Information sharing and data protection

All early years staff must know the circumstances under which they may share personal data with other agencies about individuals. It is important that we do not let concerns about sharing information stand in the way of protecting children who may be at risk of abuse or neglect.

Safeguarding and GDPR

On 25 May 2018, an EU law called the General Data Protection Regulation (GDPR) came into effect. It replaced the Data Protection Act 1998 and it gives individuals greater control over their own personal data.

The GDPR principles

All data collected must be:

  • processed fairly, lawfully and in a transparent manner in relation to the data subject
  • collected for specified, explicit and legitimate purposes and not further processed for unrelated or incompatible other purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed
  • accurate and up to date
  • kept only as long as needed to identify individuals for the intended purpose
  • processed securely to prevent unauthorised access, loss, or damage using suitable technical and organisational measures.

Sensitive information

The most relevant conditions for recording and keeping sensitive safeguarding and welfare information include:

  1. Getting explicit consent

  2. Needing the data to carry out your obligations under employment, social security or social protection law, or a collective agreement

  3. Needing the data for reasons of substantial public interest according to UK laws, taking into account proportionality and safeguarding.

Where there are concerns about a child being at risk due to possible neglect or abuse, Local Safeguarding Partners' (LSPs) procedures advise that it is best practice in most circumstances to seek consent before making a child protection referral.

If consent is withheld and the concern remains that a child may be at risk of significant harm, the referral should still be made.

Practitioners should follow LSP safeguarding procedures at all times and this remains unchanged by GDPR.

Processing safeguarding data lawfully

The GDPR defines the different kinds of lawful basis needed to process data.

Where there is a safeguarding concern, it’s unlikely the lawful basis of ‘consent’ would be appropriate. For children’s social work the ‘public task’ basis is more likely to be appropriate.

For early years settings, information could be processed under the ‘legal obligation’ basis.

The Data Protection Act 2018 supplements GDPR and includes a new category of child abuse data, defined as physical injuries (non-accidental), physical and emotional neglect, ill treatment and sexual abuse.

The Act allows all organisations to process data for safeguarding purposes lawfully and without consent where necessary for the purposes of:

  • protecting an individual from neglect or physical and emotional harm; or

  • protecting the physical, mental or emotional wellbeing of an individual.

This covers situations where a child may be at risk of significant harm due to neglect or abuse and also applies to referrals made to the local authority for any child considered to be a ‘child in need’.

Remember: Educators should follow LSP safeguarding procedures at all times and this remains unchanged by GDPR.

Areas to consider

For most settings, appointing an individual who takes the lead on data compliance will be enough, although larger early years provider chains may need to appoint a data protection officer.

When you collect any data, you must tell people exactly how you are going to use it, who you might share it with and how long you will keep it, as well as giving information on consent and complaints.

People now have new and enhanced rights on the collection, access and deletion of their data so you must ensure your setting has mechanisms to allow individuals to exercise these rights.

GDPR requires early years providers to have a legitimate reason for processing any personal data. Where you rely on consent for processing data, you must be able to demonstrate that the consent was freely given. Pre-ticked boxes or inactivity are not enough; people have to actively opt-in.

Early years providers are obliged to have written arrangements with anybody processing data for them. Providers must make sure that anyone processing data meets GDPR requirements.

Data protection must be incorporated into new projects and services at the development stage, not simply as an afterthought.

You are obligated to notify the Information Commissioner’s Office (ICO) of a data breach within 72 hours of becoming aware of it.

One of the key drivers of compliance is that organisations can be fined significant amounts if they are not compliant. However, you should focus on the benefits of ensuring you are handling your data properly.

Protecting your data

The government’s National Cyber Security Centre has produced a downloadable leaflet for early years providers explaining how to protect sensitive information about your setting and the children in your care from accidental damage and online criminals.