The Information Commissioner’s Office (ICO) is currently collaborating with the Children’s Commissioners Office on a resource for all UK organisations whose work involves safeguarding children. It will give practical advice and tools which staff can use to assist if sharing personal data in the context of safeguarding (such as privacy notices, DPIAs and case studies to illustrate best practice).
During the ICO’s national conference in July (DPPC 2022), representatives from the regulator answered several queries from participants, and as an interim measure the ICO has made available responses to a series of FAQs, a selection of which are discussed below.
The regulator emphasised that the UK GDPR is not a barrier to personal data sharing; it provides a framework for data sharing fairly and proportionately. The ICO would not penalise organisations for sharing personal data to protect a child.
Is consent needed to share a child’s data for safeguarding purposes?
No. The ICO’s FAQs consider this issue when discussing what lawful basis should be relied upon by organisations sharing personal data. In safeguarding situations, relying on a legal obligation, a public task, or a specific legitimate interest applicable to your organisation is more appropriate than the lawful basis of consent.
But does a child need to be told when their personal data is shared?
The default position is yes, since any organisation processing a child’s personal data must inform that child of how their personal data is used, including who it is shared with. The usual way to inform is by providing clear and accessible privacy information.
The FAQ points out that there are, however, situations where the right to be informed does not apply; the example given by the ICO is a situation where informing the child could cause further harm.
How are organisations expected to prepare for sharing personal data in emergency situations, such as safeguarding?
Last year a statutory code was introduced by the ICO, covering personal data sharing for all organisations, with supporting resources available online. This made clear that in urgent or emergency situations, organisations should share data as necessary and proportionate for
- preventing serious physical harm to a person;
- preventing loss of human life;
- protection of public health;
- safeguarding vulnerable adults or children;
- responding to an emergency; or
- an immediate need to protect national security.
In such situations, organisations should always factor in the risks involved in not sharing data – which might be more harmful than sharing. The Code points out that all types of organisations might have to face an urgent but foreseeable situation at some point. In those cases, decisions are often taken rapidly, with less time to consider issues, increasing risk and making it difficult to make sound judgements. With this in mind, the ICO expects organisations to plan ahead for such eventualities. It recommends having procedures about how your organisation should use personal information in an emergency or urgent situation, and training staff accordingly.
How should organisations share personal data?
The Code advises organisations to consider having a data sharing agreement (DSA) which
- sets out the purpose of the data sharing;
- covers what happens to the data at each stage;
- sets standards; and
- makes the roles and responsibilities of all parties clear.
Having a DSA in place helps demonstrate your organisation meets obligations under the UK GDPR. It also helps identify and mitigate risks. While in some urgent or emergency situations, it may not be possible to arrange for a DSA before the necessary disclosure, the guidance recommends documenting the action taken promptly after the event, if it was not possible to do so at the time.
How can we prevent shared data from being misused further down the line?
One reason the ICO recommends that organisations use DSAs is that these can limit what will happen to the data. Detailed guidance on DSAs explains how the wording could include instructions on what to do or not do with the personal data, including any restrictions on onward sharing and details of how long it can be kept.
How long should organisations keep data in safeguarding situations?
There aren’t any set time limits in data protection law. Organisations should only keep personal data for as long as they need it, so it always depends on your reason(s) for processing the data. It is important to remember that you shouldn’t keep data for longer than you need it or ‘just in case’. Organisations must justify and document how long they need to keep it. More information on data retention is available in the ICO’s storage limitation guidance.
Do organisations have to share personal data requested by the police?
Data protection law does not force organisations to disclose personal data to law enforcement authorities such as the police. It provides a framework to allow sharing of personal data, provided organisations have taken the necessary steps, just as they would before sharing with any external organisation (for example, determining an appropriate lawful basis for sharing). Specific guidance is available on the ICO website:
Are organisations required to complete any risk assessment before sharing personal data?
Potentially yes. Under the UK GDPR, a data protection impact assessment (DPIA) is mandatory if using (‘processing’) personal data is likely to result in a high risk to people.
A DPIA helps to identify and minimise risks, so even when you are not legally required to carry one out, it can be very beneficial to follow the DPIA process.
The ICO provides detailed guidance on completing a DPIA, with a template form that can be used.
What other support for schools is available from the ICO?
The ICO recommends that all organisations provide data protection and information governance training to staff on a regular basis, with mandatory annual training on the fundamentals. Training helps to tackle some of the cultural and organisational barriers to data sharing. The ICO website offers free training resources, used for the regulator’s own internal training, which can be adapted for any organisation.
General school resources on data protection for teachers are also available on the ICO website (bespoke for different UK regions, and tailored for primary or secondary schools).
The regulator has also set up an advisory panel to ensure they remain responsive to children’s issues, support organisations, and engage with children, parents and schools on data protection issues.
A free dedicated advice service is also provided by the ICO.