Whether you regard the digitalisation of society as a welcome revolution or a bewildering disruption, the argument that new rules are needed to protect citizens’ data is largely undisputed.
Nevertheless, preparing for the General Data Protection Regulation (GDPR) – a new EU directive due to come into force in May – poses significant challenges for public sector organisations.
For those working in and with services for children, the GDPR introduces an unprecedented layer of complexity, from differing ages of consent across the EU, to competing and repetitive requirements for data from different agencies and providing simple, child-friendly explanations that also inform consent for data sharing. All these issues could cause significant headaches.
But a little extra effort and focus now could help avoid challenges in the future; organisations could be ordered to pay huge fines – £18m or 4% of turnover, whichever is higher – if they do not at least show how they plan to comply.
Children’s social care services hold a significant amount of personal data about the families and children they are involved with. This ranges from basic demographics to in-depth qualitative data, and sometimes stretches over decades.
Currently, local authorities have to share data with colleagues working in other public services, such as health and the police, if it is needed for child protection purposes. How that is done and what needs to happen before it takes place is likely to change under the GDPR.
Ahead of the new regulation coming into force, child-focused app developer Mind of My Own, digital development company Neontribe and public sector digital design experts FutureGov came together to discuss these issues with those on the frontline of children’s services and discover how to prepare. Here, we share the key pointers for children’s services, partners and suppliers.
It’s about consent
For under-16s, parental consent is required to approve a child’s permission to use their personal data. This can be complicated for children in contact with social care services because of concerns about their welfare, and whose best interests may not always be served by the parent with consent rights.
Fortunately, the hierarchy of laws whereby child protection trumps privacy rights is likely to hold, but workers will have to show how they decided additional consent could be waived. Where practitioners work face-to-face with young people, this could be done easily through training and raising awareness. It becomes more complicated when obtaining informed consent from young people to use digital services that may use their data in multiple ways. In their direct work with young people, practitioners will be well-placed to help them understand what is involved in agreeing to privacy statements and terms and conditions.
Sharing information
Children’s services are routinely asked to share personal data with other local public bodies as part of a multi-agency approach. Children’s services teams need to be ready to explain to children and those with parental responsibility about who may access their data and why. Under the GDPR, the organisation collecting the data is responsible for explaining this clearly and in detail. Gaining informed consent early on will save time and effort.
Best practice has always been for workers who collect and may share personal information about children and young people to explain clearly to them and their parents or carers how that data is likely to be used. A good rule of thumb is to remember that the Data Protection Act 1998 and the GDPR are about protecting the privacy of individuals rather than organisations.
Know why
Under the GDPR, all personal data held or processed must have been collected for a specific legal reason, which informs the organisation how it can be used. When a “data subject” gives explicit consent, this is normally sufficient legal basis for processing their data. Other reasons include compliance with employment laws; protecting the vital interests of a data subject who cannot give consent; not-for-profit organisations that do not disclose to third parties; and certain legal processes, such as care proceedings. In cases where teachers, social workers or health professionals have strong evidence of a safeguarding issue, relevant legislation such as the Children Act 1989 takes precedence and personal information may be shared if it is clearly in the child’s best interests.
Prepare, but don’t panic
The GDPR takes the place of the Data Protection Act in the hierarchy of laws about working with children. It broadens the definitions of personal data from those in the act and specifies that consent must be unambiguous, explicit and recorded. There is no real change here, but services are mindful not to repeat the “cookies experience”, where people using websites and apps tend to consent to the collection and processing of personal data without fully understanding the terms and conditions. The GDPR is designed to try to ensure this trap is avoided by requiring organisations to spell things out in language that everyone, including children, can understand.
Any big change can feel onerous, especially during uncertain times. However, if done correctly, the shift required under the GDPR should make data protection easier for everyone to manage and understand – service users and professionals alike.
- Yvonne Anderson is the director of Mind of My Own. Neil Dabson is a privacy expert and coding lead at Neontribe
Join the Social Care Network for comment, analysis and job opportunities, direct to your inbox. Follow us on Twitter (@GdnSocialCare) and like us on Facebook. If you have an idea for a blog, read our guidelines and email your pitch to us at socialcare@theguardian.com
If you’re looking for a social care job or need to recruit staff, visit Guardian Jobs
