 Felly, y gallwn yn bwysig iawn yn y 29th mewn gweithdoedd y Credits a Fygin i Gwyl Gwyllgor Cymru yn 2017 ac mae'r hunain iawn yn bwylltpostbwyll yn eu cysylltiad ar fy mwyllgor ond yn cais o'r ffeyddol o'i gafnig i mwyfwyllfa gwaith. Mae'r 1st ddafyn yw'r ddweud o'r ddefnyddion o bwyllddio hynny a chyfyddaeth yng Nghyggor o'r 5th yma yn y dyfyrdd mewn prifwyr. Is everyone content that item 5 of this meeting will be taken in private? Thank you. The second item of business is two panels of evidence on the Children and Young People Information Sharing Scotland Bill. This is the fourth meeting where we will be considering the bill. We have already heard from the Scottish Government's bill team and members of the legal profession, health service professionals and local authority representatives in relation to education and social work. This week we have a focus on schools in the early years in the first panel followed by the information commissioner's office. Before we take evidence, I would like to place on record that, as agreed by the committee, the deputy convener and I met with the cabinet secretary yesterday to discuss the themes of evidence and some of the concerns raised by members during evidence sessions so far in relation to the bill and the code of practice. This was to ensure that the Government is cited in the committee's concerns, such as on the lack of a code of practice to inform scrutiny of the bill and the current status of parliamentary scrutiny for the code under the bill. We hope that this will enable the Government to actively consider the committee's concerns at this relatively early stage in scrutiny. I welcome to the meeting Gillian Ferguson, deputy rector for pastoral care on behalf of the Scottish Council of Independent Schools, Lisa Finnie, president of the Scottish Guidance Association, Maria Pridden, classroom assistant and member of unison, Lorraine McBride, headteacher and member of EIS and Christine Cavana, network chair for Lanarkshire area national day nurseries association. I should say to the panel from the outside that if you would like to respond to a question, please indicate to me and I will call you to speak. Can I remind members that supplementary questions should lead on from the question being pursued? It is not an opportunity for you to ask a second question. I would like to start with Gillian. Thank you, convener, and thank you to everyone for coming along to give us some information today. I would like to ask about your current practice with regard to information sharing about children that fall beneath threshold of child protection, but go into the realms of wellbeing? If you could tell me just how you do that at the moment. I am happy to start. We are in the independent sector committed to the GERFEC approach, and we have entered in guidelines. Much of our colleagues across the sector have a commitment to getting it right, but our current practice would be on a policy-based model and adhering to consent-based principles. There is quite a lot of anxiety around sharing information that does not meet the child protection threshold, so we would seek consent and sharing with that consent. I have spoken to a number of colleagues and the practice is not that we would share information without that consent. I agree with a lot of that, but we would not be sharing information without consent as far as possible. Obviously, when it goes into child protection, it is completely different, but it has been acknowledged before that there is quite a lot of information that goes between people on a daily basis, and there is anxiety around being able to always record when consent has been sought. If there is a difficult circumstance, we are a little bit worried and we would like a little bit more clarification. It is all very well when everyone is singing from the same hym sheet, the parents are looking for support, the pupils are looking for support, it is very clear if you are making a referral and you have got to record a signature, etc. That is all very good, but when it gets into more complex ones where there is a reluctance to involve social work, etc, that is where we are looking for a little bit more help. Does anybody else have any further comments to make on that? I think that I would just totally agree with that. The issue is when parents do not want you to share information about their child with police or social work. They are happy for you to share with health professionals but not with other agencies. I suppose that then child protection procedures would then kick in and overrule that, but I think that we do need a bit more clarity and a bit more guidance around that. In the past there have been examples where we have not been allowed to take things forward because the parents have said no, but there is always something that then changes in the future. Either we find another way around it or things deteriorate and it becomes child protection or the parents get desperate. So maybe a difficulty that arises for one moment does not remain a difficulty. There is a pathway there and that is maybe where we need to work together. There is an inability at an early stage potentially because you cannot get consent, can sometimes escalate into a child protection issue. There can also be the problem as well where if it is an early intervention it might be that we are told that the case does not meet a threshold so we cannot get help anyway, but at least we would have known. In terms of the guidance that you are looking for, there is an opportunity for you to tell us when the code of practice comes out in its final form what you as practitioners would want from it. Obviously, around consent you would be something, but I am happy to hear you tell us. I think that most people that I have spoken to are very much in agreement of what we are looking for. I think that we all understand that there needs to be quite a heavy document to begin with to get everything covered and we are all happy to do that. I think that because so much happens on a daily basis and you have got maybe a frantic meeting, flow diagrams have been mentioned and I think that all my colleagues would like is this, is that, do you, do you, that kind of ready reckoner to be sure that you are on the right lines and also we are looking for a bit more scenario based training and again it is going back to these difficult ones. It is not the ones where there has been an incident this that we have all dealt with every day. It is the more unusual ones, how do you find a way around it and that is what kind of training we are used to anyway. There have been some suggestions with previous panels we have had from other sectors about defensive practice becoming an issue. I am wondering if, with the debate, the uncertainty around this over the last year, has that changed practice already? Are you seeing people do this differently? When the act was passed, we saw an increase in communication because we are unique in the independent sector, we perhaps do not have the same communication that local authority schools do. I had seen an increase in communication in my own practice but also I had heard from colleagues and then with the Supreme Court judgment I would have said that communication has decreased and we were really positive about the better lines of communication that we had with external agencies and service providers, but I would say that that has definitely decreased since the judgment. Can anybody get any other views? I will try not to speak all the time. It is difficult. I would say that it was more of a case of relaxing into being allowed to share information that my colleagues have not reported a change in their behaviour. I think that it is how they feel about it, that is the difference. The only thing that I was reflecting on the other day was that I think that there are more times where people would share hypothetical situations more often. Rather than having the confidence to write, I have definitely done the right thing, this is okay. You might say, if you had a child where this happened, what would you do? Would I go to the right person? You might actually run something by social work that you maybe would not have in the past because you would be confident that you would have the right decision. Maybe we are a little bit more tentative and anxious rather than not sharing at the appropriate times. I think that we did feel that we were sharing what should be shared and not sharing what shouldn't. Does anybody else have any? From where we are at the moment, how much of a change would the duty to consider represent for current practice? From where you are now, what difference would it make? I think that the difference that it makes, I suppose it gives you, if you have a concern, it gives you a backing to work with that concern, even if it does mean that the parents aren't happy with whatever you wish to share. We all should be working together on the Gyrffec agenda. That's the whole point of it, that everybody is doing their best for every single child. When barriers are put in front of you, it's quite difficult to meet the needs of each individual child. If we are then able to say, well, actually, I'm going to share this because I think that's in the best interests of the child, as the named person, as that person who has responsibility to make sure that child is actually okay, and yes, it might be against the parent's wishes, but I have a real concern. To be able to do that, I think might... I would be seeing that from your point of view. That would be a very, very unusual occurrence where parents don't want to work with you for the best interests of their child, but it would give you... I don't want to say a bit of clout, but it would give you the backing to be able to do that in confidence that you're doing the right thing for that child. The duty to consider, I think, a lot of colleagues are already considering what am I doing with this information, so I don't think in that respect it would change what we do. I think that the next question that we ask is, can I share without consent? That's where the problem is, because, as you said, Lorraine, it's about being an unusual case. It would be very unusual cases, I think, where you had a parent or a guardian who was at odds with you working towards the best outcome for their child, but those cases do happen, and I think that's where we would benefit from more guidance in terms of the ability to share without consent for us. Just on that point, can I just ask about the practical level of when you do have to make a decision about whether to share the information? You're seeking guidance about both the law and also the code of practice that you would expect to give you that backup. Just on a practical level, in terms of your daily lives in schools and working with very young people, does that produce a greater burden on you to have to do more paperwork? Would you be able to comment on that? Absolutely. Everything to be honest, everything to do with Giffey causes a burden on the person who's having to do the paperwork. The fact will be named person at the moment. There is a huge burden about the administrative side of that, the confidentiality side of the paperwork. That's increased and increased and increased over the... To the extent of preventing you from dealing with other things, would you be able... Could you give us an example of what? For example, if you are dealing with... See, for example, health visitor phones you and they need something there and then, basically, you have to then go access the information, pull it together, get that into a document. It then has to be sent securely and all the time you're thinking, oh, who's in... I'm supposed to be in that class doing a monitoring visit, I'm supposed to be speaking to that. There's a wee one and I wanted to catch up with him, I wanted to check in. The job for me is headteacher and for our members, as headteacher members and deputy headteacher members, you very quickly, your day can get filled up with that one piece of paperwork that you need to pull together because it is important and it does need to be done. Does it need to be done by the headteacher? I don't know. But then, if you're then given that there's a fine line there because there is the confidentiality thing, you know, to then say to someone in your admin team who's already overworked and underpaid and et cetera, et cetera, et cetera, here's something else and I need you to drop everything else. I know you're doing the absences, I know you're doing this, I know you're trying to phone people and find out where the children are, but I need you to do this because they need it by 12 o'clock. So there is an additional burden on your time and what happens is, I'm sure we're all the same, we extend our day and extend our day and extend our day beyond the contractual hours so that we can get all those other things done in case, you know, because these things happen all the time, you know. It's exactly the same with us. I feel that we do three jobs, that we do the job during the day which is the phone calls, the emails, the teaching, the children appearing at the door, the sudden immediate incident that's blown up after the weekend, et cetera, then at the end of the day the children go away and then we start the next job which is trying to get things put into CMIS as you watch the circle go round and round. Finding the bits of paper, putting things away, all the stuff you have to do when you're at your desk and then you go home and do the third job and that's where you do the things that you can do from home and that's the 3am job and then that's when you get teased for sending emails at silly times but realistically it's three jobs and the only thing I can say as an analogy is like asking the checkout girl to go and fill the shells when she's got a queue and it's impossible to ask people to do it. But you do do it just now. I wouldn't say I was doing everything I meant to do. I find that very, very difficult to come to terms with. Okay, thank you. Claire. Thank you, convener, and thank you, panel, for coming in this morning. I just want to ask a brief follow-up question on not that last question but the one before. So I think we all accept that if there's child protection concerns, then that trumps everything. Essentially, child protection concerns, you raise those regardless of concern. But you were saying it's about issues that are below that threshold and I think we just need to really be very clear about that. It's about issues below child protection thresholds. What do you currently do now when you have those and how frequently do those come up? I'm a classroom assistant and very often we work one-to-one with vulnerable children or children who are class refusers. So we will take them out of the classroom and we will take them out of the classroom and we will spend a lot of time with them. At the moment, the information sharing is purely verbal. There's no diary system, there's no set system, so we do need some guidelines of how we can share the information, what's happened to this child today, how's that going to affect the playtime, the lunchtime, the going home time, any transitions that they might have throughout the day. It's purely verbal at the moment, so we would welcome some kind of guidelines. Is that within your your own education establishment that is purely verbal, because I would imagine that there must be some written records. If the child is coming in the morning and has disclosed that they've had a bad morning, that's relayed verbally. Because as a classroom assistant we do not have pastoral notes and we don't have access to CMIS. So we would tell them that this is what the child has said or we would tell other classroom assistants that this is what's happened to this child today. Sometimes we don't get a chance to say that if there's no time to so we just do our best to try and pass on the information that we can. In the independent nursery sector, our nursery heads are not the names to person, it's the health worker. I'm not necessarily talking about name to person, I'm talking about how you I suppose it's extending a little bit from what Gillian Martin was saying. So what would you do if it wasn't a child protection issue currently? I understand that. I was just going to say that very often the nursery head has to act as a co-ordinator for issues that are not child protection. So they may well be dealing with a number of different professionals who are all very overburdened as well. Again, like has been said before very often dealing with one child or trying to help one child to get the best outcome for that child does overwhelm everything else that the management team should be doing. So it's about trying to keep all the balls in the air trying to keep juggling everything and making sure that you do get the best outcomes for the very vulnerable children can sometimes mean that the children that have less critical issues get missed because there's just not enough time in the day to do everything. I guess that's sorry, convener. We're sitting off though the question that I was asking which is what you do currently? Currently our managers, we do have a record we do keep a chronology in the private sector we do keep chronologies for children of issues that they have and it would be down to the individual nursery manager and the individual children. It's sort of leading on from that round the workforce pressures you're talking about. I just wonder whether in terms of recording decisions that have been made as part of this duty to consider sharing information do you think that that will create more workload and particularly in terms of headteachers if you're doing that for hundreds of different pupils do you think that that will lead to an increase in workload? Can I answer that one? Aha. Absolutely. I think for headteachers but also for in the secondary sector principal teacher pupil support if that's the road that that goes down as well huge issues there probably even more than for the headteacher because they have a teaching commitment as well as everything else we have to be very careful that what we do what we record the paperwork that we are submitting et cetera doesn't overwhelm the issue that we're dealing with I think that that's a big thing and I know that within various authorities across the country things are put in place in different ways and and some authorities have gone gung-ho and put everything in place and there's paperwork galore other authorities have held back waiting on decisions et cetera but I do think we're at a time where especially for headteachers recruitment of headteachers is just dire and people don't want to do the job which is a shame because it's a fabulous job and it's a great place to be for children and young people in that capacity but as the workload increases and increases and increases and this is one small part of that increase in the workload I worry about the next step for the recruitment and retention of headteachers sorry I'll let you go first can I come back in after really what you're saying is that the workload of headteachers is heavy which is a different thing really from what we're discussing here and I accept what we're talking about we'll have some kind of extra addition to that workload but if the guidance is such that it's pretty straightforward about how the reporting mechanism goes on will this not just become part of what you do anyway? It will become part of what we do however the worry is then that the support for it isn't there it's the paperworky bit of it that increases it the talking to children the bringing together of people to have a meeting etc that's the job that's our job just now, that's what we do but that additional recording and minute taking and all of that you need somebody to be able to help you with that in the role that we do as headteachers or deputy heads to talk about resources it's the resourcing of it it's just to clarify the aspect of what we're talking about that part is the part that increases the workload so it's the paperworky bit it's the paperworky bit I was going to say in the event that there were in considerable additional resources do you think you've got enough time to implement this properly? that remains to be seen really I suppose that we would all be trying our best to implement it properly with those additional resources and that's sort of other half to my question do you think that the pressure and burden on your time has the possibility to lead to mistakes however unintended being made in terms of some of these when we're talking about some of the children around the welfare issues that maybe are harder to spot do you think that the pressure to spend with the kids or opens up the possibility of mistakes being made? if it's not well resourced and supported if headteacher aren't supported within that process then things can get missed especially low level the lower level things can get missed which are sometimes the things that are the most important it's not a crisis but it could escalate into a crisis if it's not caught early enough but as I say it's the resourcing of that and the support for the process didn't need to be named person haven't you? the low level stuff that we're trying to stop before it becomes a crisis sorry Joanne the Tavish I suppose I'm interested first of all in which of you are named persons and if you are a named person how many young people are you named person for? I was a named person then I became an establishment contact last year when they decided there wasn't a named person but I am a named person but yes that's the role that guidance teachers are undertaking do you be responsible for? over 200 as a headteacher in a primary school how many? I'm a de facto named person I've got 240 children and so it's not I wonder whether in secondary school the old model of guidance teachers is it any different for added admin is that the difference? it has changed dramatically but it's been mostly additional work as I think you're acknowledging and the traditional guidance role isn't really possible to do as well as we used to and then there's the additional pressure where we're supposed to be looking at revamping PSE which we see is very important as well how do we do everything at once effectively so being a guidance teacher in the old model which I knew the go-to person somebody could talk to somebody could say can you speak to my teacher because they need to understand there's been a problem here that bit of your role is diminishing it's less possible to do it the way I want to do it okay and I suppose the other question would be if there wasn't a formal named person role and you say so you're not going to have the admin but what would we be losing and I get that you might not want to the paperwork that's an extra burden that's getting in the road but if we say there is a named person what are you missing if you've not got named person if that makes sense it's not that your job would be in terms of dealing with children who need that change or are children more at risk if we don't have a named person I'm not sure if I'm answering this correctly but I would probably see that there is a need for the named person in terms of delivering fair and consistent approach I think that was one of the first things I read when the guidance came out was that yes this is what we're doing but it's trying to make sure everybody has access to it and what I'm seeing at the moment is not a consistent approach but if it was done the way we want it to be done that's what we could deliver and that's where there is the risk that there is a child somewhere that because there isn't the process the legislation the procedure there to make sure that it's implemented correctly and that we know how to do it that they are missed and that there is a serious problem The key thing is resources though the key thing would be resources can I ask Maria who you said already that a fundamentally important job which is getting intelligence and understanding what's maybe happening to a child in terms of matching to a system does the fact that there's a named person make any difference to that very important job you've got That would help to support the child definitely, yes If it's something that what you were saying really was taken as mattered somehow and it was put somewhere you were the guarantee of that Yes, yes Christine and then Gillian I just addressed the question about what would the implications be if there was no named person in the early years I would say that it's critical because early years is not statutory education so there's no statutory person that's there for the child so while for us in independent nurseries it's difficult because we might be dealing with maybe 15 or 20 or more health visitors it's still important for the child that there is a consistent contact there that everybody can approach so, yes, I think it's very important that there is a named person Is this the contact that's about the professionals it's not about the child? Yes, okay, but somebody who has that child's best interest at heart and whose purpose is to make sure that the professionals who should be looking after that child are looking after them properly and that are bringing all the strings of the care together I suppose I would say to the guidance teacher it's a prevented up though where there's a consistent, is that right a consistent contact for the professionals but your ability to do that day-to-day contact with individual children is reduced? Yes, that's where you need the resourcing to pass it on appropriately and get the support that's required and again this is going into ideal practice you know, taking things forward that I think how I envisage it is that you notice something's gone wrong with one of your children that's been brought to you by a teacher you've noticed it yourself but you have some where to go with it that you have got CAMHS that you have got social work support you have got third sector Okay, thank you Okay, thank you Tavish I just wanted to test the very fair points you're making about resources and workload against the fact that what we're being asked to do as a Parliament is to look at a change in the law is about creating a duty to consider that some of our earlier evidence and the panels we've had has been about what that will mean in practice so I take all you see on resources and believe me on workload, I have plenty of headteachers at home telling me all about that every single day but do you have concerns about the bit before the resources and the administration which is this new duty if Parliamentary passes this that will be laid upon you and how you make that assessment and whether that adds in principle to your to the decisions that you have to take and the workload that you therefore have long before you get into who does the administration behind it No I think that the worry there is that as individuals duty to share in legality we are then liable in some way the named person service as a whole is the duty on the authority to make sure that that happens but I think that there is a real concern round about headteachers that because it becomes a duty that that legal is round about that there is a real worry there in case we get it wrong and you're then you're thinking what's going to happen what's going to happen to me and before you get to the workload before you get to anything else that worry for all of us who are in the profession we worry about the kids all the time we worry about doing the best for them all the time but when you're then worrying about a legal thing above you as well but I appreciate the named service but I think that needs to be made very very clear and that is for that to be not to be individual headteachers but to be the named person service that has the duty there and they have the responsibility to ensure that headteachers share but I think it's there is a real worry there What an individual pupil didn't have a named person it was a service as a whole that was used in terms of that legal assessment I think basically the named person is part of the named person service and the named person is towards that individual child or responsibilities towards that individual child but I think in the decision taking to be held legally accountable for that there has to be some protection for headteachers That's not currently how it's considered I think we knew as a headteacher ultimately be that person particularly given the governance proposals make you even more responsible for lots of other things Maria Prudin wanted to come in Angeline Ferris You mentioned about the training that's going to happen beforehand and how efficient the training is going to be is it going to be ongoing training is it just going to be the computer program training or is it going to be part counselling showing people how to counsel the children We all have child protection training once a year so at that level but this is slightly different so it's that ongoing training that we need but that's in place and we all know what we're doing Maria Prudin Maria Prudin is talking about anxiety of headteachers and the backing of a local authority We're slightly further down the road that you're proposing that independent schools are autonomous therefore that anxiety is even greater and we might worry about envisaging more legal recourse on a more regular basis for all schools because of that shared liability it's a name person service but I as the person I am the de facto name person I am concerned about my shared liability with that service and eventually at the end of the road the governing body who are really the directing authority and I think it does come back to the code of practice being clear enough language that's not too tending towards the legal that teachers and practitioners can actually understand and that would be the key to the success of it and I do think it has potential to be really powerful for improving outcomes at the primary prevention early intervention stage but we need that to be really secure and accessible It is a draft but it's written by a lawyer and I'm not a lawyer and I can't follow it so how do practitioners follow it so it needs to be written in language that we can all deal with Thank you Just to pick up what you're talking about feeling that you might be personally liable it's the case there's quite a lot of legislation and rules that you have to follow already and should there be an issue where maybe there's a legal recourse from someone who's liable for that at the moment would you it would be the local authority that would be liable so how would that be different in the case of a named person I think it's just there needs to be clear guidance on that but that is the case isn't it that you are not personally going to be standing up in front of a court defending something so there will be no difference when this named person legislation comes in we don't know we don't know if there will be any difference so you need that clarity but that is the case let's not have a round table discussion about this we were told yesterday that individual wouldn't be legally liable but by the Government what we do need and what the Government need to do is they do need to do exactly as you've said perfectly clear to every practitioner that their legal status would not change from where it is just now in terms of doing their job because the last thing in the world we need is people like yourselves who are keen to do this to be worried about doing it because you might be held legally responsible they made it clear to us yesterday that it would be local authority or whoever the body would be all of us want to come in now and disagree with me I wondered if it would lead on from that point whether you've got concerns around a stage down from being legally responsible in terms of professional standards or how you might be concerns that were raised by service users might be dealt with within your own organisation and how much whether that's an additional pressure as well I do think that there is an anxiety with that I don't think that we're all necessarily waiting for a legal writ or something but there is just this you will get the blame as such for something and because it's something new and because it's so high profile if something goes wrong it wouldn't just be that what teacher didn't mark a bit of homework it's going to be something that is so critical and so worrying and people are concerned OK, right I think the Government will get the message that they have to make it very clear OK, thank you very much, Daniel Just before I ask my question the evidence given by both the Law Society and the Faculty of Advocates was that it wasn't clear about the personal liability so I think it's worth putting that on record I just want to re-ask some questions about the clarity about when you'd share I mean there's been a lot of questions or comments rather about the need for clarity and just following on from Tavish Scott what were your reactions when you read the illustrative code of practice do you think it's adequate for what you need OK Can I answer? When I saw the illustrative code of practice to me for my threshold of child protection I could apply it but for the threshold of wellbeing I couldn't see how that would apply in terms of seeking to share information without consent or without seeking consent and I think that's really problematic because apart from very exceptional cases I can't imagine where that illustrative code of practice would sit with that threshold so I suppose really what would help is if we had an idea of what the trigger might be and I know that's a really difficult one to define and I understand that and it comes down to the definition of wellbeing and how we measure that the tools are there and that's helpful but perhaps there's some confusion around wellbeing across the board across practice and that's why we're looking at the illustrative code and thinking I can't imagine where I would share information around included for example without consent that wouldn't be a breach of article 8 or the data protection act the vital interests part of the schedule 3 of the data protection act is quite clear in terms for me and practitioners like me in terms of child protection but not at a lower threshold that's what worries us I think Are there any other sort of comments about that? The scenario indicators are very broad and I think they're very welcome they're useful but the lack definition and often raised aspects which are subjective in a previous evidence session the example of taking a child up Everest an example of good parenting to one parent but something harmful to another can you think of examples where the scenario indicators would provide information or types of information that you would share that currently you couldn't or might be hesitant to so finally the evidence that we had from both the law society and the fact of advocates I think in a number of different ways highlighted the fact that that duty to consider is a very finely balanced one from a legal perspective and one that even as lawyers that they would find difficult what concerns do you have as practitioners about getting that legal judgment right and do you think that you currently kind of are equipped to make that legal judgment? I think we worry ourselves sick every single day about every decision that you take we think we're confident in our abilities to make decisions about children we think we have the knowledge to do that if you know your children well the scenario indicators are a good indication of how children are doing it is subjective but most experienced people who are doing that can work out what children are saying and where it all fits in it's back to the whole legal thing again about being sure of yourself we need to have that clarity round about if we make that decision are we doing the right thing and if there's that duty to consider again I don't know if much training would help us to understand that I think we just it's a difficult situation it's hard enough making decisions about the children without worrying about this duty to consider it is a big thing if there's a duty it just makes everything a bit bigger and you'd second guess yourself more the duty to consider is one element of it but then the evidencing of that duty is quite problematic for me so we have the duty we could consider we have a very very good national practice model the resilience matrix, the wellbeing indicators in my world triangle that works for us across the sector we use those tools but I think the link between that is quite a leap to the evidence of the duty to consider and perhaps more guidance for that would be helpful just so that we have the security of knowing that we're doing it the correct way which is what we all want OK, thank you can I just clarify then what seems to be coming across here is that a lot of the things that you'd be getting asked to do you're already making decisions on wellbeing every day, aren't you so a lot of the things that you've been asked to do and what you're concerned about is protection and we can have a debate about if it is or not but if there's clear notification that you're not going to be held responsible that takes a big burden off your head any other is that we need to go to practice to be written in such a way that you can just, as you say, flowcharts etc and that would help it I accept that it's not quite like that Tavish but that's exactly what they've asked for Colin, you wanted to come in Gillian Ferguson mentioned in relation to wellbeing that there's no common understanding of that term I don't know if the rest of the panel agree on a benefit to hear but does the term wellbeing need statutory definition? Is it possible? I thought I knew what it meant till I heard that people didn't know what it meant and now I think I don't know what it means so up until now I was pretty sure that there was the welfare thing and that was more child protection there was a significant harm kind of element to things and then wellbeing to me was just a scenario when there was something wrong maybe the child wasn't particularly behaving in a safe way or they weren't doing particularly well something was going on I just thought that was wellbeing I thought it was quite straightforward but maybe it's not so I'm worried now that was fine last week Can I add that when I say there's no standard definition or understanding of wellbeing in our practice we're quite secure internally of what that means but I think we come across difficulties in interacting with service providers who perhaps have a different understanding of it so I think although it's very difficult to do it might help if there were to be some kind of broader definition that we could follow and currently we've got assessment tools and we're comfortable with them in schools but what I apply in my school might not be the same as another school another school's practice so we are aiming for parity of practice and I would love that so anything that can help to deliver that would be very welcome we're saying that each group of practitioners has a common definition but that may not be the same as the next group Sorry if I can Can I come in? It's more about a wellbeing threshold so at what point in a child's wellbeing indicators if you're doing an assessment at what point is there a commonality that we would say we need to do we've done all we can internally within the school, we've put in supports etc we now need to involve someone else I think there needs to be a commonality across the country about that and at the moment we would have it in our authority but the neighbouring authority might have a different understanding within because of their training so they all have the same commonality or maybe they don't, maybe from school to school it's a bit different as well from secondary to primary so I think that guidelines on that commonality of threshold would be quite useful just to go back to what Gillian was saying Should it be statutory or in the code of practice? I would just like to just before we move on to that build on the point that Lorraine made that what's very secure in one establishment or even one authority might not apply across the board and when you're working out with our members of our organisation very much working on their own what's secure in one establishment might not transfer across so it would be very helpful to have it defined somewhere whether it's in the code of practice or whether it's independent from that it would be very helpful to have it defined somewhere Is it definable? I think everybody has their own definition of wellbeing don't they and I think it's a consistency of practice is what one of the things we're here to talk about and yes wellbeing is definable but whether everybody would agree to one person's definition would be something else I think a common theme that seems to be coming forward is clarity and consistency does the bill actually achieve that? I realise the code of practice is not out there yet does it? I think that's your answer I think you've answered your own question That's the second point that I'm honest with you Yeah, yeah Okay, thank you. The panel absolutely correct that the Supreme Court ruled that the definition of wellbeing was not other than the Shinari indices it was not seen in law and therefore the panel are quite correct in flagging up the fact that there is no legal definition of it that's the problem Thank you very much for pointing that out Oliver, you wanted to ask It was just to ask when the legislation first came forward and we were talking about a duty to share was that a more comfortable was that a more comfortable process than the duty to consider? Are you more comfortable with the duty to share than the duty to consider? I don't think that it made much difference to me whichever one it is to be clear and have training have worked examples, have scenarios just as long as I know which it is it didn't make a difference to me personally Okay, because you said some of the panel said before they didn't like the idea of having a duty in law in terms of where responsibility lies is there a difference in the type of duty or is it just the duty full stop? It's still the duty part of it really, regardless Okay, that's helpful Thank you Great, thank you very much Oliver Daniel, if you wanted to come back in Briefly The name person is in place, that's not what we're talking about you can share information when it's a question of child protection it's about information sharing around wellbeing Can I just ask it's what we're discussing today actually something that people on the panel actually want do you think it's useful just briefly Do we think it's useful to share information Specifically on wellbeing Yes It's a requirement if we need to access service providers in terms of support for a young person and we have consent to share that information then absolutely we'd want that provision for the young person to get the best outcome but do you mean sharing without consent? That's part of the issue we've got that if I'm looking at a particular case where I think it would be helpful to share the information because we might access this then it gets back to the compulsion on the part of the parent to engage with the name person service which isn't there and was never intended to be there so we're left in a position where we have to say we think it would be best and we've all occasions where we've requested perhaps to be able to share information and we've maybe had you can share that piece of information but you can't share that so we can get partial consent but in the event of a parent saying to us well no I don't want that information shared or the child saying no I don't want that information shared if they have capacity then we would be doing two things monitoring very closely and looking to see if we had a better other solution that was more creative and we could achieve the same outcome but it does get back to the name person service and the fact that parents are not compelled and I think there's a lot of confusion around that which is a slightly different issue around whether they can opt out of the name person service it's there should they wish to access it and we would want to share information to help the young person but if we can't then that's a legal issue so the data protection act and what we're why we would be sharing the information and how we would define vital interests and we're comfortable with that at a child protection level but not perhaps below that yeah that's helpful okay right thank you very much in that case can I thank you very much for your evidence and for your time this morning that was very useful and we'll close the suspended session for a moment or two allow witnesses to leave and we'll bring on to the second panel thank you very much okay can I now welcome to the meeting Dr Ken MacDonald head of ICO regions information commissioners officer and Maureen Faulkner regional manager in Scotland information commissioners officer and I'll go straight to questions and my question is we understand that under the new data protection bill your office will have a role in preparing a data sharing code of practice developed for the 1998 act and what approach you plan to take for the development of the new code including the likely audience use of plain language practical examples etc yes you're right we have a statutory duty to produce codes of practice under the existing act and we have had one code of practice which was a statutory obligation to prepare itself and that was the one on information sharing that was published in 2011 and we have a standard approach when we're developing them we draft it internally we seek views from stakeholders we review it we amend as appropriate and we make sure that it's in plain English I think anyone that's been working in data protection since the 98 act came in will have seen a sea change in the way in which our guidance is published the very first was very legalistic in fact it wasn't really much different from the act itself but over the years we've moved to a much more practitioner and citizen friendly style of guidance it's in plain English they give examples and we listen to our practitioners and we try and make these examples relevant to them but there is input from it and in what way would you consult in this case for example who would it be that you've been consulting with it's indifferent according to the guidance we're preparing it's in slightly different ways but we would consult with interest groups we do produce our guide our consultative document we make it available for a number of weeks six or eight weeks and we amend as appropriate I think one of the good things that we do is to set up a band if you like of critical friends so we welcome constructive criticism so we would bring on board people that we know would perhaps have an issue with whatever guidance or documentation that we're trying to put together and we basically let them loose on it and say please come back and make criticisms that you have and then we take them on board so I think having critical friends is really really valuable when you're trying to put guidance together to make sure that it's addressing the salient issues and that as Ken says it's in plain English it's there for practitioners and the public to understand Okay thank you Elizabeth would you like to come on? Thank you convener 2013 under the legislative competency but you acknowledged that a number of witnesses had made the point about questioning whether the competency of the information sharing aspect of the bill was actually in line with article 8 and you also acknowledged in that meeting that you would go back and consider Professor Norrie's comments because you had some concerns about that could I just ask you after that reconsideration what advice did you give to the Scottish Government? I can't recall and that's now four years ago I know that I wrote to the committee at the time that the bill was going through I did write to the clerk at one point saying that there had been one of the amendments our big concern at that time was the relevancy of the information that was going to be shared and of course the legislative data protection principles is about relevancy and you can only share information which is relevant and that's not excessive and the way that the bill was originally framed we didn't feel met that criteria for the data protection act there was an adjustment made and we wrote to the committee in December of 2013 and what we said was that while the change might be relevant to likely to be relevant addressed our concerns it was only to a large part we weren't satisfied and we were never totally satisfied that the bill as written was going to be had specified the level of data sharing that could go on satisfactorily enough to be clear did you put that point to the Scottish Government that you were not satisfied that it was fact they saw that email as well they were copied into that email sorry you advised them that there was a legislative incompetence I sent the email to the bill and as it was addressing an amendment that had been put forward I also sent it on to one of the Scottish Government officials obviously when the Supreme Court judgment was made the people who had been witnesses at the time were proved correct that the data sharing aspect was ruled to be unlawful you expressed your disappointment with that judgment could I ask you why you were disappointed there seems to have been a perception made that we were disappointed because of a view that we had on the Scottish Government policy that was correct we were disappointed because obviously the Supreme Court had made a judgment on data protection which we clearly hadn't advised either in total or otherwise as we perhaps should have I would say of course that it's been recognised that the bill and act was approved by the certified in this Parliament as being human rights compliant and the inner and outer houses of the Court of Session were satisfied that it was human rights compliant and yes, as I say it's a reputational damage that we had it wasn't anything to do with the policy as the movie has been suggested by other people thank you for clarifying that the disappointment therefore was that there had been a misunderstanding about the advice that you had given to the Scottish Government that they didn't accept the advice that you'd given, is that correct? The disappointment was that we hadn't fully appreciated the points that the Supreme Court were raising Could I ask this time to what lengths have you gone to ensure that the advice that you've given to the Scottish Government for the new bill is both accurate and legislatively competent? We've worked with the Scottish Government Maureen herself has been involved quite closely we've used our legal colleagues in Wilmslow and as you've seen in the evidence here we think that the bill as put forward is compliant with the data protection side but we do have, as every other witness seems to have, reservations about the code of practice Have you given any advice on that code of practice to the Scottish Government? Yes Could I ask what that was? The advice has been that as it stands given the timeframe given the commencement of the general data protection regulation in 2018 that the illustrative draft code of practice is not fit for purpose essentially that it has to take cognisance of the GDPR particularly has to look at the fact that it's public authorities that are doing this and that GDPR does have certain restrictions for public authorities. Thank you Just a final question Obviously there was some confusion about the letter of advice that it was on various local government websites et cetera that, as I understand it was written in 2013 and you quite rightly amended that advice in light of the Supreme Court judgment and that was 2016 Were you surprised that there was still the old letter of advice that was being used for the implementation of this policy? We've put the letter out we put a clarifying letter out after the judgment was issued it's for the local authorities themselves to train their practitioners on how the data protection act applies to the work that we're doing and some have chosen to retain that because there are parts of that advice that are still valid That's part of the confusion I don't know that it is part of the confusion to be honest we added to that advice with the Supreme Court's decision I think the confusion is going to be in the court of practice that is before you now Can I clarify just on the issue of disappointment part of our disappointment was the fact that and not for the first time and it won't be for the last time the courts disagreed with the ICO as the regulator so the court is the final arbiter and we can have a view as the regulator in interpreting the data protection act disagreed with that view and that was our main disappointment it happened over the issue of the definition of what was personal data which is pretty fundamental and we then had to go back to the drawing board over that so in terms of expressing our disappointment it's just the fact as I say that the court is the final arbiter disagreed with our particular view where we were at I was just trying to get at the fact that whether it was a political disappointment or whether it was to do with the process Thank you very much Tavish I was so tempted to say something about courts but I won't I wanted to follow on from the Smith's line of questioning the UK data protection bill was introduced in September will that change the landscape? In some ways it's a fairly comprehensive bill it's 200 pages long and its purpose is to bring the GDPR the general data protection regulation which is a piece of EU legislation into British law where there's been a delegation made to member states because a regulation applies throughout what the GDPR and the act do is bring the existing regime up into the 21st century in 1998 it's passed and there's been a huge technological change and we talk about it being an evolution rather than a revolution and it recognises if you just think about how your technology has changed in 1998 probably very few if you had internet at home and now we've all got it in our pockets we carry around with us information that would have taken a room in days gone by so it's reflecting that and other changes in technology it's also that it's enhancing people's rights as well and I think this is important because the rights of the individual in terms of the processing of individual whilst they exist to a degree in the existing act they're enhanced but there are some fundamental changes one is that there is a much much greater emphasis on the level of information and awareness raising of what's going to happen to an individual's information between the person who's collecting it and the individual themselves now I should say that many of the things that are in the the GDPR I think we've been promoting for several years and one of these key things has been when we've been talking to practitioners about whether it's child welfare wellbeing and child protection issues it's always been saying you must engage with the child you must tell them what's happening to their information and even if you know you're going to be passing that information on that you do not require consent for that you still should advise them because that is crucial to maintaining the client professional relationship and keeping the trust of the child with the adult you're describing procedures there and guidance but I'm absolutely focused here on will this act potentially change what this Parliament's being asked to consider I'm sorry for just the direct question no but the things are linked because previously they didn't have to under the act give quite so much information as they will have to do in the future and I was probably just highlighting that we've been pushing that for some time the other big thing is consent and again we've said very clearly before that if you're going to be passing on information if you're sharing information on grounds other than consent then do not suggest to the individual that they can give their consent because that confuses them and again because you're going to go on and do that it may well break down the relationship the GDPR talks much more about the balance of power that relates that exists between the individual and the public authority and clearly when you're talking about young persons or vulnerable vulnerable children then that balance of power lies very very strongly in favour of the public authority and the very fact that you could be asking a child do you mind if we share this the fact that it's the teacher that's doing it or the doctor that's asking you is enough to say yes but it's not real consent because it's the power the dominance of that relationship that's led them to say yes rather than the process so under a GDPR the public authorities are limited in when they can ask for consent and of course that comes down to a lot of the balance here but this is a bill going through the House of Commons and then through the House of Lords it could be amended and changed at any stage that condition of processing is with the GDPR so it's there, it's an EU law you've lost me I thought this was a bill going to the House of Commons and the House of Lords which therefore is subject to primary legislation it can be changed by amendment and all I'm asking is does that have implications for us given work considering primary legislation in this Parliament yes or no well it isn't just a yes either is or isn't I'll have to explain the relationship between the three pieces of legislation at the top there's the GDPR the GDPR is a European piece of legislation it's a European piece of legislation which has taken effect because it's been gone through that process but the implementation of it takes effect next year we will still be in Europe and the government anyway said we will be following GDPR because it is a regulation it is automatically part of UK law and the repeal bill that's going through will deal with the post Brexit side however unusually for a regulation there are a number of things which are dedicated to the member state the new bill that was introduced on I think the 14th of September is dealing with aspects which were dedicated to the member state these relate to certain exemptions they relate to issues around children in terms of information society that relates to matters of law enforcement that relates to matters of national security so the two things go together but what's not been derogated within the GDPR is going to be has to remain the same and the matter of consent and the balance between the public authority and the individual is a GDPR level requirement and so cannot at this stage be amended by no difference therefore to the thing that we're considering here this morning on the element of the conditions of processing it has it includes derogations and exemptions but as it currently stands we would say that it wouldn't because they're pretty much the same as in the existing act so you accept my premise that it's a bill and it could therefore be amended and therefore could have an impact it could have but not on these top conditions of processing such as consent and this is if I may say just another issue that comes into the whole thing about the code of practice and reflects things that the Supreme Court have said about the number of pieces of legislation that the practitioner has to deal with and if you look at the 200 page data protection bill you'll see it's constantly referring back to the GDPR articles and recitals it's not an easy bit to read if you think the 98 act is bad this one is worse and it just makes it even more complicated for the practitioner without a nice clear code of practice OK, thank you may well be at that be handy for you to send to us some of that information that you've just passed on at Tavish it might be helpful if you'd write that to the committee can I ask Ruth to come in and enjoy Good morning panel when taking evidence about current information sharing that's in in place at the moment can you give us some clarity around the current legal requirements that enable sharing of information about a child or a young person but specifically about their wellbeing so not the child protection stuff but when we're specifically talking about wellbeing that therein lies the conundrum I was interested in the previous panel when you were talking about child protection and no one has got an issue with that everyone is very familiar that that's a significant harm or from data protection speak it's vital interests so you have to rely on a specific condition for processing to be able to process information and that's anything you can do with a bit of information from obtaining it right on through to destruction and everything in between data protection act sets up if you like a framework I think people forget that the preamble to the current data protection act and it continues into GDPR is not just about the protection of information it's also about the free movement of information and what the data protection act sets up is this framework to allow for the safe and secure movement if you like of personal information so it's not about ticking one box you have to get all your ducks in a row so you look to the eight data protection principles and you have to abide by those and the first of those is fair and lawful processing so personal information must be processed fairly and lawfully and when it comes to lawful processing you have to be able to meet at least one of the conditions for processing under schedules 2 and 3 of the data protection act depending whether it's personal or sensitive personal data so currently in order to be able to share information below the vital interests level you would still have to rely on one of the other conditions for processing you either allow consent which is the first condition in both schedules 2 and 3 if you're not going to allow consent then the first of all the processing has to be necessary as the Supreme Court highlighted for specific purposes the very important point about information sharing is about purpose and everything to do with data protection is in the context of purpose that purpose will make it compliant or non-compliant so if the purpose is that you have a wellbeing concern then I think what we have to think about then are three levels what you have is the significant harm and everyone as we said is familiar with that then you've got a wellbeing concern that sits very very low level and that's what we might term that you don't like it it's maybe not in the best interest of the child but it's not going to harm the child or anyone else if they carry on doing what they're doing but there's that little grey area that sits just above that and just below significant harm where a practitioner using all of their experience and professional judgment knows that that child's on a pathway to harm and that's been that little bit there and it's just a little bit that makes it difficult for everybody to understand how can you share that under data protection so it's really about whether you're looking at a public function in the public interest if it's not health related data or if it's health related data then the necessity is lightly to come up to either a public function under enactment or perhaps one of the other substantial public interest conditions that are set out in statutory instrument 2004-17. Thank you, the very start of answer. I suppose that you kind of answered this and we've heard some about it this morning but what degree do you think that that is understood amongst practitioners at the moment? To be honest I think it's understood almost implicitly for a practitioner I think we heard from the practitioners that that kind of decision making happens on a daily basis so what in the nearly four years now of speaking about this it's been my understanding from practitioners that this is something that they do it's a decision that they face almost daily where they have to make that decision on this very small area and they don't need to know the other things that we've tried to say is it's not for the practitioner to have to do what I've just told you I'm the data protection geek in the room therefore I can tell you what the conditions for processing are and I can understand them but that's not the job of the practitioner that's the job of the data controller because the liability rests from data protection terms with the data controller that is the local authority or the private sector school for them to have to sit and work this out that's for the controller to do but it's the controller's duty of care to ensure that the practitioner has the confidence and the support in place so that they can make those kinds of decisions and I couldn't agree more with the idea of a flowchart again that's something that we've been saying practitioners need that they need to be able to work through a process and that's the important thing that if you've got a standard process that you've dealt with fairly for every single decision it's going to be subjective by its very nature it has to be but so long as a practitioner has got a process that they work through then you know that that decision has been made fairly and appropriately it's really helpful OK thank you very much Gillianne? I want to come back to have a Scots line of questioning just to clarify some things Dr McDonnell so as I understand a GDPR comes from Europe and the aspects that will affect the legislation that we're looking at right now are in GDPR and won't be affected by anything that happens in the UK Government that any decisions and amendments won't change that is that what you're saying? We can't guarantee what changes will come in relation to the various derogations that have been left to the UK Government but as it stands at present we are satisfied that the changes through the data protection bill wouldn't affect this bill one of the things that we were told by the an opinion was given by the law society is that we should suspend our legislation till we find out what's happening at the UK level but from what you've told us today that there's no point in us hanging off on this at all because GDPR is the top line on this and everything that we're doing here is compliant with that Not quite because GDPR is there there is the bill that has a number of exemptions that which will or may impact on data sharing we do not think that we should impact on data sharing we do not know how that bill will change in the interim and so in respect of what the law society is saying there is an argument that maybe you should wait until there's an absolute certainty but we do have degrees of absolute certainty if you can't have degrees of absolute certainty we know that the GDPR where the GDPR applies and certainly the code of practice could have been drafted in a much more GDPR compliant way than it is at present and I think that that would have been helpful In terms of the bill itself it's really talking about the code of practices where the flexibility can come to take into account anything that happens at the UK level As far as the bill is concerned we're satisfied that it's not going to be affected by the Westminster legislation but the code of practice which is integral to the implementation of the bill may well The bill itself is what I'm concerned about thank you very much for clarifying that Thank you Daniel I'd just like to come back to Maureen Falkner's comments about the grey area Do you think that Shinari provided adequate criteria by which to assess that grey area or should have done more to really establish those wellbeing criteria to make that assessment clearer for practitioners? I'm not deliberately opting out or copying out of this but I don't think that's an area that I can comment on to be honest Fair enough I've got some questions following on from GDPR specifically around consent so I accept that GDPR is compliant in your eyes GDPR will have an impact on how practitioners will use it specifically around consent Is that a fair assessment and what additional requirements around consent especially considering imbalance that GDPR might impose on practitioners and carrying out those duties to consider? The big issue on consent under GDPR is pretty much inability for public authorities to be using it where there is this imbalance of power and of course in the sort of certainly in the higher level wellbeing type issues where the child is moving towards the vulnerable stage then it becomes less and less likely that consent could be used as the condition on which to process there can be the other conditions such as Maureen mentioned such as the being illegal duty or being in the public task and we might have to look more at that in the code of practice One of the things again reflecting perhaps GDPR and its emphasis on informing the individual perhaps more needs to be said up front in the code of practice about that the message is crossed to them first the individuals what's happening to their information and then move into the issues around how you're going to pass that on if consent is deemed to be the appropriate vehicle One comment that came from the fact of advocates that the bill should have included a requirement to consider whether to seek consent in the bill itself and agree with I'm not really sure how that would work because the data protection framework overrides everything in terms of information sharing and ultimately the data controller should be aware of which condition for processing they're using implicitly they have to be considering whether consent is the appropriate basis or not so it's probably duplicating something that you should be already doing and I'm not sure how you would evidence it anyway Thank you Oliver Thank you, convener I've been listening carefully to what you've been saying around the GDPR both in relation to Daniel and also Tavish before The committee wrote to the cabinet secretary asking whether he'd be able to produce a updated version of the illustrative code and in his response on the 26th of September he came back and said The committee I'm sure will understand that all of these recent developments make it difficult for the Scottish Government to produce a further illustrative code of practice at this stage that would be reflective of a legislative framework in the UK that is not yet clear given that the aspects of the GDPR in relation to this bill are pretty much fixed that we could see an updated illustrative code that would be more reflective of the likely legal parameters that we're working within The GDPR was passed in 2016 it was finalised in 2016 so certainly that framework could easily have been brought into the code at this stage Do you think it's possible to update the code to reflect some of those concerns at this point and that would possibly help scrutiny of the bill? I would have thought that there's sufficient information for in terms of the legislative framework that it could be done Thank you My second question was you said before that you weren't totally satisfied last time are you totally satisfied with the bill this time? We're satisfied that the bill as it stands meets the requirements of the data protection regime we think it fits Just sort of the next stage from that are you satisfied that it's compliant with the Supreme Court judgment? We don't rule on human rights the issue of compliance I do think will come down very much to the supporting code of practice and the issues were about the relevance of the information and the excessive nature of the information where it becomes excessive moves into your human rights aspects of intrusion and privacy really the code of practice is what has to be addressed Would you say it's impossible to scrutinise that interaction without knowing what's in the final code of practice as the bill is currently drafted? I think it would be difficult for you to be absolutely definitive in your conclusions until you see the final code of practice Thank you very much Okay Thank you, Joanne Sorry, I do feel this conversations a million miles away from a teacher or a support worker sitting with a child in the classroom and I think that's part of the issue of even understanding of the responsibility so you say that the data controller would sit in the local authority The individual professional has to have a duty to consider whether to provide or share information Would there be a test that the data controller would create to ensure that they were compliant? What's the relationship between the data controller and the person who's got a duty to consider and what would you consider reasonable evidence that they had to consider? I think that if you look at the difference between the two data protection regimes that the current one imports coming down the line in May next year the fundamental difference is accountability and governance whereas currently data controllers are required to comply with that. Come May they will be required to evidence that compliance so from our perspective if there was an information sharing complaint that found its way to us and we were looking at it as a regulator we would be looking for that evidence so for us it would be what shows your workings what was the decision making process that led you to decide to share that information and we would then look at it on a case-by-case basis which that whole duty to consider is on a case-by-case basis anyway. To the duty to consider would require evidence the data controller would have to see that there was evidence for an individual decision and that evidence presumably would have to be written? It would be for the local authority if we just take the local authority as opposed to the health board or the other name person service providers but it's for that local authority or that data controller to put in place the appropriate processes whereby front-line practitioners can work their way through this legislation. The expectation would be that you would expect if there was good accountability in governance that a local authority would have to put in place a regime for every individual person within a local authority who may have a duty to consider to share information there would need to be evidence that there was a process and that they complied with that process not just that there was one but that they understood it and that they complied with it in every single instance where they are making a decision to share information? I don't think we'd be expecting them to comply in absolutely every single instance but we would expect them to have the process they would have a recording mechanism one of the crucial things that goes back to your very introductory remark is that they need to train their staff as well and that's one of the big issues that we have when we're taking forward enforcement action is that probably in 90 odd percent of cases the organisation has failed to train or you give a very basic cursory training in data protection and induction and then it's forgotten and crucial to this is keeping the staff aware of their rights and their duties how to go about it and again this comes back to the code of practice being a document that they can refer to processes that allow the staff to be confident in what they're doing again what we've said before is if you're in doubt speak to someone about it speak to your line manager speak to somebody else and in doing so you don't actually need to mention that it's little jimmy you put forward as one of the other speakers said you put forward a scenario this is what I'm facing what's your view talk to your fellow professionals and then as you make that decision you'll say I've spoken to my colleagues and our general view was that this should have been shared for the following reasons I would all have to be written up in every instance where there was a decision where it's a duty to consider whether to share there has to be written up why you decided and why you didn't decide and who you spoke to can I just clarify on that that from our perspective as the regulator of the data protection regime then we would not necessarily be coming in to look at or question or investigate whether someone had carried out that duty to share I don't see that as being our responsibility our responsibility would be on what basis did you share the information whose responsibility is it then to ensure in legislation somebody has a duty to consider and to show evidence that they consider whose responsibility is to ensure I think that would probably go depending on whether the subsequent legislation for the complaints process is then re-enacted or taken through Parliament as it was previously because it had been revoked but I would imagine that whatever the complaints process and I think it was if you're not satisfied with the legal entity you would then go through the Scottish Public Services Ombudsman so I think it's probably the SPSO to consider I don't see us as regulator of the data protection act looking at that duty to consider The individual making a decision not only needs to ensure that they comply with the data controller in order of accountability and governance we need to also be answerable to the SPSO or be expected to expect that I'm talking about the original complaints process that had been put through was that the SPSO was going to be handling it would be the final arbiter if you like of complaints for this whether the Scottish Government intend to do that again with the new bill I don't know you would have to ask them but from our perspective as a regulator it's about what condition for processing what was your legal basis for actually sharing the information so the duty is now no longer to share because under the old act under what we consider to be a legal obligation that's no longer there so there has to be some other condition for processing that's going to allow that sharing to consider that we need to be evidence yes but that's not something that we need to look at for us it's the legal what legal basis did you have for sharing the information we wouldn't be regulating as to whether someone actually carried out their duty to consider yes but it would be the legal basis for the actual sharing that we would be looking at I'd like to just come on the back of something that came up when Daniel Johnson was asking questions reading the submission from information commissioner as a layman I would say it's quite difficult to understand when for example local authority could rely on consent and how that would work and again I think Maureen Faulton actually said something to the effect that as a child was going down the road to becoming more vulnerable it becomes even more difficult for the local authority to take action to obtain consent and yet you would think that there's going to come a critical point in that path where they would have to take action and it doesn't seem to hang together What GDPR is attempting to do is to force public authorities as creatures of statute to rely on what their statutory responsibilities are and you'll find in GDPR that it talks a lot about public authorities and their public task and that's where there is a job of work for public authorities to work out of public task because there has in the past that there has been a lack of understanding in relation to the conditions for processing that allow people to use personal information so very often the default position has always been consent but very often that it's been meaningless because individuals have not had real choice over consent it's been we're going to ask for your consent no I don't want you to do that oh well I'm sorry we're going to do it anyway What the public authorities have to look to is their statutory functions their statutory tasks their public tasks and then if it's for a public task they need to question whether consent is the appropriate condition to be relying on or whether it should be public function in the public interest Is there not a possibility that vulnerable children and so on will be put at risk because local authorities will be averse to taking those decisions in the future I don't think they should be absolutely not I do think that the Supreme Court decision has possibly encouraged a belief that consent is the only way to share information and it is not and when you're moving into child protection issues there's other legislation and other duties that professionals working with children and young people have that will enable that sharing to take place without consent and the crucial thing that we were saying before is that do not ask for it in these situations where you know you have to share it because you have moved on to that threshold into more serious issues in child protection because you're going to share it anyway and you'll break the trust between the client and the child and that will do a good service to them at all The Supreme Court judgment said that information can also be disclosed if its disclosure is necessary for the exercise of a statutory function What does that mean? The public authority whether it be local authority or health board, police have got the duty to do a particular task and that information is necessary for them to undertake that task and then it can be shared In other words, you don't need the consent That would cover vulnerable children and adults and so on if they were caught up in that particular statutory exercise Sorry I was going to say that I think this is where you cannot take the burden off of the shoulders of the front-line practitioner because at the end of the day it's always going to be a decision that the front-line practitioner has to make and that's why it's incumbent upon the organisation to make sure that the policies the procedures, processes, protocols are all in place to give the front-line practitioner the confidence and the support that what they're about to do they're doing in their professional judgment and it's about getting that bit right I don't see why the data controller cannot have for the practitioner as I've said already that the process flows that in the event that you're faced with this situation, here are the questions you need to ask if the answers to those are yes, you go here if they're no, you go there and walking the practitioner through that decision making process to decide whether at the end of the day this is information that I need to share that the front-line practitioner is going to feel as a professional person Does consent always have to be in writing? Would you expect a child to be competent to sign? It doesn't, again, GDPR is quite explicit and says verbal consent is perfectly acceptable How is that evidenced? Well, it has to be done through process so you have to have a process by which that consent is recorded whether the practitioner is going back and writing up notes and taking you through a process Again, it's for the organisation to say in the event that you are going down a consensual route that this is the process that you follow in order to obtain consent Your evidence, you talk about having the ability to withdraw that consent at any time Again, how would that be evidenced? Would it be just a verbal It could be verbal It could be in writing and we would certainly encourage it to be in writing but situations are particularly with vulnerable children and young people that writing wouldn't be possible but we also have to put our trust in professionals we all trust professionals on our day-to-day interactions and this is just another example that they should be doing it so the local authority as employer will have trained them in it's their expectations if they don't follow through these processes then it's not so much data protection but it's more employment duties and disciplinary grievance type issues If you're dealing with vulnerable people If you're dealing with vulnerable people isn't the risk if you're using a verbal system that you could get into disputes whether someone had in fact withdrawn that consent It's just one way What GDPR is trying to say here is that you don't lock people into a specific way in which you can only withdraw your consent if you go down this specific process GDPR is attempting to give clearer, more emphasised rights to individuals to control over their personal information so if you're going to rely on a consensual model that's absolutely fine and it's right and it's proper but you have to understand that if you're going to do that the individual has the right to withhold consent or indeed to withdraw that consent at some way down the line so again it's for the organisation to have processes in place but if they're relying on a consensual model and then that individual withdraws their consent there has to be a suitable process for that to be gone through and part of that might be if it's done verbally this is how you would then record it if you like within the system All of us, finish me all of us Very very brief supplementary I just wanted to clarify something Maureen Falkner had said that in terms of creating an individual duty you've sort of effectively seen that it's not possible to detach that duty from some level of individual responsibility or accountability within an organisation when it comes to data practices is that right? No, no, was it saying that? Okay, so you're saying an individual can have a duty so if an individual's got a duty to record or manage their own data practices it can be someone else's responsibility if that goes wrong is that how it works? I'm sort of thinking whereby an individual named person in the event that this all goes ahead is recording when taking those sort of evidence decisions if they're not compliant with the sort of processes within an organisation that an organisation's put in place to sort of safeguard their checks with that person in terms of data regulation would that individual be responsible for not following data practices is that how it's seen? Necessarily liability and responsibility under data protection always rests with the data controller unless an individual does something knowingly, recklessly and willfully against the normal process doing things that they know they shouldn't be doing that's what we call currently a section 55 offence but if I do something wrong cos I haven't followed the process I've made a mistake in some way then still the liability of data protection rests with the organisation the data controller that doesn't mean to say that the data controller won't then discipline the individual that happens and if you look at the action that we've taken on our website you'll see that although the data controller might bear the wrath if you like of the ICO it might not be something that the data controller has done itself it's one individual that's perhaps done something wrong but it might be because there's a lack of training it might be not good technical patches in place or good processes in place but ultimately it's the data controller that has the liability that's really helpful and I'm sorry I didn't do a very good job for explaining what I was looking for but thank you it will be brief so just for clarity essentially what this means is that if for instance I breached confidentiality as a nurse but I did that deliberately I would be liable not the data controller because I have willfully done something so employment law still still applies employees can still be disciplined for doing wrong within ok thank you very much in that case that brings us to the end of this evidence session can I thank you very much for your attendance today that was very helpful thank you this takes us on to agenda item 3 oh sorry I thought you were ok agenda item 3 with two pieces of subordinate legislation which are listed on the agenda both of these are subject to the negative procedure and I'll take each in turn do members have comments on the instrument regarding the teacher superannuation and pension scheme? declare an interest as somebody who is in receipt of a pension just before we how many votes to my register of interest that I was a teacher and if a superannuated pension is somebody I received that's noted any other comments I should note that I'm in a scheme as well oh it's all coming out now not telling you whether I've reached each of getting anything back yet ok any other comments outside of somebody who's making money out of this ok right in that case we'll move on to the next one do members have comments on the instrument and individual learning accounts MD and receipt of one of them ok right in that case in that case thank you very much that's the end of the public session and we'll move on to private session