Legal advice we are happy to share, unlike the Scottish Government

Despite requests from MSPs and members of the public, the Scottish Government is still refusing to publish its legal advice on the most contentious aspects of its Children and Young People Bill, currently making its weary way through the Scottish Parliament. Given the parliamentary arithmetic, whereby the government can steamroller through what it likes and is showing every sign of doing so in this case, it is unlikely that any appeal to common decency will persuade “those who know best for everyone else” to  abandon the convenience of opacity in favour of transparency.

So far, all amendments seeking to curb unwarranted state intervention in family life, based on tick box state dictated ‘wellbeing’ indicators which fall below the established child protection risk threshold of  ‘significant harm’ (mainly tabled by Liz Smith MSP), have been rejected, and the government clearly intends to persist with its misguided plans that would impose a Named Person on every child in Scotland and permit the sharing of personal information on every child, family member and pet goldfish on an unprecedented scale.

We know we are not alone in expressing misgivings and, frankly, disgust that “those who know best for everyone” are prepared to sacrifice children and families’ human and data protection rights on the altar of ‘wellbeing’ as defined by the state (“the sort of thing Hitler talked about”, if we may quote Tony Benn once again). Many others  in the voluntary sector are up in arms, as are respected social work professionals such as Maggie Mellon, bloggers such as SubRosa and a few clued up journalists, most notably Kenneth Roy of the Scottish Review. Teachers, social workers and medical personnel are most definitely not all on board this express train to totalitarianism and many foresee significant difficulties, not least of all in terms of increased workload and responsibility; but it’s not only those in the ‘caring’ professions who are deeply concerned about the state undermining and effectively taking over the role of parents. The Faculty of Advocates, the Law Society of Scotland, Govan Law Centre and other legal experts have been sounding alarm bells about the named person and  information sharing provisions contained within the Bill (as outlined in our own awareness raising petition about the dangers of GIRFEC, which has attracted over 2300 signatures). It certainly makes us wonder where on earth the government  got its legal advice from since it is on a shoogly nail when compared with everyone else’s, including our own.

Readers may remember that Schoolhouse was fortunate to secure advice from Allan Norman, who acted as the solicitor for the parents in the Haringey case (a precedent that the Scottish Government really cannot afford to ignore). Since a number of councils, most notably Stirling, have been misusing their  ‘power to advance wellbeing’ (derived from the Local Government in Scotland Act 2003) which we have long predicted would be cited as an excuse to breach the Data Protection Act, we asked Allan to comment on the fact that personal information is now being  routinely and overtly gathered and shared by councils on all children, as opposed to vulnerable children.

Schoolhouse observed:

The fact that it is mentioned in recent Scottish Government Data Management Board papers suggests that the “wellbeing power” is intended to be used to legitimise the sharing of everything on everybody, everywhere if “those who know best for everyone else” are allowed to get away with it.
Back in 2003, when this power was created, “wellbeing” had not yet been defined. Handy, isn’t it, that the Children and Young People Bill does just that with its SHANARRI indicators. And remember, these are not just being applied to every child, but every child, citizen and community.

Allan offered the following comments in response:

… there is equivalent legislation in England, in section 2, Local Government Act 2000. And LAs in England have used it to the same effect, to try to argue a power for information sharing. It doesn’t change my opinion in the slightest; my opinion was given in the knowledge of such provisions.

The key to oppose such interpretations of the well-being power is to be found in its limiting provision. In Scotland, this is in section 22:

22 Limits on power under section 20

(1) The power under section 20 above does not enable a local authority to do anything which it is, by virtue of a limiting provision, unable to do.

(2) In subsection (1) above, a “limiting provision” is one which—

(a) prohibits or prevents the local authority from doing anything or limits its powers in that respect; and

(b) is expressed in an enactment (whenever passed or made).

Meanwhile, the Data Protection Act permits information sharing only in specified circumstances – all of which require consent or necessity, and the relevant ones here being:

5 The processing is necessary—

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

My view is that, frankly, it is legal nonsense to suggest that a general well-being power, which makes no reference to information sharing, can be construed as a duty to share information; and since it is a well-being power not a duty, it cannot become ‘necessary’ for the purposes of the Data Protection Act. Moreover, since the power is limited to things it is not otherwise prevented from doing under an enactment, the correct interpretation is that the Data Protection Act and the Human Rights Act are ‘limiting provisions’.

Of course, the Information Commissioner’s Office has made clear – indeed in the context of child protection – that being able to point to a statutory gateway is not sufficient. This is both because – as the ICO guidance points out – a statutory gateway may be permissive or mandatory – and also because the existence of a statutory gateway cannot itself make it “necessary” as is required by all of the alternatives to consent within the Data Protection Act itself. (see Protecting Children’s Personal Information: ICO Issues Paper, Information Commissioner’s Office).

Game, set and match to the citizens, we would say. So where is the Scottish Government getting its advice from?  Well they’re still not telling, so we can still only speculate.

Meanwhile, the taxpayer funded Engage for Education website (strapline: “we ask, you say, we do”) has been having a few technical difficulties of late when it has been down more often than up, but maybe it’s just us? Alan McNiven’s contribution on GIRFEC has recently raised parental hackles and drawn numerous comments, including one from ourselves about distinctly pork-flavoured claims from ‘Engage’ that personal information is not being routinely shared without informed consent. No, our heads do not button up the back.

We commented:

You are being disingenuous as you well know that councils are misusing ‘wellbeing’ powers from the LG Act to share information on all children, despite such powers being trounced by overarching legislation (Article 8 and the UK Data Protection Act) from which Scotland cannot legally depart. Stirling Council is overt about its routine sharing of personal data on all children, and thanks to the Scottish Review, we all know the sort of inappropriate questions Perth & Kinross Council has been asking identifiable schoolchildren without informed consent. It’s time to admit defeat or take responsibility for the consequences of your misguided proposals, which will include (at best) significant disengagement from ‘services’ and (at worst) increased risk to the most vulnerable children.

And as someone else pointed out, this document is already in the public domain:


Scottish Government’s Data Management Board will shortly be publishing its data vision and action plan for Scotland. The action plan addresses use of data under three broad headings:

Sharing of personal data for service delivery;

Use of anonymised data for statistics and research; and

Data Innovation.

As for that controversial intrusive Evidence2Success pupil survey endorsed by Perth and Kinross Council, it is interesting to note that it created a veritable storm when the Scottish Review, blogosphere and local press publicised strong parental objections to its implementation without informed consent, yet it appeared not to disturb the ICO an iota! This discussion thread on the Home Education Forums ridicules claims by apologist researcher Tim Hobbs that children as young as nine should be considered competent to give consent to take part in a survey which asks them questions about anal sex, drug taking and feelings of worthlessness. Parents in Angus and Dundee have been duly warned that their children are going to be the next under-age lab rats if they do not proactively withhold their consent for participation.

Over on the Isle of Man, things have also been getting uncomfortable for “those who know best for everyone else” who are spatchcocked by the same pesky human rights and data protection legislation which applies across the UK.  We have reproduced in full below some recent correspondence from the IoM Data Protection Supervisor in response to questions from a Tynwald member, which is now in the public domain (unlike the Scottish Government’s legal advice). It points out the banana skins for those intent on pursuing the ‘universal interference in family life’ agenda which seems to have  become such a pressing priority (well above poverty, homelessness, unemployment and the economy), to the inevitable detriment of the most  vulnerable children, not to mention hard pressed taxpayers.  Mr McDonald’s opinion concurs with that of Allan Norman and every other expert with whom we have discussed the pitfalls of the Scottish Government’s intention to instigate a unilateral departure from overarching UK and European legislation. Please digest the information thoroughly as you may need to rely on it in court when you seek to uphold your rights.

Dear Mr Rodan

I apologise in advance for the length of the reply to your questions.

What is your view of how the Data Protection Act should be applied, in practice, to ensure that informed consent, freely given, is properly obtained by the DSC for initial assessments?

Obviously, the undertaking of an initial assessment concerns the obtaining and further processing of personal data but also other matters beyond the data protection remit.

Section 41 of the Children and Young Persons Act 2001 (CYPA) makes provision for the  Department to apply for an Assessment Order from the Court, but as I understand it, in keeping with the Department’s general duty under the CYPA to avoid Court proceedings where possible,  initial assessments are usually carried out on a voluntary basis, that is,  a person with parental responsibility for the child agrees to the assessment being undertaken.

The fact that initial assessments are usually voluntary is stated in the Isle of Man Childcare procedures. For example, see  paragraph 12 onwards of

However, while most assessments are voluntary it seems that parents are not made aware of this. I have checked with individuals who have made complaints to this Office and, as yet, no one was made aware that the assessments were voluntary and could have been refused. Some have said they would have refused or refused to the manner in which part of the assessment was undertaken. In particular, the Department’s insistence on questioning children in isolation from parents has been mentioned as something that would have been refused. (Of course these are not DP issues!)

It is interesting to note, in paragraph 14 of the procedures, that if the Court is to make an Assessment Order it must be satisfied that the Order is in the child’s best interests and making the order will be better for the child than not doing so. This balancing exercise appears to recognise that assessments are not benign and can be damaging and distressing to the child and family concerned.

I think everyone would agree with the premise that  court proceedings should be avoided and therefore initial assessments should be undertaken on a voluntary basis.

With specific regard to the provisions of the Data Protection Act, while a parent must agree to the voluntary assessment it can be argued that the Department does not require consent to process personal data  when undertaking a voluntary assessment as it has a statutory duty to make that assessment.

However the first data protection principle requires that personal data is processed fairly.  In my view for the processing of personal data  to be fair parents must know that such  assessments are voluntary.

What is your assessment of the attached information sharing  guidance and consent information and can you provide a view as to whether the documents work in practice?

With regard to the information sharing guidance, while I did not endorse it (contrary to the statement on its cover) I do not disagree with the generality of it. In general what it states is good practice if followed properly. I would not endorse it as I consider it to be skewed in favour of information sharing without proper engagement with the individual concerned. In my opinion, this skewing is one of the factors that has contributed to the extensive amount of unnecessary referrals that are made. The PCB website states this guidance is under review, hopefully revised guidance will be more balanced as the current guidance is based on the equivalent document produced in England under the Every Child Matters Agenda.

In my opinion, the consent form  is too general to serve any useful purpose.  Indeed, earlier this year, I discussed this with the Department of  Health who were using a similar form for Mental Health Services.  While I can see the benefit of  an advice note explaining to a service user how information may be shared I see no useful  purpose to obtaining generalised consent to information sharing at the start of engagement with a service user.

Consent must be “freely given,” “informed” and “specific.”  Case law has confirmed  on many occasions that someone  cannot consent to something they have no knowledge of or reasonable expectation of occurring.   In any event where sensitive personal data is processed that consent must be explicit.

Indeed this is also recognised in the information sharing guidance which states in section 3.22:

If there is a significant change in the use to which the information will be put compared to that which had previously been explained, or a change in the relationship between the organisation and the individual, consent should be sought again. Individuals have the right to withdraw consent at any time.

Can you advise how best to ensure that parents are fully aware of their rights under the Act as regards these referrals and assessments?

I would suggest two things:

1.   The referral form

The referral form is modified to include a section in which the parent provides explicit consent to the referral.  In the same section the parent would confirm that he/she has read the referral and agrees with its content (this will also help with the accuracy of the information contained in the referrals. )  The referral is signed and dated by the parent who is then given a copy of the referral.

Of course the exception to the above would remain, that is where the referee has a good cause to believe that seeking consent would increase the risk of significant harm. In such instances the referee should be obliged to make a statement as to why they consider the referral must be made without consent.

2.   The assessment

In my opinion, bearing in mind that more than 701 initial assessments were undertaken last year, an advice note which explains to parents their rights and that assessments are voluntary needs to be created as a matter of urgency. Given the nature of these assessments I would suggest that the parents should be asked to sign that they understand that the assessments are voluntary and that they may stop the assessment at any time or request the assessment to be undertaken differently. Of course the parent should also be advised that if they refuse an assessment and the Department believes that a child is suffering significant harm then the Department will seek an Assessment Order.

From the experience of this Office, I think the above suggestions may provide an appropriate balance between the rights of the family and the need to undertake assessments. I think the suggestions also have the potential to remove most of the issues that we see and in terms of the DPA the processing would be fair and not come as a surprise to families, proper consent can be evidenced and the content of referrals are likely to be more relevant and accurate.

How might the consent process be externally audited for compliance?

You are probably aware that my Office has no powers to undertake an audit unless the data controllers agree to it.

A DP audit can only focus on the processing of personal data and it is probably better that an audit was undertaken by a body with a wider terms of reference.

If an agreement to DP audit was reached and this could involve several data controllers, we would look to follow usual practice and randomly sample 5% of last year’s referrals. That is we would make a random selection of 35 or 36 referrals and then trace these referrals back to their source to ascertain whether or not proper consent can be evidenced.

I trust the above is of assistance.

Iain McDonald
Isle of Man Data Protection Supervisor


So where does that leave us as the CHYP Bill continues its passage through the Scottish Parliament and most of the 129 MSPs either fail to grasp the consequences of passing incompetent legislation or just do what they are told by “those who know best for everyone else” and crack the whip to ensure compliance? Well, for the unenlightened, here are the relevant rules and stumbling blocks for the Scottish Government:

Scottish Parliament – Part Two: Stages of Bills: the general rules

Reconsideration Stage – Powers of law officers and Secretary of State

2.62 Section 32 of the Scotland Act provides that a Bill, once passed, may be submitted for Royal Assent by the Presiding Officer after the expiry of a four-week period. During that period, the Bill is subject to legal challenge by the Advocate General for Scotland, the Lord Advocate or the Attorney General under section 33, and may also be subject to an order made by the Secretary of State under section 35. The Presiding Officer may, however, submit the Bill for Royal Assent after less than four weeks if notified by all three Law Officers (under section 33(3)) and the Secretary of State (under section 35(4)) that they do not intend to exercise those powers.

2.63 The Secretary of State may only make a section 35 order on the ground that the Bill is incompatible with international obligations or defence or security interests, or because it would adversely affect the operation of the law on reserved matters, where that law is modified by the Bill. Such an order, which must specify the provisions of the Bill objected to and the reasons, prohibits the Presiding Officer from submitting the Bill for Royal Assent. A challenge from one of the Law Officers is made on grounds of legislative competence and takes the form of a reference to the Judicial Committee of the Privy Council (JCPC). Once such a reference has been made, the Bill cannot make further progress towards Royal Assent until the JCPC has either decided (or otherwise disposed of) the reference, or has referred a question arising from it to the European Court of Justice (ECJ).

Scotland Act Section 35 – Power to intervene in certain cases.

(1) If a Bill contains provisions—

(a) which the Secretary of State has reasonable grounds to believe would be incompatible with any international obligations or the interests of defence or national security, or

(b) which make modifications of the law as it applies to reserved matters and which the Secretary of State has reasonable grounds to believe would have an adverse effect on the operation of the law as it applies to reserved matters, he may make an order prohibiting the Presiding Officer from submitting the Bill for Royal Assent.

Scotland Act Schedule 5 – Reserved matters

Section B2. Data protection

The subject-matter of—

(a) the Data Protection Act 1998, and

(b) Council Directive 95/46/EC (protection of individuals with regard to the processing of personal data and on the free movement of such data).


If any provision of the Data Protection Act 1998 is not in force on the principal appointed day, it is to be treated for the purposes of this reservation as if it were.

To summarise (and with apologies for the length of this post), the CHYP Bill’s ‘wellbeing’ and information sharing provisions compromise the UK’s international obligations (European Convention on Human Rights) and reserved matters because they conflict with the Data Protection Act.

Now where did the Scottish Government’s legal advice come from again? Sadly, but predictably, they’re still not telling us as they clearly prefer that “we who don’t know best for ourselves, our children or anyone else” be kept conveniently in the dark.

