This is a short, but very useful piece of non-statutory guidance that clarifies the importance of and procedures for information sharing in relation to safeguarding and the promotion of the welfare of children. Poor information sharing has been a recurring theme in Serious Case Reviews and all who come into contact with children should be proactive in their information sharing.
The changes in the guidance, naturally are focused around GDPR and Data Protection Act 2018.
The key changes are:
• Under the GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk (page 4).
• Under GDPR and the Data Protection Act 2018 organisations handling personal data need to have comprehensive and proportionate arrangements for collecting, storing, and sharing information.
• The GDPR and Data Protection Act 2018 do not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe.
To effectively share information:
o all practitioners should be confident of the processing conditions, which allow them to store, and share, the information that they need to carry out their safeguarding role. Information which is relevant to safeguarding will often be data which is considered ‘special category personal data’ meaning it is sensitive and personal
o where practitioners need to share special category personal data, they should be aware that the Data Protection Act 2018 includes ‘safeguarding of children and individuals at risk’ as a condition that allows practitioners to share information without consent
o information can be shared legally without consent, if a practitioner is unable to, cannot be reasonably expected to gain consent from the individual, or if to gain consent could place a child at risk.
o relevant personal information can be shared lawfully if it is to keep a child or individual at risk safe from neglect or physical, emotional or mental harm, or if it is protecting their physical, mental, or emotional well-being (page 5).
• The role of the Safeguarding Partners, as they replace LSCBs, includes supporting information sharing. They can require a person or body to comply with a request for information (page 8).
• Practitioners should share no more data than is necessary, while ensuring that it is relevant to enable others to do their job effectively and make informed decisions (page 9).
• Information should be retained within line with the organisation’s retention policy. ‘In some rare circumstances, this may be indefinitely, but if this is the case, there should be a review process scheduled at regular intervals to ensure data is not retained where it is unnecessary to do so.’ (page 10)
• The Myth-busting guidance (page 13) is also included in Working Together to Safeguard Children: July 2018. This is clear that:
o ‘GDPR and Data Protection Act 2018 do not prohibit the collection and sharing of personal information. …, the Data Protection Act 2018 balances the rights of the information subject (the individual whom the information is about) and the possible need to share information about them. Never assume sharing is prohibited – it is essential to consider this balance in every case. You should always keep a record of what you have shared.
o ‘When you gain consent to share information, it must be explicit, and freely given. There may be some circumstances where it is not appropriate to seek consent, either because the individual cannot give consent, it is not reasonable to obtain consent, or because to gain consent would put a child or young person’s safety or ‘ at risk. Where a decision to share information without consent is made, a record of what has been shared should be kept.’
o ‘In the case of children in need, or children at risk of significant harm, it is difficult to foresee circumstances where information law would be a barrier to sharing personal information with other practitioners.’
• We are reminded that IT systems are most valuable when practitioners use the data that has been shared to make more informed decisions about how to support and safeguard a child (page 14).
The DfE’s Data protection: A toolkit for schools is another useful source of information and support in this area. On page 21 it reminds us:
‘GDPR does not prevent, or limit, the sharing of information for the purposes of keeping children safe. Legal and secure information sharing between schools, Children’s Social Care, and other local agencies, is essential for keeping children safe and ensuring they get the support they need. Information can be shared without consent if to gain consent would place a child at risk. Fears about sharing information must not be allowed to stand in the way of promoting the welfare and protecting the safety of children. As with all data sharing, appropriate organisational and technical safeguards should still be in place.’
Actions for schools
• Ensure your data protection policies are GDPR compliant and includes that ‘information related to safeguarding can be shared lawfully if it is to keep a child or individual at risk safe from neglect or physical, emotional or mental harm, or if it is protecting their physical, mental, or emotional well-being.’
• Ensure that the information sharing element of your Safeguarding Policy is up to date and clear.
• Ensure that this is shared with all staff through training.
• Read the DfE’s Data protection: A toolkit for schools, if you have not already done so.