Information sharing and safeguarding – but what about GDPR?

What do you think the number one area schools have been questioning me about lately is?

You may/may not be surprised to know that it is actually around sharing of safeguarding information, particularly in relation to changes to data protection that GDPR has brought with it.

My standard answer is that very little has changed regarding information sharing in relation to safeguarding children.

Sharing information to protect the welfare of a child remains very much in the public interest, which takes priority over protection of privacy.

As one participant on my recent Advanced Safeguarding course put it, in regard to information sharing, ‘Safeguarding trumps everything.’

Myth busting

The newest edition of ‘Working Together to Safeguard Children’ includes a new succinct ‘Myth busting’ page on information sharing and sets out the major principles we all need to adhere to very clearly:

‘Sharing information enables practitioners and agencies to identify and provide appropriate services that safeguard and promote the welfare of children. Below are common myths that may hinder effective information sharing.

Data protection legislation is a barrier to sharing information:  No – the Data Protection Act 2018 and GDPR do not prohibit the collection and sharing of personal information, but rather provide a framework to ensure that personal information is shared appropriately. In particular, the Data Protection Act 2018 balances the rights of the information subject (the individual whom the information is about) and the possible need to share information about them.

Consent is always needed to share personal information: No – you do not necessarily need consent to share personal information. Wherever possible, you should seek consent and be open and honest with the individual from the outset as to why, what, how and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on. When you gain consent to share information, it must be explicit, and freely given. There may be some circumstances where it is not appropriate to seek consent, because the individual cannot give consent, or it is not reasonable to obtain consent, or because to gain consent would put a child’s or young person’s safety at risk.

Personal information collected by one organisation/agency cannot be disclosed to another: No – this is not the case, unless the information is to be used for a purpose incompatible with the purpose for which it was originally collected. In the case of children in need, or children at risk of significant harm, it is difficult to foresee circumstances where information law would be a barrier to sharing personal information with other practitioners.

The common law duty of confidence and the Human Rights Act 1998 prevent the sharing of personal information:  No – this is not the case. In addition to the Data Protection Act 2018 and GDPR, practitioners need to balance the common law duty of confidence and the Human Rights Act 1998 against the effect on individuals or others of not sharing the information.

IT Systems are often a barrier to effective information sharing: No – IT systems, such as the Child Protection Information Sharing project (CP-IS), can be useful for information sharing. IT systems are most valuable when practitioners use the shared data to make more informed decisions about how to support and safeguard a child.’

– Working Together to Safeguard children 2018 (p.20)

Seven Golden Rules for Information Sharing

More detailed guidance in information sharing can be found in the new statutory document (yes, yet another important safeguarding publication out this year to add to the list) ‘Information sharing advice for safeguarding practitioners’ (July 2018), which again is succinct and practical. It shares the ‘Seven Golden Rules for Information Sharing’:

  1. General Data Protection Regulation (GDPR), Data Protection Act 2018 and human rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.
  2. Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
  3. Seek advice from other practitioners, or your information governance lead, if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.
  4. Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information shared. Under the GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared.
  5. Consider safety and well-being: base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.
  6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (see principles).
  7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.’

As well as these 7 Golden Rules, the guidance provides detailed advice on what exactly is ‘necessary, proportionate, relevant, adequate, accurate, timely and secure’ and when and how to share that information. The whole document will take you 10 minutes to read (especially if you have read the above points on myth busting which it repeats) and will most certainly put your mind at rest.

Myths in relation to Prevent – providing clarity

There will be an opportunity to explore more myths – this time around the Prevent Duty in a few weeks’ time with my very accessible and practical course entitled ‘Prevent: Supporting establishments to comply with Radicalisation and Extremism Responsibilities’. All are welcome – particularly Designated Safeguarding Leads who may have been mystified with previous training on Prevent. Questions, discussion and ideas will all be shared and participants will leave with clarity, purpose and even enthusiasm. As participants said:

Claire Speller, Raising Standards Leader Inclusion and Wellbeing, Venturers Academy:
‘Absolutely recommend this training! Very engagement focused, and great delivery of what could have been a ‘dry’ topic. I took away with me a real appreciation of the importance of whole staff understanding /knowledge/confidence to address all issues.’

Sinead Walsh, Designated Senior Person for Safeguarding, Oasis Academy New Oak:
‘I went on Mandy’s Prevent training and found the information on fundamental British values extremely useful. I was able to take this back to my school and share with the children. In our recent Ofsted inspection the children were clearly able to answer what they knew by Democracy and Mutual Tolerance and Respect.’