watermark
London Safeguarding Children Board: Child Protection Procedures 5th Edition London SCB Powered by tri.x Powered by tri.x
regsiter for alerts Search

4. Sharing and Processing Personal Information

Text Size: View this website with small text View this website with medium text View this website with large text View this website with high visibility


For amendment and updates see the Amendments and Archives tab above.


Contents

4.1

Introduction

4.2

Why is information sharing important?

4.3

The legal bases for sharing and processing personal information

4.4

Definitions

 

4.4.1

Legal obligation

 

4.4.2

Public task

 

4.4.3

The lawful basis

 

4.4.4

Processing

 

4.4.5

Personal data

 

4.4.6

The limits of Public Task and Legal Obligation

 

4.4.8

Seven key principles for processing personal data

4.5

The responsibilities of professionals

 

4.5.1

When to inform families that their personal information will be shared

 

4.5.2

If the decision is to share, is the right information being shared in the right way?

 

4.5.3

Records management considerations

 

4.5.4

The exchange of personal information between agencies

4.6

The rights of individuals regarding their personal data

 

4.6.2

The right to be informed

 

4.6.3

The right of access

 

4.6.4

The right to rectification

 

4.6.5

The right to erasure - when it does not apply?

4.7

Organisational responsibility

Appendix 1: Relevant legislation and law

Appendix 2: The Common Law Duty of Confidentiality

Appendix 3: Common myths that may hinder effective information sharing

Appendix 4: Public Task & Legal Obligation

 

4.1

Public Task

 

4.2

Legal Obligation

Appendix 5: Public interest and proportionality

Appendix 6: ‘Controllers’ and ‘Processors’

Appendix 7: Retention of Records (Local Authorities)


4.1

Introduction

 

4.1.1

This chapter:

  • Outlines the importance of sharing information about children and their families in order to safeguard and promote the welfare of children (as defined in Statutory Guidance: Working Together to Safeguard Children 2018);
  • Explains the lawful basis for sharing and processing personal information;
  • Summarises the key responsibilities of professionals who share and process this personal information and/or have responsibility for deciding how to process it;
  • Outlines the responsibilities of the multi-agency partnership to promote effective information sharing.

4.2

Why is information sharing important?

 

4.2.1

Effective sharing of information between practitioners and agencies is essential for the early identification and assessment of need or risk and the provision of services to safeguard and promote the welfare of children. Serious case reviews (SCRs) have frequently highlighted that where information about need and risk isn’t shared in a timely manner, they can go unrecognised or be under-estimated. Consequently, actions required to safeguard and promote the welfare of children was not taken. Where courts have been critical of the sharing of information, it has been where consideration was not given to the basis upon which information was being provided rather than the sharing of that information.

4.2.2

Practitioners should be proactive in sharing information, whether this is when problems are first emerging, or where a child is already known to local authority children’s social care (e.g. they are being supported as a child in need, have a child protection plan or are looked after). Practitioners should be cognisant of the need to share information about other children and any adults with whom that child has contact, which may impact the child’s safety or welfare.

4.2.3

Information sharing is essential for the identification of patterns of behaviour when a child has gone missing, when multiple children appear to be associated with the same context or locations of risk, or in relation to children in the secure estate where there may be multiple local authorities involved in a child’s care.

4.2.4

The statutory guidance in s10 of the Children Act 2004 makes it clear that effective information sharing supports the duty to co-operate to improve the well-being of children.


4.3

The legal bases for sharing and processing personal information

 

4.3.1

Local authorities and partner agencies are advised to rely on ‘legal obligation’ and ‘public task’, as defined in the Data Protection Act 2018, as the lawful basis to process any personal information required to establish whether there is a need to safeguard or promote the welfare of a child. The Data Protection Act 2018 incorporates the General Data Protection Regulations [GDPR] into British law.

4.3.2

This guidance does not make reference to the sharing of information by consent. The reason for this is that the definition of consent set out within the the Data Protection Act 2018 is specific and time limited, i.e. would not allow for information that had been shared to be used for any other purpose nor retained by the recipient [1].

[1] GDPR defines consent narrowly because it was primarily concerned with limitations of data sharing for commercial purposes. It is no longer a satisfactory basis for sharing information for the purposes of promoting the wellbeing of or safeguarding children.


4.4

Definitions

 

4.4.1

Legal obligation

The processing of information is necessary for you to comply with the law (not including contractual obligations). (See Appendix 4: Public Task & Legal Obligation for further information)

4.4.2

Public task

The processing of information is necessary for you to perform a task in the public interest or for your statutory functions, and the task or function has a clear basis in law. Public task can be used as a lawful basis for processing by any organisation who is exercising official authority or carrying out a specific task in the public interest. The focus is on the nature of the function, not the nature of the organisation (see Appendix 4: Public Task & Legal Obligation for further information).

4.4.3

The lawful basis

If ‘public task’ or ‘legal obligation’ is used as the framework for processing personal information, there must be a clear basis in either statute or common law for the relevant task, function or power for which you are using the personal data. In the case of processing information in order to safeguard and promote the welfare of children the legal bases are: The Children Act 2004 and Working Together to Safeguard Children 2018 (Statutory Guidance).

4.4.4

Processing

The collection, storage and sharing of personal data by organisations.

4.4.5

Personal data

Personal data is information that relates to an identified or identifiable individual.


The limits of Public Task and Legal Obligation

4.4.6

Using public task and legal obligation as the legal basis to process personal information in order to safeguard and promote the welfare of children does not mean there are no restrictions on sharing and processing information.

In summary, people have to be informed that their data will be recorded and shared and the purpose explained to them; the data processing needs to be proportionate to the purpose – that is safeguarding and promoting the welfare of children; it needs to be accurate and kept only as long as necessary.

4.4.7

Information about data processing should be provided both to the individuals concerned and through the publication of a data processing notice (“privacy notice”) by the relevant organisation.


Seven key principles for processing personal data

4.4.8

The GDPR sets out seven key principles which should be applied when processing personal information:

  • It should be processed lawfully, fairly and in a transparent manner;
  • Purpose limitation – it should be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;
  • Data minimisation – the data collected should be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;
  • Accuracy – the data collected should be accurate and, where necessary, kept up to date. In addition, every reasonable step must be taken to ensure that personal data which is inaccurate is erased or rectified without delay;
  • Storage limitation - the personal data collected  should be kept for no longer than is necessary for the purposes for which it was processed [personal data may be stored for longer periods solely for archiving purposes in the public interest (see Appendix 7: Retention of Records table);
  • Integrity and confidentiality (security) – the personal data should be processed in a manner that ensures appropriate security, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).”;
  • Accountability - The controller shall be responsible for, and be able to demonstrate compliance with the above.

4.5

The responsibilities of professionals

 


When to inform families that their personal information will be shared

4.5.1

Professionals should seek to discuss any concerns with the family prior to making referrals to children's social care. However, there will be some circumstances where professional should not inform the family, for example, where to do so would:

  • Place a child or adult at risk of harm;
  • Prejudice the prevention or detection of a serious crime.

4.5.2

Professionals should always talk to their agency's designated safeguarding children lead if they are in any doubt about a decision to share personal information about a family which relates to the safety or wellbeing of a child.


If the decision is to share, is the right information being shared in the right way?

4.5.3

Professionals should share information in an appropriate manner. This means:

  • Share the information which is necessary for the purpose for which it is being shared;
  • Share the information with the person or people who need to know;
  • Check that the information is accurate and up-to-date;
  • Share it in a secure way;
  • Establish with the recipient whether they intend to pass it on to other people; and
  • Inform the person to whom the information relates, and, if different, any other person who provided the information, if professionals have not already done so and it is safe to do so.


Records management considerations

4.5.4

Professionals should record decisions about whether or not to share information and the basis for that decision. If the decision is to share, the record should include what information was shared and with whom. In particular, professionals in all agencies must ensure that in the child or parent’s record, they:

  • Include the date a piece of information was created or recorded and whether it comprises fact, opinion, hypothesis or a combination of these together with the identity of the person recording the information;
  • All persons with access to personal records should be aware of their responsibility for maintaining confidentiality of those records;
  • Employees should only have access to those records and parts of records required to carry out their role;
  • Access to records should be limited to as small a number of people as reasonably possible to fulfil the organisations business requirements – this should be achieved through restricting access to physical locations where paper records are stored and by restricting access to computer records;
  • Access to records by staff members within the organisation should be logged and regularly audited;
  • Requests for information from internal and external sources, should be recorded including who is making the request and the purpose for which the information is sought;
  • A record of information disclosed should be kept – this should identify the person to whom it has been provided and the purpose;
  • Particular care should be taken during the transportation of personal records outside of the organisational site, for example security envelopes and approved carriers should be used where necessary.


The exchange of personal information between agencies

4.5.5

  • The professional requesting information about a child and their family from another agency and the professional in the agency that provides it must record the event contemporaneously and date it, in accordance with their own procedures. Both professionals must also record the reason for request and the nature of the need or risk of harm identified at time of request;
  • The recording must indicate if the subject child or their parent/s have been informed;
  • Unless they are already known, a telephone call received from a professional seeking information must be verified before information is divulged, by calling their agency back;
  • A record of any information given or received by 'phone or in person must be made, as well as reasons for not informing at time or subsequently, alongside details of the risk of harm;
  • Transmission of personal and sensitive information by fax should only happen when unavoidable. The number / address to which it is being sent should be checked very carefully (preferably by a colleague) and reassurance provided and recorded about the security of its handling by the other agency;
  • All faxes containing personal information should have a cover sheet which contains a confidentiality statement (e.g. 'This fax is confidential and is intended only for the person to whom it is addressed'). Faxes should be sent to 'Safe Haven' fax machines. If there is any doubt about being able to ensure confidentiality agreement should be reached by both parties that the recipient will stand by the fax machine and provide confirmation to the sender that the fax has been received;
  • Personal information should only be sent by secure email and not by “ordinary” or internet e-mail systems. E-mails containing confidential information should have a confidentiality warning (e.g. 'This e-mail is confidential and is intended for the person to whom it is addressed');
  • Agencies should provide clear advice to their staff about the nature of their “day to day” email system and how to send information by email securely.

4.6

The rights of individuals regarding their personal data

 

4.6.1

The following rights for individuals provided by the GDPR apply to information sharing for the purposes of safeguarding and promoting the welfare of children – not all of these rights are of central to the work of frontline practitioners and managers so further information is only provided for the first 4 rights.

  • The right to be informed;
  • The right of access;
  • The right to rectification;
  • The right to erasure;
  • The right to restrict processing;
  • The right to data portability;
  • The right to object;
  • Rights in relation to automated decision making and profiling.


The right to be informed

4.6.2

  • Individuals have the right to be informed about the collection and use of their personal data. However, there will be some circumstances where professional should not inform the family, for example, where to do so would:
    • Place a child or adult at risk of harm;
    • Prejudice the prevention or detection of a serious crime.
  • You must provide individuals with information including: your purposes for processing their personal data, your retention periods for that personal data, and who it will be shared with. This is called ‘privacy information’ [2].
  • You must provide privacy information to individuals at the time you collect their personal data from them unless it would increase the risk to a child or
  • If you obtain personal data from other sources, you must provide individuals with privacy information within a reasonable period of obtaining the data and no later than one month.
  • There are a few circumstances when you do not need to provide people with privacy information, such as if an individual already has the information or if it would involve a disproportionate effort to provide it to them.
  • The information you provide to people must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language.

[2] The agency’s published privacy notice should contain this information.


The right of access

4.6.3

Individuals have the right to access their personal data:

  • This is commonly referred to as subject access;
  • Individuals can make a subject access request verbally or in writing;
  • You have one month to respond to a request;
  • Fees are no longer charged in most circumstances.


The right to rectification

4.6.3

  • The GDPR includes a right for individuals to have inaccurate personal data rectified, or completed if it is incomplete;
  • An individual can make a request for rectification verbally or in writing;
  • You have one calendar month to respond to a request;
  • In certain circumstances you can refuse a request for rectification.


The right to erasure - when it does not apply?

4.6.4

The right to erasure does not apply to data processing if it is necessary:

  • To comply with a legal obligation;
  • For the performance of a task carried out in the public interest or in the exercise of official authority [Public task];
  • For the establishment, exercise or defence of legal claims.

4.7

Organisational responsibility

 

4.7.1

Concerns about processing personal information must not obstruct the need to promote the welfare, and protect the safety, of children, which must always be the paramount concern. To ensure effective safeguarding arrangements local authorities and their partner agencies are expected to ensure that:

  • All agencies have arrangements in place that clearly set out the principles underpinning the processing of information and particularly for sharing information – both internally and with other appropriate agencies;
  • That there is a shared understanding across agencies about what information should be processed, including when information can be shared, with whom and under what circumstances, and the dangers of not doing so;
  • Where possible, develop common documentation, systems and a joint approach to multi-disciplinary and multi-agency information processing;
  • There is confidence and trust with partners and families regarding the processing of personal information;
  • Information processing leads to less repetition in the provision of personal information for children and their families;
  • Encourage children and their parents to see information sharing in a positive light, as something which makes it easier for them to receive the services they need;
  • Understand and apply good practice in processing information at an early stage as part of preventative work;
  • Appropriate agency-specific guidance is produced to complement guidance issued by central government, and such guidance and appropriate training is made available to new staff as part of their induction and ongoing training;
  • Guidance and training specifically covers the sharing of information between professions, organisations and agencies, as well as within them, and arrangements for training take into account the value of multi-agency as well as single agency training.

4.7.2

Local authorities and their partner agencies should ensure that all professional in contact with children and their families:

  • Understand what to record and when to share information if they believe that a child may be a child in need, including those children who have suffered, or are likely to suffer, significant harm;
  • Are aware of and understand this guidance and the legislative and statutory framework which underpins it;
  • Know whether they are a data processor and/or a data controller and the responsibilities these roles entail including their legal duties to report data breaches.

4.7.3

In addition, local authorities should appoint a senior manager and a lead information officer, who will be rsponsible for decisions rlating to information processing and who can determine controversial issues

4.7.4

Organisational responsibilities under Children Act 2004 and Working Together to Safeguard Children 2018:

Section 11 of the Children Act 2004 names organisations and agencies and specifies their safeguarding duties. Working Together 2018 further identifies organisations and sectors as having safeguarding responsibilities. Relevant points in these responsibilities are included in this guidance and hence are not detailed separately.


Appendix 1: Relevant legislation and law

 
  • The Data Protection Act 2018 - the Act incorporates the General Data Protection Regulation (GDPR)
  • The Human Rights Act 1998;
  • The common law duty of confidence.

Appendix 2: The Common Law Duty of Confidentiality

 

Click here to view the Common law duty of confidentiality (Rotherham Doncaster and South Humber NHS Foundation Trust Website).

Common law is not set out in a single document like an Act of Parliament. It is a form of law based on previous court cases decided by judges and is also referred to as ‘judge-made’ or case law. The law is applied by reference to previous cases and is said to be ‘based on precedent’.

The general position is that, if information is given in circumstances where it is expected that a duty of confidence applies, that information cannot normally be disclosed without the information provider’s consent. In practice this means that all patient/service user information, whether held on paper, computer, visually, by audio recording or held in the memory of the professional, must not normally be disclosed without the consent of the patient/ service user.

It should be noted that the duty:

  • Applies regardless of the service user’s age;
  • Applies regardless of the service user’s mental or physical health or condition;
  • Continues when staff are no longer employees of the Trust.

Appendix 3: Common myths that may hinder effective information sharing

 

3.1

Data protection legislation is a barrier to sharing information

  • No – the Data Protection Act 2018 and GDPR do not prohibit the collection and sharing of personal information, but rather provide a framework to ensure that personal information is shared appropriately. In particular, the Data Protection Act 2018 balances the rights of the information subject (the individual whom the information is about) and the possible need to share information about them.

3.2

Consent is needed to share personal information

  • No – the legislation provides ‘public duty’ and legal obligation as a basis for sharing for personal information.

3.3

Personal information collected by one organisation/agency cannot be disclosed to another

  • No – this is not the case, unless the information is to be used for a purpose incompatible with the purpose for which it was originally collected.

3.4

The common law duty of confidence and the Human Rights Act 1998 do not prevent the sharing of personal information.

3.5

In addition to the Data Protection Act 2018 and GDPR, practitioners need to balance the common law duty of confidence and the Human Rights Act 1998 against the effect on individuals or others of not sharing the information. (Amended from Working Together to Safeguard Children).


Appendix 4: Public Task & Legal Obligation

 


4.1 Public Task

4.1.1

You can rely on this lawful basis if you need to process personal data:

  • ‘In the exercise of official authority’. This covers public functions and powers that are set out in law; or
  • To perform a specific task in the public interest that is set out in law.

4.1.2

It is most relevant to public authorities, but it can apply to any organisation that exercises official authority or carries out tasks in the public interest.

4.1.3

You do not need a specific statutory power to process personal data, but your underlying task, function or power must have a clear basis in law.

4.1.4

The processing must be necessary. If you could reasonably perform your tasks or exercise your powers in a less intrusive way, this lawful basis does not apply.

4.1.5

Document your decision to rely on this basis to help you demonstrate compliance if required. You should be able to specify the relevant task, function or power, and identify its statutory or common law basis.


4.2 Legal Obligation

4.2.1

You can rely on this lawful basis if you need to process the personal data to comply with a common law or statutory obligation.

4.2.2

This does not apply to contractual obligations.

4.2.3

The processing must be necessary. If you can reasonably comply without processing the personal data, this basis does not apply.

4.2.4

You should document your decision to rely on this lawful basis and ensure that you can justify your reasoning.

4.2.5

You should be able to either identify the specific legal provision or an appropriate source of advice or guidance that clearly sets out your obligation.


Appendix 5: Public interest and proportionality

 

A public interest can arise in a wide range of circumstances e.g. to protect children or other people from harm, to promote the welfare of children or to prevent crime and disorder. There are also public interests, which in some circumstances may weigh against sharing, including the public interest in maintaining public confidence in the professionalism of certain services. The key factor in deciding whether or not to share personal information is proportionality (i.e. whether the proposed sharing is a proportionate response to the need to protect the public interest in question). In making the decision professionals must weigh up what might happen if the information is shared against what might happen if it is not, and make a decision based on a reasonable judgement.

Professionals must record the context in which the information was shared, the perceived level of risk of harm at the time, the data requested, the data shared and with whom. Agencies may have a standard form for this or ensure that there is a signed and dated entry in the case notes.


Appendix 6: 'Controllers' and 'Processors'

 

Staff need to be aware whether they are a data controller and or a data processor.

The GDPR applies to ‘controllers’ and ‘processors’. 

  • A controller determines the purposes and means of processing personal data;
  • A processor is responsible for processing personal data on behalf of a controller.

    The controller would normally be the manager; or
  • If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach;
  • However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.

Appendix 7: Retention of Records (Local Authorities)


Click here to view Appendix 7: Retention of Records table.