THE RELATIONSHIP BETWEEN THE MCA AND GDPR
INVOLVING FAMILIES AND FRIENDS
Peter Edwards, Solicitor
“Acting as RPR should I/could I speak with family members? I am being told not to by my manager as it breaches GDPR, but this doesn’t seem right in light of trying to find out wishes and beliefs? Likewise acting as IMCA when completing 39a reports?”
This question got me thinking. Surely this issue goes beyond advocacy.
I encounter professionals, using confidentiality / GDPR (General Data Protection Regulation) to inhibit the sharing of important information from families and friends (where this may be appropriate). This invariably is to the detriment of P.
It seemed to me that some duties under the MCA may be in direct conflict to the Rules of GDPR.
Having read as much as I could, none of the documentation from the Office of the Information Commissioner seemed to provide a straightforward answer.
For advocates, especially these days with limited access to clients who may lack capacity, getting information from 3rd parties might be a vital part of establishing wishes and feelings. I therefore sent a question to the Commissioner and received a very helpful phone call from Christopher Harrison, Case Officer.
He conceded that this area was less than clear and said he would email me following consultation with his policy division.
I hope that this will be the start of a useful dialogue which could result in greater clarity coming from the Commission.
The question that I raised:
I am a specialist solicitor representing those who lack capacity where ‘best interests’ decisions are made under the Mental Capacity Act. There is a duty under the Act to seek the views of relevant others when making such decisions (s.4).
One advocacy agency asserts that because of GDPR, it is not possible to seek the views of families and friends because of the inability of their clients to consent.
It is in my view that this is a common concern which potentially increases the vulnerability of those who lack capacity. May I have your view of this?
It seems that they have a choice in complying with GDPR or complying with the MCA.
To fail to communicate with families is also potentially a breach of Article 8 of the ECHR.
Response from the Information Commission’s Office
There are two potential scenarios that this could fall under and it would depend on what the advocacy entails and who the discussions were with. In both cases you would not necessarily need to rely on consent.
As the individual cannot give consent it should therefore not be seen as a barrier to complying with the Mental Capacity Act.
If the advocate is to act on behalf of and making decisions for the individual without capacity, they may be seen as though they are acting as the same natural person.
In this were the case, and the discussions you referred to were with close family members and friends, it may be seen as purely domestic and outside of the scope of the legislation, as it may not be connected to a professional of commercial activity. This is covered in the GDPR, article 2 and recital 18.
An example of this would be an elderly person speaking with a family member about medical results in order to help them best make a decision about future living arrangements. If the advocate is seen the same as the person they are representing, a similar conversation may be seen as purely domestic.
If not, and the advocate is still acting in a professional manner, discussing the individual with other organisations and third parties, then it is likely that they would be able to rely on an exemption to process any personal details that you are required to.
As you mentioned, the Mental Capacity Act states that you are required to seek the views of relevant others when making such decisions. Therefore it is likely that part two of the exemption “Information required to be disclosed by law or in connection with legal proceedings” is likely to be applicable.
This part of the exemption applies if you are required by law, or other legislation, to disclose personal data to a third party. It exempts you from the GDPR’s provisions on:
• the right to be informed;
• all the other individual rights, except rights related to automated individual decision-making including profiling;
• the lawfulness, fairness and transparency principle, except the requirement for processing to be lawful;
• the purpose limitation principle; and
• all the other principles, but only so far as they relate to the right to be informed and the other individual rights.
Therefore you would only need to ensure your processing was lawful, which means you would need to determine your lawful basis to process any personal data. As the processing is based on legislation, it is likely that your lawful basis would be legal obligation.
Regardless of which scenario best suits your processing you should document any decisions and justifications you made that led you to that point.
Case Officer. Information Commissioner’s Office
It is important to remember that most advocacy is required by statute. A statutory advocate must follow ‘procedures prescribed by law’. This could be the MCA, the MHA or the Care Act. In each case GDPR cannot impede the carrying out of an advocate’s lawful functions.
In the absence of informed capacitated consent, the advocate is under a duty to assist the person by giving voice to their past and /or present ‘wishes and feelings’. In appropriate cases, the advocate may therefore be under a duty to cast the net wide when seeking to understand and give voice to these.