The DfE recently updated their guidance for practitioners providing safeguarding services for children, young people, parents and carers. We have highlighted the changes below and what that might mean regarding data protection and data sharing.
The guidance highlights Seven Golden Rules for sharing information (including personal information):
- All children have a right to be protected from abuse and neglect. Protecting a children from such harm takes priority over protecting their privacy, or the privacy rights of the person(s) failing to protect them. The DfE guidance points towards using a data protection framework which is something that the DPE Knowledge Bank provides. If you are worried about sharing information relating to abuse and neglect, we would advise checking with us first by emailing
This email address is being protected from spambots. You need JavaScript enabled to view it. as a follow up question to your SAR. - When you have a safeguarding concern, wherever it is practicable and safe to do so, engage with the child and/or their carer(s), and explain who you intend to share information with, what information you will be sharing and why. Remember you are not required to inform them if you have reason to believe that in doing so it may cause harm to another person. If you are worried or unsure, then we would advise checking with us first by emailing
This email address is being protected from spambots. You need JavaScript enabled to view it. . - You do not need to consent to share personal information about a child and/or members of their family if a child is at risk or there is a perceived risk of harm. As the DfE guidance says you do need a lawful basis to share information under data protection law. Generally speaking consent is not always the best option for asking to share data, which is also what the DfE guidance says. It is always advisable to be as transparent as possible when it comes to details about how you process and share data. If you are unsure about what legal basis you might be able to share data or whether you should be sharing data, contact us and ask about your specific case by emailing
This email address is being protected from spambots. You need JavaScript enabled to view it. . - Seek advice promptly whenever you are uncertain or do not fully understand how the legal framework supports information sharing in a particular case. Your DSL is best placed to help with this decision and have the relevant information and should be consulted in these cases. If you are unsure about the legality of sharing information then email us for legal advice relating to a specific case on
This email address is being protected from spambots. You need JavaScript enabled to view it. . - When sharing information, ensure you and the person or agency/organisation that receives the information take steps to protect the identities of the individuals who might suffer harm if their details became known to an abuser or one of their associates. Whenever data is shared or a data breach occurs damage is assessed by trying to measure the risk to any individuals concerned. When sharing information it is always best to have this at the forefront of your mind.
- Only share relevant and accurate information with individuals or agencies/organisation that have a role in safeguarding the child and/or providing their family with support and only share the information they need to support the provision of their services. This takes into account the data minimisation principle of data protection which assumes that you only share what you need to share.
- Record the reasons for your information sharing decision, irrespective of whether or not you decided to share information. We recommend documenting decisions for sharing and not sharing information. Circumstances might change which might mean you do decide to share the information in the future. Documenting decisions mean that you can explain why a decision was made, for example in the case of a complaint.
It's important to remember that data protection laws do not prevent data sharing but are to protect people when data is shared about them; to make sure it is done in a safe and responsible way. Our customers can do this by using our data protection framework either by using the guidance in our Best Practice Libraries or contacting us to ask a question.
It is important to ensure you have the right legal basis for sharing any personal data and if the information is ‘special category data’, you will also need to find a condition for processing the information under Article 9 of UK GDPR.
Often we see schools asking for consent when they are not sure about sharing or processing personal data. This is not always correct and we would advise contacting us in that instance to check if the lawful basis is not clear.
The full guidance: DfE Information Sharing. We also recommend reviewing: Keeping Children Safe in Education.
In your organisation check with your data protection lead and the DSL.
Previous DPE article about sharing information in a school setting:
https://dataprotection.education/best-practice-update/398-ico-10-step-guide-to-sharing-information-to-safeguard-children