Safeguarding and data - what you need to know

Under GDPR (General Data Protection Regulation), an EU member state can provide exemptions and conditions to specific data processing. Here’s what you need to know about how these exemptions apply in the UK, and the implications for safeguarding and data:

What you need to know about safeguarding, GDPR and the Data Protection Act 2018

  • Under GDPR, an EU member state can provide exemptions and conditions to specific data processing. The UK has done this in relation to children, and adults at risk, in the Data Protection Act 2018 Schedules 2, 3, and 4. The exemptions are also in in Article 23 and Chapter IX of the GDPR.
  • Parts of the Data Protection Act 2018 became operational from 25 May when GDPR was implemented.
  • The Data Protection Act sits alongside GDPR and Schedules 1, 2, 3, and 4 set out how personal data can be used in the public interest, such as in safeguarding.
  • It means that GDPR did not change the various lawful basis’ for sharing information, with or without a person’s consent.
  •  Voluntary and community organisations, schools, health services and local authorities can lawfully use their own judgement to process personal data for safeguarding purposes, without consent if it’s justified, to protect a child or an adult at risk. This is in Schedule 1 Part 2 of the Data Protection Act.
  •  But organisations must have an appropriate policy document in place to do so and for every instance, make a record of which condition is used (i.e. public interest) and how they have judged it to be lawful. The Information Commissioners Office (ICO) mentions working through a specific test in every case, which would be within your safeguarding procedures to raise and escalate concerns. This is in Schedule 1 Part 4 of the Data Protection Act.
  • In cases of safeguarding children and adults at risk, organisations do not have to tell people that they are processing their data, for instance if it will cause them harm or prevent a referral, nor give them access to their data, nor delete their data if requested to. This is in Schedule 3, Parts 1 and 5 of the Data Protection Act.
  • Organisations should make reference in their safeguarding procedures to the Data Protection Act 2018 exemptions and the exemptions that are available in Article 23 and Chapter IX of the GDPR.

ICO information

The Information Commissioner’s Office has produced a guide setting out how the exemptions apply to children’s data and the data of adults at risk. Visit: https://ico.org.uk/for-organisations/ guide-to-the-general-data-protection-regulation-gdpr/children-and-the-gdpr/ how-do-the-exemptions-apply-to-children-s-personal-data/ and https://ico.org.uk/media/for-organisations/documents/2258303/ico-introd… Under GDPR (General Data Protection Regulation), an EU member state can provide exemptions and conditions to specific data processing.

Here’s what you need to know about how these exemptions apply in the UK, and the implications for safeguarding and data.

NSAB NSCB Information Sharing Agreements Newcastle Safeguarding Adults Board (NSAB) and Newcastle Safeguarding Children’s Board (NSCB) have agreed Information Sharing Agreements for safeguarding children and adults at risk, and have produced a GDPR Frequently Asked Questions (FAQs) note on information sharing.

  •  NSAB Information Sharing Agreement
  • NSCB Information Sharing Agreement
  • FAQs on Safeguarding Data Protection Act legislation Schedule 1 Special categories of personal data and criminal convictions etc.
  • Part 2 Substantial public interest conditions: Safeguarding of children and of individuals at risk http://www.legislation.gov.uk/ ukpga/2018/12/schedule/1/part/2/enacted
  • Schedule 1 Special categories of personal data and criminal convictions etc
  • Part 4 Appropriate Policy Document and Additional Safeguards http://www.legislation.gov.uk/ ukpga/2018/12/schedule/1/part/4/enacted
  • Schedule 2 Exemptions etc. from the GDPR PART 1 Adaptations and restrictions based on Articles 6(3) and 23(1)
  • Information required to be disclosed by law etc or in connection with legal proceedings http://www.legislation.gov.uk/ ukpga/2018/12/schedule/2/enacted
  • Schedule 3 Exemptions etc from the GDPR: Health, Social work, Education, and Child Abuse Data Part 1 GDPR provisions to be restricted Part 5 Child Abuse Data: Exemption from Article 15 of the GDPR: child abuse data http://www.legislation.gov.uk/ ukpga/2018/12/schedule/3/enacted

 

Organisation support category