Can I Really Share Safeguarding Information Under GDPR?"
Jon: Founder, Safeguard-Me
James: DSL
James: I've got a question. We've just had a safeguarding concern about a student, and I need to share information with social services. But I'm worried about GDPR. Can we actually share this information legally?
Jon: Absolutely. This is one of the biggest misconceptions about GDPR—people think it stops them from sharing safeguarding information. It doesn't. In fact, GDPR supports information-sharing when it's necessary to protect a child.
James: Really? Because I've heard horror stories about organisations being fined for sharing data.
Jon: Those fines are usually for inappropriate sharing—like sharing data without a legal basis, or sharing more information than necessary. But safeguarding is different. When you're sharing information to protect a child, you have a legal basis under GDPR.
James: What's the legal basis?
Jon: Usually, it's one of two things: legal obligation (because safeguarding is a legal duty) or vital interests (because you're protecting someone's life or wellbeing). Both of these are recognised under GDPR as lawful reasons to process and share personal data.
James: Okay, so I can share information. But are there any rules I need to follow?
Jon: Yes, a few. First, only share what's necessary. Don't send the entire case file if a summary will do. Second, share it securely—use encrypted email or a secure platform like Safeguard-Me. Third, document your decision—record what you shared, with whom, why, and when.
James: That makes sense. What about parents? Do I need their consent to share information with social services?
Jon: No. If you're sharing information to protect a child, you don't need parental consent. In fact, asking for consent could put the child at greater risk—especially if the concern involves the parents themselves.
James: Got it. What about access to records? Can parents request to see safeguarding files under GDPR?
Jon: They can make a Subject Access Request (SAR), yes. But there are exemptions. You don't have to disclose information if it would:
- Harm the child
- Prejudice an ongoing investigation
- Reveal information about third parties (like other children or staff) without their consent
James: So we can refuse a SAR?
Jon: In some cases, yes—but you need to be able to justify your decision. If a parent makes a SAR, come to me first, and we'll review it together. We have one month to respond, so there's time to get it right.
James: What about retention? How long do we need to keep safeguarding records?
Jon: It depends on the type of record. For safeguarding case files, the standard is until the child reaches 25. For serious cases—like allegations of abuse—we may need to keep records longer, or even indefinitely. We have a retention schedule that sets this all out.
James: And what happens when the retention period expires?
Jon: We review the records and, if it's safe to do so, we delete them securely. That means shredding paper files and securely deleting digital files. GDPR says we shouldn't keep data longer than necessary, so it's important to follow the schedule.
James: This is really helpful. I think my biggest worry was that GDPR would stop me from doing my job.
Jon: I hear that a lot. But GDPR isn't the enemy—it's actually a framework that helps us handle sensitive data responsibly. The key is understanding the rules and applying them correctly.
James: So, to summarise: I can share safeguarding information if it's necessary to protect a child, I don't need parental consent, I should share securely and document my decision, and I need to follow retention policies.
Jon: Exactly. And if you're ever unsure, just ask me. It's better to check than to guess.
James: Thanks. I feel much more confident now.
Jon: Anytime, James. Safeguarding is a team effort, and GDPR is just one part of doing it well.
Key Takeaways
✅ GDPR supports safeguarding—it doesn't prevent information-sharing
✅ Legal bases for safeguarding: legal obligation and vital interests
✅ Share only what's necessary, share it securely, and document your decision
✅ You don't need parental consent to share safeguarding information
✅ Subject Access Requests can be refused if disclosure would harm a child
✅ Follow retention policies and delete records securely when they expire
✅ Legal bases for safeguarding: legal obligation and vital interests
✅ Share only what's necessary, share it securely, and document your decision
✅ You don't need parental consent to share safeguarding information
✅ Subject Access Requests can be refused if disclosure would harm a child
✅ Follow retention policies and delete records securely when they expire
Need a GDPR-compliant safeguarding solution? Safeguard-Me's platform provides encrypted storage, role-based access, and audit trails to keep your data secure and compliant. Start your free passport today.