Education and Skills Committee

Meeting date: Wednesday, October 4, 2017

Official Report 549KB pdf

---

Children and Young People (Information Sharing) (Scotland) Bill: Stage 1

The second item of business is two panels of witnesses on the Children and Young People (Information Sharing) (Scotland) Bill. This is the fourth meeting at which we will consider the bill. We have already heard from the Scottish Government’s bill team, as well as from members of the legal profession, health service professionals and local authority education and social work representatives. This week, we have a focus on schools and early years in the first panel, followed by witnesses from the Information Commissioner’s Office.

Before we take evidence, I put it on record that, as agreed by the committee, the deputy convener and I met the Deputy First Minister and Cabinet Secretary for Education and Skills yesterday to discuss the themes in the evidence, and concerns that members have raised during evidence-taking sessions so far about the bill and the draft code of practice. That was to ensure that the Government is sighted on the committee’s concerns, including the lack of a code of practice to inform scrutiny of the bill and the current status of parliamentary scrutiny of the code that will be prepared under the bill. We hope that that will enable the Government actively to consider the committee’s concerns at this relatively early stage in scrutiny of the bill.

I welcome to the meeting Gillian Fergusson, depute rector for pastoral care at Hutchesons grammar school, who is representing the Scottish Council of Independent Schools; Lisa Finnie, the president of the Scottish Guidance Association; Maria Pridden, a classroom assistant and member of Unison; Lorraine McBride, a headteacher and member of the Educational Institute of Scotland; and Christine Cavanagh, network chair for the Lanarkshire area in the National Day Nurseries Association.

If any of the witnesses would like to respond to a question, they should indicate to me and I will call them to speak. I remind members that supplementary questions should lead on from the question being pursued and are not an opportunity to ask a second question.

I thank the witnesses for coming along to give us information. What is your current practice with regard to sharing information about children in cases that fall beneath the threshold for child protection but go into the realms of wellbeing?

In the independent sector, we are committed to the getting it right for every child approach and we have interim guidelines. Many of our colleagues across the sector have a commitment to GIRFEC, but our current practice is a policy-based model that adheres to consent-based principles. There is a lot of anxiety about sharing information when a case does not meet the child protection threshold, so we would seek consent and share information with consent. I have spoken to a number of colleagues, who confirmed that the practice is not to share information without consent.

I agree with a lot of that. As far as possible, we would not share information without consent. Obviously, when a case involves child protection, it is completely different. However, a lot of information goes between people daily and there is anxiety about always being able to record that consent has been sought.

We are also worried about instances in which there is a difficult circumstance—we would like more clarification on that. It is all very well when everyone is singing from the same hymn sheet and the parents and pupil are looking for support. The process is clear if we are making a referral—we have to record a signature, for instance. That is all good, but we are looking for help with more complex cases, in which there is perhaps a reluctance to involve social work.

I totally agree with that. There is an issue when parents do not want us to share information about their child with police or social work, for instance. They are happy for us to share it with health professionals but not with other agencies. I suppose that child protection procedures would kick in and overrule that, but we need more clarity and guidance on the issue.

In the past, there have been times when we have not been allowed to take things forward because the parents have said no. However, something always changes—we find a way around the refusal, things deteriorate and the case becomes a child protection matter, or the parents get desperate. Sometimes a difficulty that arises at one moment does not remain a difficulty—there is a pathway there. That may be where we need to work together.

You are saying that if there is an inability to do something at an early stage, perhaps because you cannot get consent, the case sometimes escalates into a child protection issue.

If it is an early intervention, there can also be the problem that we might be told that the case does not meet a threshold, so we cannot get help anyway. At least we would have known, though.

This is an opportunity for you to tell us what guidance you are looking for when the code of practice comes out in its final form. What do you as practitioners want? Obviously there would be something about consent.

Most people I have spoken to are very much in agreement about what we are looking for. We all understand that quite a heavy document is needed to begin with to get everything covered, and we are all happy with that. However, so much happens on a daily basis—for example, you might have a frantic meeting. Flow diagrams have been mentioned previously, and I think that all my colleagues would like to have that kind of ready reckoner to be sure that they are on the right lines.

We are also looking for a bit more scenario-based training, which is the kind of training that we are used to. I talked about difficult situations. We need to learn how to find a way around the more unusual incidents, rather than the type of incidents that we all deal with every day.

It was suggested by previous panels, from other sectors, that defensive practice might become an issue. Have the debate and the uncertainty over the past year changed practice already? Are people doing things differently?

When the Children and Young People (Scotland) Act 2014 was passed, we saw an increase in communication. Because we are unique in the independent sector, we perhaps do not have the same level of communication as local authority schools have. I saw an increase in communication in my own practice and I heard the same from colleagues.

Since the Supreme Court judgment, that communication has decreased. In addition, we were really positive about the better lines of communication that we had with external agencies—with service providers—but that communication has definitely decreased since the judgment.

Does anybody have any other views?

I am sorry—I will try not to speak all the time, but it is difficult. I would say that it was more a case of relaxing into being allowed to share information. My colleagues have not reported a change in their behaviour—I think that what is different is how they feel about it.

The only thing that has changed is that people share hypothetical situations more often. Instead of being confident that they have definitely done the right thing, they might ask, “If this happened to a child, what would you do? Who would be the right person to go to?” People might run something by social work that they would not have run by it in the past, when they would have been confident that they had made the right decision. We might be a bit more tentative and anxious about sharing now, as opposed to not sharing at the appropriate times. I think that we have been sharing what should be shared and not sharing what should not be shared.

How much of a change to current practice would the duty to consider whether to share information represent?

The difference is that if you had a concern, the duty would give you the backing to share that concern even if the parents were not happy about it. We should all be working together on the GIRFEC agenda—the whole point of it is that everybody is doing their best for every single child. When barriers are put in front of us, it is quite difficult to meet the needs of each child. The duty would enable named persons to say that they were going to share something because, as a named person—a person who has responsibility to ensure that a child is okay—they thought that that was in the best interests of the child. To do so might be against the parents’ wishes, but the named person might have a real concern. It would be unusual for parents not to want to work with us in the best interests of their child. However, the duty would give us the backing—I do not want to say clout—to do the right thing for that child, in confidence.

A lot of colleagues are already thinking about the duty to consider and what they are doing with information, so it would not change what we already do. The next question that we ask is whether we can share without consent. That is where the problem is. As Lorraine McBride said, it is unusual to have a parent or guardian who is at odds with our working towards the best outcome for their child. However, such cases do happen, and they are where we would perhaps benefit from more guidance on whether to share information without consent.

What happens, on a practical level, when you have to make a decision on whether to share information? Are you seeking guidance about both the law and the code of practice that you would expect to give you back-up? In your daily lives in schools, where you work with very young people, does having to do more paperwork place a greater burden on you?

Absolutely. To be honest, everything to do with GIRFEC causes a burden on the person who has to do the paperwork—that is the de facto named person, at the moment. The administrative side of that represents a huge burden, and the confidentiality side of the paperwork has kept increasing.

Has that been to the extent of preventing you from dealing with other things? Can you give us an example?

For example, if a health visitor phones and needs information there and then, we have to access the information, pull it together and get it into a document that has to be sent securely. All the time, we are thinking that we are supposed to be in the classroom, doing a monitoring visit or speaking to a wee one who we wanted to catch up with.

For me, as a headteacher, and for EIS members who are headteachers and depute headteachers, our day can very quickly be filled up with that one piece of paperwork that needs to be pulled together. It is important and it needs to be done, but does it need to be done by the headteacher? I do not know. There is a fine line there, because of confidentiality. Do we say to someone in the admin team, who is already overworked and underpaid, “I need you to drop everything to do something else. I know that you’re doing absences and trying to phone people to find out where their children are, but this is needed by 12 o’clock”? It is an additional burden on our time. What happens all the time is that we extend our day beyond the contractual hours so that we can get all those other things done. I am sure that it is the same for everyone here.

It is exactly the same for us. I feel that we do three jobs. We do the job during the day, which involves phone calls, emails, the teaching itself, children appearing at the door, and dealing with the incident that has blown up after the weekend and needs immediate attention. At the end of the day, the children go away and we start the next job, which is trying to put things into the SEEMiS wellbeing software program—as we watch the circle on the screen go round and round—and also finding bits of paper, putting things away and all the stuff that we have to do when we are at our desks. Then we go home and do the third job, which is all the things that we can do from home. Those might be 3 am jobs, which is why we get teased for sending emails at silly times. Realistically, there are three jobs. The only analogy that I can give is that it is like asking a checkout girl to go and fill the shelves when she has a queue. It cannot be done, and it is impossible to expect people to do it.

But you do it now.

I would not say that I am doing everything that I am meant to do, and I find that very difficult to come to terms with.

10:15  

I thank the panel for coming. I have a brief follow-up to the question before last. We all accept that child protection concerns trump everything and that such issues are raised regardless of consent. However, we need to be clear that we are discussing issues that fall below that threshold. What do you currently do when such issues arise? How frequently do they come up?

I am a classroom assistant. We often work one to one with vulnerable children or with children who are class refusers; we take them out of class and spend a lot of time with them. At present, information sharing is purely verbal—there is no diary system or set process. We therefore need guidelines on how we share information on what has happened to a child on a particular day, and how it will affect their play time, lunch time and going-home time and any transitions that they might experience throughout the day. The system is purely verbal, so we would welcome guidelines.

Is it only in your educational establishment that the system is purely verbal? I imagine that there must be some written records.

If a child comes in to school and discloses that they have had a bad morning, that is relayed verbally. As classroom assistants, we do not have access to SEEMiS or to pastoral notes. We would tell the teacher what the child has said or we would tell other classroom assistants what has happened to the child. Sometimes, we do not get a chance to do that, because there is no time. We just do our best and try to pass on information.

In the independent nursery sector, our nursery heads are not named persons. That is the health worker—

I am not referring necessarily to named persons. I am talking about how you currently deal with the information. I am extending the point that Gillian Martin made. What do you currently do if the issue in question does not relate to child protection?

I understand. I was going to say that, very often, the nursery head has to act as a co-ordinator for issues that are not to do with child protection. They may well be dealing with a number of professionals who are all very overburdened.

As has been said, when we are dealing with one child and trying to help them to get the best outcome, that very often overwhelms everything else that the management team should be doing. We are simply juggling everything and trying to keep all the balls in the air to make sure that we get the best outcomes for the very vulnerable children. That sometimes means that the children who have less critical issues get missed because there is just not enough time in the day to do everything.

I am sorry, but we are straying from the question that I asked, which was about what you currently do.

We currently have a record. In the private sector, we keep chronologies for children that detail the issues that they have. It would be down to the individual nursery manager to seek support for individual children.

My question is on the workforce pressures that you are talking about. Will the need to record decisions that are made as part of the duty to consider sharing information create more workload for headteachers in particular? If they are doing that for hundreds of pupils, will it lead to an increase in workload?

Absolutely. It will do so not only for headteachers but for principal teachers for pupil support in the secondary sector, if it goes down that road. There will be huge issues there—probably even greater than the issues for headteachers—because those teachers have a teaching commitment as well as having to do everything else.

We have to be very careful about what we do and record so that the paperwork does not overwhelm the issues that we are dealing with. That is a big concern. Various authorities around the country put things in place in different ways. Some authorities have gone gung-ho and put everything in place, so there is paperwork galore; others have held back, waiting on decisions. The situation with regard to the recruitment of headteachers is dire. People do not want to do the job, which is a shame, because it is a fabulous job and working with children and young people in that capacity is a great thing to do. However, as the workload increases—the issue that we are discussing is only one small part of the increase in workload—I worry about the next step for the recruitment and retention of headteachers.

You are saying that the workload of headteachers is heavy, which is different from what we are discussing, although I accept that what we are talking about will add to that workload. If the guidance on how the reporting mechanism works is pretty straightforward, will that not just become part of what you do anyway?

It will become part of what we do. However, the worry is that the administrative support will not be there. It is the paperworky bit that will increase the workload. Talking to children and bringing people together for meetings are part of our job now; that is what we do. It is the additional recording and minute taking that those of us in the role of headteacher or deputy head will need someone to help with.

Are you talking about resources?

It is the resourcing of it.

Right. I just wanted to clarify which aspect we are talking about.

That is the part that increases the workload.

It is the paperworky bit.

Yes—the paperworky bit.

In the event that you are not given considerable additional resources, do you have enough time to properly implement the system?

That remains to be seen. We would all try our best to implement it properly with additional resources.

That is the other half to my question. Is it possible that the pressure and burden on your time will lead to mistakes being made, however unintended, for some of the children who we have talked about whose welfare issues are harder to spot? The fact that there will be more pressure and less time to spend with the kids perhaps opens up the possibility of mistakes.

If headteachers are not well resourced and supported in the process, things could be missed. Lower-level things, especially, can get missed, and they are sometimes the most important things. For example, something might not be a crisis but could escalate into one if it is not caught early enough. Resourcing and support for the process are important.

You have described the need for the named person with regard to the low-level stuff that we are trying to stop before it becomes a crisis.

I am interested in which of our panel members are named persons and, if you are a named person, how many young people you are a named person for.

I was a named person and then last year I became an establishment contact when it was decided that there was not a named person. However, I am a named person, as that is the role that guidance teachers undertake.

How many young people are you responsible for?

More than 200.

Lorraine, as a headteacher in a primary school, how many young people are you responsible for?

I am a de facto named person for 240 children.

Is it the same as the old model of guidance teachers in secondary schools, but with added admin? Is that the only difference?

It has changed dramatically but, as you acknowledged, that has been mostly about additional work. It is not really possible to do the traditional guidance role as well as we used to, and there is the additional pressure of revamping personal and social education, which we are supposed to do and which we see as very important, too. How can we do everything at once and do it effectively?

In the old model that I knew, a guidance teacher was a go-to person for young people to talk to and say, “Can you speak to my teacher, because they need to understand that there is a problem?” Is that bit of your role diminishing?

It is less possible to do it the way that I want to do it.

If there was no formal named person role, you would not have the admin but what would we lose? I get the point that you might not want to do the paperwork—it is an extra burden that gets in the road—but what would be missing if we did not have a named person? Would your job change in terms of dealing with children who are in need or would children be more at risk?

I am not sure whether I am answering this correctly, but there is a need for the named person to deliver a fair and consistent approach. One of the first things that I read in the guidance when it came out was that the policy is what we are already doing but it is about trying to ensure that everybody has access to the service. At the moment, the approach is not consistent but, if things were done in the way that we want them to be done, that is what we could deliver. There is a risk that a child is missed and that a serious problem occurs because we do not have the process, legislation or procedures to ensure that the policy is implemented correctly and that we know how to do it.

The key thing is resources, though.

Yes, and consistency.

Maria Pridden said that it is a fundamentally important job to get intelligence, understand what is happening to a child and feed it back into the system. Does the fact that there is a named person make any difference to that important job?

It would definitely help to support the child.

Do you mean if what you said was taken as mattering and there was a guarantee that it would be put somewhere?

Yes.

To address the question about what the implications would be if there were no named person, in the early years, the named person is critical because early years education is not statutory so there is no statutory person there for the child. Although it is difficult for independent nurseries because we might have to deal with 15, 20 or more health visitors, it is still important for the child that there is a consistent contact that everybody can approach. It is very important that there is a named person.

That consistent contact is about the professionals, not the child.

Yes, but it is somebody who has the child’s best interests at heart and whose purpose is to ensure that the professionals who should be looking after that child do it properly, and to bring all the strings of the care together.

Will we end up with a consistent contact for the professionals but a reduced ability of guidance teachers to do the day-to-day contact with children?

Yes. That is where we need the resourcing to be able to pass issues on appropriately and get the support that is required. To go into ideal practice again, how I envisage it is that, if I notice that something has gone wrong with one of my children because that has been brought to me by a teacher, or because I have noticed it, the child has raised it or a police report has come in, I will have somewhere to go with that—I will have support from child and adolescent mental health services, social work or the third sector.

I will test the fair points that the witnesses are making about resources and workload against the fact that the Parliament is being asked to consider a change in the law to create a duty to consider information sharing. Some of the earlier evidence that we took was about what that will mean in practice. I take on board all that the witnesses say on resources and workload—I have plenty headteachers at home telling me all about that every day—but do you have concerns about the bit before the resources and administration, which is the new duty that will be laid on you if the Parliament passes the bill? Do you have concerns about how you will make the assessment that the duty will require and whether it will add in principle to the decisions that you have to take and, therefore, to your workload long before we get into who does the administration?

10:30  

The worry is that, as individuals with the duty to share information, we will be legally liable in some way. There is a duty on the authority—the named person service as a whole—to ensure that information is shared but, because of the legalese about it being a duty, there is a real concern for headteachers in case we get it wrong. We think, “What is going to happen to me?” Before we get to the workload or anything else, there is that worry for all of us in the profession. We worry about the kids and about doing our best for them all the time. We are then worrying about legal liability as well. I appreciate that it is the duty of the named person service, but that needs to be made very clear.

What is the way round that?

For it to be not the individual headteacher but the named person service that has the duty. The service would then have responsibility to ensure that headteachers share information. However, that is a real worry.

So would you rather that an individual pupil did not have a named person and that it was the service as a whole that was used in terms of that legal assessment?

No. I think basically the named person is part of the named person service and the named person has duties or responsibilities towards that individual child. However, in relation to being held legally accountable for the decision taking, there has to be some protection for headteachers.

Absolutely, but that is not how the issue is currently considered. As a headteacher, you would ultimately be that person, particularly given that the governance proposals make you even more responsible for lots of other things.

Yes.

That raises the question about the training that will happen beforehand and how efficient it will be. Will there be on-going training? Will it just be computer program training or will there be a counselling part to show people how to counsel the children? We all have child protection training once a year, but this is slightly different. We need on-going training in place so that we all know what we are doing.

I echo Lorraine McBride’s point about the anxiety of headteachers. She has the backing of a local authority. We are slightly further down the road that you are proposing in that independent schools are autonomous, so that anxiety is even greater. We might envisage more legal recourse more regularly—which has implications for all schools—because of that shared liability, which is a worry. It is a named person service, but I am currently the de facto named person, and I am concerned about my shared liability with that service and eventually, at the end of the road, the governing body, which is really the directing authority.

It comes back to the code of practice being clear enough and in a language that does not tend towards the legal. We need language that teachers and practitioners can actually understand. That would be the key to the success of the code. It has the potential to be really powerful for improving outcomes at the primary prevention and early intervention stage, but we need it to be really secure and accessible.

So you share the concerns that we have heard that the draft code is written by a lawyer. I am not a lawyer and I cannot follow it so how can practitioners follow it? It needs to be written in language that we can all deal with.

Yes.

You are talking about feeling that you might be personally liable. You have to follow quite a lot of legislation and rules already. At the moment, if there was an issue and there was legal action by a person, you would not be personally liable for that, would you? The local authority would be liable. How would the situation be different in relation to the named person?

We are just saying that there needs to be clear guidance on that.

It is the case that you would not personally have to stand in front of a court defending something, is it not?

Yes, that is the case. We work for a local authority.

There will be no difference when the named person legislation comes in.

We do not know whether there will be any difference.

So you need clarity on that.

Yes—we need that clarity.

But it is the case that there will be no difference.

Let us not have a round-table discussion about this. We were told yesterday by the Government’s bill team that individuals will not be held legally liable. What the Government needs to do is exactly what you have said, which is to make it perfectly clear to every practitioner that their legal status will not change from what it is now in respect of their doing their job. The last thing in the world that we need is people like you, who are keen to participate, being worried about sharing information because you might be held legally responsible. The Government has made it clear to the committee that the local authority, or whatever body, would be held responsible.

I see that Oliver wants to come in now, and disagree with me.

I do not, convener.

To follow on from that, do you have concerns—to go a stage down from legal responsibility—about professional standards and about how concerns that might be raised by service users would be dealt with inside your organisation? Does that create additional pressure?

There is anxiety about that. We are not necessarily all waiting for a legal writ, but people are concerned that they will be blamed for something that happens. The system is new and very high profile, so if something goes wrong, it would not just be something like the teacher not having marked some homework: it will be critical and it will be very worrying. People are concerned.

I think that the Government will get the message that it has to make it very clear who will be responsible.

Before I ask my question, it is worth putting on record that the Law Society of Scotland and the Faculty of Advocates said in evidence that the code is not clear about personal liability.

I have some questions about the need for clarity—there have been a lot of comments about that—on when you would share information. Following on from Tavish Scott’s point, how did you react when you read the draft code of practice? Is it adequate for what you need?

No. When I saw the draft code of practice, I could see how it would apply to the child protection threshold but not how it would apply to the wellbeing threshold in terms of sharing information without consent. People would share without informing or without seeking consent, which is really problematic. Apart from very exceptional cases, I cannot imagine where the draft code of practice would sit in relation to the wellbeing threshold.

It would help if we had an idea of what the trigger might be. I understand that that is really difficult to define; it comes down to the definition of “wellbeing” and how we measure it. The tools are there, which is helpful, but there is some confusion across the board in practice around “wellbeing”. We are looking at the draft code and thinking that we cannot imagine a case in which we would share information without consent around, for example, “included”, in a way that would not breach article 8 of the European convention on human rights or the Data Protection Act 1998.

The reference to “vital interests” in schedule 3 to the 1998 act is quite clear to me and other practitioners in terms of child protection, but not in relation to a lower threshold. That is what worries us.

If there are no other comments about that, I will move on.

The SHANARRI—safe, healthy, achieving, nurtured, active, respected, responsible and included—indicators are broad, useful and very welcome, but they lack definition and can often be subjective. In a previous evidence session, we heard that taking a child up Everest could be an example of good parenting to one parent, but an example of something harmful to another. Can you think of examples of where you might share information in relation to the SHANARRI indicators that you currently cannot, would not, or might be hesitant to share? The answer appears to be no.

Finally, in evidence, the Law Society of Scotland and the Faculty of Advocates highlighted in a number of different ways the fact that the duty to consider is very finely balanced, from a legal perspective—it is one that, even as lawyers, they would find difficult. What concerns do you, as practitioners, have about getting the legal judgment right? Are you currently equipped to make that judgment?

We worry ourselves sick every single day about every decision that we make. We think that we are confident in our abilities to make decisions about children and that we have the knowledge to enable us to do that. We know our children well. The SHANARRI indicators are a good indication of how children are doing. They are subjective, but most experienced practitioners can work out what children are experiencing and where it all fits in.

The question goes back to the legal thing and people being sure of themselves. We need to have clarity about whether we are doing the right thing in making decisions. I do not know whether training would help us to understand the duty to consider. It is a difficult situation, because it is hard enough making decisions about children without worrying about the duty to consider. A duty in law is a big thing. It would just make everything that bit bigger, in that we would second guess ourselves more.

The duty to consider is one element, but evidencing that duty is also problematic. We have a very good national practice model, with the resilience matrix, the wellbeing indicators and the “My world” triangle. That model works for us across the sector, and we use those tools, but it is quite a leap to move from that to evidencing the duty to consider. Perhaps more guidance on that would be helpful so that we have the security of knowing that we are doing it correctly, which is what we all want.

Before I bring in Colin Beattie, I will clarify something. What is coming across is that you are already doing a lot of the things that you will be asked to do: you are already making decisions on wellbeing every day, are you not?

Witnesses indicated agreement.

We can debate your concern about protection, but if there is clear notification that you will not be held responsible, that will take a big burden off your shoulders. It will also help if the code of practice is written in the way that you have suggested, with flow charts and so on. I say to Tavish Scott that I accept that it is not quite like that now, but that is what the witnesses have asked for.

Gillian Fergusson said that there is no common understanding of the term “wellbeing”. I do not know whether the rest of the panel agrees—I would be interested to hear whether they do. Does the term need a statutory definition? Is that possible?

I thought that I knew what “wellbeing” means until I heard that other people do not know what it means. Now, I think that I do not know what it means. Up to now, I was pretty sure that there was the welfare element, which was more about child protection, the significant harm element, and wellbeing, which was about looking at SHANARRI when something was wrong—maybe the child was not behaving in a safe way, was not doing particularly well or something else was going on. I thought that it was quite straightforward, but maybe it is not. I am worried now. I was fine last week. [Laughter.]

I said that there is no standard definition or understanding of “wellbeing”. In our practice, we are quite secure internally about what it means, but we come across difficulties in interacting with service providers that have a different understanding of it.

It would be difficult to produce, but it might help if there was a broader definition that we could follow. We have assessment tools, and we are comfortable with them, but what I apply in my school might not be the same as another school’s practice. We are aiming for parity of practice—I would love to have that. Anything that can help to deliver that would be very welcome.

Are you saying that each group of practitioners has a common definition, but it might not be the same as the next group’s?

It is more about having a kind of threshold. If we are doing an assessment, at what point in relation to the child’s wellbeing indicators is there a commonality such that we would say that we have done all that we can internally within the school by putting in supports and so on, and we now need to involve someone else? There needs to be commonality across the country about that.

We take one approach in our authority, but the neighbouring authority might have a different understanding because of the training that people there have had, so they would have a commonality, although, perhaps they would not: it might be a wee bit different from school to school, or between secondary and primary schools. It would be quite useful—to go back to what Gillian Fergusson was saying—to have guidelines on that commonality of threshold.

10:45  

Should the definition of “wellbeing” be statutory or included in the code of practice?

Before I answer that question, I would like to build on the point that Lorraine McBride made, which was that what might be secure at one establishment, or even in one local authority area, might not apply across the board. When they work outwith the education authorities, members of our organisation are very much working on their own. As I said, what is secure in one establishment might not transfer across, so it would be helpful to have “wellbeing” defined somewhere, in the code of practice or independent of it.

Is “wellbeing” definable?

Everybody has their own definition of “wellbeing”, I think. It is a matter of consistency, and clarity and consistency of practice are things that we are here to talk about. Yes, it is definable, but whether everybody would agree to one person’s definition is another matter.

The common theme that seems to be emerging is clarity and consistency. Does the bill achieve that? I realise that the code of practice is not out there yet.

I think that you have answered your own question in reference to the code of practice.

Yes, I think so. I have done that for the second week running.

On a point of information, the Supreme Court ruled that, other than the SHANARRI indices, the definition of “wellbeing” is not seen in law. Therefore, the panel is quite correct in highlighting the fact that there is no legal definition of it. That is the problem.

Thank you for pointing that out.

When the bill first came before us we talked about a duty to share. Are you more comfortable with the duty to share than with the duty to consider?

It does not make much difference; I just want whichever one it is to be clear and for there to be training, with worked examples and scenarios. It does not make a difference to me, personally.

Some witnesses have said that they do not like the idea of having a duty in law on where responsibility lies. Is there a difference in the type of duty, or is the issue about the duty—full stop?

It is still about the duty part of it, regardless.

That is helpful. Thank you.

The named person provisions are in place—that is not what we are talking about today. You can share information when there is a question of child protection. This discussion is about information sharing in relation to wellbeing. Is what we are discussing today something that you want? Is it useful?

Do you mean do we think that it is useful to share information?

Yes—information specifically on wellbeing.

Yes. It is a requirement. If we need to access service providers regarding support for a young person and we have consent to share the information, then we would absolutely want that provision in order for the young person to get the best outcome.

Do you mean sharing without consent?

Yes.

That is part of the issue that we have. If I am looking at a case in which I think it would be helpful to share information because we might access a service, that might involve compulsion of the parent to engage with the named person service, which was never intended. We are left in a position where we have to say what we think would be best.

We have all had occasions when we have asked to share information and been told that we can share one piece of information but not another—we get partial consent. In the event of a parent—or the child, if they have capacity—saying to us that they do not want information to be shared, we would do two things: we would closely monitor the situation and we would see whether we had a better solution that is more creative and could achieve the same outcome.

However, it goes back to the named person service and the fact that parents are not compelled. There is a lot of confusion around whether parents can opt out of the named person service—which is a slightly different issue. The service is there should they wish to access it. We would want to share information to help the young person. If we cannot do that, that is a legal issue under the Data Protection Act 1998, which concerns why we would be sharing the information and how we would define vital interests. We are comfortable with that at a child protection level—but perhaps not below that level.

Thank you very much for your evidence and your time this morning. That was very useful.

10:50 Meeting suspended.  

10:54 On resuming—  

I welcome to the meeting Dr Ken Macdonald, head of ICO regions, and Maureen Falconer, regional manager for Scotland, both of whom are from the Information Commissioner’s Office.

We will move straight to questions. We understand that, under the new Data Protection Bill, your office will have a role in preparing the data sharing code of practice. Will you explain how the code of practice was developed for the Data Protection Act 1998 and what approach you plan to take to the development of the new code, including the likely audience, the use of plain language and practical examples?

You are right. We have a statutory duty to produce codes of practice under the 1998 act. It was a statutory obligation to prepare the code of practice on information sharing, which was published in 2011. We have a standard approach when we develop codes of practice: we draft a code internally, seek views from stakeholders, review the draft code, amend it as appropriate and ensure that it is in plain English.

Anyone who has been working in data protection since the 1998 act came into force will have seen a sea change in the way in which our guidance is produced. The first guidance was very legalistic—in fact, it was not much different from the act itself—but, over the years, we have moved to a much more practitioner and citizen-friendly style. The guidance is in plain English and we give examples. We listen to our practitioners and try to make the examples relevant to them. There is input on the guidance and we consult on it.

How do you consult? For the code under the Data Protection Bill, for example, who will you consult?

It is slightly different according to the guidance that we are preparing. We consult interest groups. We produce our consultative document, make it available for six or eight weeks, take in the responses and amend our draft guidance as appropriate.

One of the good things that we do is set up a band of critical friends. We welcome constructive criticism, so we bring on board people who we know might have an issue with whatever guidance or documentation we are trying to put together. We basically let them loose on it and ask them to come back with any criticisms that they have and then we take those criticisms on board. When we are trying to put guidance together, it is really valuable to have critical friends to ensure that the guidance addresses the salient issues and is in plain English, as Ken Macdonald said. It exists for practitioners and the public to understand.

Dr Macdonald, in your note to the Education and Culture Committee of 3 October 2013, under the section on legislative competence, you acknowledged that a number of witnesses questioned whether

“the competency of information sharing aspects of the”

Children and Young People (Scotland) Bill was in line with article 8 of the ECHR. You also acknowledged that you had considered Professor Norrie’s comments because you had some concerns about the matter. After that reconsideration, what advice did you give to the Scottish Government?

I cannot recall. That is now four years ago. I know that, at one point, I wrote to the clerk of the Education and Culture Committee when the Children and Young People (Scotland) Bill was going through the Parliament. Our big concern was about the relevance of the information that would be shared. One of the data protection principles is about relevance. You can only share information that is relevant and not excessive, and we did not feel that the bill as introduced met that criterion under the Data Protection Act 1998.

An amendment was proposed and we wrote to the Education and Culture Committee in December 2013 to say that, although the change from “might be relevant” to “is likely to be relevant” addressed our concerns, it did so only in large part. We were not satisfied, and were never totally satisfied, that the bill had sufficiently specified the level of data sharing that could go on.

Did you put to the Scottish Government the point that you were not satisfied?

It saw that email as well. It was copied into it.

Did you advise the Government that there was a legislative incompetence in the Children and Young People (Scotland) Bill?

I sent the email to the committee and, as it addressed an amendment that had been proposed, I also sent it on to one of the Scottish Government officials.

When the Supreme Court judgment was made, the people who had been witnesses at the time were proved correct—the data-sharing aspect was ruled to be unlawful. You expressed your disappointment with that judgment. Why were you disappointed?

11:00  

There seems to be a perception that we were disappointed because of a view that we had on the Scottish Government policy. That is quite incorrect. We were disappointed because the Supreme Court had made a judgment on data protection, on which we clearly had not advised, in total or otherwise, as perhaps we should have done.

It has been recognised that the bill and the act were certified in this Parliament as being human rights compliant, and the inner and outer houses of the Court of Session were also satisfied of that. As I said, it was reputational damage that we suffered—it was nothing to do with the policy, as has been suggested by other people.

Thank you for clarifying that. Therefore, the disappointment concerned a misunderstanding about the advice that you had given to the Scottish Government. Is it correct that you were disappointed that the Government did not accept the advice that you gave?

The disappointment was that we had not fully appreciated the points that the Supreme Court raised.

To what lengths have you gone, this time, to ensure that the advice that you have given to the Scottish Government for the new bill is both accurate and legislatively competent?

We have worked with the Scottish Government—Maureen Falconer has been involved quite closely in that—and we have used our legal colleagues in Wilmslow. As you will have seen in our evidence, we think that the current bill is compliant with the data protection side. However, we have reservations about the code of practice, as, it seems, does every other witness.

Have you given any advice to the Scottish Government on that code of practice?

Yes.

Can I ask what that was?

The advice was that, as it stands—given the timeframe and the fact that the general data protection regulation will be commenced in 2018—the illustrative draft code of practice is not fit for purpose. It must take cognisance of the GDPR; in particular, it must take account of the fact that it will be used by public authorities and that the GDPR includes certain restrictions for those authorities.

Thank you. There was obviously some confusion about the letter of advice that was on various local government websites and so on, which I understand was written in 2013. In 2016, you quite rightly amended that advice in light of the Supreme Court judgment. Were you surprised that the old letter of advice was still being used for the implementation of this policy?

We put that letter out and we put a clarifying letter out after the judgment was issued. It is for the local authorities to train their practitioners in how the Data Protection Act 1998 applies to the work that we are doing. Some have chosen to retain that letter, because parts of that advice are still valid.

Would you agree that that is part of the confusion?

I do not know that it is, to be honest. We added to that advice with the Supreme Court’s decision. I think that the confusion relates to the code of practice that is before you now.

Thank you.

Can I just clarify something on the issue of disappointment? Part of our disappointment was to do with the fact that—not for the first time and it will not be for the last time—the courts disagreed with the ICO as the regulator. The court is the final arbiter; we can have a view, as the regulator, in interpreting the 1998 act, but the court can always disagree with that view. That was our main disappointment. It happened over the issue of the definition of personal data, which is pretty fundamental, and we then had to go back to the drawing board over that. Our disappointment was about the fact that the court, as the final arbiter, disagreed with our particular view.

Thank you for that clarification. I was trying to get at whether it was a political disappointment or whether it was to do with the process. You have clarified that it was to do with the process.

I am so tempted to say something about the courts, but I will not.

Will the United Kingdom Data Protection Bill, which was introduced in September, change the landscape?

In some ways. It is a fairly comprehensive bill, which is 200 pages long. Its purpose is to bring the general data protection regulation, which is a piece of European Union legislation, into British law where derogations have been made to member states because, as a regulation, it applies throughout the EU.

The GDPR and the bill will bring the existing regime into the 21st century. There has been huge technological change since the Data Protection Act was passed in 1998. We talk about that being an evolution rather than a revolution. Just think about how technology has changed in that time—it is probable that, in 1998, very few of us had internet access at home, but now we all have it in our pockets. We carry around with us information that would have taken up a room in days gone by. The bill reflects that, and other changes in technology.

I get that, but will the bill make any difference to the named person scheme?

It will enhance people’s rights. It is important to say that, under the 1998 act, an individual has rights, to a degree, in relation to the processing of their information, and the bill and the GDPR will enhance those. However, they will also make fundamental changes. A much greater emphasis will be placed on awareness raising and on ensuring that the person who collects the information provides information to the individual about what will happen to it.

Many of the things that are in the GDPR are things that we have been promoting for several years. When we have talked to practitioners about child welfare, wellbeing or child protection issues, we have always said that they must engage with the child and tell them what will happen to their information. Even if they know that they will pass the information on and that they do not require consent to do so, they should still advise them, because that is crucial to maintaining the relationship between the client and the professional and keeping the child’s trust.

You are describing procedures and guidance, but I am absolutely focusing on whether the Data Protection Bill could change what this Parliament is being asked to consider. I am sorry, but I just want you to address that direct question.

These things are linked. Previously, under the 1998 act, professionals did not have to give quite as much information as they will have to give in the future. I just wanted to highlight that we have been pushing on that for some time.

The other big issue is consent. We have said clearly that if professionals are going to share information on grounds other than that of consent, they should not suggest to the individual that they can give their consent, because that will confuse them. If the professional is going to share the information anyway, suggesting that the individual can give consent might well break down the relationship.

The GDPR talks much more about the balance of power that exists between individuals and the public authority. When it comes to young persons or vulnerable children, it is clear that the balance of power lies strongly in favour of the public authority. A child could be asked, “Do you mind if we share this information?”, but the very fact that it is a teacher or a doctor asking the question could be enough to make the child say yes. That is not real consent, because it is the adult’s dominance in the relationship, rather than the process, that might lead the child to say yes.

Under the GDPR, public authorities are much more limited in when they can ask for consent. That is what a lot of the balance comes down to.

But the Data Protection Bill will go through the House of Commons and then the House of Lords, so it could be amended at any stage.

That condition of processing is with the GDPR—it is an EU law.

You have lost me. I thought that we were talking about a bill that is going through the House of Commons and the House of Lords. As primary legislation, it can be changed by amendment. Most of your answers have lost me so far.

Sorry.

All that I am asking is whether that has implications for us, given that we are considering primary legislation in the Scottish Parliament.

Okay.

Yes or no?

It is not just a yes or no question.

Either it has implications or it does not.

No—I will have to explain the relationship between the three pieces of legislation. At the top is the GDPR, which is a European piece of legislation—

We are about to leave the EU.

The GDPR has taken effect because it has gone through the relevant process. It will be implemented next year when we will still be in Europe—anyway, the Government has already said that we will follow the GDPR. Because it is a regulation, it is automatically part of UK law. The repeal bill that is currently going through the UK Parliament will deal with the post-Brexit side. However, unusually for a regulation, there are several things that are derogated to the member state.

The Data Protection Bill that was introduced on 14 September deals with aspects that were derogated to the member state. Those relate to certain exemptions and issues around children in respect of the information society and matters of law enforcement, and to matters of national security. The two things go together. However, what has not been derogated under the GDPR will have to remain the same. The matter of consent and the balance between the public authority and the individual is a GDPR-level requirement, so it cannot, at this stage, be amended by the member state.

Does that mean that the UK bill will therefore make no difference to the matter that we are considering this morning?

Not on the element of the conditions of processing. There are derogations and exemptions, but we would say that, as it currently stands, the bill would not make a difference, because the conditions of processing are pretty much the same as they are under the current act.

Do you accept my premise that, as a bill, it could be amended and therefore could have an impact?

It could have, but not on the top conditions of processing, such as consent. This is another issue that comes into the discussion about the code of practice and reflects what the Supreme Court said about the number of pieces of legislation that the practitioner has to deal with. If you look at the 200-page Data Protection Bill, you will see that it constantly refers back to the GDPR articles and recitals, so it is not easy to read. If you think that the Data Protection Act 1998 is bad, the new bill is worse and it will make it even more complicated for the practitioner if there is not a nice clear code of practice.

I take your point about the code of practice.

It would be helpful if you could provide the committee with some of the material that you have just discussed with Tavish Scott.

Good morning. We have been taking evidence on current information sharing. Can you give us some clarity around the current legal requirements that enable sharing of information about a child or young person? I am specifically interested in information about their wellbeing, rather than the child protection stuff.

Therein lies the conundrum. I was interested to hear the previous panel talk about child protection. No one has an issue with that and it is considered in relation to significant harm or, in data protection speak, “vital interests”.

You have to rely on a specific condition for processing to be able to process information—that is anything that you can do with a bit of information, from obtaining it through to destruction and everything in between. The Data Protection Act 1998 sets up a framework, but people forget the preamble, which is also in the GDPR, where it is clear that it is not just about the protection of information but also about the free movement of information. The Data Protection Act 1998 sets up a framework to allow for the safe and secure movement of personal information. It is not about ticking one box, rather you have to get all your ducks in a row: you look to the eight data protection principles and then abide by them. The first principle is that information must be processed fairly and lawfully.

Lawful processing requires meeting at least one of the conditions for processing under schedules 2 and 3 to the Data Protection Act, depending on whether the data is personal or sensitive personal. Currently, in order to be able to share information below the “vital interests” level, the practitioner would still have to rely on one of the other conditions for processing, either consent—which is the first condition in both schedules 2 and 3—or, if the practitioner is not relying on consent, the processing has to be “necessary”, as the Supreme Court highlighted, for specific purposes.

11:15  

The important point about information sharing is purpose. Everything to do with data protection is in the context of purpose. That purpose will make the information sharing compliant or non-compliant.

If the purpose is that the practitioner has a wellbeing concern, three levels have to be considered—significant harm, which everyone is familiar with; a wellbeing concern at a very low level, where the practitioner does not like what is happening and it is perhaps not in the best interests of the child but it is not going to harm the child or anyone else if it continues; and the grey area that sits just above the low-level wellbeing concern and just below significant harm, when a practitioner, using all of their experience and professional judgment, knows that the child is on a pathway to harm. That little grey area—and it is little—makes it difficult for everybody to understand how information can be shared under the data protection provisions.

If it is not health-related data, it is about whether it is a public function in the public interest. If it is health-related data, the necessity is likely to relate either to a public function under enactment or perhaps to one of the other substantial public interest conditions set out in the Data Protection (Processing of Sensitive Personal Data) Order 2000.

Thank you. That was a very thorough answer.

You have partly answered my next question, and the committee has heard about it this morning. To what degree is what you have said understood among practitioners?

It is understood almost implicitly by practitioners. The committee heard from the practitioners today that such decision making happens daily.

In the nearly four years for which I have been speaking about the information-sharing provisions, I have understood from practitioners that making such decisions is something that they do. They face decisions on that small grey area almost daily.

Practitioners do not need to think matters through in the way that I have set out. I am the data protection geek in the room and can therefore say what the conditions for processing are and can understand them. That is not the job of the practitioner. That is the job of the data controller, because the liability rests, in data protection terms, with the data controller—the local authority, private sector school or organisational entity.

It is for the controller rather than the practitioner to work those matters out. The controller has a duty of care to ensure that the practitioner has the confidence and support to make those decisions. I could not agree more with the idea of a flow chart. The information commissioner has said that practitioners need to be able to work through the process. If there is a standard process, matters are being dealt with fairly. Every decision has to be subjective, by its nature. As long as the practitioner has a process that they have worked through, the decision has been made fairly and appropriately.

I want to come back to Tavish Scott’s line of questioning to clarify some points.

Dr Macdonald, I understand that the GDPR is European legislation, and that the aspects in the GDPR that will affect the Children and Young People (Information Sharing) (Scotland) Bill will not be affected by any decisions or amendments by the UK Government in relation to the Data Protection Bill. Is that what you are saying?

We cannot guarantee what changes there will be in relation to the various derogations to the UK Government. As it stands, we are satisfied that any changes introduced through the Data Protection Bill would not affect the Children and Young People (Information Sharing) (Scotland) Bill.

The Law Society gave the opinion that we should suspend our bill until we find out what is happening at the UK level. I disagree with that and do not think that we should do that, but from what you have told us, there is no point in our hanging back because the GDPR is the top line and everything that we are doing here is compliant with the GDPR.

Not quite. The GDPR is there, but the Data Protection Bill has a number of exemptions that might impact on data sharing and we do not know how it will change in the interim.

In respect of what the Law Society was saying, there is an argument that you should wait until there is absolute certainty. However, we have degrees of absolute certainty—if you can have degrees of absolute certainty. We know where the GDPR applies and the code of practice could certainly have been drafted to be much more GDPR-compliant than it is at present. That would have been helpful.

The code of practice is where the flexibility can come in to take account of anything that happens at the UK level.

We are satisfied that the Children and Young People (Information Sharing) (Scotland) Bill will not be affected by Westminster’s Data Protection Bill. However, the code of practice, which is of course integral to the implementation of the Children and Young People (Information Sharing) (Scotland) Bill, might well be.

I am concerned about the Children and Young People (Information Sharing) (Scotland) Bill itself. Thank you for clarifying.

I go back to Maureen Falconer’s comments about the grey area. Will the SHANARRI indicators be adequate criteria by which to assess that grey area? Could or should the bill have done more to establish those wellbeing criteria and make the assessment clearer for practitioners?

I am not deliberately copping out, but I do not think that I can comment on that.

Fair enough.

I have some questions on the GDPR and its impact, specifically around consent. Although I accept that the bill might be GDPR-compliant in your eyes, the GDPR will have an impact on how practitioners use the bill, specifically around consent. Is that a fair assessment? What kind of additional requirements around consent, especially considering imbalance, might the GDPR impose on practitioners carrying out these duties?

The big issue on consent under the GDPR is pretty much the inability for public authorities to be using it where there is an imbalance of power. In the higher-level wellbeing type issues, where the child is moving towards the vulnerable stage, it becomes less likely that consent could be used as the condition on which to process. There can be the other conditions, like those that Maureen Falconer mentioned, such as there being a legal duty or being in the public task, and we might have to look more at that in the code of practice.

More needs to be said up front in the code of practice about the GDPR and its emphasis on informing the individual. Let us get the message across to individuals about what is happening to their information and then move into the issues around how we are going to pass it on, if consent is deemed to be the appropriate vehicle.

The Faculty of Advocates commented that the bill should have included a requirement to consider whether to seek consent. Do you agree with that?

I am not really sure how that would work. The data protection framework overrides everything in terms of information sharing and, ultimately, the data controller should be aware of which condition for processing they are using, which means that their consideration whether consent is the appropriate basis is implicit. A requirement to consider whether to seek consent would probably duplicate something that they should already be doing, and I am not sure how you would evidence it, anyway.

I listened carefully to what you said about the GDPR in response to questions from Daniel Johnson and Tavish Scott. The committee wrote to the cabinet secretary asking whether he would be able to produce an updated version of the illustrative code. In his response on 26 September, he said:

“the Committee will I am sure, understand that all of these recent developments make it difficult for the Scottish Government to produce a further draft illustrative code of practice at this stage that would be reflective of a legislative framework in the UK that is not yet clear.”

Given that the key aspects of the GDPR in relation to the bill are pretty much fixed, do you think that we could see an updated illustrative code that would be more reflective of the likely legal parameters that we are working within?

The GDPR was finalised in 2016. That framework could easily have been brought into the code at this stage.

Is it possible to update the code at this point to address the concerns? It might help scrutiny of the bill.

I would have thought that there was sufficient information about the legislative framework that that could be done.

You said that you were not totally satisfied with the Children and Young People (Scotland) Act 2014. Are you totally satisfied with the Children and Young People (Information Sharing) (Scotland) Bill?

We are satisfied that the bill as it stands meets the requirements of the data protection regime.

Are you satisfied that it is compliant with the Supreme Court judgment?

We do not rule on human rights. The issue of compliance will come down very much to the supporting code of practice. The issues were the relevance and excessive nature of the information. It becomes excessive when it moves into human rights aspects of intrusion and privacy. The code of practice is what has to be addressed.

Would you say that, as the bill is currently drafted, it is impossible to scrutinise that interaction without knowing what is in the final code of practice?

I think that it would be difficult for you to be absolutely definitive in your conclusions until you see the final code of practice.

This conversation is a million miles away from a teacher or a support worker sitting with a child in a classroom. That is part of the issue of understanding the responsibility. You say that the data controller would sit in the local authority. The individual professional has a duty to consider whether to share information. Would the data controller create a test to ensure that the professional was compliant? What is the relationship between the data controller and the professional? What would be reasonable evidence that the person who has a duty to consider whether to share information has carried out that duty?

The fundamental difference between the two data protection regimes—the current one and what is coming down the line in May next year—is accountability and governance. Whereas data controllers are currently required to comply with the Data Protection Act 1998, come May 2018 they will be required to evidence that compliance. If an information-sharing complaint found its way to us, as the regulator, we would be looking for that evidence. It would be a case of showing us their workings. What was the decision-making process that led them to decide to share that information? We would look at it on a case-by-case basis; the whole duty to consider is on a case-by-case basis anyway.

A person with a duty to consider would require to evidence that consideration—the data controller would have to see that there was evidence for an individual decision. Would that have to be written evidence?

11:30  

That would be for the local authority to decide. If we take as an example a local authority, as opposed to a health board or the other named person service providers, it would be for that local authority, or its data controller, to put in place the appropriate processes whereby front-line practitioners can work their way through the legislation.

Would it be your expectation that, for good accountability and governance, a local authority would put in place a regime for every individual person in the authority who might have a duty to consider sharing information? Would there need to be evidence that there was a process and that every person had complied with that process?

Yes.

There would need to be evidence not just that there was a process, but that people understood it and complied with it in every single instance in which they made a decision to share information.

I do not think that we would expect them to comply in every single instance, but we would expect there to be a process and a recording mechanism.

One of the crucial things, which goes back to your much earlier remark, is that staff need to be trained. When we take enforcement action, the big issue is that in probably 90-odd per cent of cases the organisation has failed to train or has given only a very basic, cursory training in data protection at induction, which is then forgotten.

It is crucial that staff are kept aware of the rights and their duties and how to go about them. Again, that comes back to the code of practice being a document that they can refer to and having processes that allow the staff to be confident in what they are doing.

We have said to practitioners before that, if they are in doubt, they should speak to someone, such as their line manager, about the situation. In doing so, they do not need to mention that it is little Jimmy that they are referring to. As one of the other speakers said, they can put forward a scenario and say, “This is what I am facing. What is your view?” People should talk to their fellow professionals and, as they make a decision, they can say that they have spoken to their colleagues, whose general view was that the information should be shared for the following reasons.

That would all have to be written up, in every instance in which there was a decision. If there is a duty to consider whether to share, the reason for the decision would have to be written up, along with details of who was spoken to.

Can I clarify something on that? From our perspective, as the regulator of the data protection regime, we would not necessarily come in to investigate whether someone had carried out the duty to share. I do not see that as our responsibility. Our responsibility would be to ask about the basis on which the information has been shared.

The legislation says that somebody has a duty to consider and to show evidence that they have considered. Whose responsibility is it to ensure that that has happened?

That would probably depend on whether the subsequent legislation for the complaints process is taken through Parliament in the way that it was previously. The previous complaints process, which was revoked, was that if someone was not satisfied with the legal entity, they would go through the Scottish Public Services Ombudsman, so it is probably the SPSO who would look at the duty to consider. I do not see us, as regulator of the Data Protection Act 1998, looking at that duty to consider.

So the individual who makes the decision not only needs to ensure that they are complying with the data controller, in order that there is accountability and governance; they also need to be answerable to the SPSO or be expected—

I do not know. I am talking about the original complaints procedure that went through the legislative process, which was that the SPSO would handle that and would be what we might call the final arbiter of such complaints. Whether the Scottish Government intends to do that again, with the Children and Young People (Information Sharing) (Scotland) Bill, I do not know. The committee would have to ask the Government.

From our perspective, as the regulator, the approach is about what the conditions for processing were and what the legal basis for sharing the information was. The duty is no longer to share, because, under the old act, that would have come under what we considered to be a legal obligation. That is no longer there, so there has to be some other condition for processing that will allow the sharing.

Surely it is the legal obligation to consider that would need to be evidenced.

Yes, but that is not something that we need to look at. For us, it is about the legal basis for sharing information. We would not be regulating as to whether someone carried out their duty to consider.

But if they considered and then shared, you would surely be looking at it.

Yes, but it would be the legal basis for sharing that we would look at.

I want to follow up on something that came up in Daniel Johnson’s questioning. Having read the submission from the Information Commissioner’s Office, my view is that it would be difficult for a layman to understand when a local authority could rely on consent and how the process would work. Maureen Falconer said something to the effect that as a child is heading down the road to becoming more vulnerable, it becomes even more difficult for the local authority to take action to obtain consent. However, a critical point would come on that path where it would have to take action in any case. It does not seem to hang together.

The GDPR is attempting to force public authorities, as creatures of statute, to rely on their statutory responsibilities. You will find that the GDPR talks a lot about public authorities and their public task. There is a job of work for public authorities to do in working out exactly what their public task is. There has been a lack of understanding in relation to the conditions for processing that allow people to use personal information, so consent has often been the default position. However, that has often been meaningless, because individuals have not had a real choice over consent. If people who have been told that someone is going to ask for their consent say that they do not want to give it, it is disingenuous for them then to be told, “Oh, well, I’m sorry, but we’re going to do it anyway.”

What the public authorities have to look to is their statutory functions—their statutory or public tasks. If it is for a public task, they need to question whether consent is the appropriate condition to rely on or whether it should be public function in the public interest.

Is there not a possibility that vulnerable children and so on will be put at risk because local authorities will be averse to taking those decisions?

I do not think that they should be—absolutely not.

The Supreme Court decision has possibly encouraged a belief that consent is the only way to share information, but it is not. When we move into child protection issues, there is other legislation involving other duties on professionals working with children and young people that will enable that sharing to take place without consent. As we said, the crucial point is that consent should not be asked for in situations in which it is known that information will have to be shared because the threshold has been reached. In more serious child protection cases, information will be shared anyway and asking for consent will break the trust between the client and the child, which will do them no good service.

The Supreme Court judgment said that

“information can also be disclosed if its disclosure is necessary for the exercise of a statutory function”.

What does that mean?

If the public authority—whether it is a local authority, a health board or the police—has a duty to undertake a particular task and that information is necessary for it to do so, it can be shared. In other words, consent is not needed.

That would also cover vulnerable children and vulnerable adults, for example, if they were caught up in that particular statutory exercise.

The burden cannot be taken off the front-line practitioner’s shoulders. At the end of the day, it is always going to be a decision that the front-line practitioner has to make. That is why it is incumbent on the organisation to ensure that the policies, procedures, processes and protocols are all in place to give the front-line practitioner the confidence—and the support—that what they are about to do is being done in line with professional judgment. It is about getting that bit right.

I do not see why the data controller cannot have a process flow for the practitioner that says that, in the event that they are faced with a certain situation, there are certain questions that need to be asked and tells them where to go if the answers to those questions are yes or no. That would help to walk the practitioner through the decision-making process and enable them to decide whether the information is the sort of information that they need to share. Often, that is something that the front-line practitioner will get a feel for, as a professional person.

Does consent always have to be in writing? Would you expect a child to be competent enough to sign something?

It does not have to be in writing. Again, the GDPR is quite explicit and says that verbal consent is perfectly acceptable.

How is such consent evidenced?

You have to have a process through which that consent is recorded. That might involve the practitioner going back and writing up notes and following a subsequent process, for example. Again, it is for the organisation to set out the process that must be followed in order to obtain consent if someone is going down a consensual route.

In your submission, you talk about someone having the ability to withdraw consent at any time. How would that be evidenced? Would it be done verbally?

It could be done verbally or in writing. We would certainly encourage it to be done in writing, but in some situations, particularly with children and young people, that might not be possible. We have to put our trust in professionals. We all trust professionals in our day-to-day interactions, and this is just another example of a situation in which that should happen. The local authority, as the employer, will have trained the professionals to deal with such situations and would expect them to do so appropriately. If they do not deal with them appropriately, it is not so much a data protection issue as an employment duty and a disciplinary issue.

Is there not a risk that someone who is dealing with a vulnerable person and using a verbal system could get into disputes about whether that person had withdrawn consent?

What the GDPR is trying to say is that you should not lock people into a specific way of doing things—you should not say that consent can be withdrawn only if someone follows a specific process. The GDPR is attempting to give clearer and more emphasised rights to individuals in terms of control over their personal information. If you are going to rely on a consensual model, that is fine, right and proper, but you have to understand that the individual has the right to withhold consent or to withdraw that consent somewhere down the line. Again, if an organisation is relying on a consensual model, it must have in place processes to deal with someone withdrawing that consent. Part of that might involve setting out a process for recording verbal statements in the system.

With regard to the creation of an individual duty, are you saying that it is not possible to detach that duty from some level of individual responsibility or accountability in an organisation when it comes to data practices?

No, I was not saying that.

Okay, so you are saying that, where an individual has a duty to manage or record their own data practices, it can be someone else’s responsibility if that goes wrong. Is that how it works?

I do not really understand the question.

I am thinking of a situation in which an individual named person—in the event that this all goes ahead—is recording and taking evidenced decisions. If they are not compliant with the processes that an organisation has put in place to safeguard their checks, would that individual be responsible for not following data practices, in relation to data protection legislation? Is that how it is seen?

11:45  

Not necessarily. Under data protection legislation, liability and responsibility always rest with the data controller, unless an individual does something knowingly, recklessly and wilfully against the normal process and is doing things that they should not be doing. That is what we call a section 55 offence. However, if I do something wrong because I have not followed the process—if I have made a mistake or something—the liability for data protection rests with the organisation and the data controller. That does not mean that the data controller will not then discipline the individual, which happens.

If you look at the actions that we have taken, which you can see on our website, you will see that, although the data controller might bear the wrath of the ICO, the case might involve something that an individual, not the data controller, has done. The problem might have arisen because of a lack of training or because of a lack of good technical patches or processes but, ultimately, it is the data controller who has the liability.

That is really helpful, thank you. I am sorry that I did not do a good job of explaining what I was looking for.

For clarity, I would just like to make a point. If I, as a nurse, breached confidentiality deliberately, I would be liable, not the data controller, because I had wilfully done something. Employment law still applies, and employees can still be disciplined for doing something that is wrong.

Yes.

That brings us to the end of this evidence session. I thank our witnesses for their attendance.