Sharing Safeguarding Data

/in /by

Following cases such as Grace and the Farrelly Commission Final Reports which were published this year, the public has become more and more aware of the protection that is needed At Risk Adults.

Anyone working with, or advocating for, adults at risk of harm will be aware of the legal complexities involved when seeking access to and/or sharing personal data, even where considered necessary to ensure the health, safety or welfare of those at risk adults. Often, confusion over the law can lead to unnecessary delays in accessing and/or sharing of data which can have significant and serious consequences.

Accordingly, it will come as a relief to many that the Data Protection Commission recently published an Adult Safeguarding Toolkit which includes practical advice, templates, and examples to help individuals and organisations navigate this complex area of the law.

It is worth noting that the Toolkit is intended to apply to the sharing of data concerning “At Risk Adults”. The term “At Risk Adult” is very broadly defined and has a much wider meaning than the term “vulnerable adult” for the purposes of Irish law.

An “At Risk Adult” is described as:

“A person who, by reason of their physical or mental condition or other particular personal characteristics or family or life circumstance (whether permanent or otherwise), is in a vulnerable situation and/or at risk of harm and needs support to protect themselves from harm at a particular time. While not an  exhaustive list, this can include individuals suffering from physical or mental conditions (such as cognitive impairment, dementia, acquired brain injury), children with additional needs reaching the age of majority, individuals subject to domestic violence or coercive control, individuals who find themselves homeless, individuals who are subject to financial abuse and individuals who have been trafficked.”

The potential application of the Toolkit could therefore include adults (anyone over 18 years of age):

  • in receipt of health or social care services in the community, including disability services, home support and day services;
  • in receipt of residential health or social care services such as residential care, community residential care, mental health residential services, and acute and primary care settings;
  • in receipt of services other than health or social care services, including services for:
    • adults experiencing homelessness;
    • adults in the international protection process;
    • victims of domestic, sexual or gender-based violence; or
    • substance misuse services.
  • availing of financial services;
  • in prison or in Garda custody.

Anyone involved in the provision of those services and anyone advocating on behalf of adults in receipt of those services should take note of the Toolkit.

Given the very broad definition of “At Risk Adult”, employers dealing with an employee in crisis should also be mindful of the Toolkit. This could include, for example, an employee availing of domestic violence leave or experiencing temporary or permanent mental health issues.

Some of the key takeaways of the Toolkit are:

  • The circumstances of an individual does not alter their entitlement to their data protection rights. Data controllers dealing with at risk adults should be aware those individuals may not be aware of their data protection rights. It is very important therefore that organisations prioritise data protection training and awareness to allow individuals to effectively exercise their rights.
  • Data protection law does not prevent sharing data in the context of adult safeguarding. Instead, data protection law requires that the sharing be lawful, relevant, necessary, and proportionate for the achievement of the objectives of the data controller, such as the safeguarding of at risk adults.
  • The Toolkit contains detailed guidance on the processing of personal data relating to criminal convictions and offences (which extends to the alleged commission of an offence and any proceedings in relation to such an offence). This guidance is useful not only in the context of adult safeguarding but for any data controller processing such data.
  • The Toolkit offers guidance on how to handle what it refers to as “soft information” i.e. concerns / allegations made regarding a person, without any factual evidence being present. While soft information may require action by the organisation, if there is no identified purpose for using the information, then it should not be retained or recorded. If information is categorised as an allegation or hearsay then it ought to be documented as such.
  • In certain circumstances, a data controller may need to disclose information to a third party, such as An Garda Síochana, without informing the individual. This disclosure might be contrary to the will and preference of the data subject; however the data controller might form the view that notwithstanding this, the disclosure of the data should nonetheless take place. This might arise where there is a risk to the safety of an at-risk adult and that safety risk might be heightened by its non-disclosure.
  • The Toolkit notes the factors to be considered by data controllers in exercising their discretion to share information with family members (for example, care plans and appointments) where the data subject does not consent to the sharing of their data.
  • The Toolkit notes there is no prohibition on an individual allowing a third party (eg a relative, friend, or solicitor) to make a Subject Access Request on their behalf, including an at risk adult. However, the data controller must be satisfied that the third party making the request is entitled to act on behalf of the individual.

 

The Adult Safeguarding Toolkit can be found here.

For more information, please contact our Data Protection Team 

 

Richard Neville
rn@ofx.ie
021 4277788

Judith Curtin
jc@ofx.ie
021 4277788

Niamh Carey
nca@ofx.ie
021 4277788