The Data Protection Act 1998 (DPA) is an Act of Parliament of the United Kingdom of Great Britain and Northern Ireland which defines UK law on the processing of data on identifiable living people. It is the main piece of legislation that governs the protection of personal data in the UK. Although the Act itself does not mention privacy, it was enacted to bring British law into line with the EU data protection directive of 1995 which required Member States to protect people’s fundamental rights and freedoms and in particular their right to privacy with respect to the processing of personal data. In practice it provides a way for individuals to control information about themselves.

The Data Protection Act 1998 is ‘reserved’ legislation, which applies across the UK and cannot be tinkered with unilaterally by the Scottish Parliament; so why is it that Scots citizens are currently afforded less legal protection of their personal data than their English, Welsh and Manx counterparts?

In case anyone missed it, here is what the ‘watchdog’ for Scotland has to say about the processing of Scots’ personal data (which includes health, police and social work records):

“One of the messages that the ICO in Scotland has been giving for the past three years at least, in relation to the Children and Young People Act and the named person agenda, is don’t ask for consent if you’re going to do it anyway,”
 
“What we have to have within consent is meaningful choice – that is absolutely fundamental. Don’t ask me for my consent if I really don’t have a choice in the matter. Just go ahead and do it, because you’re going to have to rely on one of these other conditions for processing in any event, so have the courage of your convictions and do it anyway.”

She has previous form (8 mins in) and no shame as she contemptuously mocks ‘Joe Public’, i.e. those who pay her wages.

So your data (and your children’s) is already being mined and shared across agencies without your knowledge or consent, and the Scottish branch office of the ICO is positively encouraging it! Even more worrying is the fact that the provisions of the Children and Young People Act cited in the above comments have no statutory vires until August 2016 and are the subject of a high profile legal challenge due to be heard in the Supreme Court in March 2016.

Yet practitioners are being urged to “just do it” by someone whose own head won’t be on the chopping block for unlawful, non consensual data processing and breaching of the common law duty of confidentiality which is core to health services in particular. Falconer won’t be the one who will be sued, or whose job will be on the line, when the data processor ‘gets it wrong’ for a child or associated adult.

We now also have evidence from the minutes of the (now abolished) GIRFEC Programme Board, that ‘Joe Public’ was being deliberately kept in the dark for as long as possible, preferably until it was too late. Boyd McAdam, the Better Life Chances Unit Leader (we kid you not!) for the  Scottish Government, admitted as much in November 2012:

“There was a suggestion that we need to do more to “take the community with us”. Families, carers and children were not, it was said, switched on to GIRFEC. Boyd McAdam pointed out that it had been a conscious decision to focus first on embedding GIRFEC in the professional practice of all stakeholder delivery bodies, before raising awareness in the general public.”

It is also worth remembering that the Court of Session was materially misled by counsel for the Scottish Government in earlier hearings about the extent of current information sharing, as well as the de facto abolition of the non consensual data processing threshold which has been effected well in advance of the legislation becoming enforceable. The Supreme Court judges will hopefully not be so easily fooled.

Hackers and others with malicious intent are already well aware of the high value children’s data being held on insecure, inter-operable systems, but that is clearly considered an acceptable risk for ‘Joe Public’, especially since we understand that – as with ContactPoint in England – important people’s children will be exempt from the so-called ‘universal service’ databasing. The law doesn’t apply equally to everyone in terms of data protection and security, obviously.

On the matter of consent, we make no apology for repeating ourselves:

If someone says no, they mean no; if they are asleep or without capacity, they cannot consent; and when their consent is bypassed, presumed, coerced or forced, that constitutes serious assault.

On the matter of passing legislation to enable the implementation of illegitimate and immoral government policies, lest we forget:
The holocaust was legal, slavery was legal, segregation was legal. If you use the state as a metric for ethics you’ll end up disappointed.