Further thoughts on the “use” of GDPR and the Data Protection Act 2018 to restrict information-sharing with family where care is provided to adults with a learning disability or dementia or other cognitive impairment.
Is informed consent needed for the sharing of information?
According to Information Commissioner’s Office (ICO) guidance, if the data subject does not have the necessary mental capacity to manage their own affairs, “it is reasonable to assume that an attorney with authority to manage the property and affairs of an individual will have the appropriate authority. The same applies to a person appointed to make decisions about such matters….in England and Wales, by the Court of Protection”.
But what about the many thousand of people of all ages, receiving professional care and support who have never made or been able to make a power of attorney, and whose family could not afford to apply for or would not be granted welfare deputyship?
Perhaps the answer lies elsewhere?
In fact, “consent” is only one lawful basis for data processing (which includes data sharing).
Article 6 (1) of the GDPR provides 6 possibilities:
(a) the data subject has given consent;
(b) processing is necessary for the performance of a contract to which the data subject is party (or in order to take steps at the request of
the data subject prior to entering into a contract);
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in
the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
Care providers may be able to rely on a number of these (particularly ( c) and (f), or in the case of an emergency (d)), as their lawful basis for sharing information with family, as they make best-interest decisions in the arrangements for and delivery of care.
According to the ICO, “legitimate interests is most likely to be an appropriate basis where you use data in ways that people would reasonably expect and that have a minimal privacy impact. Where there is an impact on individuals, it may still apply if you can show there is an even more compelling benefit to the processing and the impact is justified”. Information is available on the ICO website on how to apply this ground in practice.
Government has produced its own guidance in relation to children and young people: “Information sharing – Advice for practitioners providing safeguarding services to children, young people, parents and carers”.
The “myth-busting” section is a useful read. It includes the following advice:
“the Data Protection Act 2018 balances the rights of the information subject (the individual whom the information is about) and the possible need to share information about them. Never assume sharing is prohibited – it is essential to consider this balance in every case”.
The principles in this guidance might apply equally to adults who lack the capacity to consent to the sharing of information, but there is no specific formal advice out there. As this is an issue that is currently affecting the lives of many individuals, and their families, perhaps it is time for government and the ICO to get drafting again – to ensure information is shared as appropriate with those who know the person best – in that person’s best interests.