ICO launches new guidance for education sector on data-sharing to support child safeguarding
The Information Commissioner’s Office (“ICO”) has recently published guidance for the education sector on complying with data protection law when sharing data to safeguard children and young people. This guidance provides sector specific advice and case studies to run alongside the ICO’s 10 step guide to sharing information to safeguard children. Its message is clear: data protection law is not a barrier to safeguarding, it is a framework to support it.
Here are some of the key takeaways:
Consider the correct lawful basis
Education providers must identify a lawful basis before sharing information. While consent is a lawful basis, it is often not the most appropriate in a safeguarding context because consent must be freely given and there is usually a power imbalance between an education provider and a child or a child’s parent.
For state schools, the most appropriate lawful basis for sharing safeguarding concerns will typically be public task. In contrast, a private school or private nursery is more likely to rely on legitimate interests, which involves a three-part test:
- 1. Identify a legitimate interest to share the information, such as safeguarding a child
- 2. Demonstrate that sharing the information is necessary to achieve that purpose
- 3. Balance this against the data subject’s interests, rights and freedoms
Education providers should note that the Data Use and Access Act 2025 introduces a new lawful basis of ‘recognised legitimate interest’. For certain public interest purposes, including safeguarding, this will remove the obligation to carry out the balancing test at step three above once these provisions come into force. The ICO has released initial guidance on this but more is expected to follow.
Consider the capacity and wishes of the child
Education providers should consider the capacity of the child or young person to exercise their own data protection rights when deciding whether to share information. The ICO suggests that, in many cases, it is reasonable to assume that a child has capacity from the age of 12. Even when consent is not relied upon as the lawful basis for sharing information, organisations should still listen to and consider the views of the child alongside safeguarding considerations because open communication and transparency can improve the effectiveness of safeguarding decisions. The ICO emphasises, however, that a child’s wishes should not override a duty to report a child protection concern.
Establish formal data sharing arrangements
Where an education provider regularly shares information with other organisations, such as the local authority, a health and social care organisation or the police, the ICO recommends agreeing formal data sharing arrangements between those organisations. However, in emergency situations, the absence of a formal arrangement should not prevent an organisation from raising a safeguarding concern. In such cases, organisations should keep a detailed record of what was shared, with whom and why. Even where a formal arrangement exists, an education provider may not have time to follow the usual process in an emergency. The ICO is clear that organisations should not hesitate to share information to prevent harm.
The ICO has published 12 helpful case studies to show how these considerations may apply in practice.
If you have any questions on the ICO’s new guidance or how it may impact your organisation’s safeguarding and data protection practices, please contact our education law experts for tailored advice.
Share:
Enjoy That? You Might Like These:
articles
articles
