General Data Protection Regulations
The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 supersede the Data Protection Act 1998. Practitioners must have due regard to the relevant data protection principles which allow them to share personal information.
The GDPR and Data Protection Act 2018 place greater significance on the need for organisations to be transparent and accountable in relation to their use of data. All organisations handling personal data must ensure they have comprehensive and proportionate arrangements for collecting, storing, and sharing information in place. This also includes arrangements on informing service users about the information they will collect and how this may be shared.
The GDPR and Data Protection Act 2018 do not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe.
To effectively share information:
- All practitioners should be confident of the processing conditions which allow them to store, and share, the information that they need to carry out their safeguarding role. Information which is relevant to safeguarding will often be data which is considered 'special category personal data' meaning it is sensitive and personal;
- Where practitioners need to share special category personal data, they should be aware that the Data Protection Act 2018 includes 'safeguarding of children and individuals at risk' as one of conditions that allows practitioners to share information with others without consent;
- Information can be shared legally without consent, if a practitioner is unable to/cannot be reasonably expected to gain consent from the individual, or if to gain consent could place a child at risk; and
- Relevant personal information can also be shared lawfully if it is to keep a child or individual at risk safe from neglect or physical, emotional or mental harm, or if it is protecting their physical, mental, or emotional well-being.
Practitioners looking to share information without consent should consider which processing condition in the Data Protection Act 2018 is most appropriate in the particular circumstances of the case. This may be the safeguarding processing condition or another relevant provision.
Seven Gold Rules including reference to GDPR and Data Protection 2019
- Remember that the General Data Protection Regulations, Data Protection Act 2018 and human rights laws are not barriers to justified information sharing but provide a framework to ensure that personal information about living individuals is shared appropriately;
- Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so;
- Seek advice from other practitioners or your information governance lead if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible;
- Where possible share with consent and, where possible, respect the wishes of those who do not consent to having their information shared. Under the GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful reason to do so, such as where safety may be at risk. You will need to base your judgment on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared;
- Consider safety and well-being: Base your information sharing decisions on considerations of the safety and wellbeing of the individual and others who may be affected by their actions;
- Necessary, proportionate, relevant, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those people who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (Practitioners must always follow their organisation's policy on security for handling personal information); and
- Keep a record of your decision and the reasons for it - whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.