The Local Safeguarding Children Board as Data Controller

What is a Local Safeguarding Children Board (LSCB)? It is a statutory body which local authorities responsible for children’s social services are required to set up under s13 Children Act 2004.

  • Each local authority in England must establish a Local Safeguarding Children Board for their area

The responsibilities of the LSCB are essentially set out in the Act and in The Local Safeguarding Children Boards Regulations 2006. These include:

  • developing policies and procedures for safeguarding and promoting the welfare of children
  • communicating the need to safeguard and promote the welfare of children, monitoring and evaluating the effectiveness of what is done by the authority and their Board partners
  • participating in the planning of services for children in the area of the authority;
  • undertaking reviews of serious cases

Participants in an LSCB are referred to in the legislation as Board partners. Apart from the functions, and reference to statutory guidance, the Act and Regulations are largely silent as to an LSCB’s powers. There is for example no granting of powers to employ persons or hold property. Consideration of s15 of the Act suggests that in effect staff, goods, services, accommodation and other resources will be provided by Board partners. LSCBs are required to have lay members – each LSCB must have at least two individual lay members who reside in the area – and it is notable that s13(5B) of the Act gives the authority, but not the LSCB, power to pay the lay members.

There are potentially up to 150 LSCBs in England. The actual number is somewhat less as authorities are able to share functions and create a joint LSCB for more than one Council area.

A perennial problem for those managing data protection issues in local authorities is whether the LSCB is required to register as a data controller with the Information Commissioner’s Office under s18 of the Data Protection Act 1998 (DPA), or whether they can simply rely on the registrations of their constituent ‘partners’ such as the local authority, health board or police.

This is not just a trivial issue as, if registration is required, failure to do so makes it likely that any processing of personal data by the body is a criminal offence – combined effect of DPA sections 17 and 21. This offence may be committed not only by the LSCB but criminal liability would potentially also attach to individual Board members, including lay members.

So what is the legal status of the LSCB? It is not an incorporated company. Despite the reference to ‘Board partners’ it is not in fact a partnership in the full legal sense as that would require a business being carried out with a view to profit. It is simply an unincorporated association. Nothing in the setting up of LSCBs referred to above requires it to be anything more. It does not need to own property, employ staff, or initiate legal actions.

It is often suggested that an unincorporated association is not a legal entity (See e.g. HMRC at http://tinyurl.com/ykt7l3w ) and that it cannot:

  • enter into contracts;
  • sue or be sued;
  • take on a lease or own property; or
  • employ staff

The first two points above are important as data controllers may need to enter into data processing agreements (contract) and may need to be sued e.g. for damages under s13 DPA. Unfortunately it is not that simple. As long ago as 1901 it was decided that some unincorporated associations can indeed be sued (and by implication can sue).

If the Legislature has created a thing which can own property, which can employ servants, and which can inflict injury, it must be taken, I think, to have impliedly given the power to make it suable in a Court of Law for injuries purposely done by its authority and procurement. (The Taff Vale Railway Co – v – The Amalgamated Society of Railway Servants [1901] UKHL 1)

In addition an unincorporated association can be prosecuted. That may not always have been the case but is now clear law (See e.g. HSE prosecution guidance http://tinyurl.com/m26v78q and R v RL and JF [2008] EWCA Crim 1970).

By analogy one must therefore consider whether the DPA creates a thing (the data controller) which has the required responsibilities and powers to give it sufficient legal status to enable it to register as a data controller, even if it is an unincorporated association.

S1(1) DPA tells us:

data controller” means, subject to subsection (4), a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed;

‘Person’ is not defined in the DPA. The starting point is thus the definition in the Interpretation Act 1978, Schedule 1: “Person” includes a body of persons corporate or unincorporate. This definition is subject to the limitation in s5 of the Interpretation Act: In any Act, unless the contrary intention appears, words and expressions listed in Schedule 1 to this Act are to be construed according to that Schedule.

There does not appear to be any contrary intention in the DPA. In fact s65(1)(b) recognises that for the Information Commissioner’s purpose of serving notices person includes a ‘body corporate or unincorporate’. Most, but not all, such notices are required by the Act to be served on the data controller. The Data Protection Directive (Directive 95/46/EC of the European Parliament and of the Council) definition of data controller also anticipates that an unincorporated body may be data controller as it refers to “the natural or legal person, public authority, agency or any other body” – Article 2(d). An LSCB is accordingly a person for the purpose of the definition of a data controller. But does it determine the purpose and manner of processing personal data?

The purposes of an LSCB are of course not self-determined. They are laid down by statute. However s1(4) DPA is clear:

Where personal data are processed only for purposes for which they are required by or under any enactment to be processed, the person on whom the obligation to process the data is imposed by or under that enactment is for the purposes of this Act the data controller.

Whilst some of the statutory purposes may be fulfilled without processing identifiable personal data, it is clear that others cannot – e.g. conducting a serious case review would be, in practice, impossible without reference to information which would remove any likelihood of anonymity.  It is also clear from a consideration of the LSCB functions (above) that it is, at least jointly, responsible for determining the manner of processing.

The courts have clearly recognised the status of a safeguarding board : see [2013] EWHC 1711 (QB) where the Worcestershire SCB was a party to a Public Interest Immunity action. http://bit.ly/1GGqBKr

An LSCB accordingly fulfils all of the requirements of the definition of a data controller and its unincorporated status can be no bar to the consequences of that. It seems therefore that LSCBs should notify the Information Commissioner and register as data controllers in their own right. This will have some significant consequences.

  • Many data controllers use data processors, and this would inevitably be the case for an LSCB. Typically for example the LSCB will use local authority IT and email systems. The seventh data protection principle requires a contract in writing to underpin the data processing agreement between the LSCB and the authority. Despite the ‘normal’ common law rule against contracts by an unincorporated association the legislative intention will have precedence.
  • S13 DPA entitles a data subject to sue a data controller in certain circumstances. It specifically refers to “proceedings against a person”. Given the legislative intention, that ‘person’ must include an unincorporated data controller (principle derived from The Taff Vale Railway Co – v – The Amalgamated Society of Railway Servants). LSCB Board members will have joint and several liability for any damages and they should be aware of this. In particular lay members might reasonably be given an indemnity on appointment.
  • Similarly there would be joint and several liability of LSCB Board members for any penalties imposed under s55A DPA.
  • DPA provides that the data controller is subject to a number of criminal sanctions. As we have seen the LSCB can be prosecuted. For example assume for a moment that Anyplace LSCB is a data controller but fails to notify the Information Commissioner under the registration process. As soon as it processes any personal data an offence is committed under s21 DPA. The LSCB may be prosecuted. Each Board member may be prosecuted. Whilst it is perhaps inconceivable that the ICO / Director of Public Prosecutions would prosecute a lay member of the Board, they should at least be advised of the potential liability as part of the appointment process, so that they can actively ensure compliance.

On the other hand an LSCB is not, as such, a designated public authority for the purpose of Freedom of Information requests. There is no specific designation in the Freedom of Information Act (FOIA) or subsequent statutory instruments and an LSCB could not fall within the category of a company “wholly owned by the wider public sector” as (a) it has lay members and (b) it is not a “body corporate” as required by FOIA s6(3)(3).

In practice it seems only a minority of LSCB’s have registered as a data controller. A search of the register in December 2014 using the term “Safeguarding” produced only 16 matches. Whether or not the LSCB or sponsoring council agrees with the conclusion above, it should certainly make a clear decision for itself as the requirements of data processing, and the drafting and implementation of data sharing protocols, cannot sensibly be addressed unless the roles and responsibilities of each party are clear.

This entry was posted in DPA. Bookmark the permalink.

Leave a Reply