Out-of-date ICO data-sharing advice assigned to the dustbin

Like out-of-date milk was the Information Commissioner’s 2013 data-sharing advice to public bodies following the Supreme Court ruling in July.

ICO_logo

The guidance was well and truly past its sell-by date. But yet it continued to remain on the shelf.

In 2013 Ken Macdonald the Information Commissioner issued a letter to public bodies giving guidance about data-sharing practices in relation to the Children and Young People (Scotland) Act, which had just passed through the Scottish Parliament.

On the assumption that the Act would come into force new advice was issued. This became the go-to guidance for public bodies on how state officials should share confidential information.

But in July when the UK Supreme Court struck down the data-sharing provisions in Part 4 of the Act, an alarm was raised about the now legally inaccurate advice, and whether or not local authorities had been sharing data unlawfully as a result.

The Information Commissioner issued updated advice in response to the ruling, but did not withdraw the legally inaccurate 2013 letter until pressured to do so.

Those involved in the NO2NP campaign wrote to Head of ICO Regions, Ken Macdonald, raising concerns. The Information Commissioner eventually conceded and asked the Scottish Government to remove the inaccurate advice from its website.

Simon Calvert, NO2NP spokesman, commented:

“This was clearly legally inaccurate advice given the outcome of the court case. It further demonstrates how the public sector is having to rein in its policies and practices in light of the Supreme Court victory.”

He added: “The difference in content and tone could not be clearer. A key plank to the named person scheme was the scattergun approach to sharing data on families.

“Who knows how many mums and dads and children have already been subject to the implementation of the inaccurate advice previously given out?

“We ourselves have been contacted by numerous families who have uncovered intimate personal information about them being passed between agencies through making subject access requests for information which is held on them by public bodies.

“They are rightly furious and some are considering their legal remedies.”

If you think confidential information about you or your family could have been shared unlawfully, do consider making a Subject Access Request. Find out more here.

If the reply to your Subject Access Request discloses information which alarms you and you think it may help the campaign against Named Persons, contact us by emailing: stories@no2np.org

We understand any information you share with us may be extremely sensitive and will be treated confidentially. We won’t use any information without your explicit consent.

Children’s Commissioner: Named Person info-sharing “caused us most concern”

It’s not often you see a staunch supporter of the Named Person scheme putting his head above the parapet to question the details of the legislation.

Stop

So, credit to the Children and Young People’s Commissioner: although he often appears in the media to defend the scheme, he warned back in June that the information-sharing provisions contained in the Children and Young People Scotland Act had “caused us most concern”.

And that concern was certainly proved right by the Supreme Court judgment.

The Commissioner, Tam Baillie, who says his purpose is to “protect the rights of children and young people”, made the warning in a public statement in June.

Much of his statement is misguided in its understanding of the role of the Named Person as enacted by the legislation. For example a Named Person is not simply an “individual person available to parents” as he tries to claim.

The Supreme Court judgment explains that the Named Person legislation was “to establish new legal powers and duties, and new administrative arrangements, in relation to the sharing of information about children and young people, so as to create a focal point, in the form of named persons, for the pooling and sharing of such information, and the initiation of action to promote their wellbeing” (paragraph 15).

The Commissioner wrote in his statement: “The information sharing part of the Children and Young People Scotland Act (2014) caused us most concern, not least because we felt that not enough time had been afforded for considered reflection. We also felt that more time could have been given to listening to the views of children and young people.”

He recognised that information-sharing was key to the Named Person approach (the Supreme Court said it was “central”) and emphasised that it “must be done appropriately and with respect for the rights of the child”.

The Commissioner also had questions “around the threshold for sharing information”.

He said: “At the moment, the threshold amongst professionals is ‘risk of significant harm’. The Children and Young People (Scotland) Act 2014 lowers this threshold to concern for a child’s ‘wellbeing’.

“A potential risk of this is that the Named Person and other adults may therefore choose to share information about the child that violates their right to privacy and we must guard against this.”

Paragraph 97 of the Supreme Court ruling confirmed this concern, stating: “The provisions of the Act appear to point toward a more relaxed approach to disclosure than is compatible with article 8.”

The judges warned that the wellbeing threshold “involves the use of very broad criteria which could trigger the sharing of information by a wide range of public bodies… and also the initiation of intrusive inquiries into a child’s wellbeing”.

They concluded: “In our view, the criteria in sections 23(3), 26(2) and 26(4) by themselves create too low a threshold for disclosure… and for the overriding of duties of confidentiality in relation to sensitive personal information.”

What a pity the Information Commissioner’s Office (ICO) didn’t see the need to express the same warnings. Instead, ICO officials expressed glee at the prospect of “lowering that trigger down to wellbeing”.

And official ICO guidance issued in 2013 said: “In many cases, a risk to wellbeing can be a strong indication that the child or young person could be at risk of harm if the immediate matter is not addressed. As GIRFEC is about early intervention and prevention it is very likely that information may need to be shared before a situation reaches crisis.

“In the GIRFEC approach, a child’s Named Person may have concerns about the child’s wellbeing, or other individuals or agencies may have concerns that they wish to share with the Named Person. While it is important to protect the rights of individuals, it is equally important to ensure that children are protected from risk of harm.”

“If there is any doubt about the wellbeing of the child and the decision is to share, the Data Protection Act should not be viewed as a barrier to proportionate sharing.”

Perhaps someone needs to remind the ICO of its self-declared purpose: “The ICO upholds information rights in the public interest, promotes openness by public bodies & data privacy for individuals.”