Thu 18 Dec 2025

Navigating safeguarding and data protection in education

New ICO guidance clarifies how the education sector can share children’s data safely while staying fully compliant with data protection laws.

The ICO has recently published new guidance on the sharing of children and young people’s data for safeguarding purposes by those in the education sector. The purpose of the new guidance is to assure those working in the sector that data protection is not a barrier to sharing information for safeguarding purposes and that information can be shared in compliance with data protection laws.

The ICO published a detailed ten-step guide to sharing information to safeguard children in 2023. This is complementary to the new guidance and should be read by those responsible for safeguarding children in the education sector.

Who does the guidance apply to?

The guidance applies to all schools, nurseries, universities and colleges with students under the age of 18, and to other educational settings such as pre- or post-school clubs, groups and activities.

The ICO has advised that it plans to introduce similar guidance to assist other sectors in this regard, particularly the health sector, local authorities and those in the voluntary and private sectors.

What does the guidance say?

Capacity

The ICO lists the capacity of children and young people to exercise their own data protection rights as one of the key considerations for the education sector when looking to share data for safeguarding purposes. By exercising that capacity, the ICO means obtaining the consent of the child or young person to share the data in question. The ICO says that those in the education sector must use their discretion and judgement to assess whether a child or young person has the capacity to exercise their own rights in this regard. However, guidance is available to aid that judgement.

In Scotland, in line with section 208(3) of the Data Protection Act 2018, it is presumed that a child aged 12 or over has sufficient age and maturity to understand their rights unless there is evidence to the contrary. In England, Northern Ireland and Wales the approach is slightly different, and the capacity of a child or young person is assessed on their understanding following the Gillick competence test.

The ICO highlights that while it is good practice to consult and obtain the consent of the child or young person, if capable of granting consent, safety and wellbeing are of most importance and the duties to report child protection concerns are not to be disregarded where the child disagrees. This shows that those in the education sector have an obligation to observe data protection laws and should follow the ICO’s guidance to ensure compliance. However, safeguarding duties should not be overlooked and data protection cannot be a barrier to the protection of children.

Duty of confidentiality

The common law duty of confidentiality sits concurrently with data protection laws. Both must be observed and the ICO advises that neither takes precedence over the other. Anyone receiving information about the wellbeing or safety of a child or young person must consider whether the information was disclosed in confidence and act proportionately when deciding whether to share that information to safeguard a child or young person. The guidance does not go into great detail on how to balance these obligations and instead provides links to guidance from other organisations, including the Scottish Government and NHS Scotland.

The ICO also refers the education sector to existing guidance on confidentiality and safeguarding children, for example the Scottish Government’s Getting it right for every child.

Information sharing with local partnerships

The ICO recognises that information may have to be shared with local safeguarding organisations such as local authorities, health and social care organisations or the police. In situations where sharing occurs on a regular basis the ICO advises that a formal data sharing arrangement should be in place. This ensures compliance and maintains a record of what information is being shared and each party’s obligations.

In the absence of such an arrangement, where sharing information is required to safeguard the child, the data should be shared, but the decision, what was shared and with whom should subsequently be recorded in a formal document and stored safely.

Key takeaways and next steps

Overall, the guidance and supporting case studies set out a series of considerations and steps that the education sector must bear in mind and undertake to ensure that the duty to safeguard children and young people is balanced with obligations under data protection legislation. Ensuring compliance with data protection laws and keeping the data of children and young people safe provides another layer of protection, which is particularly important when safety concerns are raised.

In terms of next steps for organisations in the education sector, we recommend training for all staff. Training is essential for staff to be able to make decisions on data sharing in a manner that is compliant with data protection requirements and that effectively safeguards children and young people. Organisations should also review any data sharing arrangements in place and ensure that any agreements or policies are compliant with the legislation and sufficiently protect the rights of children and young people.

If you require advice regarding the sharing of data to safeguard children or have other data protection concerns, please contact David Gourlay or any other member of our data protection team.

This article was co-authored by Aleks Werecka, Trainee Solicitor in our Commercial team.
