ICO Guidance: Organisations will not be censured for sharing information aimed at protecting children/young persons at risk
Published: October 3rd, 2023
6 min
The Information Commissioner's Office (ICO) has issued guidance that makes clear that organisations "will not get in trouble" if they share information to protect children and young people at risk of serious harm. The commissioner has thus addressed concerns from organisations and frontline workers that are worried about sharing sensitive information for fear of falling foul of data protection law. The document offers a 10 step guide on data protection considerations when sharing personal information for child safeguarding purposes:
Step 1: Be clear about how data protection can help you share information to safeguard a child.
Step 3: Develop clear and secure policies and systems for sharing information.
Step 4: Be clear about transparency and individual rights.
Step 5: Assess the risks and share as needed.
Step 6: Enter into a data sharing agreement.
Step 7: Follow the data protection principles.
Step 8: Share information using the right lawful basis.
Step 9: Share information in an emergency.
Step 10: Read our data sharing code of practice.
According to the ICO, the need to improve data sharing practices has been highlighted in recent serious case reviews in the UK where children have died or been seriously harmed through abuse or neglect. Poor information-sharing among organisations and agencies was identified as one of the factors contributing to failures to protect the children. John Edwards, UK Information Commissioner, said: "My message to people supporting and working with children and young people is clear: if you think a child is at risk of harm, you can share information to protect them. You will not get in trouble with the ICO for trying to prevent or lessen a serious risk or threat to a child's mental and physical wellbeing. Data protection law helps organisations share data when required. Our guide will support senior leaders to put strong policies, systems and training in place, so their staff are encouraged and empowered to share data in an appropriate, safe and lawful way."
Forbes Comment:
In the course of defending claims for local authorities involving child protection and data protection issues I regularly encounter uncertainty and concern about exactly what can be shared by local authorities without falling foul of data protection rules, which can of course result in potentially expensive damages claims. It is important to note that the GDPR and Data Protection Act (2018) does not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe. Where practitioners need to share special category personal data, they should be aware that the Data Protection Act 2018 includes 'safeguarding of children and individuals at risk' as one of conditions that allows practitioners to share information with others without consent. Information can be shared legally without consent, if a practitioner is unable to, cannot be reasonably expected to gain consent from the individual, or if to gain consent could place a child at risk. Relevant personal information can also be shared lawfully if it is to keep a child or individual at risk safe from neglect or physical, emotional or mental harm, or if it is protecting their physical, mental, or emotional well-being. Practitioners looking to share information without consent should consider which processing condition in the Data Protection Act (2018) is most appropriate in the particular circumstances of the case. The 10 step guidance from the ICO is a welcome additional reminder of the need above all to ensure the safety of the vulnerable young persons and not to be primarily concerned with data protection rules, always ensuring that guidance is followed.
For further information please contact John Myles