Christian Institute v Lord Advocate
[2016] UKSC 51
Trinity Term
[2016] UKSC 51
On appeal from: [2015] CSIH 64
| JUDGMENT |
The Christian Institute and others (Appellants) v The Lord Advocate (Respondent) (Scotland)
before
Lady Hale, Deputy President
Lord Wilson
Lord Reed
Lord Hughes
Lord Hodge
JUDGMENT GIVEN ON
28 July 2016
Heard on 8 and 9 March 2016
Appellants Respondent
Aidan O’Neill QC W James Wolffe QC
| Laura-Anne van der Westhuizen | Christine O’Neill |
(Instructed by Balfour & (Instructed by Solicitor to
Manson) the Scottish Ministers) Intervener (Community Law Advice Network) Ailsa Carmichael QC
(Instructed by Community
Law Advice Network)
LADY HALE, LORD REED AND LORD HODGE: (with whom Lord Wilson and Lord Hughes agree)
The background to Part 4 of the 2014 Act
1. This appeal concerns the question whether the provisions of Part 4 of the Children and Young People (Scotland) Act 2014 lie within the legislative competence of the Scottish Parliament. Before considering the issues that arise (summarised in para 26 below), it is helpful to begin with an account of the
background to the legislation. A suitable starting point is the consultation paper, “A Scotland for Children”, published by the Scottish Government in July 2012. In
general terms, two ideas underlay many of the proposals. The first was a shift away
from intervention by public authorities after a risk to children’s and young people’s
welfare had been identified, to an emphasis on early intervention to promote their wellbeing, understood as including all the factors that could affect their development. The second was a shift away from a legal structure under which the duties of statutory bodies to cooperate with one another (under, for example, section 13 of the National Health Service (Scotland) Act 1978 and section 21 of the Children (Scotland) Act 1995) were linked to the performance of their individual functions,
to ensuring that they work collaboratively and share relevant information so that “all
relevant public services can support the whole wellbeing of children and young
people” (para 73). In that regard, the consultation paper stated that it was “essential
that information is shared not only in response to a crisis or serious occurrence but, in many cases, information should be shared about relevant changes in a child's and
young person’s life”. There was, however, “no commonly agreed process for routine
information sharing about concerns about wellbeing” (para 110). The establishment
of a new professional role, that of named person, was proposed in order to address
those concerns (para 111).2. On its introduction in April 2013, the Children and Young People (Scotland) Bill was accompanied by a Policy Memorandum which was similar in content to the consultation paper. It stated, in relation to named persons:
“They can monitor what children and young people need,
within the context of their professional responsibilities, link with the relevant services that can help them, and be a single point of contact for services that children and families can use, if they wish. The named person is in a position to intervene early to prevent difficulties escalating. The role offers a way for children and young people to make sense of a complicated service environment as well as a way to prevent any problems or challenges they are facing in their lives remaining
unaddressed due to professional service boundaries.” (para 68)
The Bill aimed to ensure that every child in Scotland had a named person (para 70). It provided for a wide-ranging duty on all relevant public authorities to cooperate with the named person in the conduct of their duties. This would be of particular
importance in the area of information sharing, since the “role of the named person
will depend on the successful sharing of information between relevant public
authorities” (para 73).
3. The memorandum explained that concern had been expressed about the existing legal framework for information sharing. This was felt to be confusing and potentially insufficient to enable the role of the named person to operate as well as anticipated. In particular, there were concerns regarding sharing information about children where consent was not given (para 75). The memorandum continued:
“Currently, information about a child may be shared where the
child is at a significant risk of harm. However, the role of the named person is based on the idea that information on less
critical concerns about a child’s wellbeing must be shared if a
full picture of their wellbeing is to be put together and if action is to be taken to prevent these concerns developing into more serious issues. Without the necessary power to share that kind of information, the named person will not be able to act as
effectively as is intended … Specific provisions in the Bill,
therefore, set out arrangements on information sharing, to give professionals and named persons the power to share
information about those concerns.” (paras 76-77)
4. It appears, therefore, that one of the principal purposes of Part 4, as envisaged at that stage, was to alter the existing law in relation to the sharing of information about children and young people, so as to enable information about concerns about their wellbeing, held by individual bodies, to be pooled in the hands of named persons and shared with other bodies, with the ultimate aim of promoting their wellbeing.
The provisions of Part 4
5. Part 4 of the Act begins with section 19, which defines a “named person service” as the service of making available, in relation to a child or young person,
an identified individual who is to exercise the functions listed in subsection (5):
“(a) … doing such of the following where the named person
considers it to be appropriate in order to promote, support or
safeguard the wellbeing of the child or young person -
(i) advising, informing or supporting the child or young person, or a parent of the child or young person,
(ii) helping the child or young person, or a parent of
the child or young person, to access a service or support,
or
(iii) discussing, or raising, a matter about the child or
young person with a service provider or relevant
authority, and
(b) such other functions as are specified by this Act or any other enactment as being functions of a named person in
relation to a child or young person.”
In relation to section 19(5)(a)(iii), the expression “service provider” is defined by
section 32 as meaning, in a context of this kind, each health board, local authority,
directing authority, and the Scottish Ministers. The expression “directing authority”
is defined by section 32 as meaning the managers of each grant-aided school, the proprietor of each independent school, and the local authority or other person who manages each residential establishment which comprises secure accommodation.
The expression “relevant authorities” is defined by section 31 and Schedule 2 as
including a wide variety of public bodies, including NHS 24, NHS National Services Scotland, the Scottish Ambulance Service Board, the Scottish Sports Council, the Scottish Police Authority, and the Scottish Fire and Rescue Service.
6. Under sections 20 and 21, responsibility for the provision of a named person service lies with health boards in relation to all pre-school children residing within their area, and generally with local authorities in relation to all other children residing within their area. There are exceptions in relation to pupils at independent and grant-aided schools, where responsibility lies with the directing authority; children kept in secure accommodation, where responsibility lies with the directing authority; children kept in custody, where responsibility lies with the Ministers; and children (as defined) who are members of the armed forces. Under section 22, named person services must also be provided in relation to all young people over 18 who remain at school. Responsibility for making provision for them in that situation lies with the local authority, except in relation to young people at independent or grant- aided schools, where responsibility lies with the directing authority.
7. Section 23 deals with the communication of information following a change in the identity of the service provider in relation to a child or young person (defined by section 32, in this context, as meaning the person whose function it is to make arrangements for the provision of a named person service in relation to the child or young person). That will occur, for example, when a child first goes to school, and the service provider ceases to be the health board and becomes the local authority or directing authority, or when a child goes from a local authority school to an independent or grant-aided school, and the service provider ceases to be the local authority and becomes the directing authority of the school. In terms of section 23(2)(b), the outgoing service provider must provide the incoming service provider with:
“(i) the name and address of the child or young person and
each parent of the child or young person (so far as the outgoing
service provider has that information), and
(ii) all information which the outgoing service provider holds which falls within subsection (3).”
Information falls within section 23(3) if the outgoing service provider considers that:
“(a) it is likely to be relevant to - (i) the exercise by the incoming service provider of any functions of a service provider under this Part, or
(ii) the future exercise of the named person functions in relation to the child or young person,
(b) it ought to be provided for that purpose, and (c) its provision would not prejudice the conduct of a criminal investigation or the prosecution of any offence.”
8. In considering for the purpose of section 23(3)(b) whether information ought to be provided, the outgoing service provider is, so far as reasonably practicable, to ascertain and have regard to the views of the child or young person, taking account
of the child’s age and maturity: section 23(4) and (5). In terms of section 23(6), the
outgoing service provider may decide for the purpose of section 23(3)(b) that information ought to be provided only if the likely benefit to the wellbeing of the child or young person outweighs any likely adverse effect on that wellbeing. Section 23(7) provides:
“Other than in relation to a duty of confidentiality, this section
does not permit or require the provision of information in breach of a prohibition or restriction on the disclosure of
information arising by virtue of an enactment or rule of law.”
9. Section 24 imposes on service providers a duty to publish information about the operation of the named person service, and to provide children and young people and their parents with information about the arrangements for contacting named persons. Section 25 imposes on service providers and relevant authorities a duty to help in the exercise of named person functions.
10. Section 26 is concerned with the sharing of information, and is expressed in similar language to section 23. It imposes two duties to disclose information, and also confers a power. First, under section 26(1), a service provider or relevant authority (or any person exercising a function on their behalf, such as an independent contractor: section 26(10)) must provide to the service provider in relation to a child or young person any information which falls within subsection (2). Information falls within section 26(2) if the information holder considers that:
“(a) it is likely to be relevant to the exercise of the named person functions in relation to the child or young person,
(b) it ought to be provided for that purpose, and (c) its provision to the service provider in relation to the child or young person would not prejudice the conduct of any
criminal investigation or the prosecution of any offence.”
11. Secondly, under section 26(3) the service provider in relation to a child or young person must provide to a service provider or relevant authority (or any person exercising a function on their behalf) any information which falls within subsection (4). Information falls within section 26(4) if the information holder considers that:
“(a) it is likely to be relevant to the exercise of any function
of the service provider or relevant authority which affects or
may affect the wellbeing of the child or young person,
(b) it ought to be provided for that purpose, and (c) its provision to the service provider or relevant authority would not prejudice the conduct of any criminal investigation
or the prosecution of any offence.”
In considering for the purpose of section 26(2)(b) and the corresponding provision in section 26(4)(b) whether information ought to be provided, the information holder is, so far as reasonably practicable, to ascertain and have regard to the views of the
child or young person, taking account of the child’s age and maturity: section 26(5)
and (6). In terms of section 26(7), the information holder may decide for the purpose of section 26(2)(b) and (4)(b) that information ought to be provided only if the likely benefit to the wellbeing of the child or young person outweighs any likely adverse effect on that wellbeing.
12. Thirdly, section 26(8) confers an additional power: the service provider in relation to a child or young person may provide to a service provider or relevant authority any information which falls within subsection (9). Information falls within section 26(9) if the information holder considers that its provision to the service provider or relevant authority is necessary or expedient for the purpose of the exercise of any of the named person functions.
13. Finally, in relation to section 26, subsection (11) provides:
“Other than in relation to a duty of confidentiality, this section
does not permit or require the provision of information in breach of a prohibition or restriction on the disclosure of
information arising by virtue of an enactment or rule of law.”
Section 27 makes further provision in relation to the disclosure of information in breach of a duty of confidentiality: where a person by virtue of Part 4 provides information in breach of such a duty and informs the recipient of that breach, the recipient may not provide the information to another person unless its provision is permitted or required by virtue of any enactment or rule of law.
14. Section 28 imposes a duty on local authorities, health boards, directing authorities and relevant authorities to have regard to guidance issued by the Ministers about the exercise of functions conferred by Part 4. Section 29 imposes a duty on the same bodies to comply with any direction issued by the Ministers. Section 30 confers on the Ministers a power to make provision about complaints concerning the exercise of functions conferred by or under Part 4.
15. These provisions confirm that one of the central purposes of Part 4 is to establish new legal powers and duties, and new administrative arrangements, in relation to the sharing of information about children and young people, so as to create a focal point, in the form of named persons, for the pooling and sharing of such information, and the initiation of action to promote their wellbeing.
16. The terms in which sections 23 and 26 define the information which is subject to those powers and duties indicate an intention that the range of information to be shared will depend on the exercise of judgement by the information holder, and is potentially very wide. That is consistent with the emphasis in the consultation paper on collaborative working and routine information-sharing. Thus, under sections 23(3) and 26(2), the duty to share information does not depend on whether it is objectively relevant or necessary that it should be shared, but on whether the information holder considers that the information is likely to be relevant to the exercise of the named person functions (or, as the case may be, the functions of a service provider under Part 4): functions which are defined by section 19(5) by reference to what the named person considers to be appropriate in order to promote, support or safeguard wellbeing. Section 26(4)(a) is equally wide: the duty again applies to information which the information holder considers is likely to be relevant to the exercise of a function, and in addition the function need not be one which actually affects the wellbeing of a child or young person, but merely one which the information holder considers may affect their wellbeing. Section 26(9) is wider still: the power of disclosure conferred by section 26(8) can be exercised in relation to information whose disclosure the information holder considers to be necessary or expedient for the purpose of the exercise of any of the named person functions.
“Wellbeing” is not defined. The only guidance as to its meaning is provided by
section 96(2), which lists eight factors to which regard is to be had when assessing wellbeing. The factors, which are known under the acronym SHANARRI, are that
the child or young person is or would be: “safe, healthy, achieving, nurtured, active,
respected, responsible, and included”. These factors are not themselves defined, and
in some cases are notably vague: for example, that the child or young person is
“achieving” and “included”.
17. The identification of a wellbeing need does not of itself give rise to
compulsory measures. Part 5 of the Act introduces the “child’s plan” and “targeted
interventions”. Section 33(2) defines “wellbeing need” broadly: a child has a
wellbeing need “if the child’s wellbeing is being, or is at risk of being, adversely
affected by any matter”. Where the responsible authority considers that a child has
a wellbeing need and that that need cannot be met, or met fully, without a targeted intervention which is capable of meeting the need to some extent, it is to prepare a
child’s plan for a targeted intervention or interventions. A targeted intervention is
the provision of services for the child to meet needs which are not capable of being fully met by the general services to children which the relevant authority provides
(section 33(4)). The child’s plan identifies the relevant authority which is to provide
the service, the manner in which it is to be provided and the outcome which the targeted intervention is intended to achieve (section 34(1)). This does not involve
any compulsion. Further, in deciding whether a child requires a child’s plan the
responsible authority is required to consult the named person and, so far as reasonably practicable, to ascertain and have regard to the views of the child and the
child’s parents, among others (section 33(6)).
The Scottish Government’s revised draft statutory guidance
18. Section 28(1) of the Act provides that a local authority, a health board, a directing authority and a relevant authority must have regard to guidance issued by the Scottish Ministers about the exercise of functions under Part 4. The Scottish Government in performance of its duty under section 96(3) published revised draft
statutory guidance (“RDSG”) in December 2015. The RDSG is aimed at the
strategic leaders and operational managers of health boards, local authorities, directing authorities and relevant authorities, which are responsible for operating Parts 4, 5 and 18 of the Act. It provides that the organisations must have regard to the guidance in carrying out those functions (para 1.2.2). It states (para 1.2.5) that separate practice materials will be made available for practitioners. It records the success of the pathfinder project set up in the Highland council area in 2006, which
achieved the better coordination of assessment and planning in support of children’s
needs by establishing common procedures and processes for sharing concerns about
a child (para 1.3.3). It states:
“The pathfinder brought significant improvements to children
and young people and their families, reducing the need for
statutory intervention in children’s and families’ lives by
resolving potential problems at an earlier stage.”
The improvements included greater clarity about whom families should go to when
they needed help, falls in the number of referrals to the Children’s Reporter, a
reduced number of children placed on the Child Protection Register, and the focussing of resources on the children who needed most support (para 1.3.3). It records that the approach had been adopted to varying degrees across Scotland (para 1.3.4).
19. The RDSG provides a useful insight into the context in which the named person is expected to operate. It explains that “wellbeing is multidimensional” (para 2.3.4) and that wellbeing is “a broader, more holistic concept” than welfare (para
2.3.5). It advises on the relationship between child protection and wellbeing in these
terms at para 2.3.6:
“child protection is not something which sits separately from
wellbeing. Indeed a series of low level indicators of wellbeing need (whether obviously related or not) taken together can amount to a child protection issue. Child protection requires taking prompt action to safeguard a child where an assessment indicates that the child may be at risk of significant harm. The
child’s wider wellbeing should also be assessed to ensure their
current and future holistic needs are considered.”
In para 2.4.2, it gives guidance on the interpretation of the eight wellbeing indicators in section 96(2) as follows:
“Safe - protected from abuse, neglect or harm at home, at
school and in the community.
Healthy - having the highest attainable standards of physical and mental health, access to suitable healthcare, and support in learning to make healthy, safe choices.
Achieving - being supported and guided in learning and in the development of skills, confidence and self-esteem, at home, in school and in the community.
Nurtured - having a nurturing place to live in a family setting, with additional help if needed, or, where this is not possible, in a suitable care setting.
Active - having opportunities to take part in activities such as play, recreation and sport, which contribute to healthy growth and development, at home, in school and in the community.
Respected - having the opportunity, along with carers, to be heard and involved in decisions that affect them.
Responsible - having opportunities and encouragement to play active and responsible roles at home, in school and in the community, and where necessary, having appropriate guidance and supervision, and being involved in decisions that affect them.
Included - having help to overcome social, educational, physical and economic inequalities, and being accepted as part
of the community in which they live and learn.”
20. The RDSG observes (at para 2.5.4) that the views of the child, young person
or parents may differ from the practitioner’s view of wellbeing needs and states that
“a holistic assessment should take account of all views”. It recognises that children
can thrive in different environments and counsels respect for their and their parents’ culture and beliefs (para 2.5.5). It advises that a referral to the Children’s Reporter
should be made where the wellbeing assessment reveals that a child needs protection, guidance, treatment or control and that a compulsory supervision order might be needed (para 2.5.6). It continues (at para 2.5.7):
“Early intervention and a compulsory supervision order are not
mutually exclusive in promoting, supporting and safeguarding the wellbeing of a child or young person. The use of compulsion at an early stage may help to ensure compliance with interventions, and prevent wellbeing needs escalating. Parental capacity and willingness to change should be
considered in order to assess whether the child’s wellbeing
needs are likely to be met by voluntary support or whether a
compulsory supervision order might be necessary.”
21. A named person, on becoming aware of a wellbeing need, should use professional judgement in deciding how to respond. “Seeking and considering the
views of the child and parent should be a key part of the process unless doing this is
likely to be detrimental to the child’s wellbeing” (para 4.1.28).
22. The RDSG also gives guidance on the information-sharing duties contained in sections 23, 26 and 27 of the Act. It records (para 10.1.2) that Part 4 of the Act does not change the type of information being shared and received by service providers and relevant authorities but expresses the view that the Act will increase consistency in practice which in turn is likely to mean that more information will be
shared. It advises that the Information Commissioner’s Office (ICO) Guide to Data
Protection and its Data Sharing Code of Practice should be used to support the governance of data sharing (para 10.1.4). On article 8 of the European Convention
on Human Rights (“ECHR”) it states (para 10.3.1):
“The right to privacy in article 8 is a qualified rather than an
absolute right. Public authorities can share information if it is lawful and proportionate to do so, but each case must be considered carefully to assess what is lawful and proportionate
in the particular circumstances.”
23. The RDSG refers to the three tests for the sharing of information in section 26(2) and (4), namely (i) that the information is likely to be relevant to the exercise of the functions in question, (ii) that it ought to be provided for that purpose, and (iii) that the sharing of the information would not prejudice the conduct of a criminal investigation or the prosecution of any offence. In its discussion of the second test (para 10.7.4) it states:
“It is routine good practice to seek parents’ views about
information shared, unless it would be against the child’s
wishes, where they are considered capable of making that decision, or where seeking the views of the parent may be
detrimental to the child’s wellbeing.”
It states that “in all but exceptional situations, the child or young person, and, as
appropriate, their parents” will be involved in the decision to share information (para
10.10.3) (emphasis added). It does not make the involvement of the parents a requirement in all but exceptional circumstances. It says, without elaborating, that there must be no other legal restrictions (paras 10.7.1 and 10.8.1). It explains the discretionary power of a named person service provider to share information under section 26(8) and (9) in para 10.11:
“where the named person service has identified a wellbeing
need or has been made aware of a likely wellbeing need they have the opportunity to share information in order to explore options for support or to make enquiries on behalf of the child,
young person or parents.”
It states in relation to this discretionary sharing of information (para 10.11.2): “Any
information shared must be legal and considered in terms of the principles and
boundaries of data protection, human rights and children’s rights”, again without
elaboration.
24. It explains section 26(11) in these terms (paras 10.13.2 - 10.13.4):
“This sub-section of the Act permits health professionals and
others governed by a professional or common law duty of confidentiality to legally disclose relevant information without
the information provider’s consent where disclosure of that
information has been considered and meets the tests set out in
the relevant sub-sections of section 26.Section 26(11) does not permit or require the sharing of information in breach of any other legal restriction such as the
[Data Protection Act 1998 (‘DPA’)], the Human Rights Act
1998, an order of the court or a decision by a Children’s
Hearing specifying non-disclosure of specific information.
In all but exceptional situations, the child or young person, and - as appropriate - their parents, will be involved in the decision to share information and will be told what information has been
shared in breach of a duty of confidentiality.” (emphasis added)
25. Finally, the RDSG’s guidance on section 27 (disclosure of information
provided in breach of confidentiality) is as follows (para 10.14.2):
“If the person receiving the information believes it is necessary
to share all or part of it in order to promote, support or
safeguard the child’s wellbeing, then the considerations in
section 26 must be applied. This would include taking into
account the child’s views and understanding the likely effect of
sharing on the child’s wellbeing. Other legal requirements must also be considered, including the DPA and the child’s right to
private and family life under article 8 of the ECHR. Decisions to share information in these situations will need to be
evidenced, and the rationale recorded.” (emphasis added)
The challenges to legislative competence
26. Section 29(1) of the Scotland Act 1998 provides that an Act of the Scottish Parliament is not law so far as any provision of the Act is outside its legislative competence. In terms of section 29(2), a provision is outside its competence so far as any of the following paragraphs apply. Paragraph (b) applies where the provision
“relates to reserved matters”. We address that challenge in section I (paras 27 to 66
below). Paragraph (d) applies where the provision “is incompatible with any of the Convention rights or with EU law.” We address the Convention rights challenge and
comment briefly on the EU law challenge in sections II and III (paras 67 to 105
below).
I The reserved matters challenge 27. The appellants are four registered charities with an interest in family matters and three individual parents. They challenge the lawfulness of the data sharing and retention provisions in the Act on the ground that they relate to reserved matters, with the consequence that section 29(2)(b) of the Scotland Act applies. They have focused on sections 26 and 27 of the 2014 Act, but their arguments apply also in relation to section 23(2). In terms of section 29(3) of the Scotland Act, the question whether a provision relates to a reserved matter is to be determined (subject to
subsection (4), which has no bearing on the present case) “by reference to the
purpose of the provision, having regard (among other things) to its effect in all the
circumstances”.
28. Section 30 of the Scotland Act gives effect to Schedule 5, in which reserved matters are defined. In particular, paragraph 1 of Part II of Schedule 5 provides that the matters to which the Sections in that Part apply are reserved matters. As was pointed out by Lord Hope in Imperial Tobacco Ltd v Lord Advocate [2012] UKSC 61; 2013 SC (UKSC) 153, in a judgment with which the other members of the court agreed, the matters listed have a common theme:
“It is that matters in which the United Kingdom as a whole has
an interest should continue to be the responsibility of the UK Parliament at Westminster. They include matters which are affected by its treaty obligations and matters that are designed to ensure that there is a single market within the United
Kingdom for the free movement of goods and services.” (para
29)
Amongst the matters listed in Schedule 5 is Section B2:
“B2. Data protection The subject-matter of -
(a) the Data Protection Act 1998, and (b) Council Directive 95/46/EC (protection of individuals with regard to the processing of personal data and on the free movement of such
data).”
Paragraph 5 of Part III of Schedule 5 provides that references in the schedule to the subject-matter of any enactment are to be read as references to the subject-matter of that enactment as it had effect on the principal appointed day, which was 1 July
1999. It is therefore the version of the Data Protection Act (“DPA”) which was in
force on that date which is relevant.
29. This court has had to apply section 29(2)(b) and (3) on a number of occasions, and the approach to be adopted is now well established. In Martin v Most [2010] UKSC 10; 2010 SC (UKSC) 40, para 49, Lord Walker said that the expression
“relates to” was
“familiar in this sort of context, indicating more than a loose or
consequential connection, and the language of section 29(3),
referring to a provision’s purpose and effect, reinforces that.”
That approach was endorsed by Lord Hope in Imperial Tobacco (para 16).
30. Whether a provision “relates to” a reserved matter, in the sense explained by
Lord Walker, is determined by reference to the purpose of the provision in question. That purpose is to be ascertained having regard to the effect of the provision, amongst other relevant matters. As was said in relation to the similar provisions in the Government of Wales Act 2006 in In re Agricultural Sector (Wales) Bill [2014] UKSC 43; [2014] 1 WLR 2622, para 50:
“As the section requires the purpose of the provision to be
examined it is necessary to look not merely at what can be discerned from an objective consideration of the effect of its
terms.”
31. Determining the purpose of a provision may not be an easy matter. For example, must a single predominant purpose be identified, or will the provision relate to a reserved matter provided one purpose which can properly be attributed to it justifies that conclusion? That question was considered, obiter, by Lord Hope in Imperial Tobacco. The legislation in issue imposed restrictions upon the advertising and sale of tobacco products, and was challenged as relating to reserved matters, namely consumer protection and product safety. Lord Hope stated:
“I do not see this as a case which gives rise to the problem
which may need to be dealt with if the provision in question has two or more purposes, one of which relates to a reserved matter. In such a situation the fact that one of its purposes relates to a reserved matter will mean that the provision is outside competence, unless the purpose can be regarded as consequential and thus of no real significance when regard is
had to what the provision overall seeks to achieve.” (para 43)
32. This approach should not be confused with the “pith and substance” test
developed to resolve problems in a number of federal systems, to which the Court of Session referred in the present case. Although in Martin v Most Lord Hope mentioned cases applying that test as forming part of the background to the scheme applied in the Scotland Act, he went on to point out that the phrase did not appear in the Act, and that the rules which had to be applied were those laid down in the Act (para 15). In Imperial Tobacco, Lord Hope emphasised the latter point:
“[T]he intention was that it was to the 1998 Act itself, not to
decisions as to how the problem was handled in other jurisdictions, that one should look for guidance. So it is to the rules that the 1998 Act lays down that the court must address
its attention.” (para 13)
So, in the present case, the Second Division’s finding that the pith and substance of
the 2014 Act are child protection does not answer the question whether any of its
provisions relate to the subject-matter of the DPA and Directive 95/46/EC (“the
Directive”).33. It is necessary only to add that the question whether a provision of an Act of the Scottish Parliament relates to a reserved matter is different from the question whether such a provision modifies the law on reserved matters. The latter question is addressed by section 29(2)(c) of the Scotland Act and Schedule 4, paragraph 2.
The subject-matter of the Directive
34. The Directive was made under article 100a of the EC Treaty, which authorises measures for the harmonisation of national laws with the aim of achieving the internal market. The subject-matter of the Directive is described in general terms
in its title: it is a directive “on the protection of individuals with regard to the
processing of personal data, and the free movement of such data”. The link between these two subjects is explained in the recitals. In particular, recital 7 states that “the
difference in levels of protection of the rights and freedoms of individuals, notably the right to privacy, with regard to the processing of personal data afforded in the member states may ... constitute an obstacle to the pursuit of a number of economic activities at Community level, distort competition and impede authorities in the
discharge of their responsibilities under Community law.” The recital continues by noting that “this difference in levels of protection is due to the existence of a wide
variety of national laws, regulations and administrative provisions”. Accordingly, recital 8 states that “in order to remove the obstacles to flows of personal data, the
level of protection of the rights and freedoms of individuals with regard to the
processing of such data must be equivalent in all member states”. The intended result, as recital 9 states, is that “given the equivalent protection resulting from the
approximation of national laws, the member states will no longer be able to inhibit the free movement between them of personal data on grounds relating to protection
of the rights and freedoms of individuals, and in particular the right to privacy”. The
scope of application of the Directive is not, however, restricted to situations involving free movement: Bodil Lindquist (Case C-101/01) [2003] ECR I-12971, paras 40-44.
35. Turning to the substantive articles of the Directive, Chapter I sets out general provisions. In particular, article 1 defines the twofold object of the Directive:
“1. In accordance with this Directive, member states shall protect the fundamental rights and freedoms of natural persons, and in particular their right to privacy with respect to the processing of personal data.
2. Member states shall neither restrict nor prohibit the free flow of personal data between member states for reasons
connected with the protection afforded under paragraph 1.”
36. Article 2 defines certain terms, and article 3 describes the scope of the
Directive. In terms of article 3(1), it applies to “the processing of personal data
wholly or partly by automatic means, and to the processing otherwise than by automatic means of personal data which form part of a filing system or are intended
to form part of a filing system.” “Personal data” is defined by article 2(a) as meaning “any information relating to an identified or identifiable natural person (‘data
subject’)”. “Processing of personal data” is defined by article 2(b) as meaning “any
operation or set of operations which is performed upon personal data, whether or not by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking,
erasure or destruction”. Article 3(2) lists certain circumstances in which the
Directive is not to apply. It has not been argued that any of those circumstances applies in the present case.
37. Chapter II sets out general rules on the lawfulness of the processing of personal data. Article 5 requires member states, within the limits of the provisions of that Chapter, to determine more precisely the conditions under which the processing of personal data is lawful. Article 6 sets out five general principles,
somewhat misleadingly described as “principles relating to data quality”, to which
member states must give effect. For example, the second principle is that personal
data must be “collected for specified, explicit and legitimate purposes and not further
processed in a way incompatible with those purposes”. Article 7 sets out six general conditions, described as “criteria for making data processing legitimate”, which
member states must apply to the processing of personal data, so that at least one of the conditions is satisfied. Article 8 sets out particular rules in relation to the processing of what are described as special categories of data, including data revealing racial or ethnic origins, and data concerning health or sex life. Article 8(1) requires member states to prohibit the processing of such data. The remaining paragraphs of article 8 then disapply article 8(1) in a number of specified circumstances, to which it will be necessary to return.
38. Articles 10 and 11 require member states to provide that the data controller must provide the data subject with information about the processing of his personal data. Article 12 requires member states to guarantee certain rights of data subjects in relation to data controllers. Article 13 permits member states to adopt legislation restricting the scope of certain of these rights and obligations where specified conditions are met. Article 14 requires member states to grant the data subject the right to object to the processing of his personal data in certain circumstances. Most of the remaining provisions of Chapter II are concerned with the regulation of data controllers. Chapter III is concerned with judicial remedies, liability, and sanctions. Chapter IV is concerned with the transfer of personal data to third countries. Chapter V is concerned with codes of conduct, and Chapter VI with the establishment of national supervisory authorities and of an EU working party. Finally, Chapter VII is concerned with Community implementing measures.
39. Put shortly, therefore, the Directive was designed to harmonise the laws of
the member states relating to the protection of individuals’ interests in relation to
the use of their personal data. Its provisions specify the standards of protection which the laws of the member states must afford, and the methods by which those standards are to be secured and enforced.
The subject-matter of the DPA
40. The DPA is the measure implementing the Directive in the UK. One would therefore expect its subject-matter to be the same as that of the Directive, and so it proves. The subject-matter of the DPA is described in general terms in its short title:
“the regulation of the processing of information relating to individuals, including
the obtaining, holding, use or disclosure of such information”.
41. Part I of the DPA defines some of the critical terms, broadly following the definitions in the Directive. Part I also contains some other fundamental provisions of the DPA. Section 4 imposes on a data controller an obligation to comply with the data protection principles set out in Part I of Schedule 1, to which it will be necessary to return. Section 6 establishes the office of Information Commissioner, known in 1999 (cf para 28 above) as the Data Protection Commissioner. Part II of the DPA confers various rights on individuals relating to information concerning themselves, including rights to access personal data (section 7), to prevent processing which is likely to cause damage or distress (section 10), and to apply for the rectification or destruction of inaccurate data (section 14). Part III contains provisions relating to the regulation of data controllers by the Commissioner. Part IV makes provision for exemptions from the data protection principles, and from Parts II and III. Part V concerns enforcement by the Commissioner, and Part VI contains miscellaneous and general provisions.
42. It is apparent that the DPA is intended to secure equivalent standards of protection of the rights of individuals in relation to the processing of personal data throughout the UK, and equivalent methods of securing and enforcing those standards. That is as one would expect, given the aims of the Directive. Accordingly, the DPA applies to data controllers throughout the UK: section 5. It establishes a single regulatory authority for the whole of the UK: section 6. (Somewhat confusingly, a separate Scottish Information Commissioner exercises functions under the Freedom of Information (Scotland) Act 2002, but has no regulatory role in relation to data protection). The Commissioner is the designated authority in the UK for the purposes of the 1981 Council of Europe Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data, and is also the supervisory authority in the UK for the purposes of the Directive: section 54(1). He is accountable to the UK Parliament, and must lay before it reports and codes of practice: section 52. His accounts are examined by the Comptroller and Auditor General: Schedule 5, Part I, paragraph 10. His power to issue codes of practice is exercisable as directed by the Secretary of State: section 51(3). The powers to make orders, regulations and rules under the DPA are exercisable only by the Secretary of State, and only by means of a statutory instrument approved by the UK Parliament: see, for example, sections 30, 38, 54, 64 and 67. The power to designate codes of practice, for the purpose of exemptions relating to journalism, literature and art, is similarly conferred on the Secretary of State: section 32(3). Appeals under the DPA lie to the First-tier and Upper Tribunals (in 1999, to the Data Protection Tribunal) throughout the UK: section 70(1).
43. The DPA allows scope for derogation from certain of its requirements by enactments either of the UK Parliament or of the Scottish Parliament. An example relevant to the present case, to which it will be necessary to return, is section 35(1), under which personal data are exempt from certain provisions relating to the disclosure of information where the disclosure is required by or under any
“enactment”, an expression which is defined by section 70(1) as including any
enactment comprised in, or in any instrument made under, an Act of the Scottish
Parliament.44. Put shortly, therefore, the DPA was designed to implement the Directive by
establishing standards of protection of individuals’ interests in relation to the use of
their personal data, and methods by which those standards are to be secured and enforced, which are equivalent in effect throughout the UK. In particular, it imposes obligations on data controllers in relation to the processing of data, and creates rights on the part of data subjects. It also creates a system for the regulation of data controllers by the Commissioner. It allows scope, however, for derogation from certain of its requirements by legislation which need not be UK-wide in application.
The effect of Part 4 of the 2014 Act in relation to the DPA
45. The bodies described in Part 4 of the 2014 Act as service providers, relevant authorities and directing authorities are currently subject, prior to the entry into force of that Act, to a variety of legal duties in relation to the disclosure of information, including duties imposed by the DPA. In particular, as mentioned earlier, section 4 of that Act imposes on a data controller an obligation to comply with the data protection principles set out in Part I of Schedule 1. Those principles include the following:
“1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless -
(a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.
2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they
are processed.”
Section 2 of the DPA defines “sensitive personal data” as including (amongst other
matters) information as to a person’s racial or ethnic origins, his physical or mental
health or condition, his sexual life, or the commission or alleged commission by him
of any offence.46. Those principles are supplemented by the provisions of Part II of Schedule 1 to the DPA, which indicate how they are to be interpreted. For example, Part II contains provisions specifying circumstances in which a data subject is to be provided with information, and the nature of that information, in order for the data to be regarded as having been processed fairly for the purposes of the first principle.
47. In relation to the conditions referred to in the first principle, Schedule 2 sets out the following conditions, so far as material to the present case:
“1. The data subject has given his consent to the processing. ... 3. The processing is necessary for compliance with any
legal obligation to which the data controller is subject, other
than an obligation imposed by contract.
4. The processing is necessary in order to protect the vital interests of the data subject.
5. The processing is necessary -
... (b) for the exercise of any functions conferred on any person by or under any enactment ...
6. (1) The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate
interests of the data subject.”
48. It follows from those conditions that, prior to the entry into force of the 2014 Act, a data controller in Scotland can disclose information about a child or young person without her consent (assuming, in the case of a statutory body, that the disclosure is otherwise within its powers), if the disclosure is necessary to protect her vital interests (condition 4), a test which requires more than that it is likely to benefit her wellbeing; or if the disclosure is necessary for the exercise of a statutory function (condition 5(b)), but not merely because it considers that the information is likely to be relevant to the exercise of that function. The data controller is also, of course, obliged to comply with the other data protection principles so far as relevant, and with any requirements arising from Part II of Schedule 1. In particular, it is required to comply with the third data protection principle, in terms of which personal data must be relevant (and not merely considered by the data controller to be likely to be relevant) in relation to the purpose or purposes for which they are processed.
49. In relation to sensitive data, Schedule 3 sets out the following additional conditions, so far as material:
“1. The data subject has given his explicit consent to the processing of the personal data.
...
3. The processing is necessary -
(a) in order to protect the vital interests of the data subject or another person, in a case where -
(i) consent cannot be given by or on behalf of
the data subject, or
(ii) the data controller cannot reasonably be
expected to obtain the consent of the data subject,
or
(b) in order to protect the vital interests of another
person, in a case where consent by or on behalf of the
data subject has been unreasonably withheld.
...
7. (1) The processing is necessary -
... (b) for the exercise of any functions conferred on any person by or under an enactment ...
8. The processing is necessary for medical purposes and is undertaken by -
(a) a health professional, or (b) a person who in the circumstances owes a duty of confidentiality which is equivalent to that which would
arise if that person were a health professional.”
50. It follows from those conditions that, prior to the entry into force of the 2014 Act, a data controller in Scotland of sensitive data can disclose information about the health or sexual life of a child or young person, without his or her explicit consent (assuming, in the case of a statutory body, that the disclosure is otherwise within its powers), if the disclosure is necessary in order to protect his or her vital interests (and not merely because it is likely to benefit her wellbeing) and, in addition, it is either impossible for him or her to give consent or the data controller cannot reasonably be expected to obtain it (condition 3). The information can also be disclosed if its disclosure is necessary for the exercise of a statutory function (condition 7(1)(b)), but not merely because the data controller considers that the information is likely be relevant to the exercise of that function. It can also be disclosed for medical purposes, but only where a duty of confidentiality is owed (condition 8): a requirement which gives rise to a difficulty (not discussed in this appeal) where disclosure is liable to be made under Part 4 of the 2014 Act, since sections 23(7) and 26(11) of the 2014 Act override duties of confidentiality. It is in addition necessary to comply with the other data protection principles, and with any requirements arising from Part II of Schedule 1.
51. The effect of Part 4 of the 2014 Act on the requirements of the DPA is extremely complex. Numerous difficult questions are liable to arise, which were not discussed in detail, if at all, in the present appeal. A sufficient idea of the effect of Part 4 can, however, be obtained to enable the issue arising in relation to reserved matters to be determined.
52. It may be helpful to explain at the outset that much of the difficulty arises from sections 23(7) and 26(11) of the 2014 Act, in terms of which sections 23 and 26 do not permit or authorise the provision of information in breach of a prohibition or restriction on its disclosure arising by virtue of an enactment or rule of law (other than in relation to a duty of confidentiality). This means that the powers and duties of disclosure set out in sections 23 and 26 cannot be taken at face value. To the extent that their terms may be inconsistent with the requirements of the DPA, they have no effect. The DPA itself, however, contains provisions which confer exemptions from some of its requirements where they are inconsistent with another enactment, or which treat some of its requirements as satisfied where disclosure is necessary for compliance with a statutory obligation. In these circumstances, it is necessary for anyone wanting to understand the effect of sections 23 and 26 on the disclosure of information to have the 2014 Act in one hand and the DPA in the other, to determine the priority which their provisions have vis-à-vis one another notwithstanding the logical puzzle created by sections 23(7) and 26(11) of the 2014 Act when read with the DPA, and to try, by cross-reference, to work out their cumulative effect.
53. One potentially significant effect follows from section 35(1) of the DPA, in terms of which personal data are exempt from the non-disclosure provisions where
the disclosure is “required” by or under any enactment. A provision of an Act of the
Scottish Parliament is an enactment for this purpose: section 70(1). The non- disclosure provisions are defined by section 27(3) of the DPA as meaning the provisions specified in section 27(4) of that Act, to the extent to which they are inconsistent with the disclosure in question. Those provisions are the first data protection principle, except to the extent to which it requires compliance with the conditions in Schedules 2 and 3, the second, third, fourth and fifth data protection principles, section 10 (the right to prevent processing likely to cause damage or distress) and section 14(1) to (3) (the rectification, blocking, erasure and destruction of data). Sections 23(2), 26(1) and 26(3) of the 2014 Act require the disclosure of personal data, subject to sections 23(7) and 26(11). Accordingly, if those provisions are within devolved competence, and if the logical puzzle as to whether section 35(1) of the DPA prevails over sections 23(7) and 26(11) of the 2014 Act is resolved in favour of section 35(1) (a point which was not the subject of argument in this appeal, but was the implicit basis on which the arguments proceeded), then it follows that disclosure as required by sections 23 and 26 is exempt from the non-disclosure provisions, as defined, to the extent that the non-disclosure provisions are inconsistent with the disclosure.
54. For example, the third data protection principle is inconsistent with the disclosure required by sections 23(2), 26(1) and 26(3) of the 2014 Act, since those provisions require disclosure of information which is considered by the data
processor to be “likely to be relevant”, whereas the third principle requires any
personal data disclosed to be “relevant”, as well as adequate and not excessive in
relation to the purpose or purposes for which they are processed. On the other hand, the fifth principle (that data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes) is not inconsistent with sections 23 and 26 of the 2014 Act, and therefore continues to apply. The duties of disclosure imposed by sections 23 and 26 remain subject to numerous other provisions of the DPA, including the first data protection principle, to the extent to which it requires compliance with the conditions in Schedules 2 and 3. The power
conferred by section 26(8) of the 2014 Act, on the other hand, does not “require”
disclosure, and therefore cannot benefit from the exemption conferred by section
35(1) of the DPA.55. The discussion in this appeal focused on only one aspect of the complex inter- relationship between Part 4 of the 2014 Act and the DPA, namely the question whether disclosure in accordance with the duties imposed by Part 4 of the 2014 Act would comply with the conditions imposed by Schedules 2 and 3 to the DPA. It was argued on behalf of the Ministers that conditions 3 and 5(b) in Schedule 2, and condition 7(1)(b) in Schedule 3, would be met. Condition 3 is satisfied where the
processing “is necessary for compliance with any legal obligation to which the data
controller is subject, other than an obligation imposed by contract”. Condition 5(b)
in Schedule 2, and condition 7(1)(b) in Schedule 3, are satisfied where the
processing “is necessary ... for the exercise of any functions conferred on any person
by or under any [or an] enactment”.
56. The imposition of a statutory duty of disclosure by sections 23(2), 26(1) and 26(3) of the 2014 Act has the consequence that condition 3 in Schedule 2 to the DPA is satisfied. The terms in which that duty is imposed do not, on the other hand, meet the requirements of condition 5(b) in Schedule 2 and condition 7(1)(b) in Schedule 3. In each case, the data controller is required by the 2014 Act to disclose personal
data to a third party if he “considers” that the data are “likely to be relevant” to the exercise of certain statutory functions by the third party and “ought to be provided for that purpose”. The test imposed by condition 5(b) in Schedule 2 and condition 7(1)(b) in Schedule 3 to the DPA requires that disclosure must be “necessary” for
the exercise of statutory functions (which must again refer to the functions of the person to whom the disclosure is made, given that section 35(1), read with section 27, requires that a data processor who is under a statutory duty to make the disclosure must comply with Schedules 2 and 3: a requirement which would be
pointless if it were met ex hypothesi). The meaning of “necessary” was considered
by this court in South Lanarkshire Council v Scottish Information Comr [2013] UKSC 55; 2014 SC (UKSC) 1; [2013] 1 WLR 2421. As was explained there at paras 25-27, it is an expression whose meaning depends on the context in which it falls to be applied. Where the disclosure of information constitutes an interference with rights protected by article 8 of the ECHR, as in the present context (as explained at
“(1) This section applies where any court or tribunal decides that - (a) an Act of the Scottish Parliament or any provision of such an Act is not within the legislative competence of the Parliament … (2) The court or tribunal may make an order - … (b) suspending the effect of the decision for any period and on any conditions to allow the defect to be corrected.”
109. We are of the view that this court should consider making an order under section 102(2)(b) of the Scotland Act 1998 to allow the Scottish Parliament and the Scottish Ministers an opportunity, if so advised, to correct the defects which we have identified. We do not think that it is appropriate to set out the possible terms of such an order until we have received written submissions from the parties on the terms of the order, including both the period of suspension and any conditions which should be attached to the order. As was said in Salvesen v Riddell 2013 SC (UKSC) 236 (Lord Hope at para 57), if such an order is made, it may be appropriate to give permission to the Lord Advocate to return to the court for any further orders under section 102(2)(b) as may be required. The court which is best placed to make such further orders may be the Court of Session. In the meantime, since the defective provisions are not within the legislative competence of the Parliament, they cannot be brought into force.
Conclusion
110. We would allow the appeal and invite the parties to produce written submissions on the terms of a section 102 order within 42 days of the date of this judgment.
5
0
0