GiRFEC, wellbeing, GDPR and Human Rights

The request was partially successful.

Dear Dumfries and Galloway Council,

GiRFEC, wellbeing, GDPR and Human Rights.

To be clear and for the purposes of this request, wellbeing and welfare are vastly different in law. Welfare is child protection and has a clear, legal threshold for information sharing without consent; wellbeing is at best pertaining to the economic wellbeing of the country (Supreme Court, July 2016) but for the purposes of GiRFEC, wellbeing is happiness within SHANARRI, deemed vague and open to interpretation (Supreme Court, July 2016) and does not meet the threshold for information sharing without consent.

I would be grateful for the following information:

1. How your organisation is prepared for GDPR in relation to GiRFEC, SHANARRI, wellbeing, and all other processing of data at non-child protection level where it does not meet the high threshold of welfare.

2. What legal base you would process subject’s information in relation to GiRFEC, SHANARRI, wellbeing, (to be clear, not welfare), and the reason for the legal base you would use, e.g. if the base would be public interest, please also describe WHY this base would apply.

3. How you will notify each data subject, including 3rd party subject, in advance that you intend to process their GIRFEC, SHANARRI, wellbeing data, (not welfare) by sharing with another organisation.

4. How you intend to offer each data subject, including 3rd party subject, the right to object to processing their GiRFEC, SHANARRI, wellbeing data, (not welfare).

5. If it be the case that subject’s consent is not required, the reasons WHY their consent would not be required for processing their GiRFEC, SHANARRI, wellbeing data, (not welfare).

6. In the absence of informed consent, or not meeting one of the aims listed in Article 8, how you will apply the balancing test to comply with Human Rights Article 8 (2) ECHR to GDPR and DPA in processing GiRFEC, SHANARRI, wellbeing data, (non-child protection threshold).
Child protection is an exemption, however, wellbeing does not meet the necessity test, and the promotion of wellbeing is not one of the aims of Article 8 (2), (Para 89, Supreme Court, 2016). Legitimate interest base, for example, would need to be balanced with the 3 part test, including human rights, I request how would you apply this test.

7. A copy of your policy/code of practise for data processing.

8. Copies of your staff training programs in relation to GiRFEC, SHANARRI, wellbeing since;
a). Supreme Court ruling, July 2016.
b). 2013 - Supreme Court ruling, July 2016.

9. Copies of your memorandums to staff regarding updating practise information in relation to GiRFEC, SHANARRI, wellbeing since Supreme Court ruling July 2016.

10. Your legal base for processing GiRFEC, SHANARRI, wellbeing data (not welfare) in relation to requests to remove a child’s name from school, that a parent may carry out their legal duty and responsibility to home educate, and how this relates to GDPR and Human Rights.

11. Which legal body provides the staff training in relation to requests to remove a child from school in order to home educate.

12. A copy of:
a). the most recent training program delivered to staff in relation to removing a child from school in order to home educate,
b). the training programs delivered to staff between 2013 and July 2016 Supreme Court ruling in relation to removing a child from school in order to home educate.

13. The names of the organisations you use for legal advice in relation to GiRFEC, SHANARRI, wellbeing, GDPR, Human Rights and home education policies.

Yours faithfully,

V. Colvin

Dumfries and Galloway Council

FREEDOM OF INFORMATION (SCOTLAND) ACT 2002

Thank you for your request for information which was received on 28/05/2018 which we are dealing with in terms of the above legislation. We have given your request the unique reference 337680 and we would appreciate it if you could quote this on all correspondence to us.

Under the terms of the legislation, we have an obligation to respond to your request within 20 working days from the day after your request was received. We will therefore aim to respond to your request by 25/06/2018.

Please be aware that, in some circumstances, a fee may be payable for the retrieval, collation and provision of the information you have requested. If this is the case, a fees notice will be issued, which would need to be paid in order to progress your request.

If your request for information is considered and deemed as a 'business as usual' request, it will be responded to by the appropriate Service within the Council.

If you have any queries in the meantime, please contact [email address].

Kind Regards

FOI Unit
Dumfries and Galloway Council

--
Any email message sent or received by the
Council may require to be disclosed by the
Council under the provisions of the Freedom
of Information (Scotland) Act 2002.

Dear Dumfries and Galloway Council,

I have not received a response to my FOI that you received on 28th May, and under this legislation was due 25th June. I would be grateful for an explanation as to why this is late, and a timescale of when you predict I should have a full response to my FOI.

Yours faithfully,

V. Colvin

FOI Responses, Dumfries and Galloway Council

5 Attachments

                        
Please find below the Council's response to your request 337680 which was
received on 28/05/2018.
 
Details of request: To be clear and for the purposes of this request,
wellbeing and welfare are vastly different in law. Welfare is child
protection and has a clear, legal threshold for information sharing
without consent; wellbeing is at best pertaining to the economic wellbeing
of the country (Supreme Court, July 2016) but for the purposes of GiRFEC,
wellbeing is happiness within SHANARRI, deemed vague and open to
interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent.
 
I would be grateful for the following information:
 
1. How your organisation is prepared for GDPR in relation to GiRFEC,
SHANARRI, wellbeing, and all other processing of data at non-child
protection level where it does not meet the high threshold of welfare.
 
2. What legal base you would process subject?s information in relation to
GiRFEC, SHANARRI, wellbeing, (to be clear, not welfare), and the reason
for the legal base you would use, e.g. if the base would be public
interest, please also describe WHY this base would apply.
 
3. How you will notify each data subject, including 3rd party subject, in
advance that you intend to process their GIRFEC, SHANARRI, wellbeing data,
(not welfare) by sharing with another organisation.
 
4. How you intend to offer each data subject, including 3rd party subject,
the right to object to processing their GiRFEC, SHANARRI, wellbeing data,
(not welfare).
 
5. If it be the case that subject?s consent is not required, the reasons
WHY their consent would not be required for processing their GiRFEC,
SHANARRI, wellbeing data, (not welfare).
 
6. In the absence of informed consent, or not meeting one of the aims
listed in Article 8, how you will apply the balancing test to comply with
Human Rights Article 8 (2) ECHR to GDPR and DPA in processing GiRFEC,
SHANARRI, wellbeing data, (non-child protection threshold).
Child protection is an exemption, however, wellbeing does not meet the
necessity test, and the promotion of wellbeing is not one of the aims of
Article 8 (2), (Para 89, Supreme Court, 2016). Legitimate interest base,
for example, would need to be balanced with the 3 part test, including
human rights, I request how would you apply this test.
 
7. A copy of your policy/code of practise for data processing.
 
8. Copies of your staff training programs in relation to GiRFEC, SHANARRI,
wellbeing since; a). Supreme Court ruling, July 2016.
b). 2013 - Supreme Court ruling, July 2016.
 
9. Copies of your memorandums to staff regarding updating practise
information in relation to GiRFEC, SHANARRI, wellbeing since Supreme Court
ruling July 2016.
 
10. Your legal base for processing GiRFEC, SHANARRI, wellbeing data (not
welfare) in relation to requests to remove a child?s name from school,
that a parent may carry out their legal duty and responsibility to home
educate, and how this relates to GDPR and Human Rights.
 
11. Which legal body provides the staff training in relation to requests
to remove a child from school in order to home educate.
 
12. A copy of:
a). the most recent training program delivered to staff in relation to
removing a child from school in order to home educate, b). the training
programs delivered to staff between 2013 and July 2016 Supreme Court
ruling in relation to removing a child from school in order to home
educate.
 
13. The names of the organisations you use for legal advice in relation to
GiRFEC, SHANARRI, wellbeing, GDPR, Human Rights and home education
policies.
 
Response:
 
Q1.         How your organisation is prepared for GDPR in relation to
GiRFEC, SHANARRI, wellbeing, and all other processing of data at non-child
protection level where it does not meet the high threshold of welfare?
 
Response:  Please provide clarification re this question given (1) it is
not clear whether “all other processing of data” is restricted solely to
children; (2) it is not clear what is meant by “non-child protection
level”; and (3) there is no threshold known as “the high threshold of
welfare”.
 
Q.2         What legal base you would process subject’s information in
relation to GiRFEC, SHANARRI, wellbeing, (to be clear, not welfare), and
the reason for the legal base you would use, e.g. if the base would be
public interest, please also describe WHY this base would apply?
 
Response: Please provide clarification re this question given (1) it is
not clear what is meant by “legal base”; (2) it is not clear who the
“subject” actually is i.e. child/family members or all; and (3)  it is not
clear what is meant by “wellbeing,(to be clear not welfare)”.  Without
this clarification we are unable to identify the nature of the data that
the question seeks to address  
 
Q3.         How you will notify each data subject, including 3rd party
subject, in advance that you intend to process their GIRFEC, SHANARRI,
wellbeing data, (not welfare) by sharing with another organisation?
 
Response: Please provide clarification of what is meant by “wellbeing,(
not welfare)” and “including 3rd party subject”.  Without this
clarification we are unable to identify the nature of the data that the
question seeks to address.
 
Q4,         How you intend to offer each data subject, including 3rd party
subject, the right to object to processing their GiRFEC, SHANARRI,
wellbeing data, (not welfare)?
 
Response:  Please provide clarification of what is meant by “wellbeing,(
not welfare)”.  Without this clarification we are unable to identify the
nature of the data that the question seeks to address.
 
Q5.  If it be the case that subject’s consent is not required, the reasons
WHY their consent would not be required for processing their GiRFEC,
SHANARRI, wellbeing data, (not welfare)?
 
Response:  Please provide clarification of what is meant by “wellbeing,(
not welfare)”.  Without this clarification we are unable to identify the
nature of the data that the question seeks to address.
 
Q6.         In the absence of informed consent, or not meeting one of the
aims listed in Article 8, how you will apply the balancing test to comply
with Human Rights Article 8 (2) ECHR to GDPR and DPA in processing GiRFEC,
SHANARRI, wellbeing data, (non-child protection threshold).
Child protection is an exemption, however, wellbeing does not meet the
necessity test, and the promotion of wellbeing is not one of the aims of
Article 8 (2), (Para 89, Supreme Court, 2016). Legitimate interest base,
for example, would need to be balanced with the 3 part test, including
human rights, I request how would you apply this test?
 
Response: Please provide clarification of what is meant by “the balancing
test to comply with Human Rights Article 8 (2) ECHR to GDPR and DPA”;  
“non-child protection threshold”; “Legitimate interest base”  and “3 part
test”.  
 
Q7.         A copy of your policy/code of practise for data processing.
 
Response:  Please provide clarification .  Given the council has
policies/codes of practice for such processing across many spheres
clarification is required as to what specific area(s) of processing form
the subject of this particular question. 
 
Q8.         Copies of your staff training programs in relation to GiRFEC,
SHANARRI, wellbeing since; a). Supreme Court ruling, July 2016.
b). 2013 - Supreme Court ruling, July 2016.
 
Response: Supply Info Sharing Chronology + Info Sharing Chronologies
Presentation and confirm that the Children’s Services Learning and
Development Group have delivered 5 sessions of the Information Sharing and
Chronologies Training since May 2016 i.e.
 
02/06/16 – Stranraer                      - 8
24/11/16 – Castle Douglas           - 12
22/03/17 – Dumfries                      - 15
22/06/17 – Lockerbie                     - 13
08/11/17 – Stranraer                      - 12
 
Total Staff Trained                          - 60
 
Q9.         Copies of your memorandums to staff regarding updating
practise information in relation to GiRFEC, SHANARRI, wellbeing since
Supreme Court ruling July 2016.
 
Response:  Supply Briefing Nos 54, 55 and 59.
 
Q10.      Your legal base for processing GiRFEC, SHANARRI, wellbeing data
(not welfare) in relation to requests to remove a child’s name from
school, that a parent may carry out their legal duty and responsibility to
home educate, and how this relates to GDPR and Human Rights.
 
Response:  Please request clarification of what is meant by “Your legal
base” and “wellbeing data (not welfare) “.
 
Q11.       Which legal body provides the staff training in relation to
requests to remove a child from school in order to home educate.
 
Response:  No legal body provides the staff training in relation to
requests to remove a child from school in order to home educate.
 
Q12.       A copy of:
a). the most recent training program delivered to staff in relation to
removing a child from school in order to home educate, b). the training
programs delivered to staff between 2013 and July 2016 Supreme Court
ruling in relation to removing a child from school in order to home
educate.
 
Response:  a) – S.17 Notice because there has been no recent training
program delivered to staff in relation to removing a child from school in
order to home educate,
 
                      b) – SW.17 Notice because there have been no
training programs delivered to staff between 2013 and July 2016 Supreme
Court ruling in relation to removing a child from school in order to home
educate.
 
Q13.  The names of the organisations you use for legal advice in relation
to GiRFEC, SHANARRI, wellbeing, GDPR, Human Rights and home education
policies.
 
Response:  Legal Services, Dumfries and Galloway Council.
 
 
 
 
Please be aware that the Council holds the copyright, where applicable,
for the information provided and it may be reproduced free of charge in
any format or media without requiring specific permission.  This is
subject to the material not being used in a misleading context.  The
source of the material must be acknowledged as Dumfries and Galloway
Council and the title of the document must be included when being
reproduced as part of another publication or service.
 
If you require any further clarification, please contact us.  However, if
you are not satisfied with the way in which your request has been dealt
with, you can request us to carry out an internal review of the decision
by emailing [1][email address] or writing to us within 40 working days
of receiving this response. 
 
If you are dissatisfied with the outcome of the review, you have the right
to apply to the Scottish Information Commissioner for a decision. Appeals
to the Commissioner can be made online at
[2]https://emea01.safelinks.protection.outl...
or in writing to: The Office of the Scottish Information Commissioner,
Kinburn Castle, Doubledykes Road, St Andrews, Fife, KY16 9DS.
        
Kind Regards
 
FOI Unit 
Dumfries and Galloway Council  
 
Any email message sent or received by the Council may require to be
disclosed by the Council under the provisions of the Freedom of
Information (Scotland) Act 2002.

References

Visible links
1. mailto:[email address]
2. https://emea01.safelinks.protection.outl...

Dear FOI Responses,

thank you, I will clarify further;

Q1 "Response: Please provide clarification re this question given (1) it is
not clear whether “all other processing of data” is restricted solely to
children; (2) it is not clear what is meant by “non-child protection
level”; and (3) there is no threshold known as “the high threshold of
welfare”. "

(1) "all other processing of data" is not restricted to children, it includes anyone who may come into contact with children and whose data is being recorded, stored, gathered, shared, deleted etc. to include all aspects of data processing in relation to my request, and includes any person who may be 3rd party to subject.
(2) "non-child protection level" is the level lower than the lawful threshold of child protection/risk of significant harm for processing subject's information without consent.
(3) "the high threshold of welfare", for clarification, you may substitute for the word welfare 'child protection' or 'risk of significant harm'. Child Protection/risk of significant harm provide the threshold for data processing without subject's consent in the absence of an alternative legal basis.

Q2 "Response: Please provide clarification re this question given (1) it is
not clear what is meant by “legal base”; (2) it is not clear who the
“subject” actually is i.e. child/family members or all; and (3) it is not
clear what is meant by “wellbeing,(to be clear not welfare)”. Without
this clarification we are unable to identify the nature of the data that
the question seeks to address"

(1) "Legal base" can be clarified further as lawful ground or legal basis, and if more than one the plural legal bases.
(2) "Subject". The subject is the individual whose information is being/has been processed. This may be any person including 3rd party subject, i.e. where information is inserted into the main subject's records pertaining to a 3rd party.
(3) "wellbeing, (to be clear, not welfare)" is to differentiate between the two. I would refer you to my opening paragraph which clarifies separately wellbeing and welfare.
To be clear and for the purposes of this request,
wellbeing and welfare are vastly different in law. Welfare is child
protection and has a clear, legal threshold for information sharing
without consent; wellbeing is at best pertaining to the economic wellbeing
of the country (Supreme Court, July 2016) but for the purposes of GiRFEC,
wellbeing, as applied via government SHANARRI indicators, is deemed vague and open to subjective interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent.
For further clarification on wellbeing I would refer you to your Briefings, in which 'wellbeing' is stated throughout. For the purpose of my request, welfare is child protection/risk of significant harm and I would request that you precisely define 'wellbeing' in all Briefings.

Q3 "Response: Please provide clarification of what is meant by “wellbeing,(
not welfare)” and “including 3rd party subject”. Without this
clarification we are unable to identify the nature of the data that the
question seeks to address."

"wellbeing, (not welfare)" is to differentiate between the two. I would refer you to my opening paragraph which clarifies separately wellbeing and welfare.
To be clear and for the purposes of this request,
wellbeing and welfare are vastly different in law. Welfare is child
protection and has a clear, legal threshold for information sharing
without consent; wellbeing is at best pertaining to the economic wellbeing
of the country (Supreme Court, July 2016) but for the purposes of GiRFEC,
wellbeing, as applied via government SHANARRI indicators, is deemed vague and open to subjective interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent.
For further clarification on wellbeing I would refer you to your Briefings, in which 'wellbeing' is stated throughout. For the purpose of my request, welfare is child protection/risk of significant harm and I would request that you precisely define 'wellbeing' in all Briefings.

"including 3rd party subject". 3rd party subject is where information relating to an associated individual is inserted into the main subject's records.

Q4 Response: Please provide clarification of what is meant by “wellbeing,(
not welfare)”. Without this clarification we are unable to identify the
nature of the data that the question seeks to address.

"wellbeing, (not welfare)" is to differentiate between the two. I would refer you to my opening paragraph which clarifies separately wellbeing and welfare.
To be clear and for the purposes of this request,
wellbeing and welfare are vastly different in law. Welfare is child
protection and has a clear, legal threshold for information sharing
without consent; wellbeing is at best pertaining to the economic wellbeing
of the country (Supreme Court, July 2016) but for the purposes of GiRFEC,
wellbeing, as applied via government SHANARRI indicators, is deemed vague and open to subjective interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent."
For further clarification on wellbeing I would refer you to your Briefings, in which 'wellbeing' is stated throughout. For the purpose of my request, welfare is child protection/risk of significant harm and I would request that you precisely define 'wellbeing' in all Briefings.

Q5 "wellbeing, (not welfare)" is to differentiate between the two. I would refer you to my opening paragraph which clarifies separately wellbeing and welfare.
"To be clear and for the purposes of this request,
wellbeing and welfare are vastly different in law. Welfare is child
protection and has a clear, legal threshold for information sharing
without consent; wellbeing is at best pertaining to the economic wellbeing
of the country (Supreme Court, July 2016) but for the purposes of GiRFEC,
wellbeing, as applied via government SHANARRI indicators, deemed vague and open to
subjective interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent."
For further clarification on wellbeing I would refer you to your Briefings, in which 'wellbeing' is stated throughout. For the purpose of my request, welfare is child protection/risk of significant harm and I would request that you precisely define 'wellbeing' in all Briefings.

Q6 "Response: Please provide clarification of what is meant by “the balancing
test to comply with Human Rights Article 8 (2) ECHR to GDPR and DPA”;
“non-child protection threshold”; “Legitimate interest base” and “3 part
test”."

Please find from ICO explanation of the balancing test, for clarification.
"What is the balancing test?
Just because you have determined that your processing is necessary for a legitimate interest does not mean that you are automatically able to rely on this basis for processing. You must also perform a ‘balancing test’ to justify any impact on individuals.
The balancing test is where you take into account “the interests or fundamental rights and freedoms of the data subject which require the protection of personal data”, and check they don’t override your interests. In essence, this is a light-touch risk assessment to check that any risks to individuals’ interests are proportionate.
If the data belongs to children then you need to be particularly careful to ensure their interests and rights are protected.
What are the individual’s ‘interests, rights and freedoms’?
The interests, rights and freedoms of individuals in this context is a broad concept which includes data protection and privacy rights, but also other fundamental rights as well as more general interests.
It is clear from other related provisions in the GDPR which talk about risks to the rights and freedoms of individuals that the focus here should be on any potential impact on individuals. Recital 75 provides some relevant guidance here. It makes clear that a risk to individuals’ rights and freedoms is about the potential for any type of impact. This includes physical, financial or any other impact, such as:
inability to exercise rights (including data protection rights);
loss of control over the use of personal data; or
any social or economic disadvantage.
Further Reading
Relevant provisions in the GDPR – See Article 6(1)(f), and Recitals 47 and 75"

The balancing test relates to an individual's freedoms and rights to comply with Data Protection Laws and Human Rights Laws. Data processing balancing test considers human rights as set out in ECHR 8 (2) and HRA 1998. Further information for clarification can be found on the ICO website.

"non-child protection threshold" is the level lower than the lawful threshold of child protection/risk of significant harm for processing subject's information without consent.

"legitimate interest base" "Legitimate interests is one of the six lawful bases for processing personal data. You must have a lawful basis in order to process personal data in line with the ‘lawfulness, fairness and transparency’ principle." (ICO website, 2018)

"3 part test" "Whilst a three-part test is not explicitly set out as such in the GDPR, the legitimate interests provision does incorporate three key elements. Article 6(1)(f) breaks down into three parts:

“processing is necessary for…
…the purposes of the legitimate interests pursued by the controller or by a third party, …
…except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.”

It makes most sense to apply this as a test in the following order:
Purpose test – is there a legitimate interest behind the processing?
Necessity test – is the processing necessary for that purpose?
Balancing test – is the legitimate interest overridden by the individual’s interests, rights or freedoms?
This concept of a three-part test for legitimate interests is not new. In fact the Court of Justice of the European Union confirmed this approach to legitimate interests in the Rigas case (C-13/16, 4 May 2017)
in the context of the Data Protection Directive 95/46/EC, which contained a very similar provision.
This means it is not sufficient for you to simply decide that it’s in your legitimate interests and start processing the data. You must be able to satisfy all three parts of the test prior to commencing your processing.
Further Reading
Relevant provisions in the GDPR – See Article 6(1)(f) (ICO website, 2018)

Q7 "Response: Please provide clarification . Given the council has
policies/codes of practice for such processing across many spheres
clarification is required as to what specific area(s) of processing form
the subject of this particular question."
To clarify, my request is for all data processing policies/codes of practice in relation to GiRFEC and wellbeing only.

Q10 "Response: Please request clarification of what is meant by “Your legal
base” and “wellbeing data (not welfare) “.
"Your legal base" There are six legal bases, this request is to enquire which basis D&G Council/Education Board would apply.
"Wellbeing data (not welfare)" To clarify, this request relates to data which is processed at lower than child protection/risk of significant harm, referred to in your Briefing No. 59 as wellbeing (SHANARRI indicators).

I look forward to your response.
Yours sincerely,

V. Colvin

Dear Dumfries and Galloway Council,

My FOI was due for response by 2nd August and is now late. I would be grateful for an explanation why, and a timescale of when I can expect a full response.

Yours faithfully,

V. Colvin

FOI, Dumfries and Galloway Council

Please accept my apologies for the delay in our response. This case is currently being reviewed and a meeting is being held to discuss the appropriate response following your points of clarification. As soon as we have a response I will forward this to you

Regards

Gillian

Information Management & Complaints Unit
Corporate Services | Dumfries & Galloway Council
Tel: 01387 260202/ Internal 64202 Drop Point: 205
e-mail: [email address] | Visit us online at www.dumgal.gov.uk

Any email message sent or received by the Council may require to be disclosed by the Council under the provisions of the Freedom of Information (Scotland) Act 2002.
 SAVE PAPER - Please do not print this e-mail unless absolutely necessary

show quoted sections

Dear Gillian,

Many thanks for the update. I look forward to receiving your response.

Yours sincerely,

V. Colvin

FOI, Dumfries and Galloway Council

Following on from the message below, it has been confirmed that your case is now being reviewed and a response is being compiled. Due to the complexity of the questions and subsequent points of clarification, this may take up to two weeks to ensure a full response is available.

As soon as I have a response I will contact you with the details

Regards

Gillian

Gillian McCaa
Corporate Services
Dumfries and Galloway Council
Council Offices English Street
Dumfries, DG1 2DD

Internal: 64202
External 01387 260202

Drop Point: 205
Email: [email address]
www.dumgal.gov.uk

Any email message sent or received by the Council may require to be disclosed by the Council under the provisions of the Freedom of Information (Scotland) Act 2002.

P SAVE PAPER - Please do not print this e-mail unless absolutely necessary

show quoted sections

Dear FOI,

My Freedom of Information is long overdue, and your last communication was four weeks ago, to expect a delay for up to two weeks. I would be grateful for an update as to when I can expect the response.

I look forward to hearing from you.

Yours sincerely,

V. Colvin

Data Protection, Dumfries and Galloway Council

Dear Ms Colvin,

 

FOISA 2002 Request - Data Processing, GIRFEC, SHANARRI, Wellbeing - Ref:
337680

 

Thank you for your request for information dated 28th May 2018 and for
your further clarifications dated 4th July 2018.

 

I set out below the Council's responses to each of your requests in turn:

 

Q 1         How your organisation is prepared for GDPR in relation to
GiRFEC, SHANARRI, wellbeing, and all other processing of data at non-child
protection level where it does not meet the high threshold of welfare? 

 

Clarification:

 

1 "all other processing of data" is not restricted to children, it
includes anyone who may come into contact with children and whose data is
being recorded, stored, gathered, shared, deleted etc. to include all
aspects of data processing in relation to my request, and includes any
person who may be 3rd party to subject.

2 "non-child protection level" is the level lower than the lawful
threshold of child protection/risk of significant harm for processing
subject's information without consent.

3 "the high threshold of welfare", for clarification, you may substitute
for the word welfare 'child protection' or 'risk of significant harm'.
Child Protection/risk of significant harm provide the threshold for
         data processing without subject's consent in the absence of an
alternative legal basis.

 

Council Response: The organisation is prepared for GDPR in relation to
such processing by compliance with the six data protection principles to
ensure the protection of personal data combined with identification of the
appropriate lawful basis for processing or what exception to prohibition
on special category data processing applies .  Where relevant Privacy
Statements outline the ways in which we process your personal information
as a Council. It also explains what rights individuals have in relation
their personal information and how these rights can be exercised.  

 

Q 2         What legal base you would process subject’s information in
relation to GiRFEC, SHANARRI, wellbeing, (to be clear, not welfare), and
the reason for the legal base you would use, e.g. if the base would be
public interest, please also describe WHY this base would apply?

 

Clarification:

 

1 "Legal base" can be clarified further as lawful ground or legal basis,
and if more than one the plural legal bases.

2 "Subject". The subject is the individual whose information is being/has
been processed. This may be any person including 3rd party subject, i.e.
where information is inserted into the main subject's records pertaining
to a 3rd party.

3 "wellbeing, (to be clear, not welfare)" is to differentiate between the
two. I would refer you to my opening paragraph which clarifies separately
wellbeing and welfare.

To be clear and for the purposes of this request, wellbeing and welfare
are vastly different in law. Welfare is child protection and has a clear,
legal threshold for information sharing without consent; wellbeing is at
best pertaining to the economic wellbeing of the country (Supreme Court,
July 2016) but for the purposes of GiRFEC, wellbeing, as applied via
government SHANARRI indicators, is deemed vague and open to subjective
interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent.

For further clarification on wellbeing I would refer you to your
Briefings, in which 'wellbeing' is stated throughout. For the purpose of
my request, welfare is child protection/risk of significant harm and I
would request that you precisely define 'wellbeing' in all Briefings.

 

Council Response: The lawful bases for such processing or identification
of an exception to the prohibition on special category processing will
depend on the particular facts and circumstances of individual cases and
the nature of the required processing.  Accordingly a generic response
cannot be provided.  Article 9, GDPR sets out exceptions to the
prohibition on processing special category data and Article 6 identifies
lawful bases. 

 

Q 3         How you will notify each data subject, including 3rd party
subject, in advance that you intend to process their GIRFEC, SHANARRI,
wellbeing data, (not welfare) by sharing with another organisation?

 

Clarification:

 

"wellbeing, (not welfare)"  is to differentiate between the two. I would
refer you to my opening paragraph which clarifies separately wellbeing and
welfare.

To be clear and for the purposes of this request, wellbeing and welfare
are vastly different in law. Welfare is child protection and has a clear,
legal threshold for information sharing without consent; wellbeing is at
best pertaining to the economic wellbeing of the country (Supreme Court,
July 2016) but for the purposes of GiRFEC, wellbeing, as applied via
government SHANARRI indicators, is deemed vague and open to  subjective
interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent.

For further clarification on wellbeing I would refer you to your
Briefings, in which 'wellbeing' is stated throughout. For the purpose of
my request, welfare is child protection/risk of significant harm and I
would request that you precisely define 'wellbeing' in all Briefings.

"including 3rd party subject". 3rd party subject is where information
relating to an associated individual is inserted into the main subject's
records.

 

Council Response: When personal data is collected from the individual it
relates to, privacy information will be provided to them at the time their
data is obtained, failing which as soon as practicable thereafter. 
Neither the GDPR nor the Data Protection Act 2018 impose an absolute
requirement to notify data subjects or third parties that personal data is
being processed because statutory exceptions can apply dependent on
particular facts and circumstances pertinent to the processing in
question.  In that regard both the GDPR and 2018 Act are easily accessible
and section 25 of the Freedom of Information (Scotland) Act 2002 exempts
information from disclosure where the requester can reasonably obtain the
information without making a request for it.

 

Q 4         How you intend to offer each data subject, including 3rd party
subject, the right to object to processing their GiRFEC, SHANARRI,
wellbeing data, (not welfare)? 

 

Clarification:

 

To be clear and for the purposes of this request, wellbeing and welfare
are vastly different in law. Welfare is child protection and has a clear,
legal threshold for information sharing without consent; wellbeing is at
best pertaining to the economic wellbeing of the country (Supreme Court,
July 2016) but for the purposes of GiRFEC, wellbeing, as applied via
government SHANARRI indicators, is deemed vague and open to subjective
interpretation (Supreme Court, July 2016) and does not meet the threshold
for information sharing without consent."

For further clarification on wellbeing I would refer you to your
Briefings, in which 'wellbeing' is stated throughout. For the purpose of
my request, welfare is child protection/risk of significant harm and I
would request that you precisely define 'wellbeing' in all Briefings.

 

Council Response: Section 25 of the Freedom of Information (Scotland) Act
2002 exempts information from disclosure where the requester can
reasonably obtain the information without making a request for it and we
would refer you to the GDPR and the Data Protection Act 2018 which provide
a statutory right to object. Any such request will be made to the
Council's data Protection Officer.

 

Q 5 If it be the case that subject’s consent is not required, the reasons
WHY their consent would not be required for processing their GiRFEC,
SHANARRI, wellbeing data, (not welfare)? 

 

Clarification:

 

"wellbeing, (not welfare)"  is to differentiate between the two. I would
refer you to my opening paragraph which clarifies separately wellbeing and
welfare.

"To be clear and for the purposes of this request, wellbeing and welfare
are vastly different in law. Welfare is child protection and has a clear,
legal threshold for information sharing without consent; wellbeing is at
best pertaining to the economic wellbeing of the country (Supreme Court,
July 2016) but for the purposes of GiRFEC, wellbeing, as applied via
government SHANARRI indicators, deemed vague and open to            
subjective interpretation (Supreme Court, July 2016) and does not meet the
threshold for information sharing without consent."

For further clarification on wellbeing I would refer you to your
Briefings, in which 'wellbeing' is stated throughout. For the purpose of
my request, welfare is child protection/risk of significant harm and I
would             request that you precisely define 'wellbeing' in all
Briefings.

 

Council Response: Neither the GDPR nor the Data Protection Act 2018 make
consent a prerequisite to processing of personal data because statutory
exceptions can apply dependent on particular facts and circumstances
pertinent to the processing in question.    Section 25 of the Freedom of
Information (Scotland) Act 2002 exempts information from disclosure where
the requester can reasonably obtain the information without making a
request for it and we would refer you to the GDPR and the Data Protection
Act 2018 which detail the exceptions to consent being required for
processing.

 

Q 6         In the absence of informed consent, or not meeting one of the
aims listed in Article 8, how you will apply the balancing test to comply
with Human Rights Article 8 (2) ECHR to GDPR and DPA in processing GiRFEC,
SHANARRI, wellbeing data, (non-child protection threshold).

Child protection is an exemption, however, wellbeing does not meet the
necessity test, and the promotion of wellbeing is not one of the aims of
Article 8 (2), (Para 89, Supreme Court, 2016). Legitimate interest base,
for example, would need to be balanced with the 3 part test, including
human rights, I request how would you apply this test?  

 

Clarification:

 

Please find from ICO explanation of the balancing test, for clarification.

"What is the balancing test?

Just because you have determined that your processing is necessary for a
legitimate interest does not mean that you are automatically able to rely
on this basis for processing. You must also perform a ‘balancing     
test’ to justify any impact on individuals.

The balancing test is where you take into account “the interests or
fundamental rights and freedoms of the data subject which require the
protection of personal data”, and check they don’t override your
interests. In essence, this is a light-touch risk assessment to check that
any risks to individuals’ interests are proportionate.

If the data belongs to children then you need to be particularly careful
to ensure their interests and rights are protected.

What are the individual’s ‘interests, rights and freedoms’?

The interests, rights and freedoms of individuals in this context is a
broad concept which includes data protection and privacy rights, but also
other fundamental rights as well as more general interests.

It is clear from other related provisions in the GDPR which talk about
risks to the rights and freedoms of individuals that the focus here should
be on any potential impact on individuals. Recital 75 provides some
relevant guidance here. It makes clear that a risk to individuals’ rights
and freedoms is about the potential for any type of impact. This includes
physical, financial or any other impact, such as:

inability to exercise rights (including data protection rights); loss of
control over the use of personal data; or any social or economic
disadvantage.

Further Reading

Relevant provisions in the GDPR – See Article 6(1)(f), and Recitals 47 and
75"

 

The balancing test relates to an individual's freedoms and rights to
comply with Data Protection Laws and Human Rights Laws. Data processing
balancing test considers human rights as set out in ECHR 8 (2) and HRA
1998. Further information for clarification can be found on the ICO
website.

 

"non-child protection threshold"  is the level lower than the lawful
threshold of child protection/risk of significant harm for processing
subject's     information without consent.

 

"legitimate interest base"  "Legitimate interests is one of the six lawful
bases for processing personal data. You must have a lawful basis in order
to process personal data in line with the ‘lawfulness, fairness and      
transparency’ principle." (ICO website, 2018)

 

"3 part test" "Whilst a three-part test is not explicitly set out as such
in the GDPR, the legitimate interests provision does incorporate three key
elements. Article 6(1)(f) breaks down into three parts:

 

“processing is necessary for…

…the purposes of the legitimate interests pursued by the controller or by
a third party, … …except where such interests are overridden by the
interests or fundamental rights and freedoms of the data subject
              which require protection of personal data, in particular
where the data               subject is a child.”

 

It makes most sense to apply this as a test in the following order:

Purpose test – is there a legitimate interest behind the processing?

Necessity test – is the processing necessary for that purpose?

Balancing test – is the legitimate interest overridden by the individual’s
interests, rights or freedoms?

This concept of a three-part test for legitimate interests is not new. In
fact the Court of Justice of the European Union confirmed this approach to
legitimate interests in the Rigas case (C-13/16, 4 May 2017) in the     
context of the Data Protection Directive 95/46/EC, which contained a very
similar provision.

This means it is not sufficient for you to simply decide that it’s in your
legitimate interests and start processing the data. You must be able to
satisfy all three parts of the test prior to commencing your processing.

Further Reading

Relevant provisions in the GDPR – See Article 6(1)(f) (ICO website, 2018)

 

Council Response: Legitimate interests processing does not apply to
processing carried out by public authorities in the performance of their
tasks.

 

Q 7           A copy of your policy/code of practise for data processing. 

 

Clarification:

 

To clarify, my request is for all data processing policies/codes of
practice in relation to GiRFEC and wellbeing only.

 

Council Response: The Council serves notice under S.17 of the FOISA that
this information is not held.

 

Q 8         Already answered, see response 27th June 2018

 

Q 9         Already answered, see response 27th June 2018

 

Q 10       Your legal base for processing GiRFEC, SHANARRI, wellbeing data
(not welfare) in relation to requests to remove a child’s name from
school, that a parent may carry out their legal duty and responsibility to
home educate, and how this relates to GDPR and Human Rights. 

 

Clarification:

 

There are six legal bases, this request is to enquire which basis D&G
Council/Education Board would apply.

"Wellbeing data (not welfare)" To clarify, this request relates to data
which is processed at lower than child protection/risk of significant
harm, referred to in your Briefing No. 59 as wellbeing (SHANARRI   
indicators).

 

Council Response: The lawful base is that processing is necessary in the
exercise of official authority vested in the Council as data controller
i.e. under the Standards in Scotland's Schools etc Act 2000, the Education
(Scotland) Act 1980 and the Education (Additional Support for Learning)
(Scotland) Act 2004.  In respect of the Data Protection Act 2018,
Parliament is to be presumed to have legislated in conformity with the
Convention, not in conflict with it.

 

Q 11       Already answered, see response 27th June 2018

 

Q 12       Already answered, see response 27th June 2018

 

Q 13       Already answered, see response 27th June 2018

Kind regards

Information Management and Complaints Unit

 

 

Any email message sent or received by the Council may require to be
disclosed by the Council under the provisions of the Freedom of
Information (Scotland) Act 2002

 

  SAVE PAPER - Please do not print this e-mail unless absolutely
necessary

 

Any email message sent or received by the Council may require to be
disclosed by the Council under the provisions of the Freedom of
Information (Scotland) Act 2002.

Looking for an EU Authority?

You can request documents directly from EU Institutions at our sister site AskTheEU.org . Find out more .

AskTheEU.org