8.1 Information Sharing

Effective sharing of information between practitioners and local organisations and agencies is essential for early identification of need, assessment and service provision to keep children safe.

Missed opportunities to record, understand the significance of and share information in a timely manner can have severe consequences for the safety and welfare of children.

Information should be shared as early as possible to help identify, assess and respond to risks or concerns about the safety and welfare of children, whether this is when problems are first emerging, or where a child is already known to local authority children’s social care (e.g. they are being supported as a child in need or have a child protection plan).

Information should also be shared about any adults with whom that child has contact, which may impact the child’s safety or welfare.

Information sharing is also essential for the identification of patterns of behaviour when a child is at risk of going missing or has gone missing, when multiple children appear associated to the same context or locations of risk, or in relation to children in the secure estate where there may be multiple local authorities involved in a child’s care.

The Data Protection Act 2018 and General Data Protection Regulations (GDPR) do not prevent the sharing of information for the purposes of keeping children safe. Fears about sharing information must not be allowed to stand in the way of the need to promote the welfare, and protect the safety, of children, which must always be the paramount concern. To ensure effective safeguarding arrangements:

• all organisations and agencies should have arrangements in place that set out clearly the processes and the principles for sharing information. The arrangement should cover how information will be shared within their own organisation/agency; and with others who may be involved in a child’s life
• all practitioners should not assume that someone else will pass on information that they think may be critical to keeping a child safe. If a practitioner has concerns about a child’s welfare and considers that they may be a child in need or that the child has suffered or is likely to suffer significant harm, then they should share the information with local authority children’s social care and/or the police. All practitioners should be particularly alert to the importance of sharing information when a child moves from one local authority into another, due to the risk that knowledge pertinent to keeping a child safe could be lost
• all practitioners should aim to gain consent to share information, but should be mindful of situations where to do so would place a child at increased risk of harm. Information may be shared without consent if a practitioner has reason to believe that there is good reason to do so, and that the sharing of information will enhance the safeguarding of a child in a timely manner. When decisions are made to share or withhold information, practitioners should record who has been given the information and why

Under the Data Protection Act 2018 and the General Data Protection Regulation (GDPR), to share information effectively:

• all practitioners should be confident of the lawful bases and processing conditions under the Data Protection Act 2018 and the GDPR which allow them to store and share information including information which is considered sensitive, such as health data, known under the data protection legislation as ‘special category personal data’
• where practitioners need to share special category personal data, for example, where information obtained is sensitive and needs more protection, they should always consider and identify the lawful basis for doing so under Article 6 of the GDPR, and in addition be able to meet one of the specific conditions for processing under Article 9. In effect, the Data Protection Act 2018 contains ‘safeguarding of children and individuals at risk’ as a processing condition that allows practitioners to share information, including without consent (where in the circumstances consent cannot be given, it cannot be reasonably expected that a practitioner obtains consent or if to gain consent would place a child at risk). However, practitioners should be mindful that a data protection impact assessment for any type of processing which is likely to be high risk must be completed, and therefore aware of the risks of processing special category data.

The Partnership has considered what changes are required to the Procedures to ensure compliance with the General Data Protection Regulations (GDPR) - implemented through the Data Protection Act 2018. We have taken into consideration guidance from the Information Commissioner’s Office [ICO] which says: ‘The biggest change is for public authorities, who now need to consider the new ‘public task’ basis first for most of their processing, and have more limited scope to rely on consent or legitimate interests’. As a result, the Partnership recommends that ‘legal obligation’ and ‘public task’ (as defined in the GDPR) are relied on as the primary basis for processing information to establish whether or not there is a need to safeguard the welfare of a child. This means that, whilst families will be informed when personal data is being shared or processed, their consent is not required.

The significance of this change is that it is no longer necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child (i.e. removing the distinction between information sharing for the purposes of assessing need or child protection). It does, of course, continue to be good practice to inform parents / carers that you are sharing information for these purposes and to seek to work cooperatively with them. Agencies should also ensure that parents / carers are aware that information is shared, processed and stored for these purposes.

The Working Together Guidance published in July 2018 by the Department for Education, continues to emphasise the use of consent. The BSCP is working to ensure that the approach taken in these Procedures is consistent with the Data Protection Act 2018, the guidance published by the ICO and the statutory guidance published by the Department for Education. In the meantime, references to consent and information sharing in the Procedures will be highlighted with a link to the advice above. In addition, the information sharing protocol has been withdrawn pending a full revision in line with the new legislation.

Sharing information enables practitioners and agencies to identify and provide appropriate services that safeguard and promote the welfare of children. Below are common myths that may hinder effective information sharing.

Data protection legislation is a barrier to sharing information

No – the Data Protection Act 2018 and GDPR do not prohibit the collection and sharing of personal information.  It is one way to comply with the data protection legislation but not the only way. The GDPR provides a number of bases for sharing personal information. It is not necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child provided that there is a lawful basis to process any personal information required. The legal bases that may be appropriate for sharing data in these circumstances could be ‘legal obligation’, or ‘public task’ which includes the performance of a task in the public interest or the exercise of official authority. Each of the lawful bases under GDPR has different requirements. It continues to be good practice to ensure transparency and to inform parent/ carers that you are sharing information for these purposes and seek to work cooperatively with them.

Consent is always needed to share personal information

No – you do not necessarily need consent to share personal information. Wherever possible, you should seek consent and be open and honest with the individual from the outset as to why, what, how and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on. When you gain consent to share information, it must be explicit, and freely given. There may be some circumstances where it is not appropriate to seek consent, because the individual cannot give consent, or it is not reasonable to obtain consent, or because to gain consent would put a child’s or young person’s safety at risk.

Personal information collected by one organisation/agency cannot be disclosed to another

No – this is not the case, unless the information is to be used for a purpose incompatible with the purpose for which it was originally collected. In the case of children in need, or children at risk of significant harm, it is difficult to foresee circumstances where information law would be a barrier to sharing personal information with other practitioners.

The common law duty of confidence and the Human Rights Act 1998 prevent the sharing of personal information

No – this is not the case. In addition to the Data Protection Act 2018 and GDPR, practitioners need to balance the common law duty of confidence and the Human Rights Act 1998 against the effect on individuals or others of not sharing the information.

IT Systems are often a barrier to effective information sharing

No – IT systems, such as the Child Protection Information Sharing project (CP-IS), can be useful for information sharing. IT systems are most valuable when practitioners use the shared data to make more informed decisions about how to support and safeguard a child.

Information sharing is vital to safeguarding and promoting the welfare of children and young people. The following documents will provide further information about effective information sharing.

BSCP Multi-Agency Information Sharing Code of Practice
 This Code of Practice outlines the principles and practice which govern the sharing of information between agencies, for the purposes of identifying, safeguarding and promoting the welfare and protection of all children and young people. 

Seven Golden Rules of Information Sharing
 This document from HM Government sets out the golden rules for information sharing, and a flowchart of key questions for information sharing.

HM Government - Information Sharing Advice for Practitioners
 This HM Government advice is non-statutory and has been produced to support practitioners in the decisions they take when sharing information to reduce the risk of harm to children and young people.

ICO's data sharing code and supporting resources.

The ICO's data sharing code and supporting resources is to help safeguarding professionals share data appropriately.