The effective protection of a child often depends on the willingness of people to share and exchange relevant information appropriately. It is critical that there is a clear understanding of the Church authority’s professional and legal responsibilities with regard to data protection, confidentiality and the exchange of information.
The deficiencies in both internal and external communication of essential child protection information by various Church authorities has been identified and criticised in a number of statutory reports, including the Ryan Report, the Ferns Report, the Report of the Commission of Investigation into the Catholic Archdiocese of Dublin (the Murphy Report), and the Cloyne Report. It is essential that the lessons from these reports are learned, and that improvements result in the sharing of information.
What is meant by information sharing?
All information regarding child protection suspicions, concerns, knowledge or allegations which meet the threshold for reporting (current or retrospective) should be shared with the statutory authorities, in the interest of the child. The provision of information to the statutory authorities for the protection of a child is not a breach of confidentiality or data protection, and failure to share this information with the statutory authorities is an offence in law.
The importance of confidentiality should be accepted by all working in the Church and should be discussed at induction and should form part of training given to Church personnel. It is important that everyone is clear about their legal and ethical responsibilities relating to the sharing of information, in good faith with the statutory authorities.
Civil law is clear that no undertakings regarding confidentiality can ever be given when allegations of child abuse are made.
Canon law makes an exception in terms of the Sacrament of Reconciliation.
Interagency cooperation is as important at all stages of child protection work. Therefore, Church personnel involved in a suspected, alleged or confirmed child abuse case should consistently make efforts to communicate all relevant information expediently and to remain in contact with the statutory authorities until risk has been assessed and managed.
Information sharing with third parties outside statutory bodies is governed by data protection acts 2018 in both the Republic of Ireland and Northern Ireland.
Situations when information must be shared
• Sharing information with the statutory authorities
All allegations, suspicions concerns or knowledge regarding child abuse that meet the threshold for reporting must be passed to the statutory authorities (Canon law makes an exception to information received in the Sacrament of Reconciliation). Where the information is given by the complainant disclosures should include names, addresses, details of the allegations, and whether the respondent has made an admission.
Sharing information with statutory authorities for child protection purposes, and in particular to assist investigation of potential offences, is permitted under the Data Protection Acts. Additionally, the Protection for Persons Reporting Child Abuse Act 1998 (ROI) affords protection from civil liability to such persons reporting child protection concerns to statutory authority agencies in good faith.
Situations when information can be shared
• As part of an investigation by the statutory authorities
During the course of an investigation, if the Gardaí/PSNI request information from a file, every effort should be made to cooperate. However, careful consideration should be given to sharing the following without consent:
Legal advice obtained by the Church authority may be privileged and may not be shared without the consent of the Church authority;
Assessment reports may require the permission of the author and the respondent.
Sharing information with statutory agencies attracts the protections cited above only insofar as it relates to child protection. Therefore, if the information goes beyond this area, it will not benefit from these exceptions. Case files are stored in the name of the respondent and may hold other information, for example information about third parties, or suspicions, concerns, knowledge or allegations relating to other complainants outside the subject of the statutory investigation.
• Sharing information with the NBSCCCI
The NBSCCCI, as a data processor to the constituent members of the Church is entitled to access certain information contained on a Church authority’s files and records for the purposes of analysing all such data in terms of compliance with best child protection practice, and in order to report upon any issues that arise in relation to that investigation.
Subsequent to the General Data Protection Regulation (GDPR) and the introduction of the Data Protection Acts (2018 in both jurisdictions) the National Board has clarified when and how personal data can be shared with them as follows:
Notification of allegation information should be shared on an anonymous basis – using the form 2.1A Template 1. A notification MOU and data processing deed should have been signed by the Church authority and forwarded to the NBSCCCI.
Requests for advice on case management matters from National Office staff requires the exchange of full identifying information and details with the NBSCCCI, following signing of an MOU and data processing deed.
Advice sought from the National Case Management Committee requires full exchange of identifying information and details and an additional data processing deed and MOU.
Assistance with case file restructuring is a process whereby a member of National Board staff will have access to full case records; requires an additional data processing deed and MOU.
Reviews of Safeguarding practice by National Board’s reviewers enables the reviewers to access all records, written and verbal to allow an assessment of compliance against the Church’s safeguarding standards. This requires an additional data processing deed and MOU.
In relation to notification of allegations, given that key information is shared on an anonymous basis, there is no need for the execution of a data processing deed.
The Data Protection Commission has confirmed to the NBSCCCI that for the other services outlined above, the data processing deeds are in compliance with the Data Protection Act 2018.
Once the Church authority has signed the relevant MOUs and data processing deeds, information can be shared with the NBSCCCI for purpose associated with the deeds outlined above.
The NBSCCCI has robust data protection procedures which are in compliance with all relevant legislation, to ensure that data is collected, stored, and destroyed in line with best practice in relation to data protection.
Sharing information between Church bodies
There may be occasions when information relating to an allegation against a cleric or religious between Church bodies is required.
Under canon law, faculties to minister as a priest in public can only be granted by a bishop. While not automatic, there may be occasions where it is appropriate that information is shared between a provincial of an ordained cleric from a religious order/congregation when an allegation of child abuse is made against that priest, so that the bishop can determine whether or not to withdraw faculties.
A cleric or religious ministering in another Church Body against whom an allegation has been made may need to be withdrawn from that ministry; in such circumstances information about the allegation may need to be shared between Church Authorities
Information relating to a religious living in a community who has had an allegation made against him, or who has been withdrawn from ministry may need to be shared with other community members.
Vos estis lux mundi (2019) requires the sharing of information across a number of Church bodies and relevant dicasteries within the Holy See.
As each of these situations is unique, the decision whether and what to share with another Church body will be on a case-by-case basis. In the first instance, if possible consent should be sought from the data subject to share the information. If this consent is not forthcoming or is not possible to obtain, a decision should be taken about the legal basis for sharing the information. To assist, a privacy impact assessment should be conducted on each occasion where it is determined that information should be shared, by considering the following questions:
Does the recipient have a lawful basis for receiving this information?
What is the justification for sharing information?
How will the information be shared?
Is the sharing of the information necessary and proportionate for the purpose(s) for which it is being shared?
What are the risks of harm to an identified or unidentified child if such information is not shared?
What are the risks to the rights and freedoms of the respondent if the information is shared?
Can permission be obtained from the respondent to share information?
Should the respondent be informed that the information is being shared?
Is the respondent in public ministry as a priest and has faculties from the bishop?
Is the respondent in the public ministry of a Church body?
Should information about the complainant be redacted?
A summary of the requirements of storage and retention of data, confidentiality and data protection is contained in Appendix B.
Legislation, guidance and case law
This approach is underpinned by the following:
• Data Protection:
The principles of the relevant data protection legislation should be taken into account when considering whether to share information with persons other than the civil authority agencies (see Appendix B).
• Data Protection Acts 1988–2003 (ROI) and Regulation (EU) 2016/679 (General Data Protection Regulation)
Sharing personal data is a form of “processing” within the meaning of the data protection legislation. Article 6(1) of the GDPR states that processing shall be lawful only if and to the extent that at least one of the following lawful bases applies:
(a) the data subject has given consent to the processing of his or her personal data for one or more specified purposes;
(b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
(c) processing is necessary for compliance with a legal obligation to which the controller is subject;
(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
(f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The circumstances in which special categories of personal data (which include personal data revealing a person’s religious or philosophical beliefs, data concerning health or data concerning a person’s sex life) may be processed are more limited than those outlined above. Such circumstances include where the data subject has consented or where the processing is necessary for the establishment, exercise or defence of legal claims. Another circumstance is where processing is carried out by a not-for-profit body with a religious aim in the course of its legitimate activities, on condition that the processing relates solely to the body’s members, former members or persons who have regular contact with the body, and the personal data is not disclosed outside the body without the consent of the data subjects.
Church bodies should determine whether there is a lawful basis, in line with GDPR and the Data Protection Act 2018 to disclose the information to a third party.
• Children First Act 2015
Section 17 of the Children First Act 2015 effectively prevents the disclosure of details of child sexual abuse against a member of a Church body to a third party. In circumstances where details of a child sexual abuse allegation have been made known to the relevant Church body by Tulsa, explicit permission of Tusla to share that information must be obtained.
• Protection of Persons Reporting Abuse Act 1998
This affords protection from civil liability to persons, who report allegations of child abuse in good faith to an ‘appropriate person’, namely the designated officer of Tulsa or a member of An Garda Síochána, thereby exempting them from liability for defamation as a result of such reportage.
The Children First guidance in the Republic of Ireland references Information Sharing with a third Party on page 47, but this relates to Tusla sharing information with third parties usually, family and relevant others.
Chapter 3 refers to the responsibilities in relation to mandated assisting and the requirements on mandated persons to engage with Tusla’s social work team to assist in the protection of a child. Tusla advise that a mandated assistor, must not share information with a third party unless Tusla considers it appropriate and authorises in writing that the information may be shared.
The Catholic Church on the island of Ireland is expected to embrace best practice standards in child safeguarding, including those on information management, information sharing and interagency cooperation as it functions.