1.7 Information Sharing and Confidentiality
1. Introduction
1.1 The effective sharing of information between practitioners, agencies and organisations is essential for the early identification of need, assessment and service provision to keep children and young people safe. Rapid Reviews and Child Safeguarding Practice Reviews have repeatedly highlighted that missed opportunities to record, understand the significance of and share information in a timely manner can have severe consequences for the safety and welfare of children and young people.
1.2 Sharing information means the sharing of “individual level data” (i.e. personal information). It is an intrinsic part of any practitioner’s job when working with children and young people. Decisions about how much information to share, with whom and when, can have a profound impact on individuals’ lives.
1.3 Data protection law is not a barrier to sharing information when it is necessary, proportionate, and justified to do so. The most important consideration is to safeguard and promote the welfare of the child or young person – this includes safeguarding and promoting the welfare of unborn children or children who’s identity has yet to be established.
1.4 The use of terminology like GDPR (General Data Protection Regulation), lawful basis, data processing, data controller / processor, special category data and references to the Data Protection Act can give the impression that there are numerous barriers to information sharing. There are not. “No practitioner has ever been disciplined nor removed from a professional register for data sharing to safeguard and promote the welfare of children or young people”. See also the “Common myths that hinder effective information sharing” in Working Together 2023.
2. In What Circumstances Can Information Be Shared?
2.1 Information can be shared to safeguard and promote the welfare of children.
2.2 Working Together 2023 is the statutory guidance for “all organisations and agencies who have functions relating to children”. Specifically, it applies to all local authorities, clinical commissioning groups, police and all other organisations and agencies (which are listed in Chapter 2). It applies, in its entirety, to all schools. It applies to all children up to the age of 18 years whether living with their families, in state care, or living independently and should be complied with unless exceptional circumstances arise.
2.3 Working Together is a guide to “inter-agency working to safeguard and promote the welfare of children”. It says that “practitioners should be proactive in sharing information as early as possible to help identify, assess and respond to risks or concerns about the safety and welfare of children, whether this is when problems are first emerging, or where a child is already known to local authority children’s social care” (Paragraph 25 and Appendix A). Information guidance sharing therefore applies to all children and young people in all circumstances, not only when undertaking an assessment of risk. Working Together is clear that child protection “is part of safeguarding and promoting welfare”.
Working Together defines safeguarding as:
- Protecting children from maltreatment;
- Preventing impairment of children’s mental and physical health or development;
- Ensuring that children are growing up in circumstances consistent with the provision of safe and effective care;
- Taking action to enable all children to have the best outcomes
2.4 Sharing information early helps to ensure that a child or young person receives the right services at the right time and helps to prevent a risk or need from becoming more acute.
2.5 Practitioners should be alert to the need to share important information about any adults with whom a child or young person has contact that may impact the child or young person’s safety or welfare. Similarly, human rights concerns, such as respecting the right to a private and family life would not prevent sharing information where there are safeguarding concerns.
3. Justification – The Legal Basis for Sharing Information
3.1 The General Data Protection Regulation was incorporated into law in the UK by the Data Protection Act 2018. You must have a legal basis for sharing information; these are set out within the UK GDPR (Articles 6 and 9). Whilst there is no single “best” basis, the most relevant for the purposes of safeguarding and promoting the welfare of children are legal obligation (article 6(1)(c) and public task (article 6(1)(e). You must always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing.
3.2 Legal Obligation – Article 6(1)(c)
The processing of information is necessary for you to comply with the law – relevant legislation would include the Children Act 1989 and Section 11 of the Children Act 2004 which places duties on a range of organisations, agencies and individuals to ensure their functions, and any services that they contract out to others, are discharged having regard to the need to safeguard and promote the welfare of children.
3.3 Public Task – Article (6)(1)(e)
Where a specific task is carried out in the public interest which is laid down by law; or the processing is needed in the exercise of official authority (e.g. a public body’s tasks, functions, duties or powers) which is laid down by law.
3.4 Other Bases
3.4.1 The other bases for sharing information are vital interest, legitimate interest, contract and consent. UK GDPR sets a high standard for consent: it must be specific, freely given, unambiguous, time limited and capable of being withdrawn by the Data Subject at any time. The fact that consent can be withdrawn usually means that it is not the appropriate lawful basis for sharing information for safeguarding purposes. Additionally, in some circumstances, seeking consent from a person you believe is neglecting or abusing a child is likely to undermine safeguarding procedures and may increase the risk of harm to the child or another person.
3.4.2 Consent means offering individuals real choice and control. The UK GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of ‘informed’ consent. Generally, you can assume that adults, and children aged 13 and over, have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables them to be fully informed.
3.5 Schedule 1 of the Data Protection Act 2018 (Para 18 Part 2) provides conditions that need to apply if the information that is being shared is criminal data or special category personal data (See Section 6.5 below) for social care or substantial public interest purposes in Article 9 UK GDPR.
- Paragraph 2 and Paragraph 6 of Schedule 1 provides for special category and criminal information to be shared when exercising duties under the Children Act 1989 and 2004;
- Paragraph 18 of Schedule 1 allows practitioners who would usually rely on consent to share criminal data or special category data for the purposes of ‘safeguarding of children and individuals at risk’ in circumstances where consent cannot be given, consent cannot be reasonably expected to be obtained by practitioner, or if obtaining consent would prejudice safeguarding a child.
3.6 The police and other law enforcement agencies must also share information for the purposes of safeguarding and promoting the welfare of children. The framework for the police is set out in Section 35(2)(b) of the Data Protection Act 2018 and in Schedule 8 (which sets out the conditions for processing special category data).
3.7 The most important consideration is whether sharing information is likely to assist in safeguarding and promoting the welfare of a child; if it does then information can be shared without consent.
4. Who Is Responsible for Sharing Information and How?
4.1 All practitioners, agencies and organisations are responsible for sharing information. Practitioners are responsible for lawfully sharing the information they hold and must not assume that someone else will pass on information that may be critical to safeguard and promote the welfare of a child.
4.2 Local Safeguarding Partners are responsible for ensuring that relevant information is shared in a timely and proportionate way, both within the local area and across local authority boundaries. Guidance and protocols are in place setting out the legal basis for sharing information between agencies in Norfolk.
4.3 Information sharing must be necessary and proportionate to the circumstances of the child or young person. It must be undertaken securely, and the nature of the information requested / provided should be recorded. If information is withheld, then that should also be recorded.
4.4 In an emergency, you should go ahead and share data as is necessary and proportionate. You should always document the action you took after the event if you cannot do it at the time.
5. Principles of Information Sharing
5.1 Practitioners should use their judgement when making decisions about what information to share and must follow their organisational procedures or consult with their manager, information governance or data protection lead if in doubt.
5.2 When sharing information, practitioners must ensure that it is:
- Necessary and proportionate to the circumstances;
- Relevant to the circumstances;
- Adequate and sufficient for its purpose;
- Accurate and up to date;
- Timely, particularly in an emergency;
- Exchanged securely; and
- The details of the information shared (or withheld) should be recorded.
5.3 The Golden Rules – remember that:
5.3.1 Safeguarding and promoting the welfare of a child will almost always be more important than protecting their confidentiality or the confidentiality of the person(s) responsible for their care and wellbeing;
5.3.2 Wherever it is practicable and safe to do so, discuss your concern(s) with the child’s carer(s) and tell them who you intend to share information with, what information you will be sharing and why, unless that may put the child at risk of harm.
5.3.3 You do not need consent to share information.
5.3.4 Seek advice promptly if you are uncertain or do not fully understand the legal framework that supports information sharing – but do not leave a child at risk because you have concerns about the possible consequences of information sharing.
5.3.5 When sharing information, ensure you and the person or organisation that receives the information you have shared takes steps to protect the identities of any individuals (e.g. the child, a carer, a neighbour or a colleague) who might suffer harm if their details became known to an abuser or one of their associates.
5.3.6 Only share information with individuals or organisations that have a role in safeguarding the child or providing their family with support, and only share the information they need to support the provision of their services. Sharing information with a third party rarely requires you to share an entire record or case-file: you must only share information that is necessary and proportionate for the intended purpose. That purpose should be made clear at the point when information is requested or provided.
5.3.7 Record the reasons for your information sharing decision, regardless of whether you decide to share information. When another practitioner or organisation requests information from you and you believe sharing information cannot be justified, explain why. Reconsider your decision if the requestor shares new information that might cause you to regard information you hold in a new light.
5.3.8 If information has been shared, then the subject(s) of that information sharing have the right to challenge and may have the right to erasure of the information if the sharing of information was not necessary or proportionate. However, the right to erasure does not apply if information has been shared on the basis of “legal obligation” or “public task” – see Section 3, Justification – The Legal Basis for Sharing Information above.
6. Terminology
6.1 Data Controllers and Data Processors
6.1.1 Your employer (local authority, health service, police, school etc) is what is known as a “Data Controller”. Data Controllers are required to demonstrate compliance with all of the data protection principles as well as the other UK GDPR requirements. When sharing information, you will be doing so on behalf of your agency. It is important that all practitioners ensure that one of the legal bases for sharing information applies (see Section 3, Justification – The Legal Basis for Sharing Information above) and that they abide by the principles for sharing information. (See Section 5, Principles of Information Sharing above).
6.2 Data Protection Impact Assessment (DPIA)
6.2.1 A DPIA is usually only required if large amounts of information affecting many data subjects is being shared (see paragraph 3.6 above) – not for individual episodes of information sharing. There may be occasions when there is a concern about sharing a specific piece of information in which case, practitioners should consult with their designated safeguarding lead and / or information governance lead to evaluate the privacy risks that may arise from sharing that information.
6.2.2 If a new DPIA is required or an existing one is revised, there is a legal requirement to seek the advice of your organisation’s data protection officer (See UK GDPR Article 35(2)).
6.3 Processing Data
6.3.1 Processing information for the purposes of this guidance simply means collecting, recording, accessing, sharing or otherwise making use of the information available to practitioners.
6.4 Personal Data
6.4.1 Personal data may be shared within the guidelines set out above. It includes information that would directly or indirectly identify an individual. There may also be other information about the person linked to the personal data, which would then also be personal data.
6.4.2 Personal data that has been “pseudonymised” (where details have been replaced with a key) or “de-identified” (where identifying details have been removed) can still be personal data – even if an indirect identification requires access to an additional database.
6.5 Special Category Data
6.5.1 Special category data is personal data, as set out below, which is more sensitive and needs more protection:
- Racial or ethnic origin;
- Political opinions;
- Religious or philosophical beliefs;
- Trade union membership;
- Genetic data;
- Biometric data (where used for identification purposes);
- Health;
- Sex life; and
- Sexual orientation.
6.5.2 Special category data can be shared so long as one of the conditions for processing special category data are met (See Article 9, UK GDPR) as well as the legal basis for processing noted in Section 3, Justification – The Legal Basis for Sharing Information, above. These include:
- Reasons of substantial public interest (Article 9(2)(g)) which includes the processing of information to prevent or detect unlawful acts, protecting the public and safeguarding of children and individuals at risk; and
- Health or Social Care (Article 9(2)(h)) which includes the processing of information for the purposes of preventive medicine, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services.