply with data protection principles.

The 2014 Act did not, held the Inner House, involve the creation or collection of any new data; personal, sensitive or otherwise. The Court was obviously significantly influenced by the social policy of the legislation, seeking to introduce a system for the co-ordination and sharing of existing data in relation to children and young persons whereby situations involving a potential risk to a child’s or young person’s well-being, as defined, can more readily be identified and the relevant agency alerted. There was not a proportionality exercise taking place expressly, but the reasoning suggests pretty clearly what the answer would have been had there been one. See too at [102]-[103].

The challenge on DP grounds consequently failed, and the judgment is one which is easy to understand and follow. The need for a single, coherent, statutory scheme for child welfare information sharing which nonetheless complied with existing DP requirements was an unsurprisingly powerful pull for the Court of Session. It is a reminder that data protection is an important safeguard, but it is neither something which prevents agencies doing their jobs nor a trump card to be played in any and all situations. Carefully calibrated and structured schemes need not fear the DPA.

Christopher Knight