Personal data is the life blood of social services. Whether providing the care needs of the elderly and disabled, assessing the suitability of foster carers or protecting the welfare of abused children, they need to know sensitive and confidential information to carry out their tasks.

All the more reason therefore, for social services to be at the top of their game in respecting data protection rights.  When it comes to sensitive personal information, sharing it with the wrong people or obtaining it without consent can cause real distress and harm to the very people whose welfare they are charged with protecting.

Unfortunately, though the vast majority of social workers carry out their responsibilities competently and carefully, there are too many cases of fundamental errors coming to light in social services data processing, which may undermine the trust we are obliged to place in them as statutory public services with extensive powers affecting the quality of our lives.

Unlike private companies where data breaches may occur because of a software security hack affecting a large number of people, but without lasting impact on their lives once sorted, social services breaches tend to be individually case-driven.

This can mean that highly sensitive personal information is illegally or mistakenly obtained and shared with other people, maybe family members or connections, causing preventable harm to already fragile situations that may be hard, if not impossible, to repair.

DRM Legal has specialist experience of a wide range of social services data breaches, which may be delicate and complicated to unravel.

These mistakes point to the need for improved training and monitoring of staff in observing data protection and GDPR obligations as a part of the general remit of social services in providing solutions – not problems – in the promotion of personal welfare.

So what sort of problems might arise and why?

The fundamental principle underlying data protection laws is the consent of the data subject to the processing of personal data. But because social services have statutory powers and duties, there are times when they can obtain and share personal information without consent of the data subject.  However, these ‘public interest’ exemptions are limited in law and often only under the direction of a court order.

In the vast majority of situations where social services obtain and share your personal data, they are obligated to get the consent of the data subject with regard to who it may be shared with, for what purpose and for how long.

And this is often where things go wrong.  Take a fostering application.  Social workers are charged with assessing the suitability of prospective foster carers and their partners.  This includes obtaining consent for sharing information about their current and past family circumstances, including enquiries about information on police records.

Social workers do not have an automatic right to obtain people’s police records, but they can do so if there is written evidence of consent.  Many people will have experience of giving consent for a Disclosure and Barring Service disclosure as part of job or voluntary work applications, and they will know there are strict rules on who this sensitive information can be shared with.  Likewise, social workers need your explicit written consent to apply for this type of personal data.

Unfortunately there are some instances of ‘short cutting’ – where social workers presume consent or act on the ‘nod’ of a partner. And once obtained, the data which may include highly confidential information not just of past criminal offences but of being a victim of crime such as sexual assault, where lifelong anonymity is protected by law, is carelessly passed on by email to other unauthorised parties such as birth parents in a fostering applications.

In other situations an ex-partner may be asked for a confidential reference about a prospective foster carer, only to discover this sensitive information was shared with the other ex-partner without consent.

Our experience of social services data breaches

DRM Legal even have experience of a case of a concerned family member making a strictly confidential safeguarding report about a child in good faith which was relayed in writing word for word, including the name and contact details of the reporter, to the parents of the child at risk.

These and similar cases crop up regularly, and may be due to pressure of caseload, or simply a failure to understand the limited circumstances in which the sharing of confidential personal information is permitted, in the absence of consent.

But given their powers and duties, and the trust placed in them by law, it is incumbent on social services to ensure that these all too avoidable and damaging mistakes are minimised, if not eradicated completely.

‘The GDPR has been a big wake-up call for social services’, says solicitor Sarah Bacchus at DRM Legal.

‘For too long mistakes and short-cuts in not obtaining consent or wrongly sharing sensitive information was tolerated as being a regrettable hazard of the job.

‘But now there is a strict protocol of redress, including reporting to the Information Commissioners’ Office, informing data subjects of breaches and awarding compensation where warranted.

‘This can be a costly exercise in time and resources, but more so to reputational damage in the community.

‘Recognising and addressing avoidable data breaches and damage caused to clients, often the most vulnerable and disadvantaged people in the community, is a step on the road to confidence in professional service and data protection compliance.’

If you think your data rights may have been breached by social services (or any other public or private body) contact one of our specialist solicitors at DRM Legal to discuss your options, including whether you are eligible to make a claim for compensation.