Getting it right for every child (GIRFEC) Practice Guidance 4 - Information sharing
This guidance aims to clarify the circumstances in which information can be shared with another agency, the considerations that need to be taken into account to ensure sharing information with another agency is appropriate, and the importance of involving children, young people and families.
10. Lawful bases for sharing information
Every time you process personal information, including sharing it with another organisation, you must have a lawful basis. A “lawful basis” is a reason or justification for sharing information recognised by data protection law (see Article 6 of the UK GDPR). There are six lawful bases that may apply. For special category data, you must also identify a separate condition for processing under Article 9; there are also greater protections for information relating to criminal convictions and offences (including allegations) for more detail on special category and criminal offence data, see section 11.
The six lawful bases are summarised below:
Public interest or public task - Necessary for performance of a specific task carried out in the public interest which is laid down by law, or in the exercise of official authority - for example, a public body’s tasks, functions, duties or powers set out in law (see glossary for definition of public body).
Vital interests - Necessary to protect someone’s life or, for example, if a child or young person is deemed to be at risk of significant harm. You cannot rely on vital interests for special category data if the individual is capable of giving consent, even if they refuse their consent.
Legal obligation - Necessary to comply with a common law or statutory obligation.
Consent - The individual has given clear consent for their information to be shared for a specific purpose.
Legitimate interests - Necessary for your legitimate interests or those of a third party, unless there is a good reason to protect the individual’s personal information (cannot apply for a public authority sharing information to perform official tasks).
Contract - When necessary in performance of a contract entered in to by an individual and therefore unlikely to be relevant in this context.
Reference: Lawful basis for processing;
It may be useful to refer to the Lawful basis interactive guidance tool
10.1 Public Task
For public bodies such as health, education and social work, public task is likely to be the most relevant lawful basis. Public task may provide the lawful basis for third sector and independent organisations to share information in situations where the organisation is commissioned to provide a service on behalf of public authorities.
Public task means processing personal information that is “necessary for the performance of a task carried out in the public interest or in the exercise of official authority”. You do not need a specific statutory power to process personal information, but the specific task or official authority must be laid down by law (for example, National Health Service (Scotland) Act 1978, Children (Scotland) Act 1995, Standards in Scotland’s Schools etc. Act 2000).
The processing must be necessary. You cannot use public task as the lawful basis if you could reasonably carry out the task or exercise your powers in a way that means less interference with people’s privacy.
Public task applies to most situations where someone working in a public body has concerns about a child or young person’s wellbeing that they have assessed needs to be shared with another agency. Organisations should have policies and processes for staff, which they can follow, which signpost the relevant public task.
The Information Commissioner’s Office provide a more detailed explanation of what is meant by public task: Public task.
10.1.1 What does “necessary for the performance of a task carried out in the public interest or in the exercise of official authority” mean?
In situations where information sharing is necessary to deliver a service, children, young people and families should be informed before they agree to engage with the service, what information needs to be shared, with whom, and for what purpose.
In many cases, it will be clear whether processing is necessary or not. For example, if you are concerned about protecting the wellbeing of a child or young person. However, for the processing to be necessary, you must make sure that any information you share is:
- targeted so that you are not sharing more information than necessary; and,
- proportionate to the aim.
You should take into account:
- the sensitivity of the information,
- the purpose of sharing, and
- whether there is a way to achieve the aim that interferes less with the person or people’s privacy.
It may be that you have to share information about a parent or sibling (not just the child or young person) in order to achieve support for a child or young person. When sharing personal information, you must consider and respect each individual’s rights, and identify a lawful basis for each person.
You should record your actions, the reasons for them, and any views expressed. See section 12, Recording decisions and the reasons for decisions, for more detail.
10.2 Legitimate interests as a lawful basis
Public bodies cannot rely on legitimate interests unless they are processing for a legitimate reason other than performing their tasks as a public body, so it is unlikely to be the most appropriate lawful basis for public bodies to share information. However, it may be the most appropriate lawful basis for third sector and independent organisations if the conditions explained below are met.
The ICO guide to UK GDPR states:
- Legitimate interests is the most flexible lawful basis for processing, but you cannot assume it will always be the most appropriate.
- It is likely to be most appropriate where you use people’s information in ways they would reasonably expect and which have a minimal privacy impact, or where there is a compelling justification for the processing.
- If you choose to rely on legitimate interests, you are taking on extra responsibility for considering and protecting people’s rights and interests.
- There are three elements to the legitimate interests basis. It helps to think of this as a three-part test. You need to:
- identify a legitimate interest;
- show that the processing is necessary to achieve it; and
- balance it against the individual’s interests, rights and freedoms.
- The legitimate interests can be your own interests or the interests of third parties. They can include commercial interests, individual interests or broader societal benefits.
- The processing must be necessary. If you can reasonably achieve the same result in another less intrusive way, legitimate interests will not apply.
- You must balance your interests against the individual’s. If they would not reasonably expect the processing, or if it would cause unjustified harm, their interests are likely to override your legitimate interests.
- Keep a record of your legitimate interests assessment (LIA) to help you demonstrate compliance if required.
- You must include details of your legitimate interests in your privacy information.
Information Commissioner’s Office, Legitimate interests, accessed 14 June 2022, licensed under the Open Government Licence.
10.3 Consent
Data protection legislation sets a high standard for relying on consent as a lawful basis, including that the person must have been able to disagree without being concerned about the consequences (i.e. there must be no imbalance of power). ICO guidance states that public authorities and other organisations in a position of power over individuals should not rely on consent unless they are confident they can demonstrate it is freely given (explained in more detail below, see also When is consent appropriate?).
Example: A school offers to refer parents to a local authority parenting support programme. The parents’ participation in the programme is entirely optional. The school should advise the parents that they can contact the parenting support programme themselves; or the school could offer to make the referral. If the school makes the referral it would require to pass on the parents’ contact details. Before doing so the school should seek the parents’ explicit consent.
If the conditions are not met for public task, vital interests or legitimate interests (for example there are no concerns over harm that would justify sharing information), third sector, voluntary and independent organisations may be able to rely on consent as a lawful basis.
It is essential that consent is “specific and informed” and “freely given” in order for consent to be relied on as the lawful basis. Although there is no lower age limit on the right of the child or young person to express their views, data protection legislation provides that in Scotland, children aged 12 or over are presumed to be mature enough to have legal capacity to provide their own consent or exercise the rights conferred by data protection legislation. A determination of their capacity would be required to assert this is not the case.
Advocacy, translation or communication support may be helpful, or in some cases essential, to ensuring children, young people and families fully understand and are able to provide informed and freely give consent.
When consent is used as a lawful basis, the consent must be recorded and the record kept for as long as the information is stored, used or shared based on the consent. If consent is withdrawn, this does not affect the lawfulness of any information sharing that has taken place up to the point of the withdrawal of consent. It simply means that no further information sharing that is based on consent can take place from the time at which the consent is withdrawn.
10.3.1 What does “specific and informed” mean?
This means that you must explain to people in a way they can easily understand:
- The data controller’s identity (who/which organisations will use or store the information and with whom it will be shared);
- The purposes of the processing (what they will use the information for);
- The processing activities: again, where possible you should provide granular consent options for each separate type of processing, unless those activities are clearly interdependent – but as a minimum you must specifically cover all processing activities; and
- The right to withdraw consent at any time (it is good practice to explain how to withdraw consent).
10.3.2 What does “freely given” mean?
Consent can only be freely given if the child or young person can refuse consent without being concerned about any possible consequences. Although the GIRFEC approach promotes choice and full participation, there are likely to be situations where children, young people and their families may feel that there will be negative consequences if they do not agree with the organisation or services, so the option to disagree is not open to them. This is what is meant by a power imbalance.
Consent can only be the lawful basis if there is no power imbalance. This might be possible if, for example:
- the child, young person or their family have no reason to be concerned about the consequences of not providing consent; and,
- it is clear that consent is optional and the decision will not affect the relationship between the child, young person or their family and the practitioner/service, or any support they receive.
In an emergency situation (e.g. safeguarding children or young people) you should go ahead and immediately (and without consent) share information as is necessary and proportionate. You should record the reasons why you have done as soon as possible afterwards. Section 13 goes into more detail on information sharing in an emergency situation.
10.4 Vital Interests
There may be circumstances where vital interests (i.e. necessary to protect someone’s life or, for example, if a child or young person is deemed to be at risk of significant harm) is the most relevant lawful basis.
Contact
Email: GIRFEC@gov.scot
There is a problem
Thanks for your feedback