Named Person information sharing not legal

The Supreme Court unanimously ruled that the information sharing provisions of Part 4 of the Children and Young People (Scotland) Act 2014 were outwith the competence of the Scottish Parliament. Information sharing was to be through the Named Person created by Part 4 of the Act.

The Scottish Government wants to create a proactive system that looks after the wellbeing (undefined) of Scottish children and young persons rather then reacting when those children and young persons are identified as at risk.

They set out to achieve this by Part 4 of the 2014 Act, which was due to come into force on the 31st August 2016. This was no longer possible given the Court’s decision.

Part 4 provided that every child and young person up to the age of 18 (or beyond if still at school) was to have a Named Person. The pivotal role of the Named Person was to pool and share information about children and young persons with other relevant bodies. The Supreme Court recognised that the range of information to be shared was potentially very wide. In addition the sharing of information could take place not only where the holder of the information considered that the wellbeing was being affected but also where the holder considered that the child and young person’s wellbeing may be affected.

The Supreme Court recognised that the interplay between Part 4 of the 2014 Act and the DPA was extremely complex. It went on to decide that the information sharing provisions of Part 4 of the 2014 Act were outwith the competence of the Scottish Parliament. It held that there was a need to “address the lack of clarity as to the relationship between the Act and the DPA…”. The provisions could not be brought into force on the 31st August. The Scottish Parliament and the Scottish Government were given the opportunity to correct the defects while the Court would decide whether to suspend the effect of the judgement to give time for the remedies to be made. The Scottish Government said that it would start immediately to make the necessary amendments to the 2014 Act.

Following the Court’s decision the ICO said that data controllers should ensure that they meet the requirements of Schedule 2 and Schedule 3 (where appropriate) of the DPA when sharing information.