Kate Bear analyses some of the areas of concern for local authorities when it comes to GDPR and the handling of civil claims.
The new General Data Protection Regulation (GDPR) has caused all sorts of businesses to re-assess how they process personal data. As part of this wider review, it is also a good opportunity to look afresh at how civil claims are dealt with and to review existing policies.
As a data controller, it is important to know what information you are still allowed to process, on what basis you are processing it, how long you can keep it and who you can share it with.
1. Processing of social services records
Local authorities record and retain information about their service users as a matter of course, and will continue to do so. However, it is important that the application of the GDPR and the new Data Protection Act is properly understood when dealing with personal data. Generally, processing by local authorities will fall under what is known as a ‘public task’, providing the data processing relates to the local authority’s statutory functions, as this basis can be relied upon when "the processing is necessary for the data controller to perform a task in the public interest or for their official functions, and the task or function has a clear basis in law" (Article 6(1)(e) of the GDPR). The public task basis will be the routine lawful basis for local authorities to rely on when processing personal data to provide a social care service.
However, it is important to note that where the personal data is ‘special category’ data, an additional lawful basis must be identified. This is essentially the same as the previous position under the Data Protection Act 1998, in relation to personal data and sensitive personal data. Special category personal data is defined in the GDPR as being data "revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade-union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person's sex life or sexual orientation". Special category personal data can only be lawfully processed by a local authority if an additional ground in Article 9 also exists. The most likely ground which could be used in the social care context is Article 9(1)(h), which allows local authorities to process special category personal data when it is for a public task, and is "necessary for… the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3" (paragraph 3 refers to obligations of professional secrecy and it means that social care staff processing special category data must be subject to obligations of confidence).
For special category personal data, data controllers must also meet a condition in Schedule 1 to the Data Protection Act 2018 (‘DPA 2018’). The conditions set out in Schedule 1 of the DPA 2018 are very similar to those in the Data Protection Act 1998. In terms of social care, the condition is in paragraph 2 of Schedule 1 and "is met if the processing is necessary for health or social care purposes", with the relevant purposes for local authorities being "the provision of social care" or "the management of health care systems or services or social care systems or services". Part 3 of Schedule 3 to the DPA 2018 provides for some exemptions from the GDPR in relation to social work data, providing for some circumstances where there is a presumption that disclosing a third party’s personal data will be reasonable. Although these are largely a continuation of the position under the DPA 1998, it will be important for local authority staff dealing with data protection issues (including data subject access requests) to ensure that they are familiar with these provisions.
In summary, there is a clear basis under the GDPR for continuing to process personal data (including special category personal data) where doing so relates to the local authority’s statutory functions.
It is also important that the GDPR is not viewed as a blocker to appropriate sharing of information. For example, where there are child protection or safeguarding concerns, information should be shared with relevant third parties.
2. Is there anything I can’t give to my solicitors? Third party information in social services records
When sharing information in the context of a civil claim (or potential claim), there will often be a large amount of personal data relating to third parties. The position is similar to that under the previous legislation in that the information is being shared for a specific purpose and subject to the professional obligations of confidence that solicitors must comply with. Such records can still be provided to your solicitors who will prepare the records for disclosure if necessary. However, as a general principle, whenever sharing information, it is important to consider what really needs to be shared and whether the principle of data minimisation has been complied with. The public task grounds set out above will likely cover this type of information sharing and, in addition, Article 9(2)(f) of the GDPR provides a lawful basis for processing special category data when the "processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity". This provision will assist local authorities in having a lawful basis for processing special category personal data in relation to legal claims.
3. Disclosure of records in litigation
The disclosure of records within civil claims is still governed by the Civil Procedure Rules (CPR). Disclosure in civil cases was clarified by the case of Dunn v Durham EWCA Civ 1654, which confirmed that the CPR was the correct regime under which to disclose and redact documents. In cases where allegations of abuse are made about a care home, the names of other residents will potentially be relevant as these are potential witnesses in the case who may be able to corroborate the claimant’s allegations. The GDPR does not change this.
4. Instruction of experts
Expert witnesses are independent data controllers, so the GDPR also applies to them. Your solicitors, or the local authority if instructing an expert independently, would be wise to confirm the data protection arrangements whenever instructing experts. A standard form template can be used when instructing experts to confirm that they are an independent data controller and responsible for ensuring their own compliance with the GDPR, as well as any general requirements relating to how information is shared.
5. Tracing witnesses
It is common to need to identify witnesses to fully investigate claims. Local authorities often provide their instructed solicitors with former employees’ contact details taken from the Pensions Department. In these circumstances the former employees’ details are being held by the local authority for a specific reason and a separate legal basis will need to be identified in order to lawfully use this information for another purpose, i.e. witness tracing.
Providing such information to your solicitors may be justified under the public task grounds and, potentially, the legal claims basis in Article 9(2)(f). In each case, it will be for local authorities to decide whether there is a lawful basis for such processing. It is also worth noting the exemptions in paragraph 5 of Schedule 2 to the DPA 2018 in relation to information required to be disclosed by law or in connection with legal proceedings. This means that some GDPR provisions, for example those dealing with information to be provided, subject access rights, the right to erasure and the right to rectification, do not apply to information which must be disclosed in connection with legal proceedings. If it is not clear there is proper justification, local authorities may wish to ask their solicitors to attempt to find this information through other means first, such as in-house tracing departments.
6. Sharing information with police and vice versa
As part of dealing with incoming civil claims local authorities are routinely asked to share information with other agencies, such as the police. This is done for safeguarding reasons and is an important part of ensuring the safety of children in the local area. Law enforcement processing is covered by the DPA 2018 and deals with the requirements for the processing of personal data for criminal ‘law enforcement purposes’. The local authority must still meet the condition in paragraph 2 of Schedule 1 to the DPA 2018. In a similar way to that described above in relation to tracing witnesses, paragraph 2 of Schedule 2 to the DPA 2018 allows personal data to be processed when it is for "the prevention or detection of crime, the apprehension or prosecution of offenders, or the assessment or collection of a tax or duty or an imposition of a similar nature". Where information is processed for these purposes, it also means that some of the GDPR provisions (those listed in paragraph 1 of Schedule 2 to the DPA 2018) do not apply to such processing. Examples of the provisions which would not apply are the right to erasure (Article 17 of the GDPR) and subject access rights (Article 15 of the GDPR).
It will be key to have information sharing protocols in place which are followed by all parties. Thought should be given to whether it is proportionate to share the information, i.e. if the alleged abuser is dead, is there really a proportionate reason to be sharing a Claimant’s personal information with the police?
7. Retention of case files once claim concluded
After a case has concluded a local authority should be able to rely on ‘public task’ as a lawful basis to retain the case files.
The GDPR places greater emphasis on the justification of retaining personal information. As long as the reason for retaining case records can be justified, you should not find yourself in breach of the GDPR. It will be important to have policy documents around this, which set out clearly the rationale behind the retention of files. If one is not already in place, local authorities should develop a retention schedule which details how long personal data will be held for. This should reference any guidance and policies on retention periods. Even with policies in place, it will be important to give thought to what is being retained in each case. While the claimant’s allegations and your investigations will clearly be important information to retain, is there any good reason for keeping a claimant’s medical record? Is this proportionate? As long as it can be demonstrated that thought has been given to this question and you have identified and appropriately documented a reasonable basis for retaining the information, your organisation should be protected.