Am I being unreasonable to expect the same rights as everyone else?

[iamlind]

Hello Mumsnet!

ICO are refusing to protect the medical privacy of SEN children and their families.

You can cut through all the detail below - Blanket rules forcing families to hand over a 22-page medical report loaded with highly sensitive and special category data steps over the entire GDPR framework.

-----------------

The NHS commissioned an ADHD assessment for my DD. We accept the data collected as relevant to the NHS scope but not her school. The school say they require the full report and this is blanket policy. It is incompatible to argue the collection of this data is meeting legal thresholds if there is a blanket policy requiring the entire report from them.

GDPR requires considerations to be made before the collection of personal data, especially so in the case of sensitive data. Demanding the full report as standard practice by-passes and abandons all principles set out by the ICO. An assumption has already been made from the start - it is all relevant without asking any questions or setting any parameters.

The assessment took place in a clinical practice and probed a wide range areas such as my own childhood, when my DD started her period, my medical history, details of childbirth, historical pregnancies/abortion/miscarriages, historical relationships, sexuality disclosure and many other private matters. As an investigation, it is designed to seek out the most sensitive areas in people's lives and encompasses data that reaches back decades before your child is born.

I gave the SEN department of the school information I believed to be relevant for their purpose. However, I did invite them to ask me for more and gave them the page index to be helpful. I explained to the school that the document contains too much personal information. I am not trying to be difficult; I only want them to account for what they are taking.

My wishes were dismissed and I'm told they ‘require’ the report in full and this is blanket policy. I asked why they need details of my childhood and how this will be used to support my DD special educational needs. They did not answer this but did say that ‘The pages you have sent do confirm her diagnosis and will be sufficient for our records.’

I reached out to the head numerous times to raise my concerns. Nobody is saying we need X type of data because it helps to support your child in this way. No consideration is being made to the kinds of sensitive data they are collecting and whether they are relevant to purpose. It is just assumed that 100% of this lengthy medical document is relevant for their scope too. The school don’t know what’s in it, they won’t say what they want from it and the privacy policy states the SEN information they need as ‘SEN information’. I was ignored.

I launched a formal complaint and got a response from the deputy head. Previously I was told that what I had provided was sufficient but now the deputy says my child is likely to be refused SEN support on the basis of not handing over the entire report. They give an example of the JCQ examination board denying additional time in exams. Again, nobody is telling me what the JCQ needs from the report, only that they want the full report.

It is the responsibility of the organisation collecting the data to explain what types of personal data are required by the third-party they are collecting on behalf of. I don’t understand why the ICO are not enforcing this.

The ICO say there is no case to investigate because they cannot say what is relevant. They recommended I ask the IPSEA to clarify this and added that if such a body could establish what is relevant then there would be a case to investigate. The IPSEA say it’s not their role to determine this.

I do appreciate that the ICO are not SEN experts and therefore not in a position to evaluate what is relevant but they could enforce the law by compelling schools to account for the personal data they are collecting. These are back door keys into the most sensitive areas of people's lives with no limitations or controls in place.

GDPR law states it is the job the organisation collecting the data to explain what personal data they are asking for. I don’t understand why the ICO have asked me to find a SEN organisation willing to make this determination.

The ICO are not enforcing the GDPR principles stated on their own website.

Article 5(1) requires that personal data shall be:
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);

This is a medical document. It should not be confused with an Educational Health Plan and the school has stated they don’t believe my DD needs an EHC plan.

On the ICO website it says:
‘Special category’ personal data is personal data that needs more protection because it is sensitive. The recitals to the UK GDPR explain that these types of personal data merit specific protection. This is because use of this data could create significant risks to the individual’s fundamental rights and freedoms.

Examples given include:

• their religious beliefs or other beliefs of a similar or philosophical nature
• their sexual life or orientation’

Consider the potential for harm if information such as sexuality or abortion is prised unnecessarily. There are plenty of people who hold views that conflict with the states position.

There does not appear to be any understanding for the sensitivity of this data is or the risks that are being introduced.

This blind spot in GDPR is being allowed to go unchallenged because the data controller is not being pushed to say what they actually need and nondescript definitions like ‘SEN information’ are being accepted in privacy policies by the ICO.

There is an issue of consent for the data collected because parents are being told the entire document is required otherwise their child won’t get SEN support. Forcing parents to choose between SEN support and privacy is not a fair choice. Both could be achieved, if GDPR law is properly enforced and schools are held accountable for the sensitive data they are collecting.

In my case, both parties could have reached a happy medium. I was happy to give the school whatever they needed as long as they could explain it. They didn’t want to explain anything and dismissed my rights outright. An order from the ICO for the school to improve their GDPR training would inspire a more considered approach. Telling me what I had given them was ‘sufficient’ and then going back on that a month later is not the best outcome for anyone, least of all my DD.

Without enforcement, SEN children and their families will continue to be discriminated against because we are not getting the same rights and protections for privacy like everyone else.

What a palaver. I would just give them the report

Two options - give them the report. It really won't be as interesting to them as you think it might be.

Option 2 - go back to the provider and ask for an abridged report which confirms the diagnosis but doesn't reveal information about you.

This has got nothing to do with GDPR.

I think if you want special provision for SEN, you need to provide them with the report in full.

Otherwise it would be ripe for fraud, surely? The provision needs to be based on the facts of the case, not your interpretation of them?

Option 3 - give them a copy of the report with unnecessary sensitive data about you redacted (go over it with a thick black marker).

Redact the report yourself and give it to them

While I can sort of understand your point, all organisations will be bound by the same privacy laws.

I think you need to ask yourself what it is that you're afraid of? Is it

• not wanting your history to be scrutinised or judged? In which case the report will only be shared with people on a 'needs must basis' and the parties involved would have been trained to handle all types of information and also have experience of dealing with all types of family situations. This would not be shared with the wider school community

• are you just doing this on principle? Because if so, you're potentially delaying or running the risk of DC not getting the support they need

Redact everything unrelated to your DD's SEN (if you have access to Adobe, this is much better than black marker, as if they photocopy the underlying text often shows through a black marker unless you've gone over and over), and jot at the side what type of content is redacted (i.e. Redacted: mother's medical history, or Redacted: child's physical development history) unless the header for that section makes clear what is redacted. JCQ won't be encouraging exam boards to be sent parent's medical information by schools! School probably don't entirely understand what you are saying to them, and the redacted version will make it clear why you've been upset.

Why shouldn't a woman expect privacy for miscarriages or other trauma's they've experienced?

Why shouldn't the parent or child expect privacy regarding their sexuality?

There are certainly things in my childhood I would like to keep to private.

I think the point is being missed here. Nobody is saying the school shouldn't get sufficient information. I invited them to ask me for more information.

Redaction is a good idea and I just wish the school had suggested that instead of telling me one minute this is sufficient and then telling me it's not one month later.

You don't need to give them the whole report. I work in a private clinic and were commissioned by nhs to do work. We send full copies to the ADHD/ ASD service and GP. We send an abridged copy to schools which omits the often sensitive family history.

Honestly OP, schools are snowed under with administrative and pastoral work on top of their actual educating work. You are creating huge amounts of work (and likely stress) for someone who already has a very busy job.

Redact the information you do not want them to have and send in the report.

I agree with PP that staff in schools are well trained in GDPR and are used to handling sensitive data.

Getting the right support for your child sometimes involves jumping through hoops.

Not that I have any experience in this, but it could be that if OP redacts the document they will still push it back as they already said they need the full report. Even though this isn't the case here, they could see it as fraudulent activity as they can't actually ascertain what bits of the document has been redacted and anyone could do this to conceal information that can impact the outcome of their decision.

I am intending on sending them a redacted version. I genuinely wish this had been suggested, not just for my sake but for all parents in this situation.

My point is being missed. Blanket rules demanding this medical report in full and not even suggesting to parents some way of balancing privacy with what they need is dangerous.

I think issues like sexuality and abortion could cause a lot of anxiety if disclosed.

YANBU!

I sure as hell wouldn’t send a document with my personal and confidential medical history to the school! I’m shocked that anyone thinks this is ok.

As pp have suggested, can you contact the report writer and request an abridged report for providing to the school?

In the meantime I’d reply that I’m attempting to source an abridged report but to please continue as if this will not be forthcoming, and act in my daughters best interests with the current documentation available.

Sounds like your clinic perfectly understands the distinction between what falls under 'investigation' and what is relevant to purpose. The investigative part should be trusted to the doctors.

I understand that the school needs full information with regards to your child’s situation and needs and you sound 100% happy for this and any other relevant information to be provided. As PP suggested redact the personal information. I would be very unhappy to think the schools admin assistant (who lives in my village and gets plastered in the pub) would have access to highly sensitive family information. I’m absolutely sure she wouldn’t be discussing any of my private info but I don’t want it known. Could you talk to your Head or SEN lead and explain that there is personal information that is only relevant to you that you really don’t want shared with others. Having said that I might bite the bullet and just give them the full document just to get things going. I’m sorry you are going through this and it’s bringing up upsetting past circumstances for you.

I did say to the SEN department there was too much information in there. As well as giving them what I thought to be relevant, I gave them the page index so they could see what kind of things were in there and we could figure out what they needed. I was told the full report is required. At this point, suggesting to me or any parent to redact would have been the best way forward. I don't see why we can't strike a balance here and it shouldn't all depend on the parent.

I did contact the head several times but was ignored.

Without enforcement, SEN children and their families will continue to be discriminated against because we are not getting the same rights and protections for privacy like everyone else.

Your essay doesn't support that conclusion at all.

But I think the decision about what is and isn't necessary to be shared with the school should also sit with the clinician - they should provide a summary document. I can see why the school are reluctant to have only parts of a document with you choosing what is and isn't relevant.

It sounds like you’re nitpicking to search for a claim.

In all honesty, confirmation of diagnosis, areas my DD struggles in and recommendations to discuss with school were all helpfully placed on 1 page.

I don’t know if I’m missing something (having not needed to go through the process myself), but why was your sexuality and private information about your childhood and past pregnancies etc needed as part of your child’s ADHD diagnosis? Were the same questions asked of the father?
I wouldn’t want the school knowing deeply personal things like that either.

JCQ doesn't want to see any reports about your child. The SENCo in your school would look at the diagnosis and give extra time/rest breaks/small room/headphones, etc, based on that, or on tests for slow processing, etc, and would make the access arrangements application through the JCQ portal. No reports are sent off, but school just needs to have evidence in place to support the application if a JCQ exams inspector requested it. They won't read it, they just want to see that school has evidence for SEN children so that access arrangements are only being awarded for the right reasons.

Edited to add that the deputy head is therefore talking rubbish, and a redacted report is perfectly acceptable. Talking to the SENCo might be a better option because they actually know what they're talking about.

This is what I am trying to say. It's an investigation as well as a diagnoses. It can literally drag in anything. I've actually no objection to that under NHS scope.

I don't understand why you divulged such personal data. It isn't relevant to your DC diagnosis. Once you divulge this type of sensitive data it is out there. I went with my DC and gave all the relevant data about him and his health but declined to discuss my health. You could have done the same. I knew the school and DLA would require the full report about DC so kept it about them.

No. What I want is for schools to understand the level of sensitivity these reports can contain and advise parents correctly. I accept that it would be time consuming and very difficult to evaluate what is relevant but advising parents to redact would be the best response.
What I was told is that what I had provided was sufficient and 1 month later I was told something completely different.