Protocol for informing children of data protection breaches: FOI release

Information requested

What processes are recorded as being put in place [potentially under the Children (Scotland) Act 2002] such that a child can be informed of the breaches of the Data Protection Act 2018/General Data Protection Regulations (GDPR) that has allowed false Special Category (SC) data and Criminal Offence (CO) “sensitive” data (as defined by the Data Protection Act 2018) to be shared at multi-agency meeting (such as an “IRD" or “MARAC") and this unlawfully shared data to be filed as a Concern Report on the Police Scotland interim Vulnerable Persons Database (iVPD) and thence passed to the Local Authority Council Children & Families Social Work System?

Response

Personal information including convictions, crime reports and Interim Vulnerable Person Database entries shared by Police Scotland during Initial Referral Discussions (IRD) and Multi-Agency Risk Assessment Conference is shared for law enforcement purposes to safeguard prevent, investigate and prosecute criminal offences.

The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 require all organisations that process personal data to comply with six enforceable principles regarding privacy and disclosure; these vary slightly according to why personal data is being processed. These principles are that data shall be:

• Processed lawfully, fairly and in a transparent manner*
• Collected for specified, explicit and legitimate purposes
• Adequate, relevant and limited to what is necessary
• Accurate and, where necessary, kept up to date
• Kept for no longer than is necessary
• Processed in a manner that ensures appropriate security

* The requirement for transparency does not apply in the same way to processing of personal data for law enforcement purposes – defined as the prevention, investigation or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security. This is because the disclosure of information relating to this processing may prejudice these purposes.

Any decisions made during an IRD and MARAC process that affects a child will be explained to them, but this will not include the disclosure of personal information about other parties unless it is necessary to safeguard.

About FOI

The Scottish Government is committed to publishing all information released in response to Freedom of Information requests. View all FOI responses at http://www.gov.scot/foi-responses.