Data Protection Law: Safeguarding Discussions And Legal Bounds

does data protection law apply to discussing safeguarding matters

Data protection laws and safeguarding guidelines both aim to protect individuals, but they can sometimes seem at odds with each other. The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 govern how organisations, businesses, and governments handle personal information. These laws outline strict rules for processing and sharing data, requiring that it be done fairly, lawfully, and with transparency. On the other hand, safeguarding often requires the sharing of sensitive information to protect individuals, particularly children, from harm. While data protection laws like the GDPR and the Data Protection Act provide a framework for responsible information sharing, they do not prevent or restrict it. In fact, exemptions and conditions are built into these laws to allow for justified information sharing in the public interest, such as in safeguarding cases.

Characteristics Values
Data protection laws GDPR, Data Protection Act 2018
Safeguarding laws Keeping Children Safe in Education
Data protection and safeguarding Work in conjunction with each other
Safeguarding information sharing Not about whether data can be shared, but how it is shared
Safeguarding and consent Consent is not always necessary
Information sharing Be open and honest about why, what, how, and with whom information is shared
Practitioners DSL, Safeguarding or Data Protection expert
Consent Informed consent, explicit consent, implicit consent
Personal data Racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, biometrics, health, sex life, sexual orientation
Lawful basis for sharing information Public task, legal obligation, legitimate interests
Special category data Substantial public interest conditions
Data retention Keep information for no longer than necessary
Security Put in place appropriate security measures
Accountability Have the right policies in place and ensure they are followed

lawshun

The General Data Protection Regulation (GDPR) and Safeguarding: working in conjunction

The General Data Protection Regulation (GDPR) and safeguarding policies work in conjunction with each other. While the GDPR is a legal framework that sets guidelines for the collection and processing of personal information, it also provides consumers with more control over how their personal data is handled and disseminated by companies. This means that companies must inform consumers about what they do with their data and notify them of any breaches.

In the context of safeguarding, the GDPR allows for exemptions and conditions to specific data processing activities. For example, voluntary and community organisations, schools, health services, and local authorities can lawfully use their own judgement to process personal data for safeguarding purposes without consent, as long as it is justified to protect a child or an adult at risk. This is outlined in Schedule 1 Part 2 of the Data Protection Act.

However, organisations must have an appropriate policy document in place and keep a record of which condition is used for each instance. The Information Commissioner's Office (ICO) also mentions working through a specific test in every case, which would be within your safeguarding procedures to raise and escalate concerns (Schedule 1 Part 4 of the Data Protection Act).

It is important to note that organisations are not required to inform individuals that they are processing their data if it will cause them harm or prevent a referral, nor are they required to give individuals access to their data or delete their data upon request in cases of safeguarding children and adults at risk (Schedule 3, Parts 1 and 5 of the Data Protection Act).

When working with safeguarding matters, it is crucial to find a balance between following GDPR guidelines and ensuring the protection of individuals. This may include considering the need for transparency, consent, and the safety and well-being of the individuals involved.

Overall, the GDPR and safeguarding policies work together to protect individuals' personal data while also allowing for necessary information sharing in the interest of protecting children and adults at risk.

lawshun

In data protection law, a 'lawful basis' is needed to share information. While consent is one of the six lawful bases, it is not always necessary or appropriate.

When consent is not needed

In some cases, consent is not needed to share information. For example, it is necessary to share information with government agencies for tax purposes. If you have an accountant, you will need to share staff information so they can organise your accounts.

In the UK, the Data Protection Act 2018 outlines how personal data can be used in the public interest, such as in safeguarding. Voluntary and community organisations, schools, health services, and local authorities can lawfully use their own judgement to process personal data for safeguarding purposes, without consent, if it is justified to protect a child or an adult at risk. This is outlined in Schedule 1 Part 2 of the Data Protection Act.

Organisations must have an appropriate policy document in place and, for every instance, make a record of which condition is used (e.g. public interest) and how they have judged it to be lawful.

In cases of safeguarding children and adults at risk, organisations do not have to inform people that they are processing their data, nor give them access to their data, nor delete their data if requested to.

When consent is needed

Consent is needed when processing personal data in most cases. Consent must be freely given, specific, informed, and unambiguous. The data subject must be notified about the identity of the controller, what kind of data will be processed, how it will be used, and the purpose of the processing operations. The data subject must also be informed about their right to withdraw consent at any time.

When consent may not be needed but is recommended

In some cases, consent may not be legally required but is still recommended. For example, when sharing someone's information because it is required by law, such as sharing employee details with HMRC in line with tax and employment laws.

Other lawful bases

The other five lawful bases for processing data, aside from consent, are: contract, legal obligations, vital interests of the data subject, public interest, and legitimate interest.

'Legitimate interest' can be used as a lawful basis for straightforward processing of personal data, particularly when it is something the person would reasonably expect. For example, passing on customer information to a debt collection agency when they have not paid for a product. However, the processing must still be transparent, and the customer should be made aware that their information may be passed on in cases of non-payment.

Safeguarding matters

When it comes to safeguarding matters, the two areas of data protection and safeguarding work in conjunction with each other. It is not a case of choosing to follow one set of rules or the other. The rules around safeguarding information sharing are about thinking carefully about how you share data.

While consent is not always necessary, it is important to be transparent, and blanket approaches should be avoided. It is useful to inform individuals at the start of processes about how their data will be used.

Golden rules for information sharing

The Information Commissioner's Office (ICO) has outlined seven golden rules for information sharing:

  • Think about how you share information responsibly, safely, and transparently.
  • Be open and honest with individuals about why, what, how, and with whom information will/could be shared, and seek their agreement unless it is unsafe or inappropriate to do so.
  • Seek advice from practitioners or your information governance lead if you are in any doubt about sharing the information, without disclosing the identity of the individual where possible.
  • Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information shared. Under the GDPR and Data Protection Act 2018, you may share information without consent if there is a lawful basis to do so, such as when safety may be at risk.
  • Consider safety and well-being, basing your information-sharing decisions on the safety and well-being of the individual and others who may be affected by their actions.
  • Ensure that the information you share is necessary, proportionate, relevant, accurate, timely, and secure.
  • Keep a record of your decision and the reasons for it, whether you decide to share information or not. If you decide to share, record what you have shared, with whom, and for what purpose.

lawshun

Safeguarding and GDPR exemptions

The General Data Protection Regulation (GDPR) is a European Union law that safeguards the personal data of EU citizens by standardising data handling. It grants EU citizens privacy rights, such as the right to rectification or the right to be forgotten, and prevents businesses from unauthorised use of their personal data.

The UK's implementation of the GDPR is the Data Protection Act 2018, which outlines exemptions from some rights and obligations in specific circumstances. These exemptions are detailed in Schedules 2-4 of the Data Protection Act 2018, and they complement the exceptions already built into certain UK GDPR provisions.

The following paragraphs will discuss how these exemptions apply to safeguarding matters.

Firstly, it is important to note that voluntary and community organisations, schools, health services, and local authorities can lawfully use their judgement to process personal data for safeguarding purposes without consent if it is justified to protect a child or an adult at risk. This is outlined in Schedule 1, Part 2 of the Data Protection Act. However, organisations must have an appropriate policy document in place and record which condition is used and how they have judged their actions to be lawful.

In cases of safeguarding children and adults at risk, organisations are exempt from certain obligations. They do not have to inform individuals that they are processing their data if doing so will cause harm, prevent a referral, or compromise safety. Additionally, they are not required to provide access to or delete an individual's data upon request. These exemptions are outlined in Schedule 3, Parts 1 and 5 of the Data Protection Act.

Furthermore, when it comes to information sharing in safeguarding matters, the GDPR, Data Protection Act, and Human Rights Law provide a framework to ensure that personal information is shared responsibly, safely, and transparently. While consent is not always necessary, organisations should still seek the agreement of individuals whenever possible and be open and honest about why, how, and with whom information will be shared.

In conclusion, while the GDPR and Data Protection Act provide exemptions and conditions for specific data processing situations, organisations must still carefully consider each case and ensure they have appropriate policies and justifications in place. The key is to find a balance between safeguarding and data protection, ensuring that personal data is handled securely and responsibly while also prioritising the needs, welfare, protection, and safety of individuals, especially children.

Thermodynamics and DND: A Lawful Game?

You may want to see also

lawshun

Data protection principles

Data protection laws, such as the General Data Protection Regulation (GDPR) and the Data Protection Act 2018, outline several key principles that govern the handling of personal information. These principles are essential for organisations to follow to ensure compliance with legal requirements and to protect individuals' privacy rights. Here are the main data protection principles:

Lawfulness, Fairness, and Transparency

This principle states that personal data should be processed lawfully, fairly, and in a transparent manner. Organisations must ensure their data collection practices are legal and that individuals are informed about the collection, use, and processing of their personal data. Transparency requires the use of clear and plain language, making it easy for individuals to understand how their data is being used.

Purpose Limitation

Personal data should only be collected for specified, explicit, and legitimate purposes. The specific purposes for processing data should be determined at the time of collection, and further processing should not be incompatible with those initial purposes. However, processing for archiving, scientific research, or statistical purposes may be allowed with certain restrictions.

Data Minimisation

The processing of personal data must be limited to what is necessary and relevant for the stated purposes. Organisations should only collect and retain the minimum amount of data required to fulfil their purposes. They should also ensure that the period for storing personal data is kept to a strict minimum.

Accuracy

Organisations must ensure that personal data is accurate and, where necessary, kept up to date. They should take reasonable steps to rectify or erase inaccurate data without delay. Controllers should accurately record the information they collect, along with the source of that information.

Storage Limitation

Personal data should only be kept for as long as it is necessary for the purposes for which it was collected. Time limits should be established for erasing data or for periodic reviews to ensure it is not retained longer than needed.

Integrity and Confidentiality

Organisations must ensure appropriate security and confidentiality of personal data. This includes protecting data from unauthorised or unlawful access, accidental loss, destruction, or damage. Organisations should implement technical and organisational measures to safeguard personal information, such as encryption, access controls, and backup solutions.

Accountability

The controller is responsible for demonstrating compliance with all the above data protection principles. They must take responsibility for their data processing activities and be able to provide evidence of their compliance, such as through appropriate records and measures.

lawshun

Safeguarding and data protection: recording decisions

Recording decisions is a crucial aspect of safeguarding and data protection. Here are some key insights on this topic:

The Importance of Record-Keeping

Record-keeping is essential for building a comprehensive picture of an individual's needs and circumstances. It helps identify concerns early on, build trust with those involved, and ensure their safety and well-being. Effective records can also aid in decision-making, evidence-gathering, and demonstrating a commitment to safeguarding culture during inspections and audits.

Key Elements of Record-Keeping

Records should include factual and accurate information about welfare concerns and significant events. It is important to document the times, dates, and names of individuals involved. Additionally, follow-up actions, decisions made, and the rationale behind them should be clearly stated. Records should be secure, confidential, and separate from general records, ensuring accessibility only to relevant staff.

The Designated Safeguarding Lead's Role

The Designated Safeguarding Lead (DSL) is responsible for maintaining up-to-date child protection files and establishing an effective system for recording concerns. They must decide on the necessary actions and interventions in line with guidance and legal requirements. However, the responsibility for the information recorded rests with the individual who documented it.

The Format of Records

Settings have the flexibility to choose between electronic and paper record-keeping systems, depending on their preferences and circumstances. Regardless of the format, records should be secure, confidential, and legible. Each record should refer to the child by name and include their voice or impact statement.

Transitioning Records

When a child transitions to a new setting, such as moving from primary to secondary school, it is crucial to transfer their safeguarding file within five school days. In cases of significant information, a handover is recommended to facilitate immediate support in the new setting.

The FACTS Approach to Record-Keeping

One effective way to improve the quality of record-keeping is by using the FACTS approach:

  • Factual: Ensure all information is based on facts, clearly distinguishing between facts and opinions.
  • Analysis: Analyse and explain why a particular situation is a concern and what the potential risks are.
  • Child's Voice: Include the child's perspective and their words whenever possible.
  • Timely: Make records promptly, preferably on the same day an incident or concern is identified.
  • Share: Ensure that all concerns are shared with the DSL or relevant authorities using established procedures.

Language Considerations

The language used in records is crucial, especially in cases of exploitation or safeguarding older children. Victim-blaming language should be avoided as it can reinforce shame and guilt and create barriers between professionals and the individuals being safeguarded. Instead, use neutral and objective language that focuses on the facts and avoids minimising or misrepresenting the individual's experience.

Long-Term Considerations

It is important to remember that records will remain in a child's file until they reach a certain age (e.g., 25 years in the UK). These records may be accessed by the individual or their parents and can have a significant emotional impact, especially if they do not accurately reflect their circumstances or lived experience. Therefore, it is essential to review and reflect on the language and content of these records to ensure they are accurate, sensitive, and respectful.

Frequently asked questions

No, data protection laws such as the UK's Data Protection Act 2018 and the General Data Protection Regulation (GDPR) do not stop information sharing. They provide a framework to ensure that information is shared in a responsible, safe, and transparent manner.

No, consent is not always required. If a child is at risk or there is a perceived risk of harm, you can override the need for consent. However, it is important to seek advice from practitioners or your information governance lead if you are uncertain about sharing information in a particular case.

It is crucial to protect the identities of individuals who might suffer harm if their details become known to potential abusers. Only share relevant and accurate information with individuals or organizations that have a role in safeguarding the child and/or providing family support. Additionally, keep a record of your information-sharing decisions, including the reasons for sharing or not sharing information.

Written by
Reviewed by
Share this post
Print
Did this article help you?

Leave a comment