How to balance your data obligations with your duty to safeguard a child
The Information Commissioner’s Office (ICO) is the independent regulator of information rights. The UK General Data Protection Regulations (UK GDPR) sets out an individual’s data rights. This extends to children and young people, who are generally treated with additional care under the UK GDPR.
As a children’s services provider, you must balance data rights with the care and support provided to children and young people. A key part of this is safeguarding children or young people at risk of harm, which will undoubtedly involve sharing data. Such data may include special category data, such as health information, which needs to be afforded additional caution. The UK GDPR allows you to share information in a safe, proportionate and lawful way.
The ICO's ten steps on sharing information for safeguarding purposes
The ICO has published practical guidance on sharing information for safeguarding purposes. The guidance is aimed at those involved in safeguarding children, at all levels and in all sectors, across the UK. The guidance contains ten steps to follow.
- Data protection is a framework to help you share information and doesn’t prevent the sharing of information to safeguard a child. It can be more harmful not to share information if it is required to protect a child. Always seek advice from your data protection officer or other expert, such as a solicitor or your local Caldicott Guardian, and work to balance your obligations in the best interests of the child.
- Be clear about your purpose for sharing any information. You should keep a record of decisions made about sharing or not sharing information, and the reason for the same.
- Ensure that you have strong governance, policies and systems in place. These should be regularly reviewed to ensure they comply with the most recent legislation and guidance. This includes ensuring that everyone within your organisation is trained in safeguarding and data protection at the level they need. This training should be appropriate for your organisation and refreshed where necessary. Aim to build a culture of compliance and good practice at all levels throughout your organisation.
- Tell people how and why their information is being used. Individuals have the right to know what happens to their personal data. However, when sharing information for safeguarding purposes, you may not be able to give everyone equal rights, so you may need to rely on relevant exemptions such as to enable information to be disclosed if required by law or if there is the possibility of serious harm to the physical or mental health of an individual.
- When deciding to share information, be sure to fully assess the risks and keep a record of this assessment. This can be done via a data protection impact assessment. However, if sharing data on a one-off basis or in response to an emergency, you can share information that is necessary and proportionate to safeguard the child.
- Consider implementing a data sharing agreement between you and any third parties with whom you are sharing information. This is not mandatory but may be beneficial for routine sharing of information. The benefits include clarity around the information being shared, how it will be shared and what to do if things go wrong.
- There are seven data protection principles: lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity and confidentiality and accountability. These should always be followed when handling and sharing personal information as well as when preparing policies, procedures and impact assessments.
- A lawful basis is the valid reason for processing personal data. Identifying the correct lawful basis for sharing in the circumstances will allow you to share the information you need to safeguard a child. The ICO has a helpful tool to assist – Lawful basis interactive guidance tool | ICO.
- In an emergency, there may be limited time to follow due process. Do not hesitate to share information when it is to safeguard a child. Record what you shared, how and why as soon as you can after the event. It may be useful to create a plan for these emergency situations so everyone is aware of the processes to follow.
- Read the ICO’s data sharing code – Data sharing: a code of practice | ICO.
We echo the guidance provided by the ICO. The importance of robust policies and procedures surrounding data protection cannot be underestimated. We would recommend that all polices and procedures are kept under review and updated as required. Our data protection experts can support providers with this.
Our dedicated Health and Social care team can also provide assistance on safeguarding matters.
More Health & Social Care articles from around RWK Goodman:
View more articles related to Health and Social Care