1.1 Sharing information is vital for safeguarding and promoting the welfare of children to facilitate early intervention to ensure that children with additional needs receive the services they require and that children are protected from abuse and neglect.
1.2 Often, it is only when information from a number of sources has been shared and is then put together that it becomes clear that a child is at risk of suffering Significant Harm.
1.3 A key factor in many Serious Case Reviews has been a failure to record information, to share it, to understand the significance of the information shared, and to take appropriate action in relation to known or suspected abuse or neglect.
1.4 Practitioners are often concerned about sharing information and uncertain about when they can do so lawfully. This chapter provides a summary of the general principles to be followed by all practitioners on this issue.
2. The General Data Protection Regulations
2.1 The General Data Protection Regulations (GDPR) – implemented through the Data Protection Act 2018 states that ‘legal obligation’ and ‘public task’ (as defined in the GDPR) are relied on as the primary basis for processing information to establish whether or not there is a need to safeguard the welfare of a child. This means that, whilst families will be informed when personal data is being shared or processed, their consent will not be required.
2.2 When is the lawful basis for legal obligations likely to apply? In short, when you are obliged to process the personal data to comply with the law
2.3 What is the ‘public task’ basis? Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. This can apply if you are either:
• carrying out a specific task in the public interest which is laid down by law; or
• exercising official authority (for example, a public body’s tasks, functions, duties or powers) which is laid down by law.
2.4 If you can show you are exercising official authority, including use of discretionary powers, there is no additional public interest test. However, you must be able to demonstrate that the processing is ‘necessary’ for that purpose.
2.5 ‘Necessary’ means that the processing must be a targeted and proportionate way of achieving your purpose. You do not have a lawful basis for processing if there is another reasonable and less intrusive way to achieve the same result.
2.6 The significance of this change is that it is no longer necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child (i.e. removing the distinction between information sharing for the purposes of assessing need or child protection). It does, of course, continue to be good practice to inform parents / carers that you are sharing information for these purposes and to seek to work cooperatively with them. Agencies should also ensure that parents / carers are aware that information is shared, processed and stored for these purposes.
2.7 Information should only be shared on a “need to know” basis, i.e. necessary for the purpose for which they are sharing it and shared only with those people who need it.
2.8 Practitioners should ensure that the information they share is accurate, factual and up-to-date; where opinion is given, this should be made clear to the recipient.
2.9 Information should always be shared and stored securely.