Donald, Where’s Your Schedule 3 Condition to Share Information Aboot Your Troosers?

The insularity of English lawyers can often mean that limited attention is paid to legal developments north of the border. Scotland, like the past, is a legally foreign country and they do things differently there. However, we here at Panopticon are never afraid to join a rousing chorus of ‘500 Miles’ by The Proclaimers (you should see some of the blog’s team at the Christmas Party – carnage). Readers with elephantine memories and little to do by way of fun may recall my post on the Inner House’s judgment concerning the ‘Named Person Service’. At the end of term, the case reached the Supreme Court in The Christian Institute v Lord Advocate [2016] UKSC 51. Apologies in advance for the length of the post which follows…

An introduction to the context is most easily done by lifting the Court’s own press summary. The Children and Young People (Scotland) Act 2014 (“the 2014 Act”) makes provision for a named person service (“the NPS”) in relation to children and young people in Scotland. The NPS establishes the new professional role of the “named person”, and envisages that all children in Scotland will be assigned a named person. The NPS aims to achieve two policy aims: first, a shift away from intervention by public authorities after a risk to welfare has been identified, to an emphasis on early intervention to promote wellbeing. Secondly, moving from a legal structure under which the duties of statutory bodies to cooperate were linked to the performance of their individual functions, to one which ensures that they work collaboratively and share information in order to support wellbeing. Part 4 of the 2014 Act provides that named persons will exercise certain functions in relation to children.

Part 4 also sets out powers and duties relating to information sharing, including (in s.23) conditions for when information must be shared following a change in NPS Provider, and (in s.26) conditions for when information must be shared between service providers or relevant authorities, and the NPS Provider. Section 26(8) includes an additional power of disclosure where the NPS Provider holds information and it considers that providing it to a service provider or relevant authority is “necessary or expedient” (s.26(9)) for the purpose of the exercise of any of the named person functions. There is to be statutory guidance, which was at the time in draft form only.

The Supreme Court delivered itself of a lengthy judgment in the names of Lady Hale, Lord Reed and Lord Hodge, with which Lords Wilson and Hughes agreed. As one might expect – particularly reading this blog – the NPS gives rise to obvious concerns about compliance with the Data Protection Act 1998. So it was in The Christian Institute, but, being Scotland, the matter was framed as more technical point about legislative competence of the Scottish Parliament. Data protection is a reserved matter upon which only the Westminster Parliament can legislate, and the challenge was that the information sharing provisions ‘related to’ a reserved matter and were accordingly invalid. This required the Court to consider and compare the purposes of the 2014 Act, the DPA and Directive 95/46/EC.

Those who work in the area will find of quotable value the Court’s overview of the legislation. At [39] he explains the Directive thus: “the Directive was designed to harmonise the laws of the member states relating to the protection of individuals’ interests in relation to the use of their personal data. Its provisions specify the standards of protection which the laws of the member states must afford, and the methods by which those standards are to be secured and enforced”. At [44] he does the same for the DPA: “the DPA was designed to implement the Directive by establishing standards of protection of individuals’ interests in relation to the use of their personal data, and methods by which those standards are to be secured and enforced, which are equivalent in effect throughout the UK. In particular, it imposes obligations on data controllers in relation to the processing of data, and creates rights on the part of data subjects. It also creates a system for the regulation of data controllers by the Commissioner. It allows scope, however, for derogation from certain of its requirements by legislation which need not be UK-wide in application”. So far, one hopes, so straightforward.

Many public authorities – particularly local authorities, health authorities and the police – will find particularly valuable the short summary of the Court about the ways in which the DPA allows for disclosure of personal data about a child without their consent, namely:

(assuming, in the case of a statutory body, that the disclosure is otherwise within its powers), if the disclosure is necessary to protect her vital interests (condition 4), a test which requires more than that it is likely to benefit her wellbeing; or if the disclosure is necessary for the exercise of a statutory function (condition 5(b)), but not merely because it considers that the information is likely to be relevant to the exercise of that function. The data controller is also, of course, obliged to comply with the other data protection principles so far as relevant, and with any requirements arising from Part II of Schedule 1. In particular, it is required to comply with the third data protection principle, in terms of which personal data must be relevant (and not merely considered by the data controller to be likely to be relevant) in relation to the purpose or purposes for which they are processed”: at [48].

And in relation to sensitive personal data:

(assuming, in the case of a statutory body, that the disclosure is otherwise within its powers), if the disclosure is necessary in order to protect his or her vital interests (and not merely because it is likely to benefit her wellbeing) and, in addition, it is either impossible for him or her to give consent or the data controller cannot reasonably be expected to obtain it (condition 3). The information can also be disclosed if its disclosure is necessary for the exercise of a statutory function (condition 7(1)(b)), but not merely because the data controller considers that the information is likely be relevant to the exercise of that function. It can also be disclosed for medical purposes, but only where a duty of confidentiality is owed (condition 8)…It is in addition necessary to comply with the other data protection principles, and with any requirements arising from Part II of Schedule 1”: at [50].

These summaries do not, of course, tell the entire story but they are good starting points and many public bodies would do well to print them out onto a poster and stick them on the office wall.

The Court of Session had defined the purpose of the 2014 Act as being about child protection rather than data protection. But, as the Supreme Court noted, the effect of the information sharing provisions could only be determined by having them in one hand and reading them with the DPA in the other. It also noted that the arguments had been rather unsatisfactory in relation to how narrowly they were put. The only real argument run was whether disclosure under Part 4 would comply with a condition in Schedules 2 and 3. There followed quite a detailed analysis of some of the potential conditions, with the Court emphasising at [56] that the Part 4 language of ‘relevance’ fell some way short of the DPA language of ‘necessary’, especially as interpreted in its jurisprudence on necessity (see South Lanarkshire Council v Scottish Information Commissioner [2013] UKSC 55). The conclusion, at [58], was that Schedule 2 could be met in relation to duties imposed by Part 4 of the 2014 Act, but not Schedule 3, and neither where Part 4 only provided a power and not a duty to disclose. The 2014 Act could not be read in a way which avoided the need to comply with the DPA. (This is an extremely abbreviated summary of an incredibly detailed and complicated few paragraphs of reasoning, which requires and repays close study and a very cold towel around the head.)

In the end, the Supreme Court agreed with the characterisation below that the principal purpose of the 2014 Act was the promotion of wellbeing of children and young people, and that while Part 4 certainly engaged data protection issues, the DPA recognised in section 35 that legislation might make specific provision for data protection matters, including by devolved legislatures, and compliance with the DPA was protected by failsafe provisions in Part 4 (which, as set out above, were likely to kick in). The 2014 Act did not trespass onto reserved matters: at [63]-[65].

Interestingly, in a shorter part of the judgment the Court dismissed a challenge based on non-compliance with EU law on the basis that it added nothing to the Article 8 challenge (see below). But one strand was that the 2014 Act made no provision for removal of information, and it contravened Google Spain. The Court firmly disagreed: the fifth data protection principle applied and that achieved the same aim, which was subject to the enforcement provisions of the DPA under the eye of the ICO: at [105]. (Note too the passing comment that if dissatisfied with the ICO’s approach to enforcement, judicial review could be sought, which is not entirely consistent with the line taken by the High Court thus far on Google Spain-based judicial review claims against non-exercise of enforcement powers by the ICO – see here – but was almost certainly said without any argument as to the alternative remedy point.)

The separate Article 8 ECHR challenge required just as lengthy a discussion, but can be more rapidly summarised for the purposes of this blog. The basis of it both was that the compulsory appointment of a named person without parental consent amounted to a breach of the parents’ Article 8 rights, and that the information sharing provisions under Part 4 amount to breaches of parents’ and childrens’ Article 8 rights. That there was a prima facie interference was clear.

The 2014 Act, even with the draft guidance, failed the first hurdle of being in accordance with the law. The information sharing provisions had to be read with the DPA in a manner which, as discussed above, was extremely hard to fathom. In essence, the apparent duties created on the face of the 2014 Act were extensively cut across by the need to read them with the DPA: at [83]. Nor was there sufficient safeguards to ensure proportionality could be adequately examined: not all information sharing was subject to a duty to consider the views of the child or even inform the child or parents: at [84].

As to proportionality of the legislation itself, Part 4 undoubtedly pursued legitimate policy aims and was clearly rationally connected to those aims: at [91]-[92]. Allowing the legislature the appropriate margin of discretion, Part 4 was also a reasonable measure for the legislature to impose in order to achieve those legitimate aims: at [93]. The fourth stage of the proportionality framework set out in Bank Mellat was not, however, surmounted. The 2014 Act did not adequately address the factors to be considered in a fair balance, and the guidance was “exiguous”; indeed the Act appeared to suggest a more relaxed test for disclosure than in fact permitted by Article 8, using very broad criteria, required to protect information which would be sensitive and confidential: at [97]. There was insufficient clarity on when or why consent need not be sought: at [98]. Although sensitive personal data was likely to be protected by the DPA (probably contrary to what the 2014 Act had intended), non-sensitive but confidential information was not sufficiently subject to a fair balance, given the lack of requirements to consider consent, or to inform parents of sharing, or of the possibility of disclosure. There were insufficient safeguards: at [100]. Much greater guidance was required and the public authority needed do more than have regard to it: at [101].

This post is already quite long enough without adding further comment. But if readers take anything from it, it should be that the full judgment is important reading for anyone working in an area which involves regular data-sharing concerning sensitive and confidential data. The reminder of what the DPA does and does not permit is always valuable, and the reminder the Article 8 may sometimes impose additional and more rigorous requirements is also a salutary warning.

Christopher Knight