Skip to main content

Data Protection support service: example

My support service aims to be prompt, helpful and clear, no matter how complex the problem. 

Here's an example of a genuine exchange:

Q:

My question relates to discussions I've been having with our local authority for the past 10 years.  Their contracts with service providers require providers to furnish the LA with details of all service users to demonstrate compliance with e.g. numbers, profiles of users, categories of service provided etc.  In most cases, this is not a problem but it can be in relation to mental health charities.  Often the reason why the charity is commissioned is because the service users mistrust statutory sector staff and therefore will not use statutory sector mental health services.   But when the charity tells these SUs that it will have to provide their details to the Council, the service user will not give consent - and in a number of cases would rather refuse to help from the charity altogether, than have their details passed on to SCC.  So, in effect, the object of the contract gets defeated.    I know you can argue that the SUs' refusal is probably not reasonable or rational - but it is understandable in the context!

I have been trying to think of a way that a charity can credibly give Commissioners info about individual service users and the services provided that would not identify them for DP purposes, where the Data Subject will not give consent to processing.

Any ideas would be most welcome!

A:

I understand completely the reluctance of some clients - whether 'objectively' justifiable or not - for their data to be passed to the council.

The first thought that comes to mind is whether there is another way round the problem altogether.  If the council is, in effect, auditing the way you have spent their money, would it accept a report from an independent auditor instead, which did not identify individuals?  Normally there is no need to inform people if their data is seen by auditors that you employ, since the auditors are acting on your behalf and under strict confidentiality.  So could you set up a system where auditors are employed jointly by you and the council (but paid by them, of course) to verify your figures?

Failing that, would the council accept your figures with a proportion of 'prefer not to say' responses?  Then you could inform people that the council would like to see the data in order to monitor your performance, and give them the option to opt out.  Their data would be included in statistics, but not given on an individual basis.

The third option would be to try to give the council enough information to satisfy them, but making it anonymous.  The problem with this is that people are not anonymous if the organisation holding the data can identify them from the data itself plus any other information that they are 'likely' to have.  Given that many of these people will be beneficiaries of council services in some way, there must be a strong possibility that the council would have enough other information to 'reverse engineer' your data and identify the individuals, despite your efforts to make them anonymous.  You would need to discuss your anonymisation process with the council to ensure that this couldn't happen.  If you can do that, then you don't need to inform people, as you are not passing their personal data to the council.

Those are my best offers off the top of my head.  I'm happy to discuss further if it would help.  It may also be worth phoning the Information Commissioner's helpline (0303 123 1113), if you haven't done so already to see what they think.