From school to university: sharing safeguarding information
Insight
Practically speaking, the line between a 17 and 18-year-old is largely an arbitrary one, but legally it is hugely important. Overnight, a 17-year-old child becomes an 18-year-old adult and is no longer covered by the safeguarding protections afforded to a legal “child”. Around the same time the transition to the “big wide world” of higher education can be a watershed moment and many may want to leave troubled school years behind them. But when it comes to ongoing safeguarding issues, is this a good idea? What are the roles, and mutual responsibilities, of schools and universities when a pupil about whom there are safeguarding concerns transitions to higher education?
Who is a child and who is a “adult at risk”?
- A child is anyone aged under 18.
- An “adult at risk” is an adult who has care and support needs, is experiencing or is at risk of experiencing abuse or neglect, and as a result of those needs is unable to protect themself against the abuse or neglect. This is a relatively high threshold. While U18s cease to be children when they turn 18, adults may move in and out of the scope of the definition of adult at risk.
The gap in guidance
There is ample guidance and information on what should be shared between schools when a child with safeguarding needs leaves one school to join another school, not least in the statutory guidance Keeping Children Safe in Education (KCSIE). But what if, for example, a pupil on the cusp of going to university is known to be a suicide risk or to have a drug or alcohol problem? This is a very real concern to many schools but also to universities, who have far less guidance and almost no regulation. This does not generally form part of the mandatory information provided at the application stage. What and how much safeguarding information can, and / or should, be passed on?
Unfortunately, clear, easy-to-follow rules or directly applicable statutory guidance do not exist when it comes to sharing medical, mental health and other safeguarding information between schools and universities. We have useful comparable or analogous material, such as KCSIE, provisions under the Care Act 2014 for adults at risk, and the Government’s Guidance on Information Sharing for Safeguarding Practitioners, which cover certain scenarios. What is lacking is a sweep-up set of rules, guidance or support infrastructure governing the transition from a child in education to a young adult in education, including what to share, when, and with whom.
Duty of care considerations
While universities have a general duty of care to deliver educational and pastoral services to the standard of an ordinarily competent institution, they do not have a defined legal duty to safeguard their students like schools do. This has been the subject of recent media attention and a parliamentary debate, as discussed in this article.
Information sharing and data protection
Data protection law provides an overall statutory regime governing the collecting and sharing of personal data. In 2018 the new Data Protection Act (DPA) introduced a specific ground for processing sensitive data for safeguarding purposes, but this only applies to the protection of U18s or “adults at risk”.
The legislation does set out a number of other grounds on which decisions to share sensitive personal information (other than with explicit consent) may potentially be based, including where a “substantial public interest” condition is met. There is however no “silver bullet” to justify sharing in this particular scenario. The key reasons are as follows:
- Legal definition of safeguarding. First, as stated above: the safeguarding-specific processing condition in the DPA only applies to protecting under 18s or “adults at risk”.
- Absence of statutory guidance. KCSIE refers throughout to “children”, and its specific obligations and recommendations (including around sharing the safeguarding file and other relevant information for pupil support with destination schools and colleges in England) no longer apply when the pupil is over 18 and / or out of the school system.
- Doubts as to the duty of care. Where a HEI can show that it is at risk from legal claims in duty of care / negligence cases, this might provide a lawful basis to process relevant health or other sensitive data of candidates and students. However, this does not justify speculative enquiries or routine sharing, especially in circumstances where the actual duty of care on HEIs remains a topic of legal debate.
Data protection law itself is not the enemy of sharing (a point that was discussed in the recent parliamentary debate referred to above). As a general rule, “data protection” should never stand in the way of a person’s safety and should not be an excuse for avoiding a difficult conversation. However, it does form part of a system of checks and balances to prevent unnecessary or disproportionate sharing of sensitive personal data of adults without their consent. As such, the data protection position merely reflects the broader legal framework here, and the choice of successive governments not to legislate for this particular issue.
Checklist for sharing and drawing up a policy
The key questions for the sharing party (usually the school) that should form part of a policy / protocol will be as follows:
- In what cases, and on what occasions, should we consider sharing information?
- What is the purpose for sharing the information?
- Data protection law requires a lawful purpose for sharing. This purpose should be recorded, securely, as a matter of internal record.
- If there is a clear purpose, consideration should be given as to what information is necessary to assist that purpose (for example do any documents, let alone a whole file, need to be shared, or can a no-names conversation be held first?).
- Has the individual consented to the sharing, or is there any issue in seeking consent from them?
- If not consent, is there another legal justification for sharing?
- For non-sensitive personal data, such as contact data, it can be as simple as establishing a legitimate interest (of any party) to share that will outweigh any possible prejudice to the individual, and
- For sensitive data, eg sexual life, criminal allegations or medically confidential data, it would require an additional condition to share without explicit consent.
- If we are clear of the purpose and believe there are legal grounds to disclose on a “names” basis, consider:
- Exactly what needs to be shared (for example, can we consider redaction, minimisation or anonymisation of third parties?),
- With whom at the higher education institution the information should be shared (ideally this would be a trained DSL or equivalent who has been properly identified), and
- How the school should share the information: both to ensure data security and to put the identified recipient on notice of the stated purpose of sharing, reminding them of the confidentiality of the material and care that should be taken in storing or further sharing it.
This should all form part of a risk assessment in sharing or reaching out to universities. Breaching confidentiality is one of the potential risks to be managed and mitigated, but so of course is not sharing information that could be important.
For the receiving party (university), the key questions are:
- What is the purpose for which this information is being shared with us? Do we agree with it?
- Is the right person taking receipt, and are they properly trained and supported?
- Does the child / young adult concerned know we have the information? When is it appropriate to hold it without their knowledge, or specifically against their wishes?
- Does the university have the right infrastructure for processing the information appropriately, ie
- Clear definition of roles,
- Secure storage, filing and access protocols, and
- Procedures on when to share and when to act?
- What are the risks and benefits, including to the student body as a whole, in this information: whether in holding it, or not accepting, recording, or acting on this information? In other words, when is it appropriate for the university pro-actively to take on a duty of care?
- How long should the university hold the information, and how much of it (particularly if, as months or years pass, it has not yet proven necessary or useful)?
- Have we, in fact, received all we need? Are there any other organisations or sources of information who could lawfully assist in building up the picture (families, carers, authorities, student bodies), and what safeguards and protocols should we consider in doing so?
- Does the university need to do anything immediately?
There is a question for universities of when merely being in receipt of certain information places them under a specific duty of care. Assuming the university has the right infrastructure for supporting students generally, it should be considered how the receipt of the information feeds into those processes and whether the circumstances require special measures or monitoring for an individual.