Can Named Persons share personal information about your family?

Everyone knows the Scottish Government’s attempts to re-legislate for Named Person data-sharing have run into the sand.

The UK Supreme Court struck down the original information sharing powers because they didn’t comply with human rights law and the General Data Protection Regulation (GDPR).

The Named Person scheme is still being rolled out across Scotland but on a non-statutory basis, with none of the invasive powers that the Scottish Government originally wanted.

As things stand, can Named Persons still share personal information about you or your children?

Under the GDPR, the sharing of personal information is permitted if one of the bases for data processing in article 6 is satisfied. If the data is deemed sensitive, a basis in article 9 must also be met.

Under each article, the consent of the data-subject is a basis for sharing. Another basis is where “processing is necessary in order to protect the vital interests of the data subject”.

Child protection would be a prime example.

In the absence of consent or child protection concerns, does the GDPR provides any alternative lawful basis for named persons to share personal information about children, young people and their families?

The Government may consider that named persons will be able to rely (at least in relation to non-sensitive data) on the fact the “processing is necessary for the performance of a task carried out in the public interest “ or “processing is necessary for compliance with a legal obligation”.

However, it would be surprising if the GDPR (taken with the European Convention on Human Rights) allowed the state to circumvent fundamental rights of citizens by passing a blanket law to allow officials to override those rights. (This is what they tried to do the first time round.)

Of course there are cases where a legal obligation or public function is so specific and limited in scope that sharing the specified information is permitted.

The limited nature of the function clearly identifies a pressing social need. That justifies limiting the rights of the data subject in the narrow area concerned. The limited nature of the duty imposes its own safeguards and allows the proportionality of any interference to be challenged and assessed.

However, the breadth of the named person policy does not lend itself to this.

The functions of the named person do not impose a legal obligation. Not do they set out clearly circumscribed functions. Notably, section 19(5) of the Children and Young People (Scotland) Act 2014 states that the “functions” of the named person are “doing such of the following where the named person considers it to be appropriate in order to promote, support or safeguard the wellbeing of the child or young person—

  • advising, informing or supporting the child or young person, or a parent of the child or young person,
  • helping the child or young person, or a parent of the child or young person, to access a service or support, or
  • discussing, or raising, a matter about the child or young person with a service provider or relevant authority.

At the heart of these functions is a jelly-like notion of wellbeing. The notion is so malleable it can mean what a person wants it to mean. As the Supreme Court said:

““Wellbeing” is not defined. The only guidance as to its meaning is provided by section 96(2), which lists eight factors to which regard is to be had when assessing wellbeing. The factors, which are known under the acronym SHANARRI, are that the child or young person is or would be: “safe, healthy, achieving, nurtured, active, respected, responsible, and included”. These factors are not themselves defined, and in some cases are notably vague: for example, that the child or young person is “achieving” and “included””.

Elsewhere in the judgement the justices stated:

“[T]he assessment of that wellbeing under section 96 involves the use of very broad criteria which could trigger the sharing of information by a wide range of public bodies and also the initiation of intrusive inquiries into a child’s wellbeing.”

In short, the lack of any definition of wellbeing in the Act gave rise to the Supreme Court’s conclusion that the legislation “may in practice result in a disproportionate inference with the article 8 rights of children, young persons and their parents, though the sharing of private information”. This was the basis of the court’s requirement that the changes to the legislation required by the court judgment would involve providing safeguards and that this would “involve policy questions” for the Scottish Government.

An all-singing, all-dancing concept of wellbeing, which bundles together so many different and vague indicators, has created a policy framework which is like a swollen river. The torrent is gushing downhill and will submerge what lays before it unless a suitable dam is built. Yet, nearly three years since the Supreme Court gave judgment the Government has not been able to construct a solution to the problems identified.

The reason for the Government’s failure to find a legislative fix for the data protection problems identified by the Supreme Court judgment is that the policy around which they are seeking to legislate lacks precision at its core.

In 2017 the Government asked a panel of experts to come up with a new binding code of conduct for practitioners. That panel has so far failed.

Even if the panel come up with a draft, it would have to have such a high level of legal content – deconstructing the elements which make up the SHANARRI concept of wellbeing – that it will render the guidance impossible for non-lawyers to navigate. It will not be fit for purpose.

The problem for the Government is that they have been pursuing a policy which seeks to do everything. If professionals and practitioners are not to be drowned in the impenetrable mess caused by enshrining SHANARRI in law, the Government must focus on the source of the problem. Redirecting the river at its source means a fundamental policy rethink.