ICO campaign on data sharing in the SEN system

[inappropriatelyemployed]

I can't find the original thread on this but if you look at the link here it basically sets out what we are up to.

There are many examples of unlawful information sharing within the SEN system. Even if information can be shared without consent, it should only be shared for the benefit of the child, yet, often, it is shared to undercut demands for improved provision or requests for statutory assessments etc e.g. school and other professionals may agree to share information as a united front against the parents demands.

Sometimes, LAs have been known to exert pressure to change a child's diagnosis or a medical report about their needs. All done covertly obviously.

If you have a story to share PM me. We are putting together stories to approach with ICO about these issues with the help of a firm of solicitors who are acting for free.

Trouble is, the dodgy info sharing is never cc'd to parents, so can't be proved

I don't think you need to be copied in to it to know that it happens! There have been many examples of reports being changed and parents being quite aware of this happening.

I actually have 2 different copies of the same report - one version was for me and the other version was for the school/tribunal. also found out after the tribunal that the NHS OT had had enormous pressure put on her but she stood by her report much to the LA disgust so they just then didn't call her to the tribunal than risk her going 'hostile'

Two different copies of the same report?

How does your version differ from the school's, and how the actual fuck did the LA think they were going to explain that one at Tribunal?

My version is much more meaty - was wrote by autism outreach showing all the strategies she was going to do for him so making me believe that there was an action plan etc.

The other version which I only discovered by mistake I guess through a FOI request for his file from the school was a much shorter version detailing less issues and support required. And yes when the LA put in their papers for the tribunal the shorter one was in their bundle. The LA case was that I was over exgaratting his needs etc, quite why they did I really don't understand to this day.

Thankfully I was one step ahead and served both versions in my bundle and highlighted it to the tribunal in my case statement. At the tribunal the judge made reference to it but didn't really do anything else but I think at least the tribunal did pick up on it.

Here's one I'm not sure about, ie. I don't know if it's the sort of thing you're looking for, see what you think...

Towards the latter stages of our appeal for DS1, I started noticing that a lot of e-mails I was receiving from the LA's SEN team were being copied to a gmail address: [insertLAnamehere][email protected]. The e-mails included text content and attachments with personal data on DS1, as well as more humdrum "when shall we meet to talk about DS1 WD" etc. The messages also did not include DS1's name in the subject header - just his initials, date of birth, and then the title.

I didn't think about it at the time, but afterwards it struck me as odd. Why would an LA with a fully-functioning corporate messaging system need a Google e-mail account to conduct tribunal-related business? And what other information relating to DS1 was being shared by the LA via this gmail account, and who were they sharing it with?

I can't think of many explanations that aren't shady, tbh. For example, until fairly recently DfE Ministers and their special advisers used just this tactic to get around FoI requests.

Has anyone else come across this? I'd be interested to know how it squares with the LA's responsibilities to DS1 under the Data Protection Act, for one thing.

Interesting. I know that there were emails between school and the LA as the school head would often read them to me! When I did my FOI none of these emails were there so I asked for them to be told as they were 'information' only they had been deleted. Maybe they were but more likely they were covering their tracks. Also meetings the La held internally discussing my son were not documented either. I have heard of LA referring to children in meeting by initials so again they Childs details wouldn't be found under a FoI , the parent only knew as someone at parent partnership had been at the meeting where the child was discussed and discovered this is what the LA were doing

Just an FYI - no child should be referred to by name in any emailing that goes outside an internal mail system, unless it is in an encrypted or password protected document and password is sent separately. So if I send an email within my team only I can ask about Jennny Smith from Portland school, but if emailing includes anyone outside the team - eg a clinical psychologist, SALT, teacher etc then children should not be referred to by full name so this child would become 'JS Portland school'. This is not for covering tracks for freedom of information requests, it is because of data protection. The NHS has done this for years but education authorities were slower and as they get data protection training they are toeing the line more. Its something picked up in LA inspections if children are ever referred to by name in external emails.

Actually its a pain in the butt because it means quite often you get an email about a child and you don't know who they are talking about. Makes no difference if parents have requested the info share personally - still initials only.

Thanks for explaining the name redaction ilike, that side of things makes sense now.

For the e-mails sent to me from the LA about DS1, they'd redacted his name in the header, but not in the body of the e-mail text - and there was certainly no use of encryption or password protection for the document attachments.

The LA's use of gmail to communicate sensitive personal information about DS1 still bothers me - in fact, it bothers me more now, in light of the data protection considerations you've just mentioned.

Google automatically scans e-mails sent by gmail so that it can deliver targeted advertising to the gmail account holder. Google argues that "a person has no legitimate expectation of privacy in information [he/she] voluntarily turns over to third parties" - and they are spending large sums in court to defend this stance.

So the LA redacted the identity of DS1 in the e-mail header it used when sending info about him to outside agencies. For data protection. But the LA seemingly then left his data wide open to third party exploitation, because it used gmail to send the data. And all despite the fact that it had its own e-mail systems and servers.

I'm hoping that there's an innocent explanation for it - but I've been around enough special advisers in government to suspect otherwise.

[email protected] sounds like an email address for an outside contractor who handles such things.

Do you think that would qualify as only be shared for the benefit of the child?

[email protected] sounds like an email address for an outside contractor who handles such things

Not sure who that'd be, though - any ideas? This LA uses an in-house team of solicitors for SEN legal advice. The LA's head of SEN services prepares the tribunal casework, pretends to negotiate the working document, dragoons their witnesses, and represents the LA at the hearing.

Tribunal casework is practically all this LA officer does, although responsibility for managing and improving local provision is what the officer is employed to achieve. This officer was averaging about one hearing per week at the last count.

If they're getting their legal advice in-house, who else might they turn to outside the LA for help with tribunal legwork? finding the Tipp-Ex to edit the Christmas card list

Sometimes they instruct external solicitors even when they have their own in-house legal teams, shockingly, for mediations as well as tribunals.

Even if they are not representing the LAs, they are often around advising in the background. Interestingly, the Government isn't interested in addressing this massive power imbalance with the CFB.

I have received this advice on the DPA from a specialist legal team:

There is no blank cheque for sharing information, if that information is personal data. The law defines personal data very broadly, and includes expressions of opinions about the person, or indications of intentions in respect of them. If they are data that relate to your child, and your child can be identified from those data, there are limitations that will apply to how they can be processed which includes sharing them with other people.

For example, if you were to make a written request on your child's behalf, the LA (a data controller) would generally have to tell you whether it is sharing your child's personal data, and give a description of the data, why they are being processed, and with whom they are being shared. There are exceptions to this obligation for health or education-related data processed for court proceedings, or where carrying out the obligation would cause serious harm to any person which don’t appear relevant in this case. However, if a data controller has already complied with a request to that effect, it won’t be obliged to comply with a similar request until after a reasonable interval has passed.

Generally, a data controller can only share personal data in the first place when it can meet one of several conditions. Consent is one of those conditions, but there are others it might be able to rely on if consent hasn’t been given. For example, a data controller can share personal data for the purposes of a “legitimate interest”, as long as the sharing doesn’t unreasonably prejudice the legitimate interests or rights of the data subject. Also, the sharing still needs to be fair and in line with data protection principles: accurate, up-to-date, and not excessive. Whether something is a “legitimate interest” will depend on the particular reasons and facts behind each instance of sharing, but it will always need to be reasonable.

Details about your child's physical or mental health or condition are classed as sensitive personal data, however, and subject to stricter controls. Consent is far more commonly required to share those data: although there are some circumstances in which a data controller can share that data without consent, those are less easily applied. For example, if it was necessary in order to perform one of the functions given to the LA by law. If the LA couldn’t show that was the case, and sensitive personal data was shared without consent, this would be something to approach the ICO with