Preventive data processing and profiling in Scotland

Preventive data processing and profiling in Scotland, as endorsed by the ICO

Relevant excerpts from GIRFEC timeline

1 December 2010 

Stirling Council pilots universal data sharing “to identify families in need”

Exercising the power of wellbeing

“In December 2010 initial discussions took place with a business analytics company to pull together appropriate data sets from across (Stirling) Council to identify families in need. This was conducted in a pilot project. Information from the following Council information systems was consolidated and analysis of those children and families has proved highly valuable in decision making regarding services and interventions. Service Area System Social Services SWIFT Education SEEMIS Housing Northgate Youth Services Cognisoft IO Community Wardens APP Civica Research Team Government demographic data, CACI ACORN Segmentation data Substance Misuse Government demographic data Forth Valley GIS Gazetteer.”

“… it was possible to see, at a glance, the full history of a vulnerable child on the screen. The information allowed decision making staff and case workers to see school attendance, attainment, previous addresses, changes in name, housing repairs, police reports pertaining to the address and Criminal Justice data sets, to name but a few.”

13 December 2012

“Exercising the power of wellbeing” (Stirling Council)

Stirling Council (wrongly*) awards itself the power under the Local Government Act 2003 “to legitimise the collection, sharing and use of personal data on all children for the Vulnerable Children and Young People Project”.

See also: Exercising the power of wellbeing (forum thread)

[* Lawyer Allan Norman refutes the following attempted justification – see later timeline entry]

“In November 2012 the Assistant Chief Executive (Care, Health & Wellbeing), Assistant Chief Constable and the Council’s legal adviser met with representatives from the Information Commissioner’s Office. The purpose of the meeting was to apprise the Information Commissioner’s Office of the Council’s plans to develop this reporting system. The Information Commissioner’s Office endorsed the proposal to exercise the power of well-being to legitimise the collection, sharing and use of personal data on all children for the Vulnerable Children and Young People Project”. [ Not very mindful of Article 28(1) of the EU DP 95 Directive (requirement to act with complete independence), and wrong!]

“Stirling Council’s powers

3.9 Stirling Council derives its powers entirely from statute. To ensure that it does not act beyond its powers, the Council must ensure that all of its actions are provided for in statute.

3.10 There are no express statutory powers to collect, use and share data in relation to children and young people provided for in statute. Further, the consultation paper on the proposed Children & Young Person’s Bill, which was published in July 2012, stated at paragraph 120 that the Act will not contain new express statutory powers to share information between services where there are concerns about children & young People. Instead, whilst acknowledging that “information sharing can be a complex and, at times, confusing legal environment for practitioners” the consultation paper provided that “the intention is that information sharing would occur within existing legal frameworks”.

3.11 Section 69 of the Local Government (Scotland) Act 1973 provides that Local Authorities are empowered to do anything which is “calculated to facilitate, or is conducive to or incidental to the discharge of any of its functions”. This enables the Council to look to the service or function which the data sharing supports for its implied power to data share.

3.12 Under the Children (Scotland) Act 1995 the Council has a duty to safeguard and promote the welfare of looked after children and to promote the welfare of children in need. Data sharing clearly will support the discharge of these functions and so the data sharing may be legitimised but only for looked after children and children in need. The Vulnerable Children and Young People Project seeks to share data about all children and so the terms of The Children (Scotland) Act 1995 are insufficient to legitimise the Project. The Power of Well-being

3.13 The Local Government in Scotland Act 2003 provides the Council with a discretionary power to “do anything which it considers is likely to promote or improve the well-being of:- a. its area and persons within that area; or b. either of those.”

3.14 The term “well-being” is not defined in the Act but there is some assistance to be found in the statutory guidance issued by the Scottish Ministers on the 2003 Act, to which Local Authorities are obliged to have regard (see Appendix 1). This refers at Paragraph 1.4 to the Act as an “important part of the Scottish Executive’s local government modernisation agenda and its drive to see continuous improvement in public services” and to “enable local authorities to work and deliver in partnership with other agencies and communities”. It also specifically refers at Paragraph 1.6 to social factors such as “looking after the needs of children and young people, particularly the most vulnerable” as a key factor which would contribute to the promotion or improvement of well-being.

3.15 The guidance makes it clear that this power is a broad ranging power and refers to it as “a power of first resort”, to be used when there is doubt about whether existing powers would enable a particular course of action or service delivery. The power is subject to various limitations none of which apply in these circumstances.

3.16 It is considered that the Vulnerable Children and Young Persons Project is a legitimate use of the power of well-being.” [Big oops!]

30 May 2013

Data Sharing Technology Board minutes

P 101 Item 5: Lothian TRAK using Named Person and Lead Professional.

P102: Stirling Council papers on Vulnerable Persons Database (VPD) referenced by Data Management Board (docs now gone but saved by HE forum):

“The guidance makes it clear that this power is a broad ranging power and refers to it as “a power of first resort”, to be used when there is doubt about whether existing powers would enable a particular course of action or service delivery. The power is subject to various limitations none of which apply in these circumstances.[like the Human Rights Act?]

“It is considered that the Vulnerable Children and Young Persons Project is a legitimate use of the power of well-being*.”

[* Legal opinion refuted this assertion, confirmed by the Supreme Court judgment which ruled wellbeing to be “notably vague” and without legal definition.]

1 November 2013

 Fife Children’s Services Information Sharing Protocol, November 2013

Details how Fife would appear to have been acting outwith the law since at least 2013. It details exactly what information should be shared (section 26), the means by which they will collect the information (Section 18) and with whom the information will be shared (section 7).

7 The information sharing partner organisations

7.1 This ISP covers the exchange of information between staff of the following organisations that are engaged in delivering the service outlined in this document:

Information Sharing Partner Organisations                         Responsible Manager

Fife Council, Social Work Service                                         Head of Service

Fife Council, Education Service                                             Head of Service

Fife Council, Housing and Neighbourhood Services             Head of Service

Police Scotland                                                                       Fife Division Data Controller

NHS Fife                                                                                Director of Public Health & Caldicott Guardian

Barnardo’s Scotland                                                               Pending Signature

Fife Voluntary Action                                                            Chief Executive Scottish

Children’s Reporter Administration                                     Locality Reporter Manager

13 Consent

The refusal of consent to allow agencies to share information will be a factor which will feature in the overall assessment of risk for a child. On many occasions this may heighten the assessed risk for a child and further investigation/intervention maybe required. [The Supreme Court named person judgment subsequently disavowed this presumption and upheld the established intervention threshold].

15 Sharing information without consent

Advice obtained from the ICO in April 2013, supports early intervention and the fact that information should be shared early enough to avoid risk of harm. Harm can manifest in many forms not just physical, the wellbeing indicators provide a way of assessing risks to a child. Therefore as in many cases, a risk to wellbeing can be a strong indication that the child or young person could be at risk of harm if the immediate matter is not addressed. As GIRFEC is about early intervention and prevention it is very likely that information may need to be shared before a situation reaches crisis

18 Information collection

18.1 The approved collection tools for partner organisations to gather the personal information detailed in this ISP are:

Information System

  • SWIFT  (Fife Council, Social Work)
  • E1 (Fife Council, Education Electronic)
  • GENERO (Fife Council , Housing and Neighbourhood Services)
  • Scottish Intelligence Database (Police Scotland)
  • Crime recording System (Police Scotland)
  • Public Protection Unit System  (Police Scotland)
  • Vulnerable Person System (Police Scotland)
  • PNC (Police Scotland)
  • CHS (Police Scotland)
  • Voter’s Role  (Police Scotland)
  • Visor  (Police Scotland)
  • OASIS (NHS Fife)
  • Child Health Surveillance  (NHS Fife)
  • TIARA  (NHS Fife)
  • EOasis  (NHS Fife)
  • Therefore (A & E) (NHS Fife)
  • CHI  (NHS Fife)
  • SCI store (NHS Fife)
  • Badger (e-maternity system) (NHS Fife)
  • Case Management System (SCRA – Voluntary Organisations)
  • Secure email, Partner’s client paper files, Templates / Forms / Letters
  • Telephone / Verbal communication

26 Details of information to be shared


Risk Assessment including:

  • Parental substance misuse
  • Domestic Abuse
  • Parental Mental Health Issues
  • Parental learning difficulties
  • Health screening and health risks
  • Social risks
  • Environmental risks Investigations
  • Registration details
  • Medical examinations
  • Legal measures
  • Financial assessments
  • Housing situation
  • Family circumstances, care and supports / Informal and formal
  • Household circumstances
  • Additional support needs eg: interpreter
  • Social and Emotional Developmental
  • Immunisations
  • Offence related referrals
  • Risks regarding alleged perpetrator of harm
  • Educational needs
  • Advocacy

This will include information on the child who is the subject of the notification, siblings of that child, other children connected to that child and any key and/or significant adults who are involved and/or associated with the child in question. They will also seek information from and any other service and/or agency that may be involved with the child and/or have relevant information relating to that child.

9 January 2014

Wellbeing power cannot be construed as duty to share information

Lawyer Allan Norman dismisses the Local Government Act’s use as a gateway for routine sharing information (Stirling VPD). [The Supreme Court ruling of 28 July 2016 subsequently confirmed the illegality of such information sharing.]

He writes:

There is equivalent legislation in England, in section 2, Local Government Act 2000. And LAs in England have used it to the same effect, to try to argue a power for information sharing. It doesn’t change my opinion in the slightest, my opinion was given in the knowledge of such provisions.

The key to oppose such interpretations of the well-being power is to be found in its limiting provision. In Scotland, this is in section 22:

22 Limits on power under section 20

(1) The power under section 20 above does not enable a local authority to do anything which it is, by virtue of a limiting provision, unable to do.

(2) In subsection (1) above, a “limiting provision” is one which—

(a) prohibits or prevents the local authority from doing anything or limits its powers in that respect; and

(b) is expressed in an enactment (whenever passed or made).

Meanwhile, the Data Protection Act permits information sharing only in specified circumstances – all of which require consent or necessity, and the relevant ones here being:

5 The processing is necessary—

(b) for the exercise of any functions conferred on any person by or under any enactment,

(c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department, or

(d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

My view is that frankly it is legal nonsense to suggest that a general well-being power, which makes no reference to information sharing, can be construed as a duty to share information; and since it is a well-being power not a duty, it cannot become ‘necessary’ for the purposes of the Data Protection Act. Moreover, since the power is limited to things it is not otherwise prevented from doing under an enactment, the correct interpretation is that the Data Protection Act and the Human Rights Act are ‘limiting provisions’.

Of course, the Information Commissioner’s Office has made clear – indeed in the context of child protection – that being able to point to a statutory gateway is not sufficient.  This is both because – as the ICO guidance points out – a statutory gateway may be permissive or mandatory – and also because the existence of a statutory gateway cannot itself make it “necessary” as is required by all of the alternatives to consent within the Data Protection Act itself. (see Protecting Children’s Personal Information: ICO Issues Paper, Information Commissioner’s Office).

10 January 2014

Stirling Vulnerable Children and Young People Project: legality questioned

HEF thread questions legality of Stirling Council’s ‘wellbeing’ powers under LG Act fot the “collection, sharing and use of *personal data on all children* for the Vulnerable Children and Young People Project” as non-compliant with Data Protection Act and Article 8.


More than 400,000 Scots labelled ‘vulnerable’ on police database (BBC)

Officers attending incidents or crimes add people to the list if they consider them at risk of future harm.
The Information Commissioner said the database breached the Data Protection Act because it lacked an information removal policy.
Police Scotland said it was working to bring it into compliance with the act.
Many people were not told that they had been put on the system.
The force said that the database allowed officers to collate information about vulnerable adults and children – which offered “real opportunities” to prevent future crime.
Figures obtained by the BBC show that there are currently 412,000 adults and children on the Vulnerable Person Database (VPD) – an increase of more than a third since February last year when there were 302,346 on the system.
It was set up to comply with the Child and Young Persons Scotland Act, which Scottish government ministers hoped would include a “named person” scheme.
That has been delayed after Supreme Court judges ruled against certain aspects of the proposals in 2016.
Det Ch Insp Conway added that Police Scotland had done “a lot of work” following the Supreme Court judgement in July last year.
He said: “We believe were still acting within our legal basis in terms of our core purpose and improving safety and wellbeing.

Except the powers do not extend to adding citizens to a database without their consent on the basis of an illegal ‘wellbeing’ threshold.

Despite admitting to databasing citizens since 2013, Police Scotland has bizarrely claimed the powers came from the GIRFEC ‘wellbeing”named person’ data sharing provisions of the 2014 CHYP Act (which never came into statutory force as scheduled for August 2016 after being struck down by the Supreme Court). However, the databasing commenced much earlier using a different statutory gateway (also illegal) which had been rubber stamped by none other than the Ass Scottish ICO.

The VPD ‘concern reports’, based on the same SHANARRI indicators that the Supreme Court found ‘vague, have included such observations as ‘mollycoddled’ and ‘over-nurtured’ in relation to home educated children, whcih have been passed around agencies.

Herald coverage
Scottish Sun: Here’s how to check if you are one of 400,000 people on Police Scotland’s secret database
Care News report
Evening Express report

29 OCTOBER 2017

Personal details of 815,000 ‘vulnerable’ Scots held on secret police databases (Sunday Express)


New figures obtained under Freedom of Information (FoI) legislation show that one in every seven citizens have been added to the register since it was introduced just over three years ago.

The total includes 131,000 children up to 11 years old (one in five) and 108,000 12 to 18 year olds (one in four). Police Scotland’s Vulnerable Person Database (VPD) was set up to collate information about adults and children who may be at risk from crime.

However, the Information Commissioner said it was in breach of the Data Protection Act because there was no policy for removing names and other details.

In September, BBC Scotland reported there were just over 412,000 people on the VPD but it has now emerged this only included “vulnerable” people.