GDPR and commissioning

Toni Badnall-Neill
Tuesday, August 28, 2018

Changes to data protection rules can improve how councils and providers share information, says Toni Badnall-Neill.

Toni Badnall-Neill: "The potential impact of the GDPR cannot be underestimated"

The General Data Protection Regulation (GDPR) came into force on 25 May 2018. Superseding the Data Protection Act 1998, this EU-wide directive will be incorporated into English law after Brexit and is designed to harmonise data privacy laws across Europe, and give greater protection and rights to individuals ("data subjects").

For children's sector organisations that process large volumes of personal data as part of their everyday business, the potential impact of the GDPR cannot be underestimated - however, there is currently little information available about its effects. The Centre for Public Impact identified that there was "no evidence of monitoring mechanisms or metrics in place to track progress of the GDPR's impact", and the Information Commissioner's Office has yet to publish details of any prosecutions initiated since 25 May.

A 2017 procurement policy notice suggested that public procurement would be particularly affected, with additional burdens on both commissioners and contractors to ensure compliance with the new legislation. The changes also have the potential for wider impact on the whole commissioning landscape, as the GDPR affects how we think about, collect and use intelligence, especially as it relates to children and young people, and could prompt a cultural shift in relationships between those who provide, process and control information.

Relationships with service users

Commissioners rely on client- and cohort-level data to develop and review services for children and families. The intelligence gained from data analysis is crucial to strategic commissioning, and the legislation contains a specific legal basis for the processing of service user data in the performance of a task carried out in the public interest or in the exercise of the data controller's official authority (such as the business of a local authority or commissioned organisation acting on their behalf).

The GDPR does impose specific conditions on the use of children and young people's data, most notably an obligation to inform children and those with parental responsibility, in a simple and accessible way, who may access their data and why. Analysis in the media has highlighted that the organisation collecting the data is responsible for explaining this clearly and in detail, and that gaining informed consent early on will save time and effort.

Good practice for commissioners is to build these considerations into service development, particularly the principle of "privacy by design" and the active implementation of an opt-in approach to processing service user data. Consultation and co-production with children and young people - especially around Data Privacy Impact Assessments - can lead to greater understanding and trust by clients, enabling user empowerment and ownership of services.

Relationships with suppliers

The GDPR identifies specific obligations for data controllers and processors. These roles are usually held by the commissioning organisation and provider respectively, but this is not always the case and can become the subject of debate as the need to ensure compliance with the new legislation prompts a re-negotiation of the relationship between commissioners and suppliers. It can be helpful to consult information governance specialists within commissioning organisations for advice on the compliance requirements for different types of arrangements.

The necessity to vary existing contracts to include GDPR, and embed it within any new contracts, provides an opportunity for organisations to review their contracting arrangements and can offer an additional layer of security to both the commissioner and the contractor. This is particularly the case for packages of care that are spot-purchased or purchased from frameworks - Crown Commercial Service guidance states that commissioners should review each call-off to ensure roles and responsibilities have been updated to reflect Data Protection requirements.

Implementing contracting arrangements that clearly identify the roles and responsibilities of each party benefits contract compliance and enables performance of suppliers to be managed more effectively. As with any commissioning exercise, the relationship between client and contractor is crucial, especially where providers are controllers of data in their own right or where a joint-controller function is more appropriate - the relationship should be one of enablement rather than disenfranchisement.

Relationships with partners

In designing effective services, commissioners often collect data from, and share it with, partner agencies. Strategic commissioning increasingly forms an integral part of multi-agency working, developing the provision which forms the team around the child or family.

Compliant information-sharing protocols need to be implemented between partners (which can include suppliers) to ensure that subjects' rights are protected under the GDPR. While subjects' rights may occasionally be impacted by the need to share information without their consent if this is in their best interests, these procedures provide further opportunities for commissioning organisations to review their partnership working practices, ensuring that information-sharing is done with all parties concerned, not to them.

By increasing the awareness and understanding of data subjects, processors and controllers around what data is used to inform commissioning intelligence, how it is used, and why, commissioners have the opportunity to change the roles of these parties in the commissioning process to those of more active partners.

By working better together, we can improve outcomes for the children, young people and families at the heart of this legislation.

Toni Badnall-Neill is strategic commissioning officer for children's services at Central Bedfordshire Council

Further reading
  • General Data Protection Regulation in the EU, Centre for Public Impact 2017
  • Procurement Policy Note - Changes to Data Protection Legislation & General Data Protection Regulation: Action Note PPN 03/17, Crown Commercial Service 2017
