Safeguard-Me Blog 2026

GDPR and Safeguarding: When Data Protection Must Not Be a Barrier

2025-12-29 22:23

Data Protection Must Not Be a Barrier, including GDPR

Data protection laws, including the UK and EU General Data Protection Regulation (GDPR) and the Data Protection Act 2018, are explicitly designed to be a framework for appropriate information sharing, not a barrier. The common misconception that these regulations prevent data sharing often hinders important functions, particularly in areas like safeguarding and public safety. This blog explains:
  • Lawful bases for sharing,
  • consent vs vital interests,
  • What “minimum necessary” really means,
  • How to keep safeguarding records secure,
  • Retention schedules,
  • Handling subject access requests (SARs), and
  • Building simple information governance that staff can actually follow.

It also includes a 3-question quiz and an Q&A section (with a couple of longer answers).

Are you protecting children… or protecting data?

Here’s the tension most organisations feel:
  • Share too little, and you risk a child staying unsafe.
  • Share too much, and you risk breaching privacy and losing trust.
The good news: GDPR is not designed to block safeguarding. It’s designed to make information handling lawful, fair, and secure.
This week’s goal is simple: make sure your team knows when to share, what to share, and how to record it.

1) Start with the principle: safeguarding comes first (but still needs structure)

In safeguarding, the question isn’t “Can we share?”
It’s:
  • What’s the purpose of sharing?
  • What’s the lawful basis?
  • Who genuinely needs to know?
  • How will we keep it secure and recorded?
When staff don’t have clarity, they either freeze (“GDPR says no”) or overshare (“just in case”). Both create risk.

2) Lawful basis for sharing: the bit that removes the fear

You don’t always need consent to share safeguarding information.
Common lawful bases you’ll rely on include:
  • Legal obligation (e.g., statutory duties)
  • Public task (where applicable)
  • Vital interests (to protect someone’s life)
  • Legitimate interests (in some non-statutory settings)
The key is not memorising the list. It’s knowing this: You can share information to protect a child when it’s necessary and proportionate.

3) Consent vs vital interests: the practical difference

Consent is often misunderstood in safeguarding.

When consent can be appropriate

  • Routine information sharing with parents/carers
  • Non-urgent support referrals (where safe)
  • Sharing general programme information

When consent is not appropriate (or not required)

  • When seeking consent would increase risk
  • When a child may be harmed if you delay
  • When you suspect abuse/neglect and need to escalate
“Vital interests” is often used in emergencies, but safeguarding decisions are broader than emergencies. The real test is:
  • Is sharing necessary to protect the child or others?
  • Is it proportionate to the risk?

4) Secure systems: the fastest way to reduce GDPR risk

Most breaches happen through everyday habits:
  • Sending sensitive info to the wrong person
  • Using personal email/WhatsApp
  • Storing documents in random folders
  • Leaving paper records unsecured
Practical controls that work:
  • Use role-based access (people only see what they need)
  • Keep safeguarding records in one secure system
  • Avoid downloading and re-uploading files unnecessarily
  • Lock down sharing permissions
  • Use strong passwords and MFA
If you’re using safeguarding software or digital safeguarding records, check that:
  • Access is restricted and audited
  • Entries are time-stamped
  • Records can’t be edited without trace

5) Retention schedules: keep what you need, for as long as you need

Retention is where organisations drift.
A good retention approach:
  • Defines what you keep (and why)
  • Defines how long you keep it
  • Defines who can authorise deletion
  • Includes secure disposal (not just “delete from desktop”)
The aim isn’t to keep everything forever. It’s to keep defensible, necessary records.

England & Wales

Good practice is to keep safeguarding records for a minimum of 75 years, or in some cases, permanently.
The Independent Inquiry into Child Sexual Abuse (IICSA) recommends that, where an organisation has identified that it holds records that are known to relate to allegations or cases of child sexual abuse, that material should be retained for 75 years with review periods as appropriate. This reflects the requirement to retain records relating to looked-after children and care homes until the individual’s 75th birthday. Those relating to adoption are kept for 100 years.
Allegations that are found to be unfounded should be removed from a person’s record.

Scotland

Covenants of responsibilities for those convicted of a sexual offence and records of concerns relating to potential/actual sexual offending should be retained for 100 years.
Records relating to child protection concerns or adult protection concerns should be retained for 50 years.
For looked-after children, the Scottish Government’s guidance sets a precedent for 100-year retention, and SCVO and NRS support long-term retention where safeguarding or legal accountability is involved
Current best practice guidance, such as that contained in the Section 61 Code of Practice on Records Management, under the Freedom of Information (Scotland) Act 2002, advises that:
Authorities should define how long they need to keep particular records, should dispose of them when they are no longer needed and should be able to explain why records are no longer held. This final point is a distinct point of difference from England and Wales.

6) Subject Access Requests (SARs): don’t panic, follow a process

SARs can feel scary because safeguarding records are sensitive.
A calm SAR process includes:
  • A named lead (DPO/manager)
  • A clear triage step (what’s being requested?)
  • Checking identity
  • Reviewing redactions carefully (especially third-party info)
  • Considering safeguarding exemptions where relevant
Most importantly: staff should know not to respond informally. SARs need a controlled process.

7) Information governance: make it usable, not a policy graveyard

Information governance sounds heavy, but it can be simple.
Minimum viable governance:
  • One-page “what to do if…” guide for staff
  • Clear do/don’t rules (channels, storage, sharing)
  • A decision log template for complex cases
  • Regular spot checks (are records consistent?)
When governance is clear, staff confidence rises and safeguarding gets faster.

Quick quiz: GDPR and safeguarding

  1. Which statement is most accurate?
  • A) GDPR prevents sharing safeguarding information without consent
  • B) You can share anything as long as it’s for safeguarding
  • C) GDPR allows safeguarding information sharing when it’s necessary and proportionate
  1. When might seeking consent be unsafe?
  • A) When it could increase risk to the child or delay protection
  • B) When it’s inconvenient
  • C) When the record is long
  1. What’s a strong way to reduce data protection risk in safeguarding?
  • A) Store records across multiple personal devices
  • B) Use one secure system with role-based access and clear logging
  • C) Avoid recording anything sensitive
Answer key: 1) C 2) A 3) B

Q&A: Data protection and safeguarding

Q1: Do we need consent to share safeguarding concerns?

Not always. If sharing is necessary to protect a child and proportionate to the risk, you can share without consent.

Q2: What does “minimum necessary” mean in practice?

Share only what the other person needs to take action: relevant facts, context, and risk level — not every detail.

Q3 : How do we decide what to share and what to record?

Use a simple three-step test:
  1. Purpose: What action are we trying to enable?
  2. Proportionate content: What facts are relevant to that action?
  3. Audience: Who genuinely needs to know to take that action?
Then record:
  • What was shared
  • With whom
  • When
  • Why (your rationale)
  • What happened next
This protects children and protects your organisation, because it shows you acted thoughtfully rather than emotionally.

Q4: What are common GDPR mistakes in safeguarding?

Using personal messaging, oversharing “just in case”, poor access control, and unclear retention.

Q5: How should we handle SARs involving safeguarding records?

Have a defined process and keep it centralised.
Good practice:
  • Route SARs to a named lead (DPO/manager)
  • Verify identity
  • Locate records in a secure system
  • Review for third-party information and redaction
  • Consider safeguarding exemptions where relevant
  • Respond within required timescales
The biggest risk is informal responses or partial disclosure without proper review.

Quick checklist: Week 45 GDPR safeguarding health check

  • Staff know GDPR is not a barrier to safeguarding
  • Lawful bases are understood in plain English
  • Secure system in place for digital safeguarding records
  • Clear retention schedule exists and is followed
  • SAR process is documented and staff know where to route requests
  • Information governance is practical (one-page guidance + spot checks)