General enquiries :
+44 (0)20 7602 6000

Data protection and youth justice: understanding your legal obligations

Thursday 7 June 2018 Data Insight & AnalyticsGDPR

Marc Radley's picture
By Marc Radley
Youth justice data, while being vitally important to the protection of young people, is also extremely sensitive and as we know must be managed securely and appropriately. 
 
With all the hype around the General Data Protection Regulation (GDPR), it’s easy to consider that seemingly-unnecessary retained personal data should be deleted – especially given the much-publicized possibility of severe financial consequences for non-compliance. 
 
But while this is true for most personal data processing activities, criminal justice carries some exemptions. 
 
The Goddard Report of 2015 and the Data Protection Act of 2018 both seek to enable agencies and victims more control over managing their data. And both indicate contrasting considerations to the basic principles of the GDPR.
 
For example, the Goddard Report set out guidance to curtail the premature destruction of files or records that may be used as evidence of child sexual abuse in the future. And the Data Protection Act strengthens the rights of criminal justice agencies’ use of data to safeguard vulnerable young people and the community and consider prevention strategies.
 

The law can be confusing: know what’s required before you make a decision

Before deleting any personal data in an effort to comply with GDPR, first weigh up whether it’s data that you might need to keep under the terms of the Data Protection Act and/or the Goddard Report.  
 
For example, if a young person has committed a minor offence, but it’s their first contact with the youth justice system this case may be dealt with by informal action. In which case, you may feel you can safely delete the related records – especially if the individual or guardians involved ask you to do so under ‘the Right to Be Forgotten’.
 
But if this person were to come into contact with the system again, in any capacity (as a perpetrator, an accessory, or a victim), the information about that young person, their behaviour and relationships that concerns a practitioner may be instrumental in considering prevention and/or minimising future harm. 
 
The Data Protection Act and Goddard Report both state that youth justice agencies have the right to retain this kind of personal data where its retention can be justified on the grounds of reducing risk.
 
For youth justice teams, that means making informed decisions about whether to delete or retain personal data. If the decision is taken to retain it, it means finding a secure way to retain it that doesn’t expose the data to risk of inappropriate access. It also means having the means to record and justify that decision in the event of an enquiry or investigation.
 

Your software vendor can help 

In all of these areas, your software supplier should be able to help. As the market leading supplier we aim to share our decades of data protection and criminal justice practice experience. To keep you abreast of the legal requirements (even where these conflict) and to share how our users can record on and use our software tools to take specific compliance actions in youth justice service contexts. 
 
For example, our ChildView youth justice offending case management system enables users to keep a reportable trail of oversight decision-making around individual records, to provide robust evidence of decisions to delete or retain data.
 

How ChildView can help 

At CACI, we are continually improving features in our ChildView software that enable youth justice agencies flexibility and options to manage practice, security and data protection obligations. 
 
Whether you want to permanently delete records, or you want the ability to retain records in compliance with data privacy legislation, the basic compliance features already delivered in CACI ChildView help, including password management, role-based security, data management and consent management etc. 
 
If you do decide to retain personal information in compliance with Goddard or the Data Protection Act, you may feel more comfortable with the option of keeping the personally-identifiable elements of the case data in a secure archive rather than in your operational systems where it can be easily accessed by searches or reports. 
 
This is an area we at CACI are currently addressing, by adding an intelligent archiving service for exactly this purpose. With intelligent archiving functionality, should the data ever be needed in future, it can be restored in full with the right security credentials. This offers the additional benefit of retaining data for reporting on patterns which helps with targeting services and prevention.
 
 

Get help to navigate the compliance landscape

If you have questions or concerns about your data protection obligations and/or how CACI software handles them, we’re here to help. Get in touch and one of our experts will guide you to what we offer and how best to use this. 
 

With the introduction of General Data Protection Regulation (GDPR), youth justice partnerships may be confused about their data protection obligations. Informed decision-making is the way forward.

Data protection and youth justice: understanding your legal obligations

Add new comment