Why (with due respect) Ian Elliott is mistaken

Ian Elliott is the chairman of the National Board for Safeguarding Children in the Catholic Church. It is an agency of the Catholic Church in Ireland and is not a State agency. It is tasked with ensuring that the Catholic Church in Ireland follows and implements its own child protection guidelines, particularly with reference to allegations of clerical sexual abuse of children.

It is a difficult job. It is an important job. And it is a function and role that we should be thankful someone is filling.

However, Mr Elliott seems to be operating under the misapprehension that the Data Protection Acts are an impediment to the NBSCCC doing its job effectively. This is not the first time that this fig leaf has been trundled out. Similar issues raised their heads in 2011 when Bishops refused to cooperate with Mr Elliott on spurious Data Protection grounds that were dismissed by the Data Protection Commissioner. Given that the NBSCCC is in effect an agency of the Church, it was a bit odd seeing the middle management of the Church trying to wheedle out of cooperating with it.

In the present complaint about the Data Protection Acts Mr Elliott cites the example that the Gardaí are not able to pass information to his organisation without there being a risk of “imminent harm” to a child, which causes problems for the processes of safeguarding children. I believe Mr Elliott to be mistaken in his analysis of where the problem lies. Let’s look at this.

An allegation that someone has committed a criminal offence is sensitive personal data. Information about an identified person contained in such an allegation is personal data. Therefore it can only be disclosed either with the consent of the Data Subject (and in this case the Data Subject is the individual about whom the allegation has been made) or where another exemption under Section 8 of the Data Protection Acts can be identified. The relevant condition that seems to be in dispute here is Section 8(d), which requires that the disclosure is:

Required urgently to prevent injury or other damage to the health of a person or serious loss of or damage to property.

In effect he is stating that the Gardaí (or possibly the Attorney General, who would likely have advised the Gardaí) are taking the view that there is no imminent harm and therefore there are no lawful grounds for onward disclosure. That does not mean that the Gardaí are not retaining the data and processing it themselves. Such processing, however, would fall under the protection of Section 62 of the Garda Síochána Act 2005, which places certain restrictions on the disclosure of data by members of An Garda Síochána, particularly related to investigations or other operational information. Breaches of this section of the Garda Síochána Act carry potentially significant penalties (and, as they amount to a criminal conviction, could be at best career limiting for members of the force).

As the NBSCCC is not a State body that investigates criminal offences, Section 8(b) does not apply to them. As child safety in the Church is not a matter of National Security, Section 8(a) does not apply. As there is no legal advice being sought (the Gardaí are not asking the NBSCCC for a legal opinion) and there are no legal proceedings, Section 8(f) doesn’t apply. And given that the subject of an allegation is unlikely to have consented to their data being disclosed, the Consent exemption cannot be relied on.

Which leaves us with Section 8(e). Section 8(e) is what I believe Mr Elliott was actually alluding to (but I may be mistaken). Section 8(e) allows for the disclosure of information where it is:

Required by or under any enactment or by rule of law or order of a court

So the Data Protection Acts contain a provision which would enable the sharing of data by the Gardaí with the NBSCCC in any or all circumstances Mr Elliott might wish. He just needs legislation to allow it. This could be either primary legislation or a Statutory Instrument. Primary legislation would have the added benefit of giving some scope to making the role of the NBSCCC more formal. Any form of legislation would potentially provide a framework for properly balanced sharing of information from other State Agencies.

The legislation would, of course, have to include some outline of the protocols, security controls and limitations on processing that would be applied to the data, but that is simply good practice.

But (and here is the important bit) the Data Protection Acts would not need to be touched. The Junior Minister with responsibility for Children would simply need to legislate for some thought-through Child Protection rules that would enable balanced and appropriate sharing of information.

The risk in touching the Data Protection Acts is that you could create a situation where the Risk Committee of any employer could potentially seek disclosure from the Gardaí of any reports of specific criminal offences or reports of possible offences committed by current or prospective employees (unless you write the NBSCCC specifically into the legislation, which is derived from an EU Directive that is about to be replaced with a Regulation so… eh… not really possible). That is a dangerously broad and clumsy tool to apply. The law of unintended consequences is still on the metaphorical statute books after all.

Mr Elliott, I politely submit that your analysis – or perhaps the media’s one-sided interpretation and reporting of it – is flawed. Leave the Data Protection Acts alone. Government – legislate for a clear exemption under Section 8(e) and solve the problem the right way.

Of course, if the Data Protection Acts are going to be opened up, the logical thing to do, given the impending Data Protection Regulation, would be to legislate on the basis of the principles in the Regulation. Beating the rush, so to speak, and definitely putting a stamp on the Irish EU Presidency. And I’ve a shopping list of other things…

2 thoughts on “Why (with due respect) Ian Elliott is mistaken”

  1. I welcome this helpful analysis of the problem that I sought to bring attention to which concerns the sharing of information between those involved in the safeguarding of children. What I am seeking is a solution that will enable people to talk to each other without fear of litigation. I cited the impediment of the interpretation and application of the data protection legislation as this is what we are constantly being quoted. Section 8(E) is indeed the key. My belief is that this sets a threshold that we cannot meet and that is why I have tried to highlight it. I do accept the point that you make that there are solutions that are possible if a political will existed to address the problem. However, the small contribution I can make is to draw these matters to the attention of as wide an audience as possible so that they will eventually be addressed.
    Once again, thank you for your analysis.

    Ian Elliott

    1. Ian

      Thanks for your kind comment. I think the required standard re: section 8 might be worth a more in-depth examination. Ultimately the test is one of proportionality as well as clarity of legal basis. In effect in this situation you find yourself in the position analogous to an organisation operating a whistleblower scheme. The A29 working group issued guidance 6 yrs ago on that topic which might be helpful (http://ec.europa.eu/justice/policies/privacy/docs/wpdocs/2006/wp117_en.pdf)

      If you would like to contact me to discuss this off line I’d be happy to provide whatever insights I can which might be of assistance.
