Skip to content
Company Logo

Data Protection, Information Sharing and Confidentiality

Scope of this chapter

This chapter sets out the general principles regarding data protection and information-sharing.

See related guidance below for Greater Manchester-specific information.

Related guidance

Amendment

In December 2024, this chapter was revised in line with updated government guidance.

December 6, 2024

Effective information sharing underpins integrated working and is a vital element of both early intervention and safeguarding. Research and experience have repeatedly shown that keeping children safe from harm requires practitioners to record, analyse and understand the significance of the information they have about:

  • A child's health and development and any exposure to possible harm;
  • A parent who may need help, or may not be able to care for a child adequately and safely; and
  • Those who may pose a risk of harm to a child.

It is vital that information is shared in an appropriate and timely fashion. Often, it is only when information from a number of sources has been shared and is then put together, that it becomes clear that a child has suffered, or is likely to suffer, significant harm. Practitioners should be proactive in sharing information as early as possible to help identify, assess and respond to risks or concerns about the safety and welfare of children. This includes when problems first emerge, or where a child is already known to local authority children's social care (e.g. they are being supported as a child in need or have a child protection plan).

Information sharing should always be necessary, proportionate, relevant, accurate, timely and secure. A record should be kept of what has been shared, with whom and for what purpose and the reasoning behind it.

Practitioners should also be alert to sharing important information about any adults with whom that child has contact, which may impact on the child's safety or welfare.

Information sharing is essential for the identification of patterns of behaviour for example when a child is at risk of going missing or has gone missing, when multiple children appear associated to the same context or locations of risk, or in relation to children in the secure estate where there may be multiple local authorities involved in a child's care.

All practitioners should be particularly alert to the importance of sharing information when a child moves from one local authority into another, due to the risk that knowledge pertinent to keeping a child safe could be lost.

It will be for local safeguarding partners to consider how they will build positive relationships with other local areas to ensure that relevant information is shared in a timely and proportionate way.

Those providing services to adults and children, GPs for example, may be concerned about the need to balance their duties to protect children from harm against their general duty of care towards their patient or service user, e.g. a parent.

Some practitioners face the added dimension of being involved in caring for or supporting more than one family member - the abused child, siblings, and an alleged abuser. However, the Children Act 1989 determines that where there are concerns that a child is, or may be, at risk of significant harm, the overriding consideration is the welfare of the child.

The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 supersede the Data Protection Act 1998. Practitioners must have due regard to the relevant data protection principles which allow them to share personal information.

It is important however, that practitioners understand the data protection principles which allow them to share personal information. The UK GDPR and Data Protection Act 2018 emphasise the need for organisations to be transparent and accountable in relation to their use of data. All organisations handling personal data must ensure they have comprehensive and proportionate arrangements for collecting, storing, and sharing information. This also includes arrangements on informing service users about the information they will collect and how this may be shared.

To effectively share information:

  • All practitioners should be confident of the lawful bases and processing conditions which allow them to store, and share information. This includes information which is considered sensitive, such as health data. This is known under data protection legislation as 'special category of personal data';
  • Where practitioners need to share special category data, for example where information obtained is sensitive and needs more protection, they need to identify both a lawful basis for processing under Article 6 of the UK GDPR and a special category condition for processing in compliance with Article 9 (see: Information Commissioner's Office, Lawful basis for processing);
  • Schedule 1 of the Data Protection Act 2018 has 'safeguarding of children and individuals at risk' as a processing condition that allows practitioners to share information, including without consent (where, in the circumstances consent cannot be given, it cannot be reasonably expected that a practitioner obtains consent, or if to gain consent would place a child at risk).

Personal Data - Under the UK GDPR, personal data covers information which could be used to identify a person (also sometimes called the 'data subject'). This includes for example, a person's name, address, or an identification / file number.

Special category data - Under the UK GDPR, special category data relates to information about individuals which is particularly sensitive and so needs greater protection before it is shared. This includes for example, information about a person's race and ethnic origin, their health and sexual orientation.

Lawful Bases for Sharing Information (UK GDPR Article 6) - The UK GDPR provides practitioners with a number of lawful bases for sharing information. It is not necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child, providing there is a lawful basis for the sharing.

Consent is also a lawful basis in UK GDPR and would cover sharing where the individual has given clear consent for you to process their personal data for a specific purpose; e.g. provision of Early help services. The UK GDPR sets a high standard for consent to share information, and requires that it must be specific, time limited and able to be withdrawn.

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement. Consent is one lawful basis for processing information, but there are five others. You must always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing.

The UK GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of 'informed' consent. Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. However, you should ensure that the information you provide enables them to be fully informed.

Conditions for sensitive processing - To lawfully process special category data, you must identify both a lawful basis under Article 6 of the UK GDPR and a separate condition for processing under Article 9. Article 9 contains 10 conditions which allow the processing of special category data. These include explicit consent and also 'substantial public interest'. Schedule 1, Part 2 of the Data Protection Act 2018 details what would be covered by the substantial public interest condition, and this includes the safeguarding of children and individuals at risk (18(1)):

This condition is met if -

  1. The processing is necessary for the purposes of:
    1. Protecting an individual from neglect or physical, mental or emotional harm; or
    2. Protecting the physical, mental or emotional well-being of an individual.

  2. The individual is:
    1. Aged under 18; or
    2. Aged 18 or over and at risk.

Where there is a clear risk of significant harm to a child, or serious harm to adults the basis on which you can share information - including sensitive information - is therefore clear. In other cases, for example, neglect, the indicators may be more subtle and appear over time. In these cases, decisions about what information to share, and when, may be more difficult to judge. Practitioners should discuss with their line manager or designated safeguarding lead the need to share information when there are concerns about a child or young person. The information shared should be proportionate and a record should be kept of what has been shared, with whom and for what purpose and the reasoning behind it.

  1. All children have a right to be protected from abuse and neglect. Protecting a child from such harm takes priority over protecting their privacy, or the privacy rights of the person(s) failing to protect them. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) provide a framework to support information sharing where practitioners have reason to believe failure to share information may result in the child being at risk of harm;
  2. When you have a safeguarding concern, wherever it is practicable and safe to do so, engage with the child and/or their carer(s), and explain who you intend to share information with, what information you will be sharing and why. You are not required to inform them, if you have reason to believe that doing so may put the child at increased risk of harm (e.g., because their carer(s) may harm the child, or react violently to anyone seeking to intervene, or because the child might withhold information or withdraw from services);
  3. You do not need consent to share personal information about a child and/or members of their family if a child is at risk or there is a perceived risk of harm. You need a lawful basis to share information under data protection law, but when you intend to share information as part of action to safeguard a child at possible risk of harm, consent may not be an appropriate basis for sharing. It is good practice to ensure transparency about your decisions and seek to work cooperatively with a child and their carer(s) wherever possible. This means you should consider any objection the child or their carers may have to proposed information sharing, but you should consider overriding their objections if you believe sharing the information is necessary to protect the child from harm;
  4. Seek advice promptly whenever you are uncertain or do not fully understand how the legal framework supports information sharing in a particular case. Do not leave a child at risk of harm because you have concerns you might be criticised for sharing information. Instead, find out who in your organisation/agency can provide advice about what information to share and with whom. This may be your manager/supervisor, the designated safeguarding children professional, the data protection/information governance lead (e.g., Data Protection Officer), Caldicott Guardian, or relevant policy or legal team. If you work for a small charity or voluntary organisation, follow the NSPCC's safeguarding guidance;
  5. When sharing information, ensure you and the person or agency/organisation that receives the information take steps to protect the identities of any individuals (e.g., the child, a carer, a neighbour, or a colleague) who might suffer harm if their details became known to an abuser or one of their associates;
  6. Only share relevant and accurate information with individuals or agencies/organisations that have a role in safeguarding the child and/or providing their family with support, and only share the information they need to support the provision of their services. Sharing information with a third party rarely requires you to share an entire record or case-file – you must only share information that is necessary, proportionate for the intended purpose, relevant, adequate and accurate;
  7. Record the reasons for your information sharing decision, irrespective of whether or not you decide to share information. When another practitioner or organisation requests information from you, and you decide not to share it, be prepared to explain why you chose not to do so. Be willing to reconsider your decision if the requestor shares new information that might cause you to regard information you hold in a new light. When recording any decision, clearly set out the rationale and be prepared to explain your reasons if you are asked.

Information on children and families can be held in many different ways, including in case records or electronically on a variety of IT systems which are accessible to different practitioners. Information may be shared face to face, over the telephone or via secure email.  Whenever information is shared, a record of this should be made in the individual's record and the information should not be kept any longer than is necessary. In some rare circumstances, this may be indefinitely, but if this is the case, there should be a review process scheduled at regular intervals to ensure data is not retained where it is unnecessary to do so.

Working Together to Safeguard Children states:

You do not need consent to share personal information. It is one way to comply with the data protection legislation, but not the only way. The UK GDPR provides a number of bases for sharing personal information. It is not necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child provided that there is a lawful basis to process any personal information required.

The legal bases that may be appropriate for sharing data in these circumstances could be 'legal obligation' or 'public task' which includes performance of a task in the public interest or the exercise of official authority. Each of the legal bases under GDPR has different requirements.

It is good practice to be transparent and to inform parents/carers that you are sharing information for these purposes and seek to work co-operatively with them, where it is safe to do so.

Working Together to Safeguard Children states that:

  • …'all organisations and agencies should have arrangements in place that set out clearly the processes and the principles for sharing information. The arrangement should cover how information will be shared within their own organisation/agency; and with others who may be involved in a child's life;
  • …all practitioners should not assume that someone else will pass on information that they think may be critical to keeping a child safe. If a practitioner has concerns about a child's welfare and considers that they may be a child in need or that the child has suffered or is likely to suffer significant harm, then they should share the information with local authority children's social care and/or the police. All practitioners should be particularly alert to the importance of sharing information when a child moves from one local authority into another, due to the risk that knowledge pertinent to keeping a child safe could be lost.

Information Sharing: Advice for Safeguarding Practitioners supports frontline practitioners working in child or adult service who have to make decisions about sharing personal information on a case- by-case basis. The guidance can be used to supplement local guidance and encourage good practice in information sharing'.

For further information about Information Sharing Protocols please go to the LSCP website.

The UK General Data Protection Regulation (UK GDPR) and Data Protection Act 2018 ensure that personal information is obtained and processed fairly and lawfully; only disclosed in appropriate circumstances; is accurate, relevant and not held longer than necessary; and is kept securely.

They balance the rights of the information subject (the individual whom the information is about) with the need to share information about them.

Caldicott Guardian Principles

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information sharing. Good information sharing is essential for providing safe and effective care. There are also important uses of information for purposes other than individual care, which contribute to the overall delivery of health and social care or serve wider public interests. The principles apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes.

The Eight Caldicott Principles

  1. Justify the purpose(s) for using confidential information;
  2. Use confidential information only when it is necessary;
  3. Use the minimum necessary confidential information;
  4. Access to personal confidential data should be on a strict need-to-know basis;
  5. Everyone with access to confidential information should be aware of their responsibilities;
  6. Comply with the law;
  7. The duty to share information for individual care is as important as the duty to protect patient confidentiality;
  8. Inform patients and service users about how their confidential information is used.

The Guardian plays a key role in ensuring that the NHS, Local Authority Social Services Departments and partner organisations satisfy the highest practicable standards for handling patient/client identifiable information.

The Domestic Violence Disclosure Scheme

The Domestic Violence Disclosure Scheme (DVDS) gives members of the public a formal mechanism to make enquires about an individual who they are in a relationship with, or who is in a relationship with someone they know, where there is a concern that the individual may be violent towards their partner. This scheme adds a further dimension to the information sharing about children where there are concerns that domestic violence and abuse is impacting on the care and welfare of children within the family.

Members of the public can make an application for a disclosure, known as the 'right to ask'. Anybody can make an enquiry, but information will only be given to someone at risk or a person in a position to safeguard the victim. The scheme is for anyone in an intimate relationship regardless of gender.

Partner agencies can also request disclosure is made of an offender's past history where it is believed someone is at risk of harm. This is known as 'right to know'.

If a potentially violent individual is identified as having convictions for violent offences, or information is held about their behaviour which reasonably leads the police and other agencies to believe they pose a risk of harm to their partner, a disclosure will be made. See: Domestic Violence Disclosure Scheme: Guidance.

Article 8 in the European Convention on Human Rights states that:

Everyone has the right to respect for their private and family life, home and correspondence:

There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of rights and freedoms of others.

Child Sex Offender Disclosure Scheme

The Child Sex Offender Review (CSOR) Disclosure Scheme is designed to provide members of the public with a formal mechanism to ask for disclosure about people they are concerned about, who have unsupervised access to children and may therefore pose a risk. This scheme builds on existing, third-party disclosures that operate under the Multi-Agency Public Protection Arrangements (MAPPA).

Police will provide details confidentially to the person most able to protect the child (usually parents, carers or guardians) if they think it is in the child's interests.

The scheme is managed by the Police and information can only be accessed through direct application to them.

If a disclosure is made, the information must be kept confidential and only used to keep the child in question safe. Legal action may be taken if confidentiality is breached. A disclosure is delivered in person (as opposed to in writing) with the following warning:

  • That the information must only be used for the purpose for which it has been shared i.e. in order to safeguard children;
  • The person to whom the disclosure is made will be asked to sign an undertaking that they agree that the information is confidential and they will not disclose this information further;
  • A warning should be given that legal proceedings could result if this confidentiality is breached. This should be explained to the person and they must sign the undertaking. See: GOV.UK, Child sex offender disclosure scheme guidance.

If the person is unwilling to sign the undertaking, the police must consider whether the disclosure should still take place.

Serious Violence Duty

The Police, Crime, Sentencing and Courts Act 2022 requires ‘specified authorities’ for a local government area to work together and plan to prevent and reduce serious violence, including identifying the kinds of serious violence that occur in the area, the causes of that violence (so far as it is possible to do so), and to prepare and implement a Strategy for preventing, and reducing serious violence in the area.

‘Specified’ authorities are:

  • Police;
  • Probation Services;
  • Youth Offending Teams;
  • Integrated Care Boards;
  • Local authorities.

To recognise the importance of effective multi-agency information sharing, the Serious Violence Duty legislation includes specific provisions to support partners to share information, intelligence and knowledge to prevent and reduce serious violence.

These provisions create information-sharing gateways to permit disclosure to a specified authority of information held by specified authorities, local policing bodies and educational, prison or youth custody authorities and to enable local policing bodies to request information from specified authorities, educational authorities, prison or youth custody authorities within its police force area, or any other local policing body for the purposes of the Serious Violence Duty. The provisions will not replace existing data sharing agreements or protocols that are already established. The new information-sharing gateways for the purposes of the Serious Violence Duty are intended to enable the sharing of relevant data where existing powers alone would not be sufficient.

Section 16 Police, Crime, Sentencing and Courts Act 2022 provides a permissive information-sharing gateway that enables specified authorities, local policing bodies (PCCs or equivalents), educational, prison and youth custody authorities to disclose information to each other for the purposes of their functions under the Serious Violence Duty. Information-sharing to support effective collaboration with partnerships should be considered carefully and in line with data protection requirements ensuring that any disclosure is necessary and proportionate for the proposed purpose.

Personal information may be disclosed under section 16 by specified authorities (with the exception of health or social care authorities), local policing bodies (PCCs or equivalents), educational, prison and youth custody authorities. Any sharing of personal information must comply with data protection legislation (most importantly, the Data Protection Act 2018). There are restrictions on the disclosure of patient information and/or personal information by health or social care authorities.

The powers permit requests to be made for sharing information, or for information to be shared pro-actively, but do not oblige any specified authority to share information (either pro-actively or following a request).

Section 17 Police, Crime, Sentencing and Courts Act 2022 creates a power for local policing bodies (PCCs and equivalents) to request any specified authority and any educational, prison or youth justice authority within its police force area to supply it with such information as it may specify for the purpose of its functions relating to the Serious Violence Duty.

For more information see Serious Violence Duty - Preventing and Reducing Serious Violence: Statutory Guidance for Responsible Authorities.

Last Updated: December 4, 2024

v16