After too long, in our view, without providing anything of real substance about safeguarding data in its guidance, the Information Commissioner’s Office (ICO) has recently published a "ten step guide to sharing information to safeguard children". This is on the back of a recent consultation on the Government’s update of its own 2018 Information Sharing Guidance for Practitioners which, until recently, was the primary source of official guidance on the issue.
The Commissioner John Edwards has further supported this push via blog posts on LinkedIn, emphasising key points which the Farrer & Co safeguarding unit has been championing for some time:
- Serious case reviews have shown, time and time again, that poor information sharing among organisations and agencies is a contributing factor in failures of safeguarding, and
- You will not get into trouble with the ICO for trying to prevent or lessen a serious risk or threat to a child’s mental and physical wellbeing.
The latter is a direct quote from the Commissioner, which is of course reassuring.
What does the new guidance do?
While the guidance changes nothing in the law, it should provide some long-overdue comfort to practitioners and organisations with safeguarding responsibilities who just want to get on with their primary task of keeping children safe.
What it does not do is provide much detail on the underlying data protection issues that can still cause concern: in particular, retention of safeguarding records, balancing the interests of parents and children, what happens when a child turns 18, and the lawful basis to share safeguarding data in certain legitimate contexts where, for example, the processing is not a direct intervention to protect a child. These remain nuanced and fact-specific questions that require care and consideration. But the new guidance will provide a useful resource and checklist for schools needing to consider the often-complex questions involved in deciding when and how to share personal information in a safeguarding context.
What are the key messages?
This is the ICO’s most substantive pronouncement specifically on the subject since the GDPR came into force. Under that legislation, and more specifically with the Data Protection Act 2018 (DPA 2018), there has always been a clear legislative framework for the lawful sharing of personal data for safeguarding purposes. Before now, however, ICO guidance has done little more than re-state what the legislation says.
The purpose of this new guidance seems to be to clarify and reassure in an area where unhelpful assumptions, typically of the "data protection says no" variety, can undermine the aims and principles of safeguarding. As such, it will be reassuring to schools seeking to comply with both safeguarding and data protection obligations.
At the same time, it is worth remembering that the oft-heard adage “child protection trumps data protection” is not always helpful: the point is that data protection and child protection in fact go hand in hand. Not only should compliance not be an obstacle to safeguarding, it is in fact an essential part of good practice. It provides a system of checks and balances, both in protecting children’s dignity and privacy, and ensuring fair, accurate and adequate sharing of information about children and adults, wherever necessary for the purpose.
The ICO is clearly keen to dispel any sense that the two regimes are in conflict, confirming that: “Data protection law allows you to share information when required to identify children at risk of harm and to safeguard them from harm. Data protection law … helps you to share information in a fair, proportionate and lawful way. It can be more harmful not to share information that is needed to protect a child or young person.”
In line with the Commissioner’s summary, the guidance acknowledges that one of the recurring themes of serious case reviews into cases of child abuse and neglect has been the contributory factor of flaws in information sharing procedures. It is clear from the guidance that the ICO is keen to convey the message that data controllers will not face enforcement action from the regulator “when [they] share information in good faith to help identify and safeguard a child you believe is at risk of harm.”
What are the 10 steps?
Beyond that overarching principle, however, there are obviously a number of key details as to the practicalities involved in deciding what to share, with whom, and how. To this end, the guidance takes the helpful structure of laying out 10 key considerations.
Drawing and expanding on the seven “golden rules” of information sharing set out in the existing government guidance, the 10 steps will provide a useful checklist for safeguarding professionals and data protection compliance leads. We recommend schools review the list in full, but we have summarised and commented below on what we consider to be the key elements of each of these steps.
Step 1: Be clear about how data protection can help you share information to safeguard a child.
This essentially restates the principles outlined above, noting that data protection provides a framework for lawful sharing of data rather than an obstacle.
Step 2: Identify your objective for sharing information, and share the information you need to, in order to safeguard a child.
This highlights the importance of identifying the purpose for sharing the data (usually clear in a safeguarding context) but also notes that an important consideration is how much personal data needs to be shared for that purpose (linking to key GDPR principles of purpose limitation and data minimisation).
Step 3: Develop clear and secure policies and systems for sharing information.
The guidance reminds practitioners that strong governance, policies and systems are key and that for any organisation that works with children, data protection and safeguarding need to be at the heart of organisational culture, compliance and training.
It also notes that routine sharing of information between organisations in a safeguarding context should be subject to clear rules and procedures, including by putting in place key data protection compliance documentation such as a data protection impact assessment (DPIA) and a data sharing agreement.
Helpfully, the guidance acknowledges that it may well still be necessary (and lawful) to share information on an irregular basis (perhaps most obviously for schools in the context of referrals to statutory agencies such as the local authority or the police).
Step 4: Be clear about transparency and individual rights.
While acknowledging the general importance of being clear with individuals about how their personal information is used (eg via the school’s privacy notice), and giving effect to other UK GDPR rights, the guidance acknowledges that data protection law provides a number of exemptions from these rights (eg the right of access and the right to have information rectified or erased), which may apply in a safeguarding context (notwithstanding the absence of a catch-all "safeguarding exemption" to data subject rights, itself a common misconception). One example is where disclosing information under a subject access request would be likely to cause serious harm to a child.
Balancing these respective rights and obligations, and when / how to seek the views of relevant professionals, can often be one of the most complex elements in this area. While the ICO guidance only provides high-level principles, it is helpful to see their acknowledgement that safeguarding considerations may mean individuals’ rights need to be restricted in some way in certain situations.
Step 5: Assess the risks and share as needed.
While a DPIA will often be the best way to carry out a risk assessment for regular data sharing, the ICO acknowledges that one-off sharing, including in urgent / emergency situations, may well still be necessary even if it has not been included in a DPIA, or if time does not allow.
Step 6: Enter into a data sharing agreement.
As the guidance confirms, it is not a mandatory requirement of the UK GDPR for data controllers to enter into formal agreements when sharing personal data. However, it is recommended for any regular or large-scale sharing arrangements, to provide clarity on what is being shared, for what purposes / lawful grounds, and what particular arrangements might be needed for eg deletion / return / retention of the data.
Even in smaller scale irregular contexts, it is often advisable for the school as the organisation sharing data with, say, a statutory agency, to record and document in writing (even if not via a formal agreement) that it has considered the purpose for which the data is necessary and the lawful basis for sharing. It can also specify any particular constraints or restrictions (eg around purpose and onward use) and clarify any decisions on identification or, otherwise, redactions and ciphering.
Step 7: Follow the data protection principles.
These core UK GDPR principles should be at the heart of any data protection decision, action etc, and cover key requirements including lawfulness, fairness and transparency; purpose limitation and data minimisation (ie only sharing what is necessary for the specific purpose) and ensuring appropriate security arrangements are in place.
Step 8: Share information using the right lawful basis.
The guidance runs through the most relevant lawful bases under both Articles 6 and 9 of the UK GDPR which may apply in safeguarding contexts. It notes that consent is one lawful basis, “but is not required for sharing information in a safeguarding context. In fact, in most safeguarding scenarios you will be able to find a more appropriate lawful basis.”
Indeed, as the guidance notes, there is a specific lawful basis contained in the DPA 2018 relating to the safeguarding of children and individuals at risk, when relying on the "substantial public interest" condition contained in Article 9 of the UK GDPR, in respect of sensitive / special category personal data. However, that basis does (in the DPA 2018) require an assessment to be made first as to whether consent can or should be obtained, so it is interesting to see the ICO clarify that, in most cases, it will not be appropriate.
Step 9: Share information in an emergency.
The message here is clear that “in an emergency, don’t hesitate to share information to safeguard a child. You might not have time to follow all the usual processes.”
After the event, the guide recommends that data controllers make a record of what was shared, with whom, and why. It also acknowledges that some situations may be “urgent” but not an emergency, but that it is up to the data controller to adopt a proportionate approach appropriate to the context.
Step 10: Read our data sharing code of practice.
Finally, the guide points to more general ICO guidance on data sharing which will continue to be relevant to these issues.
Overall, the ICO is clearly keen to reassure data controllers taking these decisions. Whilst this clarity when it comes to the legal right to share does not remove all the complexity, nuance and emotion from the process, it is certainly helpful to have this guidance, and the messaging around it, as an indication of the ICO’s regulatory approach.
This publication is a general summary of the law. It should not replace legal advice tailored to your specific circumstances.
© Farrer & Co LLP, November 2023