Golden Rules for Safeguarding and Data Sharing

This blog is based on Judicium’s Safeguarding and Data Protection ‘Sofa Session’ from the 2nd of April, with Helen King and Sofia Mastrangelo. This session focused on the guidance on sharing safeguarding data and concerns, retention rules, and managing SARs in relation to safeguarding and considering exemptions.

Poll 1

Introduction

When it comes to safeguarding, two key pieces of statutory guidance that professionals should be familiar with are Working Together to Safeguard Children 2023 and Keeping Children Safe in Education (KCSIE) 2024. These documents highlight the importance of information sharing, referencing "data protection" 24 and 25 times, respectively.

While safeguarding and data protection may seem at odds, the guidance is clear: data protection laws should never prevent information sharing when it comes to protecting children. In this blog, we will explore what the statutory guidance says about safeguarding and data sharing, examine the implications for practitioners, and outline the seven golden rules for information sharing.

What Does the Guidance Say?

The Working Together to Safeguard Children (WTTSC) 2023 guidance is unequivocal:

• Data protection laws, including the UK GDPR and the Data Protection Act 2018, should not create a barrier to sharing information to safeguard children.
• Personal data can be shared without consent if it is necessary to fulfil a legal obligation or to carry out a public task related to safeguarding.
• Special category data (such as health or ethnicity data) can also be shared when safeguarding requirements apply.

The emphasis is on proactive information sharing. Delays caused by uncertainty or fear of breaching data protection laws have historically led to tragic outcomes, as highlighted in several child safeguarding practice reviews.

What Are the Implications for Safeguarding Practitioners?

To safeguard children effectively, practitioners need to be confident in their responsibilities regarding data sharing. This includes:

• Understanding the Legal Basis: Knowing when and how data can be shared lawfully.
• Timely Action: Avoiding delays in information sharing, as hesitation can have serious consequences.
• Collaborative Working: Ensuring multi-agency collaboration so that relevant information is shared appropriately.
• Proactivity in Sharing Concerns: Practitioners should assume responsibility for passing on safeguarding concerns, rather than waiting for others to act.

What Does KCSIE 2024 Say About Information Sharing?

The latest KCSIE (Keeping Children Safe in Education) 2024 guidance reinforces key principles:

1. Proactivity in Sharing Information: Schools and colleges must act early to identify, assess, and respond to safeguarding risks.
2. Clarification on Consent: Consent is not always required for sharing information when there is a lawful basis, such as "legal obligation" or "public task".
3. Serious Harm Test: Schools must not share information if doing so could lead to serious harm (e.g., if a child is in a refuge). When in doubt, schools should seek legal advice.
4. Record-Keeping Requirements: Safeguarding records must be processed securely, with a clear record of concerns, actions, and outcomes maintained.

The Seven Golden Rules for Information Sharing

The Information Sharing: Advice for Practitioners document outlines seven key principles to guide professionals when making decisions about information sharing:

1. Data Protection is Not a Barrier to Safeguarding: The UK GDPR and Data Protection Act 2018 allow lawful data sharing to protect children. Fear of breaching confidentiality should never delay action.
2. Be Open and Honest: Where appropriate, inform families about what information will be shared, with whom, and why, unless doing so places a child at risk.
3. Seek Consent Where Appropriate, But Do Not Delay: Consent is not required when there is a safeguarding risk, and practitioners should act promptly.
4. Be Clear on Purpose: Only share information that is necessary and relevant for safeguarding purposes.
5. Ensure Accuracy and Clarity: Data should be factual, accurate, and distinguish between opinions and evidence.
6. Share Securely and Responsibly: Share information only with those who need it and follow legal and organisational security protocols.
7. Keep a Record: Document what information was shared, with whom, why it was shared, and any decisions made.

Lessons from Recent Reviews

In April last year, the NSPCC published a thematic review analysing child safeguarding practice reviews conducted between 2017 and 2023. It identified four key challenges faced by professionals:

• Understanding why information is being shared and how to act on it.
• Knowing when they can share information.
• Understanding how to collaborate effectively across agencies.
• Recognising the roles and safeguarding responsibilities of other professionals.

The review found that 56.5% of rapid reviews completed in England in 2021 cited a lack of coordination or handover between services as a significant learning point. Misinterpretation of data protection laws and uncertainty around consent led to missed opportunities for intervention.

Why This Matters

The importance of information sharing is underscored by tragic cases such as Victoria Climbié (2003), Arthur Labinjo-Hughes, and Star Hobson. Reviews following these cases have highlighted how fragmented information led to a failure to fully understand the lived experiences of these children.

In Arthur’s case, photos of bruising sent to the police were not shared with the multi-agency safeguarding hub (MASH), and critical background information was missed. These failures resulted in devastating outcomes, outcomes that could have been avoided if information had been shared effectively.

Retention Rules for Safeguarding Data

Retention rules for safeguarding data are another critical area of consideration:

• Safeguarding records related to children should be retained until the child’s date of birth plus 25 years, after which they should be reviewed.
• Records relating to child sexual abuse should be retained indefinitely, as recommended by the Independent Inquiry into Child Sexual Abuse (IICSA).
• Allegations against staff that are found to be false or malicious must not be retained on personnel files. However, records of unsubstantiated or founded allegations should be kept until the individual reaches normal pension age or for 10 years, whichever is longer.

Data Minimisation Rules for Safeguarding Data

One of the principles of the UK GDPR is Data Minimisation meaning that personal data should be limited to what is necessary for the purposes of processing. If the child no longer attends your school all records should follow the child, including safeguarding data, and therefore these files should be forwarded to the child’s next school.

These should be shared securely and/or in some circumstances where the DSL feels there needs a conversation to be had with the school to provide a background this is fine. 

Poll 2

Exemptions and Subject Access Requests

Safeguarding data may be exempt from subject access requests (SARs) under the safeguarding exemption, but this should not be used as a blanket exemption. Each case should be assessed individually, considering:

• Whether disclosing the information might cause serious harm to the physical or mental health of the child or others.
• Whether the information could reveal that the child is at risk of abuse.
• The contents of court proceedings or adoption records.

Where exemptions apply, schools should discuss the disclosure with their Data Protection Officer (DPO) and ensure that redaction protocols are followed appropriately.

If a request comes from a solicitor, parent/guardian informing you that the court has instructed the disclosure of a child’s records including any safeguarding concerns you should request to see a copy of the court order in the first instance. (There would usually be a point made in the request for permission for the court order to be shared with the school).

This can be redacted to just include the part with the instruction to share.

When reviewing the court order, you should look to check the following:

1. The court order includes the court stamp
2. Date and signed by magistrate
3. If in the instance the solicitor is sharing the court order, ensure they act on behalf of the claimant/respondent
4. The court will detail who it should be shared with i.e. claimant/respondent solicitors to bring it to court (therefore ensure you are sharing with the correct party)

Usually, these records can be unredacted however, again, if you have any concerns then you need to discuss this with your DPO.

Quick Fire Tips to Take Away

• Safeguarding records should follow the child to their next school.
• If the child has left formal education, records should be retained for 25 years from the date of birth.
• Allegations of sexual abuse should be retained indefinitely or for 75 years, as recommended by IICSA.
• Safeguarding exemptions apply but should be assessed case by case.
• When safeguarding a child is at stake, data protection must never be a barrier to sharing information.

By embedding these principles into everyday practice, safeguarding professionals can ensure that children are protected and information is shared effectively.

Additional Info

Meeting digital and technology standards in schools and colleges - Guidance from GOV.UK

Judicium Education’s Safeguarding Service is intended to assist schools in meeting the statutory requirements and guidance for schools and colleges on safeguarding children and safer recruitment. For more information, please visit here.

We also offer bespoke Safeguarding Training options and eLearning packages.

You can find information regarding our Data Protection Officer (DPO) service here.

Jedu is Judicium's online GDPR compliance tracking software for schools. Our platform is suitable for single schools to large MATs and is designed to assist schools with two critical needs: To enable trustees, Governors and other SLT to monitor GDPR compliance; and to assist you managing your data protection.

If you would like more information on how we can support you or more information regarding Jedu, please get in touch with us.

If you require any support in any of these steps or would like to talk to someone surrounding some support for your school, please do not hesitate to call us on 0345 548 7000 or email georgina.decosta@judicium.com.

 Follow us on Twitter: @DPOforSchools and @JudiciumEDU

© This content is the exclusive property of Judicium Education. The works are intended to provide an overview of the sofa session you attend and/or to be a learning aid to assist you and your school. However, any redistribution or reproduction of part or all of the contents in any form is prohibited. You may not, except with our express written permission, distribute or exploit the content. Failure to follow this guidance may result in Judicium either preventing you with access to our sessions and/or follow up content.