Practitioners “will not get into trouble” by sharing information to protect children at risk, the data protection watchdog has said.
The UK Information Commissioner’s Office (ICO) issued the message in releasing guidance today designed to allay frontline professionals’ fears that they will fall foul of data protection rules by sharing information in safeguarding cases.
The 10-point guidance cites the frequency with which case reviews have found inadequate information sharing to have contributed to failures to protect children.
Arthur and Star cases
This includes the reviews into the murders of Star Hobson and Arthur Labinjo-Hughes by the Child Safeguarding Practice Review Panel, which found that inadequate information sharing meant professionals were not able to build up a picture of what life was like for either child.
In Arthur’s case, reviewers found that practitioners did not share information with the wider family because they did not have the boy’s father’s consent, meaning they missed the opportunity to reappraise the risks he was facing.
“Locally, child protection practitioners need to feel empowered to share information without consent but we recognise that this is not commonplace,” said the panel, in its May 2022 report on the two cases.”
UK Information Commissioner John Edwards issued a similar message today.
“My message to people supporting and working with children and young people is clear: if you think a child is at risk of harm, you can share information to protect them,” he said. “You will not get in trouble with the ICO for trying to prevent or lessen a serious risk or threat to a child’s mental and physical wellbeing.”
What the ICO information sharing guidance says
- Be clear about how data protection can help you share information to safeguard a child – the ICO stresses data protection is a framework to help practitioners share information and that staff should seek advice from their data protection team, follow existing policies in relation to safeguarding and not worry about getting into trouble with the watchdog.
- Identify your objective for sharing information, and share the information you need to, in order to safeguard a child – practitioners should define their purpose and use this to justify how much information they share, and with whom, documenting what they do. “You can share all the information you need to, with an appropriate person or authority, in order to safeguard a child,” the ICO stresses.
- Develop clear and secure policies and systems for sharing information – organisations should put in place systems for routine and one-off information sharing, train practitioners to the level that they need in safeguarding and data protection and provide staff with access to advice from its data protection team.
- Be clear about transparency and individual rights – while practitioners should normally tell people how their personal information will be used and allow them to exercise their rights under data protection law, this might not be required in safeguarding cases, where a child may thereby come to serious harm.
- Assess the risks and share as needed – carrying out a data protection impact assessment (DPIA), with the help of your organisation’s data protection team, can help practitioners assess the risks of sharing information in particular cases.
- Enter into a data sharing agreement – it is helpful to have a data sharing agreement (DSA) with organisations with which you share information, setting out what will be shared and how, and organisations’ responsibilities for complying with data protection law.
- Follow the data protection principles – lawfulness, fairness and transparency; purpose limitation (share only for clear, specified, legitimate purposes); data minimisation (share information that is adequate, relevant and limited to what is necessary for your purposes); accuracy; storage limitation (keep the information no longer than necessary for your purposes); integrity and confidentiality, and accountability (demonstrate your compliance with the principles).
- Share information using the right lawful basis – the most common bases for sharing information in a safeguarding context are public task (carrying out a public function), legal obligation (complying with the law) and legitimate interests (sharing is necessary for the organisation’s legitimate interests unless there is a good reason to protect the individual’s data). Consent is not required to share information in safeguarding cases.
- Share information in an emergency – practitioners should not hesitate to share information in an emergency, though should document what they do.
- Read the ICO’s data sharing code of practice.
The proposed DfE guidance, which drew on the panel’s report into the Arthur and Star cases, was designed to address concerns that practitioners were not sharing information where they had not obtained consent.