KCSIE 2018 and GDPR: how they can work together

20th November 2018

Schools will no doubt be aware that KCSIE 2018, statutory guidance for schools on safeguarding, came into force last month. The emerging consensus is that this latest edition involves “tweaks” and “minor” changes. There is no radical departure from what preceded it, and certainly no revolution in how schools should keep children safe.

On the face of it, the updates in KCSIE 2018 that make reference to GDPR and the Data Protection Act 2018 are of a similar ilk. They simply ensure that the guidance reflects the new data protection regime we have lived with for some months now. When it comes to safeguarding in schools, the old Data Protection Act 1998 has officially been consigned to the history books, where it now belongs. Not particularly noteworthy you might say.

Fears about sharing information

We would disagree. The DfE authors have not merely set about amending KCSIE 2018 to ensure it keeps up-to-date with changes in data protection law. Rather their changes to the guidance reflect a deep concern, on the DfE’s part, that schools and practitioners are feeling seriously conflicted between their data protection and safeguarding duties. In bold, and at times also underlined, the text in part two of the guidance states that:

“The Data Protection Act 2018 and GDPR do not prevent, or limit, the sharing of information for the purposes of keeping children safe. Fears about sharing information must not be allowed to stand in the way of the need to promote the welfare and protect the safety of children.” (KCSIE 2018, paragraph 75).

Allaying the fears

This is not the end of the story. We cannot say that safeguarding “trumps” data protection and leave it at that. What is not in either bold or underlined in KCSIE 2018 is the preceding paragraph, paragraph 74, which acknowledges that schools should be aware of their data protection duties to process information fairly and lawfully and to keep the information they hold safe and secure. Subsequent paragraphs state that “relevant staff” should have “due regard” to the data protection principles and they should be “confident of the processing conditions…which allow them to store and sharing information for safeguarding purposes” including special category personal data.

What we appear to end up with is this. Promoting and protecting children’s welfare and security is paramount. Unfounded fears about what GDPR prevents or limits should be allayed in this area, but that does not mean GDPR can be jettisoned. Safeguarding and data protection can, and must, work together.

The seven “golden rules” to sharing information

So, how can schools put this in place? KCSIE helpfully provides a link to recently updated DfE guidance on “Information Sharing: Advice for Practitioners Providing Safeguarding Services to Children, Young People, Parents and Carers”, which is available via: The seven “golden rules” are especially useful and we have summarised them below:

  1. Data protection and human rights laws provide a framework to ensure personal data is shared appropriately. They are not barriers to justified information sharing
  2. Be open and honest with the individual (and/or their family) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so
  3. When in doubt, seek advice from other practitioners without disclosing the identity of individuals (where possible)
  4. Where possible, share information with consent and respect the wishes of those who do not consent to having their information shared
  5. Consider safety and well-being: base your information sharing decisions on consideration of the safety and well-being of the individual and others who may be affected by their actions
  6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely, and
  7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

Related Blogs

View All