Adult Support and Protection (Scotland) Act 2007: Code of Practice

This revised Code of Practice aims to reflect the developments in policy, practice and legislation both in the overall context of adult support and protection and in day-to-day activity. It provides information and detail to support practical application of the 2007 Act.


Chapter 3: Duties and powers of the council and other agencies, the role of the council officer and the independent and third sectors, and cooperation and information sharing across organisations and professionals.

What are a council's duties under the Act?

The Act places duties upon the council to:

  • make inquiries if it knows or believes that a person is an adult at risk of harm and that it might need to intervene under the Act or otherwise to protect the person's wellbeing, property or financial affairs (Section 4);
  • undertake investigative activity, as part of its inquiries, involving council officers who have certain powers under the Act (Sections 7-10);
  • co-operate with other councils and other listed (or specified) bodies and office holders (Section 5);
  • have regard to the importance of the provision of appropriate services (including, in particular, independent advocacy services), where the council considers that it needs to intervene in order to protect an adult at risk of harm (Section 6);
  • make visits, with right of entry, for the purpose of conducting interviews and arranging medical examinations (sections 7, 8, 9 & 36 - 40);
  • protect property owned or controlled by an adult who is removed from a place under a removal order (Section 18);
  • set up an Adult Protection Committee to carry out various functions in relation to adult protection in its area, and to review procedures under the Act (Section 42).

What are a council's powers under the Act?

Where it is known or believed that an adult is at risk from harm and the council might need to intervene, the Act places a duty on the council to make the necessary inquiries to establish whether or not action is required to stop or prevent harm occurring.

The Act makes frequent reference to actions that can be taken where a council 'knows or believes' that an adult is at risk of harm. It is clear that 'know'and 'believe' are not intended to be used interchangeably, and that the intention is to allow for engagement with people where it has yet to be determined whether they are an adult at risk. Partnerships should ensure that their procedures are clear that inquiries will often take place before a determination has been made that the adult is at risk of harm.

The Act enables a council to:

  • through the offices of a council officer, visit any place necessary to assist with inquiries under section 4. Council officers may interview, in private, any adult found at the place being visited, and may arrange for a medical examination of an adult known or believed to be at risk to be carried out by a health professional. Health, financial and other records relating to an adult at risk may be requested and examined. Note that the Council Officer is empowered by the Act to identify, take or copy medical records held by a service but having obtained them must ensure they are interpreted by a health professional.; and
  • apply to the sheriff for the granting of a protection order.

Council officers have rights of entry to places where adults are known or believed to be at risk of harm. If, following inquiries, a council officer believes that action is required, the council can apply to the sheriff for a protection order. The range of protection orders include assessment orders (which may be to carry out an interview or medical examination of a person); removal orders (removal of an adult at risk) and banning orders or temporary banning orders (banning of the person causing, or likely to cause, the harm from being in a specified place) (Sections 11-34).

Who can act as a council officer for the purposes of the Act?

Section 53 (1) of the Act defines a council officer as an individual appointed by a council under Section 64 of the Local Government (Scotland) Act 1973.

Section 52(1) of the Act enables Ministers to restrict the type of individual who may be authorised by a council to perform council officer functions under the Act.

Scottish Ministers have made an order that prescribes that a council must not authorise a person to perform the functions of a council officer under sections 7 to 10 of the Act (investigative functions) unless the person:

  • is registered in the part of the Scottish Social Services Council register maintained in respect of social workers or social service workers or is the subject of an equivalent registration;
  • is registered as an occupational therapist in the register maintained under article 5(1) (establishment and maintenance of register) of the Health Professions Order 2001; or
  • is a nurse; and
  • the person has at least 12 months' post qualifying experience of identifying, assessing and managing adults at risk.

A council may withdraw the authority of a person to perform the functions of a council officer if the person no longer meets the relevant requirements.

The Public Bodies (Joint Working) (Scotland) Act 2014 placed a requirement on all Health Boards and councils to make arrangements for adult health and social care services to be provided in an integrated way within each local authority area. Section 23 of the 2014 Act allows Ministers to make regulation to allow suitably qualified individuals who are employed by a Health Board to exercise the functions of a council officer.

Duty to refer and co-operate

While councils have the lead role in adult protection, effective intervention will only come about as a result of productive cooperation and communication between a range of agencies and professionals. What one person or public body knows may only be part of a wider picture. The multi-agency nature of adult support and protection work is crucial to the work of protecting adults from harm.

Section 5(3) of the Act places a duty on certain public bodies or office holders who know or believe that a person is an adult at risk of harm and that action needs to be taken to protect them from harm, to make a referral by reporting the facts and circumstances of the case to the council for the area in which the person is considered to be located. Public bodies should ensure that their staff are aware of the duty to refer and co-operate, and to encourage vigilance in relation to adults who may be at risk of harm.

Good practice would dictate that even if in doubt the referral should be made and should be counted as a referral by the council. The council must then determine if it knows or believes that the person is an adult at risk, and that it might need to intervene. It may take such investigative steps as considered necessary to establish whether the adult is an adult at risk of harm and what action should be taken.

Section 5 provides that certain bodies and office holders must, so far as is consistent with the proper exercise of their functions, co-operate with a council making inquiries under Section 4 of the Act and with each other where this is likely to enable or assist the council making the inquiries. A proper exercise of a public body's functions may include being bound by a duty of confidentiality.

The bodies listed in Section 5 are:

  • The Mental Welfare Commission for Scotland;
  • The Care Inspectorate;
  • Healthcare Improvement Scotland;
  • The Office of the Public Guardian;
  • All councils;
  • The Chief Constable of Police Scotland;
  • All Health Boards (including Special Health Boards); and
  • any other public body or office-holder as the Scottish Ministers may, by order, specify.

(As at July 2022, Scottish Ministers have not specified any other bodies)

As outlined above all of these bodies have a duty to refer where they know or believe an adult to be at risk of harm, and to co-operate with councils in their inquiries. Referrers do not need to have evidence that all elements of the three-point criteria are met in order to make a referral. Their information may form part of a larger picture.

Where staff in named bodies have to report suspected cases of adults at risk of harm within their own organisations, they should be clear to whom they have a duty to report. Staff also have a duty to co-operate with those working in the wider services within councils, including services for adults, children and families, criminal justice, housing, education, trading standards and consumer protection, and a range of services provided by health and specialist health boards, including acute and psychiatric hospitals and community health services.

The public bodies and office-holders may have duties to undertake inquiry, investigation, or other activity under separate legislation, which could overlap with the duty of the council to undertake inquiries and investigations under the Adult Support and Protection Act 2007. For example, Section 33 of the Mental Health (Care and Treatment) Scotland Act 2003 places a duty on local authorities to inquire, in certain circumstances, into the situation of a person in the community who appears to have a mental disorder.

Simultaneous inquiry or investigation activity should never be used as a reason for failing to make adult protection referrals, whenever an adult is known or believed to be an adult at risk. All public bodies and office-holders named in the Act must make adult protection referrals and co-operate with subsequent adult protection inquiries and investigative activity, irrespective of their own specific functions under other legislation.

Good practice is that all relevant stakeholders will co-operate with making referrals and assisting with inquiries, not only those who have a duty to do so under the Act. Adult Protection Committees will wish to consider how best they can engage and encourage co-operation (Section 42(2)) with this broader group of agencies in order to ensure that such agencies are aware of the provisions of the Act, and that they have appropriate procedures in place.

While it is not specified in the Act, a wide range of other services also contribute to the protection of adults at risk. These include:

  • GP Practices[2], dentists and pharmacists;
  • Scottish Fire and Rescue Service;
  • Agencies of the Scottish Government,

e.g. The Scottish Prison Service; Social Security Scotland.

The above services and agencies may all become involved with adults whom they know or believe as being at risk, and may therefore have cause to refer people to the council, and as such have a direct part to play in protecting people from risk of harm. Such services and agencies are expected to co-operate with assisting inquiries and to provide services to support adults at risk of harm.

Some agencies, which have a UK-wide jurisdiction or remit, may not be bound by the Act. However, they are likely to be bound by other legislation or specific protocols agreed with the Scottish Government.

Section 49 of the Act provides that it is an offence to, without reasonable cause, prevent or obstruct any person from doing anything they are authorised or entitled to do under the Act (see Chapter 15 of this Code).

General Practices

The Scottish Government has published revised Guidance for General Practice in tandem with the revised Code of Practice and revised Guidance for APCs . This is intended to assist the involvement of General Practitioners and their staff ("General Practices") in activities which arise from the Act, and aid them to support their patients in achieving the best outcome.

It provides advice on how to make referrals and notes that:

  • General Practices are well placed to identify adults at risk of harm and are a vital component in the multi-agency arrangements to support and protect where it is necessary
  • Adult support and protection applies to those with and without mental capacity
  • As with other referrers, evidence is not required that all elements of the three-point criteria are met in order to make a referral. Their information may form part of a larger picture. In this regard, it is ultimately the responsibility of the council or delegated agency to decide whether an adult meets the definition of an adult at risk of harm
  • General practices will be expected to co-operate with inquiries including with the examination of records under Section 10 of the Act. This co-operation is based upon the Council's knowledge or belief that that the person is at risk of harm. The purpose of providing the information is to assist the Council in determining whether or not the person is at risk, or later in the process to understand how to support and protect them from those risks.

The Scottish Fire and Rescue Service and the Scottish Ambulance Service

The Scottish Fire and Rescue Service ("SFRS") have a key role to play in keeping people safe from harm particularly in relation to fire safety. They are an important source of referrals in regard to adults as a result of their fire safety advice activity and can identify some people who may be at risk of harm for other reasons. The Scottish Fire and Rescue Service is represented on many Adult Protection Committees across Scotland.

The Scottish Ambulance Service ("SAS") is designated a special health board for the whole of Scotland, and is therefore included in the Section 5 duties as outlined above. It operates as an emergency service, and has contact with a wide range of people, many of whom may be adults at risk. They, therefore, can be a source of information; potential referrer and, as with Scottish Fire and Rescue Service, can act as an early warning system for some people at risk of harm. There is scope for greater understanding of the role SAS can play and for greater engagement between the SAS and Adult Support and Protection at both local and national levels.

The Scottish Prison Service ("SPS")

The SPS has a duty of care to ensure that reasonable steps are taken to support and protect from harm individuals in their care, and those who may visit or make other forms of contact with individuals in prisons.

The SPS Child Protection Policy applies to children under 18 years of age. However, as per the Act, a young person over the age of 16 requiring protection may be an adult at risk in some circumstances. As per all cases for young people aged between 16 and 18 requiring support and protection,Prison Based Social Workers, in partnership with SPS managers, must give consideration to which procedures, if any, need to be applied. This will depend on the young person's individual circumstances and the particular legislation or policy framework best able to meet their needs at the time. Further details can be found in the SPS Child Protection Policy.

When SPS staff members or others working in a prison know or believe that an adult is at risk of harm (e.g., the individual is known or believed to meet the 3-point criteria), including an individual in their care, a member of his/her family, or someone with whom they have regular contact through visits, telephone contact or correspondence, they will liaise with community-based adult support and protection services. If an adult in the community is being harmed by an individual in custody, either intentionally or unintentionally, an Adult Support and Protection referral to the local authority where the individual at risk lives may be appropriate. An individual in SPS care may also cause harm in the community whilst located in prison. It may also be appropriate to consider an ASP referral if the adult themselves is at risk of harm when in the community (e.g., when due for release). Any such activity will be undertaken alongside existent offender management procedures.

For example, there may be occasions where a partner, family member or friends are at risk of harm caused by the individual in SPS care, for example on Home Detention Curfew (HDC), temporary release or release on licence. An individual in SPS care may also cause harm in the community whilst located in prison by, for example:

  • insisting the vulnerable person hand in money or property;
  • pressuring someone to volunteer their address for HDC, temporary release or release on licence;
  • threatening harm to an adult via:
    • the prison telephone system;
    • written correspondence, e.g. email or letter;
    • virtual or face to face visits;
  • neglect where the individual in SPS care has previously provided care to an adult.

An ASP referral may also be appropriate if the adult themselves is at risk of harm when in the community. The SPS may be aware of adults who could be considered at risk of harm prior to their arrival to prison and/or as they are being readied for release (e.g. they may be at risk of harm in the community). As such, local services should have protocols in place for advising SPS of any new prisoners who are regarded as being at risk of harm and SPS should remain alert to the potential need for contact to be made with council adult support and protection services in preparation for a prisoner's release.

Independent and third-sector providers and other organisations

Additionally, and importantly:

  • there will be a range of service providers and service user and carer organisations in the independent and third sectors who will have a direct service provision role in relation to adults who may be at risk of harm; and
  • adults who may be at risk of financial harm may have dealings with a range of agencies including financial institutions such as banks, building societies, credit unions, post offices, Royal Mail and the Department of Work and Pensions.

While independent organisations such as these do not have specific legal duties or powers under the Act, care providers have a responsibility to involve themselves with the Act where appropriate by making referrals, assisting inquiries and through the provision of services to assist people at risk of harm. These organisations should discuss and share with relevant statutory agencies information they may have about adults who may be at risk of harm.

These providers and other service provider, and user and carer groups may also be a source of advice and expertise for statutory agencies working with adults with disabilities, communication challenges or other needs. Organisations should comply with requests for examination of records, as it is an offence to fail to do so without reasonable excuse (section 49(2)) of the Act).

Councils will wish to keep under constant review their contract agreements with the independent and third sector providers to ensure that their services are consistent with the principles of this Act.

Chapter 10 of the Code provides further guidance on the examination of records and refers to Social Work Scotland's 'Protocol for Requesting Information under Section 10' of the Act, which is for use by local partnerships as a template for their own procedures.

Information Sharing

We all have a responsibility, individually and collectively, to protect vulnerable people in our communities. This cuts across all aspects of private life and professional business. Supporting individuals at risk of harm is best done through collaboration and with a sense of community responsibility.

The Referral Process

Adult protection referrals can be made in writing (to be submitted electronically) or over the phone to the council for the area in which the adult at risk currently is. For most ASP referrals, this will be to the council for the area where the adult is habitually resident (where they live). Prompt action is vital.

Relevant contact details can be found here: Find your local contact - Act Against Harm. If you are working out of office hours, your local procedures and contacts will advise you of the relevant out of hours procedure, e.g. the Duty Social Worker.

Referral forms (sometimes referred to as an "AP1") – or the electronic link to them – can be requested from your local adult services team in advance; the form can then be saved in a place convenient for future use.

Referral information requested, either on a form or over the phone, may include:

  • Details of the person completing the referral;
  • Details of the person subject to the referral, including name, date of birth, address;
  • The primary user group or client category of the patient, if known (e.g. learning disability, mental health, dementia, substance misuse, acquired brain injury, physical disability);
  • Any communication needs of the adult at risk;
  • Harm type(s) suspected;
  • Whether the adult at risk is aware of the referral;
  • Details of the concern, including as much information as possible about the incident(s), dates, alleged harmer(s), previous concerns, any safeguarding activity undertaken;
  • An overview of the "three-point criteria":

I. In your opinion, is the adult able to safeguard their own wellbeing, property, rights or other interests?

II. In your opinion, is the adult at risk of harm?

III. In your opinion, is the adult affected by disability, mental disorder, illness or physical or mental infirmity, making them more vulnerable to harm?;

  • Confirmation of whether police have been contacted if a crime is suspected;
  • Any relevant relationships, proxy decision makers (guardian or Power of Attorney), and/or caring responsibilities of the adult;

Please note that this list is not exhaustive and a referral should still be made if you believe that the criteria are met for referral, even if lacking some of the information noted above. It is not your responsibility to confirm that the adult meets the three-point criteria; it is enough that you believe them to meet the criteria to warrant an ASP referral. Any information that can be provided at the referral stage will assist the local authority in undertaking adult protection inquiries.

As part of the inquiry process, it is possible that you will be asked to assist the council making the inquiries.

If there is immediate danger to you or the adult at risk, do not hesitate to call 999. You can make a subsequent Adult Protection referral, if relevant.

Referrals – prompt action is vital.

As well as your local contact's details, the Act Against Harm website carries lots of useful information, including how to recognise when an adult may be at risk of harm and examples of the type of support that can be provided once a concern has been reported.

1.

Steps to Take – The "Four Referral Rs"

Recognise – be aware of adult protection issues and how an adult at risk of harm may present. Consider trauma, undue pressure etc., and the adult's ability to safeguard themselves.

Report – where you have an internal adviser for adult protection report the matter to them, discuss with appropriate colleagues the need to make a referral but ensure this does not adversely delay referring.

Refer – Refer the individual and their circumstances through your local adult protection referral process. Where the matter is urgent contact the relevant emergency services without delay.

Record – use the individual's record to note the issues that arose, the circumstances, the decisions made/actions you took, and the rationale for your actions.

If the matter is urgent e.g. there is imminent risk of danger or significant harm has happened please contact the relevant Emergency Service – Police/Fire/Ambulance.

Information - To Share or Not To Share – Checklist

With specific reference to the circumstances of the case, before making a referral, consider:

  • Is the sharing justified at this time?
  • Does the duty to protect the individual outweigh the duty of confidentiality?
  • What are the benefits to the individual of sharing, or the risks of not sharing, information?
  • Are there wider risks from sharing or not sharing (to other family members etc.)?
  • Are you sharing special category data? (see section below under Data Sharing);
  • Are you able to identify a condition for processing from Article 9 UK GDPR that you can you rely on?
  • Do you need to identify an additional condition from the DPA 2018? – see section below on special category data;
  • Are there relevant exemptions?
  • Are there other relevant statutory requirements, legislation or restrictions to consider? e.g. Adults with Incapacity (Scotland) Act 2000; Mental Health (Care and Treatment) (Scotland) Act 2003; Child Protection Guidance 2021; reporting a crime etc.;
  • Is there a legal obligation to share? (for example a statutory requirement or a court order)?
  • Is there an organisational / in house protocol, e.g. a Data Sharing Agreement?
  • Are there other similar, relevant, cases which ought to be considered?
  • Is authorisation required within your organisation to make the decision?
  • Should legal advice or other guidance be sought? E.g. ICO Helpline.

If you decide a referral is needed, and information is to be shared, consider:

  • Has the individual's attorney or guardian, if relevant, been consulted?
  • Should any other person be informed ahead of, or after, sharing?
  • In terms of consent under UK GDPR see Why is consent important?
  • Has the individual been consulted with openness and transparency? If not, reasons should be documented. Note that the controller's fairness and transparency obligations under data protection law must also be referred to
  • Are there suspicions that alerting the patient to concerns could place them at greater risk?
  • What information should be shared?
  • What is fact and what is opinion?
  • How should the information be shared / stored?
  • Record the decision, actions and reasoning.
  • What information was shared and for what purpose.
  • Whom it was shared with.
  • When it was shared.
  • The justification for sharing (responses to the Share or Not To Share Checklist above can be used as a starting point).
  • Whether the information was shared with or without the subject's consent.

Do you need the consent of the adult to make a referral?

No. Whilst adults with capacity have the right to consent or otherwise, there may be a lawful basis to share information under the 2007 Act without this consent.

There is a difference between medical consent and data sharing consent. It is important to be open and transparent with the adult, and vital that all decisions and rationale are recorded. Further information around UK GDPR and consent in respect of data sharing can be found here - Why is consent important? | ICO

Why do we need to share adult protection information?

Organisations need to share safeguarding information with the right people at the right time to:

  • prevent death or serious harm;
  • coordinate effective and efficient responses;
  • enable early interventions to prevent the escalation of risk;
  • prevent abuse and harm that may increase the need for care and support;
  • maintain and improve good practice in safeguarding adults;
  • reveal patterns of abuse that were previously undetected and that could identify others at risk of abuse;
  • identify low-level concerns that may reveal people at risk of abuse;
  • help people to access the right kind of support to reduce risk and promote wellbeing;
  • help identify people who may pose a risk to others and, where possible, work to reduce offending behaviour;
  • reduce organisational risk and protect reputation.

Where someone is suspected of being an adult at risk of harm, an Adult Support and Protection referral should be made to the council within 24 hours – any delay should be recorded with reasons.

Once you have made a referral this places a duty on the council to make inquiries where they know or believe that an individual may be an adult at risk of harm.

Information Sharing: Legalities and Cooperation

Duty to Cooperate

A number of bodies have a duty to co-operate under the Act (Section 5), e.g. Health Boards and Healthcare Improvement Scotland, Police and Councils. Any information received in the course of an inquiry is treated with the utmost confidence and will not be disclosed to any third parties other than in accordance with the provisions of the Act.

(Section 5) outlines a further number of service providers who contribute to the protection of adults at risk. Bodies named in the Act have unequivocal responsibilities to cooperate with the local authority undertaking ASP inquiries; to notify the council of an adult who may be at risk of harm; and to cooperate with others named. Other organisations who are not specifically named should also cooperate with ASP processes where requested, in order to achieve the best outcome for the individual at risk of harm.

Data Sharing

Data protection law enables organisations and businesses to share personal data securely, fairly and proportionately. The Information Commissioner's Office (the "ICO") has a Data Sharing Code of Practice and the resources available at their Data Sharing Information Hub provide detailed guidance and tools to aid data sharing in compliance with data protection law.

The ICO provide a Step by step guide to data sharing.

There are many misconceptions and fears around data sharing, and the ICO have a helpful page exploring these at Data sharing myths busted.

Forward planning for sharing information

It is strongly recommended that organisations take the time to consider all of the scenarios in which they may need to share data about vulnerable adults in their care and associated third parties. Some of this sharing may take place under the Act but other sharing may take place out-with it. Practitioners should be clear about whether they are a data controller, joint controller or processor for the personal data that they intend to share. A data controller has the responsibility of deciding how personal data is processed - they are the main decision-makers and exercise overall control over the purposes and means of the processing of personal data. Both a council and the person making the referral are likely to be controllers. The data subjects will be the adults to whom the information relates, and about whom the enquiry is being made/whose records are being examined.

Where data sharing is a regular occurrence, between organisations, there should be Data Sharing Agreements (DSAs), informed by Data Protection Impact Assessments (DPIAs), which will help to ensure that data sharing is carried out in compliance with the law.

The ICO recommend that as a first step you carry out a DPIA, even if you are not legally obliged to. Carrying out a DPIA is an example of best practice, allowing you to build in openness and transparency of ASP processes.

A DPIA will help you assess the risks in your planned data sharing and determine whether you need to introduce any safeguards.

It will assist you to assess those considerations, and document them. Having a DPIA in place will help to provide reassurance to both yourselves and those whose data you plan to share.

It is also recommended that organisations work with their local Adult Support and Protection Committee to plan for data sharing and develop local processes and templates etc. to reduce duplication and promote consistency. Some organisations may wish to develop processes and templates collectively, perhaps via a representative on the Adult Protection Committee, if applicable.

Data Sharing in Emergency Situations

Organisations can also carry out forward planning for emergency situations. In particular, organisations and practitioners should be confident that relevant personal information can be shared lawfully if it is to protect someone from serious harm, including safeguarding within a medical context. ICO guidance on Data sharing in an urgent situation or in an emergency emphasises that in an emergency, practitioners should go ahead and share data as is necessary and proportionate. It also advises what may constitute an emergency and that organisations should to plan ahead for such circumstances, i.e. consider training staff, consider DPIAs, assess the types of data that might be shared etc.

The key point is that the UK GDPR and the DPA 2018 do not prevent you from sharing personal data where it is appropriate to do so, and you have clear documented records to support your actions.

The ICO has a section on data sharing in an urgent situation or in an emergency in the Data Sharing Code of Practice.

The Code sets out that an emergency includes:

  • preventing serious physical harm to a person;
  • preventing loss of human life;
  • protection of public health;
  • safeguarding vulnerable adults or children.

In these situations, it might be more harmful not to share data than to share it. It is strongly recommended that controllers plan ahead for urgent or emergency situations as far as possible. Controllers should consider what data sharing might need to take place, what data should be shared and how this can be done in compliance with the law. This may involve preparing DPIAs and implementing DSAs to cover emergency situations which can include the relevant lawful bases and any conditions for processing as well what is likely to be necessary and proportionate in the context of the sharing. In an urgent or emergency situation, decisions have to be made rapidly and it can be difficult to make sound judgements about whether to share information. Spending time forward planning is key.

Special Category Data

What is special category data? This is personal data that needs more protection because it is sensitive and may affect an individual's rights and freedoms. This means data which:

  • reveals racial or ethnic origin;
  • reveals political opinions;
  • reveals religious or philosophical beliefs;
  • reveals trade union membership;
  • is genetic data;
  • is biometric data;
  • is concerning an individual's health;
  • is concerning an individual's sexual orientation or activity.

If you process special category data you must keep records, including documenting the categories of data. This does not include personal data about criminal allegations, proceedings or convictions, as separate rules apply (see below).

In order to lawfully process special category data you must identify a lawful basis for processing data, under Article 6 of the UK GDPR and a separate condition for processing under Article 9. These do not have to be linked.

Where Criminal Offence data , including data relating to alleged offences and to victims, is being processed, official authority or an additional condition under Article 10 of the UK GDPR is required. The Data Protection Act 2018 contains specific legal gateways for processing special category and criminal offence data for safeguarding purposes, namely those at Data Protection Act 2018 Schedule 1 Part 2, Paragraphs 18 (Safeguarding of children and of individuals at risk) and Paragraph 19 (Safeguarding of economic well-being of certain individuals).

Exemptions

The UK GDPR and the Data Protection Act 2018 set out guidance on exemptions

from some of the rights and obligations in some circumstances. You should not routinely rely on exemptions; you should consider them on a case-by-case basis.

How do exemptions work?

Whether or not you can rely on an exemption generally depends on your purposes for processing personal data. If an exemption applies, you may not have to comply with all the usual rights and obligations.

Some exemptions apply simply because you have a particular purpose.

However, others only apply to the extent that complying with the UK GDPR would:

  • be likely to prejudice your purpose (e.g. have a damaging or detrimental effect on what you are doing); or
  • prevent or seriously impair you from processing personal data in a way that is required or necessary for your purpose.

You should justify and document your reasons for relying on an exemption.

If no exemption covers what you do with personal data, you need to comply with the UK GDPR as normal.

Lawful Basis – resources and case studies

The ICO have a Lawful basis interactive guidance tool to help organisations determine the appropriate lawful basis for their data sharing, along with lawful basis resources , including slide presentations (lawful-basis-presentation), to refer to.

For processing to be lawful under the UK GDPR, controllers must identify (and document) a lawful basis for the processing.

The basis of consent is only one of six lawful bases and the UK GDPR sets a high standard for controllers to demonstrate that the conditions required for consent have been met. Thus, in this context, consent is unlikely to be an appropriate lawful basis for adult protection purposes, due to the perceived power imbalance between client and practitioner. However both Public Task and Legal Obligation would be more appropriate - through each link you will find detailed explanations and examples where each basis is appropriate. There are also a number of case studies showing different approaches to data sharing here: Case studies | ICO and here: Annex C: case studies | ICO.

Relying on a lawful basis other than consent does not prevent practitioners seeking the adult's input or views and being transparent about the sharing, indeed it is an important component of a controller's fairness and transparency obligations under data protection law.

Practitioners should, in advance of potential need, determine and document which lawful basis they can rely on in different scenarios. This should be done in consultation with their Data Protection Officer where available.

Contact

Email: Heather.Gibson@gov.scot

Back to top