string(11) "secondary-3"

Why, when and how should you share information?

Sharing information to tackle child sexual abuse

All Chapters

1
Sharing information to tackle child sexual abuse

Introduction

2
Why, when and how should you share information?
3
What information is needed as part of a multi-agency assessment?
a. Information about the child b. Information about the person(s) of concern c. Information about the child’s non-abusing parent(s)/carer(s)
4
What information could you or your organisation be sharing?
a. Family Help teams b. Statutory social work teams c. Fostering and Adoption Services d. Children’s social care specialist services e. Disabled children’s teams f. Local authority special educational needs and disabilities team g. Adult social care h. Police i. Probation Service j. Youth justice service k. Prison Service and Youth Custody Service l. Health practitioners m. Early years settings, schools and colleges n. Educational psychologists o. School counsellors p. Staff and volunteers in the voluntary and community sector
5
Who’s who in different organisations?
Previous Next

Page contents

Introduction

Sharing information about a child or family can feel daunting. Practitioners want to get it right, be sure they are protecting people’s privacy, and avoid making the wrong call. But when a child’s safety may be at risk, you shouldn’t hesitate to pass on the information that could help protect them.

As the Department for Education’s Information Sharing: Advice for Practitioners Providing Safeguarding Services for Children, Young People, Parents and Carers spells out:

Information sharing in a safeguarding context means the appropriate and secure exchange of personal information, between practitioners and other individuals with a responsibility for children, in order to keep them safe from harm. […] This includes informal sharing of information between practitioners to develop an accurate understanding of a child or family, and more formal processes of sharing information such as referrals into local authority children’s services.

Whatever your role, this resource is designed to complement your professional and statutory guidance, and advice from the Information Commissioner’s Office.

For more information about the essentials of sharing information to safeguard children, click on the headings below.

When there are concerns that a child is (or is at risk of) being sexually abused, or there are concerns about someone posing a risk of sexual abuse, the effective sharing of information is essential to:

  • protect children from being sexually abused
  • support early identification of child sexual abuse or risk of abuse
  • support children’s recovery and wellbeing, including through support for their non-abusing parents/carers
  • enable joint working between organisations to manage the risk to children and coordinate support
  • disrupt and investigate people who pose a risk to children.

All practitioners – regardless of the sector they work in – must take responsibility for sharing information in order to keep children safe from harm.

For more information about how to respond to concerns of child sexual abuse, please see our Child Sexual Abuse Response Pathway.

Information should be shared without delay when:

  • a child displays possible signs and indicators of sexual abuse – you can find out more about these, and how to record them, in our Signs and Indicators Template
  • a child tells someone they have been sexually abused
  • a child is believed to be at risk of sexual harm
  • a child displays concerning sexual behaviour towards another person
  • an adult poses a known or suspected risk to a child
  • sharing information would support a safeguarding plan, investigation, or legal process

You do not need to be absolutely sure that sexual abuse is happening before you share your concerns; reasonable belief, suspicion or concern is enough.

In this short video, the Information Commissioner, John Edwards, makes it clear that data protection law is not a barrier to sharing data to protect a child from harm.

Information sharing in a safeguarding context is supported by a range of legislation and guidance.

Key legislation

  • The Children Act 2004 establishes a duty on organisations to work together and share information to safeguard and promote children’s welfare.
  • Data protection legislation (the UK General Data Protection Regulation and the Data Protection Act 2018) provides a framework which enables organisations to share information when it is lawful, necessary and in the public interest to protect a child.
  • The Crime and Disorder Act 1998 enables organisations to share information in order to prevent or reduce crime and safeguard individuals at risk.
  • The Police Act 1996 allows and expects the police to share relevant information in order to prevent crime and protect children from harm.
  • The Domestic Abuse Act 2021 supports information sharing to identify, protect and support victims, including children affected by domestic abuse.
  • The Social Services and Well-being (Wales) Act 2014 establishes a statutory framework requiring public bodies to collaborate and share information to protect individuals from abuse or neglect.
  • The Children’s Wellbeing and Schools Act is introducing an Information Sharing Duty in England. These duties are likely to come into effect in late 2026, and we will update this resource at that point.

Statutory guidance

Other Government guidance

Professional guidance for the health sector

What does this mean for you?

The Department for Education’s Information Sharing: Advice for Practitioners Providing Safeguarding Services for Children, Young People, Parents and Carers explains in depth how the legal framework supports information sharing for the purposes of safeguarding children from abuse and neglect. It presents seven ‘golden rules for information sharing’.

  1. All children have a right to be protected from abuse and neglect. Protecting a child from such harm takes priority over protecting their privacy, or the privacy rights of the person(s) failing to protect them. The UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018 (DPA) provide a framework to support information sharing where practitioners have reason to believe failure to share information may result in the child being at risk of harm.
  2. When you have a safeguarding concern, wherever it is practicable and safe to do so, engage with the child and/or their carer(s), and explain who you intend to share information with, what information you will be sharing and why. You are not required to inform them, if you have reason to believe that doing so may put the child at increased risk of harm (e.g., because their carer(s) may harm the child, or react violently to anyone seeking to intervene, or because the child might withhold information or withdraw from services).
  3. You do not need consent to share personal information about a child and/or members of their family if a child is at risk or there is a perceived risk of harm. You need a lawful basis to share information under data protection law, but when you intend to share information as part of action to safeguard a child at possible risk of harm, consent may not be an appropriate basis for sharing. It is good practice to ensure transparency about your decisions and seek to work cooperatively with a child and their carer(s) wherever possible. This means you should consider any objection the child or their carers may have to proposed information sharing, but you should consider overriding their objections if you believe sharing the information is necessary to protect the child from harm.
  4. Seek advice promptly whenever you are uncertain or do not fully understand how the legal framework supports information sharing in a particular case. Do not leave a child at risk of harm because you have concerns you might be criticised for sharing information. Instead, find out who in your organisation/agency can provide advice about what information to share and with whom. This may be your manager/supervisor, the designated safeguarding children professional, the data protection/information governance lead (e.g., Data Protection Officer), Caldicott Guardian, or relevant policy or legal team. If you work for a small charity or voluntary organisation, follow the NSPCC’s safeguarding guidance.
  5. When sharing information, ensure you and the person or agency/organisation that receives the information take steps to protect the identities of any individuals (e.g., the child, a carer, a neighbour, or a colleague) who might suffer harm if their details became known to an abuser or one of their associates.
  6. Only share relevant and accurate information with individuals or agencies/organisations that have a role in safeguarding the child and/or providing their family with support, and only share the information they need to support the provision of their services. Sharing information with a third party rarely requires you to share an entire record or case-file – you must only share information that is necessary, proportionate for the intended purpose, relevant, adequate and accurate.
  7. Record the reasons for your information sharing decision, irrespective of whether or not you decide to share information. When another practitioner or organisation requests information from you, and you decide not to share it, be prepared to explain why you chose not to do so. Be willing to reconsider your decision if the requestor shares new information that might cause you to regard information you hold in a new light. When recording any decision, clearly set out the rationale and be prepared to explain your reasons if you are asked

It’s also important to ensure that you share information in a secure way and keep it securely.

Useful guidance on information sharing in the context of safeguarding children is presented by the Information Commissioner’s Office in the form of a 10-step guide to sharing information to safeguard children.

There is much more information about each of these steps on the Information Commissioner’s Office website, which also contains many case studies such as the following:

You are working with a child and have identified concerns about their welfare. You are going to share this information with an organisation who can help, and you want to know how much to share.

    • You may be able to share a minimal amount of information to achieve your purpose, such as accessing direct support for a service to benefit the child. In this scenario, it’s appropriate only to share this minimal information.
    • However, there will be times where multiple organisations are involved in an intervention, or where there are concerns about serious harm. In these cases, it may be necessary to share information more widely, or to share more information on a child’s circumstances.

It is not always clear how the details of a child’s history or circumstances are relevant to the concerns you’ve identified. But you will be sharing proportionately if you can link it back to a compelling reason to share. In these circumstances, that compelling reason is safeguarding the child.

Documenting this link will not only help you make your decision, but it helps you comply with the law.

The ICO’s guidance on Sharing information to safeguard children and young people in the education sector complements the 10 steps guide. While focusing on education settings, it is also relevant to other sectors such as health and local authorities. It features 12 case studies, such as this one which highlights that it is appropriate under data protection law to share information whenever a risk of harm is identified, even if ultimately there is found to be no safeguarding issue:

The manager of an after-school club has a genuine concern that a nine-year-old child in their care, Ayanna, may be at risk from harm from her parent’s new partner. The manager is not sure whether there is a real problem, but they are concerned because Ayanna has made comments which have alerted them to the risk of actual or potential harm.

They know that Ayanna’s family is currently being supervised and supported by local social services for a number of reasons not directly connected with this new concern. They share their concerns and the information with social services. Even though the manager does not know for certain how serious the risk is, under data protection law they are able to share it as it is fair and proportionate. This is because they have a legitimate cause for concern about the risk of harm to the child. As a result of the information sharing, social services look further into Ayanna’s relationship with the parent and the new partner and decide there is no safeguarding problem.

When an item of personal information is recorded, generated or processed in any way by an organisation, they have a legal responsibility for ensuring that it is (and remains) accurate and secure, and that they don’t hold more personal information than necessary.

If they then share the information with other organisations, they should inform those organisations of any subsequent updates or corrections to the information.

Some information is held by multiple organisations. For example, safeguarding concerns about a child may be recorded by children’s social care, the school, their GP and the police, each of which must share relevant information with others under legal frameworks (see above).

The organisations are joint holders of knowledge, but each has accountability and legal responsibility for the information that it recorded or generated.

Example

A child tells their teaching assistant that they have been sexually abused. The teaching assistant shares that with the Designated Safeguarding Lead (DSL).

  • The DSL records the information on the school recording system → the school is responsible for that record.
  • Children’s social care are informed, and record the same information in their case file → children’s social care are responsible for that record.
  • The police are informed, and record what the child has said in a crime or incident report → the police are responsible for that record.

The child’s information exists in multiple places, but legal responsibility for each record is organisation-specific.

Under UK GDPR, the individual who is the subject of the information has rights including:

  • access – the right to see what personal information is held about them (subject access request).
  • rectification – the right to correct inaccurate or incomplete information.
  • erasure (‘right to be forgotten’) – in some circumstances, they can request deletion of their personal data.
  • restriction of processing (which includes the sharing of information) – they can ask for limits on how their personal data is used.
  • objection – they can object to certain types of processing.

Depending on their age and maturity (sometimes called “Gillick competence” in health contexts), a child may be able to exercise the above rights in relation to information held about them. For example:

  • A child may request access to their GP records or counselling notes.
  • A child considered to be Gillick competent can request corrections or ask for sharing to be limited.

For a younger child, it is likely that their parent(s)/carer(s) will exercise those rights on the child’s behalf.

However, organisations’ duty to protect children overrides the individual’s control in terms of restricting sharing: a child or their parents/carers cannot prevent organisations from sharing information if there is a statutory safeguarding duty to do so. As a result, organisations may refuse requests to limit sharing if that would put the child or others at risk.

Similarly, while a child or their parents/carers can request deletion of a record, it may be appropriate for an organisation to refuse the request, retain the record and share it with others for legal, safeguarding or regulatory reasons.

The Information Commissioner’s Office website contains more information about the right to erasure – including when it does and does not apply, and advice on responding to an erasure request.

Lawful basis for sharing personal data

You must have a lawful basis under data protection law to share personal information. Article 6 of the UK General Data Protection Regulation (GDPR) sets out the different lawful bases for processing (including sharing) any personal data. The bases most likely to be relevant to safeguarding concerns are:

  • public task – processing is necessary to perform a task in the public interest
  • legitimate interests – your organisation has a legitimate reason that doesn’t override the individual’s rights
  • recognised legitimate interest – another option for organisations outside the public sector which are sharing information with public-sector organisations
  • consent – the individual has freely agreed
  • legal obligation – you need to process data in order to comply with the law.

Only one of these bases has to apply – and when sharing personal information for safeguarding purposes, a basis other than consent is likely to be more appropriate. Which one is appropriate will depend on a number of factors, including the circumstances and the type of organisation you are; the Information Commissioner’s Office has a lawful basis interactive guidance tool which can help you choose.

Special category data is a type of personal data that is more sensitive and therefore requires stronger protection. It includes an individual’s:

  1. racial or ethnic origin
  2. political opinions – e.g. membership of a political party or expressed political views
  3. religious or philosophical beliefs – e.g. beliefs affecting lifestyle or choices
  4. trade union membership – e.g. membership of a union, or activities related to it
  5. genetic data – e.g. DNA information used to identify the individual
  6. biometric data – e.g. fingerprints, facial recognition, or other biometrics used to uniquely identify the individual
  7. health – e.g. physical or mental health records, medical history, therapy notes, disabilities
  8. sex life or sexual orientation – e.g. sexual behaviour, preferences or orientation.

Additional conditions for sharing special category data

To share (or otherwise process) special category data, one of the legal bases for sharing personal data under Article 6 of the UK GDPR must apply (see the previous section) – but you also need to meet a condition under Article 9 of the UK GDPR. These conditions include:

  • explicit consent – the individual has clearly agreed in a way that is specific, informed, and unambiguous
  • employment, social security, or social protection law – required for statutory obligations
  • vital interests – processing is necessary to protect someone’s life
  • healthcare or social care – processing is necessary for medical purposes, public health or social care
  • legal claims – processing is necessary for establishing or defending legal claims
  • substantial public interest – e.g. safeguarding children, preventing serious crime.

In practice, practitioners wanting to share special category data in a safeguarding or child protection context often rely on Article 9(2)(g) – substantial public interest (processing is necessary to protect children’s health or safety). In that case they must also meet one of the 23 specific substantial public interest conditions (one of which is ‘Safeguarding of children and individuals at risk’) in Part 2 of Schedule 1 of the Data Protection Act 2018.

Previous chapter Next chapter

See also:

What information is needed as part of a multi-agency assessment?
What information could you or your organisation be sharing?
Who’s who in different organisations?