14 Managing information
Disclosure of personal information
Data protection legislation governs the collection, recording, storage and disclosure of personal information. Such information held about individuals cannot normally be used for purposes other than those for which it was originally supplied without the individual's consent. Personal data covers both facts and opinions about a living individual which might identify that person. 1 Disclosure of personal information must comply with statutory data protection principles. 2 Unauthorised disclosure of personal data is an offence. 3
Article 8 of the ECHR guarantees respect for a person's private and family life, his home and his correspondence. Disclosure of personal information breaches that right unless it complies with the human rights tests of necessity and proportionality: the disclosure must be in accordance with the law, or necessary for the protection of an individual, or is in the public interest. Unless there is a lawful basis for disclosing information, such as the subject having given consent or compliance with a legal requirement to disclose, the information should not be shared.
There are several important exceptions to this. 4 Data may be disclosed to safeguard national security, to prevent or assist the detection of crime, or to protect the vital interests of the person. This last provision is usually interpreted as 'protecting life and limb'. Common law also has a concept of medical confidence, which impacts on capacity to share personal health information. The General Medical Council only allows doctors to share information to prevent or detect a serious crime, i.e. murder, rape or serious assault. Common law enables the disclosure of information where this is necessary to protect a vulnerable person from harm. If there is reasonable concern that a child may be at risk of harm this will always override a professional or agency requirement to keep information confidential. 5 All professionals and service providers have a responsibility to act to make sure that a child whose safety or welfare may be at risk is protected from harm and this is enshrined in professional and ethical codes of conduct. In some circumstances the police have powers to request professionals to disclose information.
Right of access to personal information
An individual may request access to personal information held about him or her by an organisation. 6 Personal information includes local authorities' case records about looked after children, required by secondary legislation. 7 The organisation must describe what information it holds about the person, where it has come from, why the information is being stored and how it will be used including with whom it will or may be shared. If the personal information held by the organisation is the only basis on which a decision which will significantly affect the individual will be made, the person designated to manage data held by the organisation, the data controller, must tell the person how and why the information is used to make the decision.
A request for access to personal information under data protection legislation places certain legal requirements on the recipient organisation and is therefore a transaction having legal effect. Young people over sixteen have legal capacity to access personal information. The right of access extends to children under 16 years of age who understand what it means to exercise that right and the public authority should consider whether a younger child has sufficient understanding to do so. A person aged 12 years of age or over is assumed to be sufficiently mature to have such understanding.
If a child does not have sufficient understanding to make his or her own request, a person with parental responsibilities and rights can request access to the records acting on the child's behalf as their legal representative. 8 An agency may refuse a parental request for personal information when the circumstances fall within prescribed exemptions. 9 Where an agency considers that granting access to a parent is likely to result in serious harm to anyone, it may refuse access. The parent, acting on the child's behalf, may then make an application to the courts or the Information Commissioner for access.
Different legislation governs children and young people's access to their medical and health records. 10 Patients, including children who are capable of understanding the nature of the application to see their health records, are entitled to access unless a health professional believes that access would cause serious harm to the physical or mental health of the patient or any other individual. Where children do not have the requisite understanding their parent or another person with parental responsibility may access the child's health record if the health professional considers that access is in the child's best interests. Information in the health record provided by another party may also be withheld unless the third party has consented to its disclosure. 11 Parents have a right to access their child's educational records for inspection free of charge within fifteen days of a request in writing, and are entitled to have a copy of the record subject to payment of a fee. 12 Children and young people have no statutory right of access to their educational records.
Freedom of information
Members of the public have had access to information held by Scottish public authorities since 1st January 2005. 13 Scottish public authorities include central and local government, health services, the Scottish Children's Reporter Administration ( SCRA) and the police. 14 The framework for access to public information is overseen by the statutory office of Scottish Information Commissioner, 15 and is governed by statutory codes of practice on how public authorities should respond to requests for access 16 and all aspects of their records management. 17 Certain information is exempt from the requirement for public access, including personal information or information 18 given in confidence. 19