Questions of GP liability for Welsh government children’s data distribution
Blog / April 30, 2025
Today is the cutoff in legislation for the tiny data transfer window of children’s records to Local Authorities, under their new process for identifying children missing education in Wales.
The Children Act 2004 (Children Missing Education Database) (Pilot) (Wales) Regulations 2025 came into force on 8 April 2025 and cease to have effect on 8 April 2026. Who determined that this legislation would be written and used? The Welsh government.
It requires a Local Health Board, or a GMS contractor, that holds any of the information specified in relation to any child who is “usually resident” in a pilot local authority’s area to disclose it to the child’s relevant pilot Local Authority by 30 April 2025.
1. The child’s name (including any former name).
2. The child’s address (or last known address) including postcode.
3. The child’s date of birth.
These data from the Local Health Board, or a GMS contractor, will be added together with the following further information in the CME database that Local Authorities create from linkage with:
4. Name, address, postcode, telephone number and email address of all parents of the child.
5. The name and address of the person providing all or part of the education.
6. Any additional learning needs that the child may have and any additional learning provision that is called for. [Our emphasis N.B. special category health data e.g. disabilities, hearing and sight impairments, mental or physical needs related to other conditions.]
Who determined which data items would be included? The Welsh government.
Where have the data been taken from?
The data from children’s health records have not in fact been extracted from any identifiable “Local Health Board, or a GMS contractor” as described in the legislation, but instead from the NHS Shared Services Partnership, which is described in the Data Protection Impact Assessment (7.5/ p.8) as a data processor and is not mentioned in the legislation.
Who decided that this route would be the one used? The Welsh government.
Who has been told?
We understand that GPs have not been informed of this mass data extraction from their patients. No one has told the patients. When asked, the WG could not offer any information that has been given to GPs to pass on to patients before the data copying and transfer took place. This is despite the fact that the WG data protection impact assessment claims, “The data controllers for the information will be general medical contractors (GPs) and local health boards.” (DPIA p.7/ Q7.4). The Welsh Government cannot have it both ways. In our view, responsibility and the role of controller rest very clearly with the Welsh Government, not GPs.
The data from health records is being extracted for every registered child, and then the Local Authorities will perform a matching exercise with those they already have on record as in ‘mainstream’ or any other type of state education not in the above groups (noting there is duplication/overlap with flexi-schooling).
In parallel, to make this possible, independent schools are being told to submit their pupil records to the Local Authorities as well. Who determined private schools would be included? The Welsh government.
Since no state or private school setting, nor any health setting, has been sent information to pass on to the children and/or their families in accordance with Articles 12-14 of the GDPR (and “given that children merit specific protection, any information and communication, where processing is addressed to a child, should be in such a clear and plain language that the child can easily understand”), the Welsh Government appears to have failed to meet the conditions and obligations in data protection law that are necessary in practice from these legislative changes and is in breach of the law.
Who is responsible?
The basic question of who is the data controller is key in data protection law and for who does what. Pupils and patients need to know all about the new policy and where data will be held, by whom, for how long, with what access and, most importantly, what their rights are and who they contact to exercise them.
This includes, for example, parents of children at risk who want to ensure their child’s data is shielded from violent ex-partners. Thanks to this legislation, there is now a legal requirement to include the contact details of all parents of the child in the CME child’s record at the Local Authority. What are the safeguards in place to ensure one can raise objections, including to protect their child from the other parent being contacted or finding out where each other are as a result?
The substantive risk for the very few children who are both actually at a safeguarding risk and completely off the State radar, unknown to authorities, is that parents will be even less likely to want to present, for example for child public health programmes. This was raised in the Child Rights Impact Assessment. It has been raised by expert submissions to the 2024 consultation, and even in the Senedd, but has not been seriously addressed, and has instead been either dismissed or ignored (see line 371). Nor have the concerns raised by the BMA about the lack of an effective check for deceased patients and the risk of harm to bereaved families. The Welsh government also appears to have ignored the concerns of the General Medical Council.
Knowing who the data controller is also means knowing who has legal liability when the complaints and cases start being written.
Data ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.
Once these databases are established (or existing databases expanded in the case of CME) at the Local Authority level, it may well be considered a joint controllership for the data itself, after the data has all arrived into the Local Authority systems. But for the purposes and procedure of their new establishment, and the new data transfers from other places to the Local Authorities, that is, data held in health records and by private schools being sent to LAs or being processed in any way for new purposes, there can be no doubt that the purposes and means of the processing of personal data have been determined by the Welsh Government.
When the BMA responded to the Welsh Government consultation last year, they asked the same questions (p.8/Q13). This brings with it questions of legal responsibilities, including fair processing under data protection law (telling the people whose data it is) and a connected legal liability for the breach of law or the very likely harms that will result from this rushed project that has chosen to ignore a range of expert input.
Of course, Westminster made it all more complicated by bringing Wales into legislation at the very last minute and using their children in effect as a pilot, not only for the rest of Wales, but for England in the Children’s Wellbeing and Schools Bill that is scheduled for debate again tomorrow in the House of Lords. Perhaps ministers and peers will benefit from seeing it all going horribly wrong for their counterparts in Wales. The question of who takes responsibility for any children and families that the new processes harm goes far beyond the implications for breaches of data protection law.
Our letter for educational settings, and GPs and health settings. [blank letter template 2025 for organisations.pdf 266kB]