Data Protection and Safeguarding

Posted 10th March 2021

The session was centred on how GDPR and Safeguarding cross over when it comes to information sharing and processing.

How does GDPR relate to Safeguarding in a general sense?

There is a general idea that Safeguarding trumps GDPR.
However, when dealing with a situation or request, it’s not a case of choosing to follow one set of rules or the other. The idea is that the two areas work in conjunction with each other. Finding the balance between both areas is key.
The majority of schools have a great Safeguarding set-up in place already and it’s about building GDPR guidelines in and around this so they can work hand-in-hand, one not restricting the other.
The rules around safeguarding information sharing are not about whether you can actually share data, but rather about thinking twice about how you share it.

Do we want to be more transparent? Do we need consent? Is there a need to inform people what we’re doing with the information? Is anyone’s safety at risk?


When it comes to Safeguarding, what are the rules on information sharing?

Fears of information sharing must not stand in the way of the needs, welfare, protection and safety of children. It ties back to how the two aspects work hand-in-hand. Keeping Children Safe in Education built in rules when it comes to information sharing. They have brought out a separate document named “The Seven Golden Rules for Information Sharing.” The rules are as follows:

  1. The GDPR, Data Protection Act 2018 and Human Rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately: Think about how you share it responsibly, safely and transparently.

  2. Be open and honest with individuals (and/or their families where appropriate) from the outset about why, what, how and with whom information will / could be shared, and seek their agreement, unless it’s unsafe or inappropriate to do so: Consent isn’t always necessary. Blanket approaches shouldn’t be used as an excuse to not share information. The ICO is likely to look further into cases where a blanket approach has been used, e.g., ‘We can’t share this due to Safeguarding’. Make sure your privacy notices are up to date and are easily accessible - this will help with transparency.

  3. Seek advice from other practitioners, or your information governance lead, if you’re in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible: Practitioners could be defined as a number of things – it could be the Safeguarding or Data Protection expert, your DSL or even sometimes SEN related. Double checking with your practitioners, even if you think the information is suitable to be shared, is a much safer option before progressing.

  4. Where possible, share information with consent, and where possible, respect the wishes of those who don’t consent to having their information shared. Under the GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk. You’ll need to base your judgement on the facts of the case. When you are sharing / requesting personal information from someone, be clear of the basis upon which you are doing so. Where you don’t have consent, be mindful that an individual might not expect information to be shared: It’s always useful to be as transparent as possible. Sometimes consent is overused, as it’s been made part of the way to communicate with individuals. Consent isn’t needed at every opportunity; however, as good practice, informing individuals at the start of processes of how you will be using their data can help in the long run.

  5. Consider safety and well-being. Base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions: We may need to consider things like public safety. We may need to act quickly. We may need to share it without telling individuals about it – every situation is different.

  6. Necessary, proportionate, relevant, adequate, accurate, timely and secure - ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (see principles): An example of this situation would be if the police ask for ALL of the information: do they really need all of it? You are allowed to raise that objection. You cannot just assume it’s okay to give them all of the information. Also make sure you’re sending this protectively, as Safeguarding data is some of the most sensitive information.

  7. Keep a record of your decision and the reasons for it – whether it’s to share information or not. If you decide to share, then record what you’ve shared, with whom and for what purpose.

* It’s important to note that each situation is different and these rules should be applied per situation, not necessarily used as a hard and fast rule every time.

Day-to-day Examples of where GDPR and Safeguarding Overlap:

  1. Transfer of student files to new settings safely (July): Think about putting something more secure around it when sending those on to another setting. Make sure you assess all the risks around the transfer and keep a clear record to help with the paper trail. Only send what is really necessary, as it might not be necessary to send the whole file.

  2. Recruitment and keeping of ID: No DBS certificate should be kept on file for longer than 6 months. IDs can be kept as long as they are kept for the right reason, e.g., proof of right to work. Make sure your Single Central Record is kept in a safe place, that you know where it’s stored and who has access to it, and that it is updated regularly, such as by removing old employees.

  3. Visitors in School: Do you need to ID visitors? Do you need to see a DBS? Is it always necessary and proportionate for the purpose of the visit? Make sure your privacy policies are up to date and accessible. Think about how long you will be keeping the visitors’ info for and have clear justifications if you are to keep it longer than necessary.

Main Data Protection Principles and how they apply to Safeguarding Information:

  1. Lawful basis and not always needing consent: Safeguarding is a fair processing condition by itself, provided it’s used for safeguarding individuals who are / can be at risk. This is why Safeguarding can’t be used as a “blanket” approach, as not every document will have a Safeguarding element to it.

  2. Data minimisation: Make sure the information that you use is proportionate and necessary to the purpose and not more than what is necessary.

  3. Keep information accurate and up to date: Distinguish between fact and opinion and keep a detailed record of this where possible. Ensure information is updated regularly in combination with this.

  4. Data Retention: Set applying periods for everything you have. The principle is not to keep information longer than what is necessary. Safeguarding data is one of the most difficult areas to put a time frame on, as there’s currently no set one. Keeping Children Safe says child protection information should be kept till the child turns 25, provided that the principal / copy of the data is held by the Local Authority Social Services Record. However, being 100% sure whether they have sufficient copies is another consideration in itself.

  5. Security: You must put in place appropriate security on data. Ensure access controls on Safeguarding information are very tight and control who and how many persons have access to the information. The fewer staff that have access to it, the better. Thus ensure appropriate levels of access.

  6. Accountability: How can you prove that you apply the Data Protection rules? Having the right policies in place and ensuring these are actually being followed is a good place to start. In combination with this, ensure there’s training in place to help make sure staff have the appropriate awareness of how to follow the Data Protection principles. The ICO does actually look at whether training has been done, as well as how often it has been done with staff.

If you require any support in any of these steps, or would like to talk to someone about support for your school, please do not hesitate to call us on 0203 326 9174 or email tara.jones@judicium.com.

