Sad little boy

Sharing information to safeguard children in nurseries 

The Information Commissioner’s Office and NDNA bring you practical tips for sharing information to safeguard children in nurseries.

Sharing information is central to effectively safeguarding children from harm and promoting their wellbeing. Data protection law allows you to share information when required to protect children from harm.  

As the data protection regulator, the Information Commissioner’s Office (ICO) offers practical advice to help you feel confident about sharing information in a fair, proportionate and lawful way. 

We have partnered with early years providers to raise awareness about data sharing with its myth-busting ‘Think.Check.Share campaign. We want to reassure nursery staff that they won’t be breaching data protection law if they share information in good faith to safeguard a child.  

1:  Understand the role of data protection in safeguarding   

Data protection is a framework to help you share information. It doesn’t prevent you from sharing information to safeguard a child. It can be more harmful not to share information that is needed to protect a child.  

Example: A member of staff at a nursery suspects that a carer has inflicted an injury on a child. They speak to the nursery’s safeguarding lead. The nursery follows procedures and does not hesitate to share information about the child and their injury with local safeguarding services. The nursey should also share their concerns with the carer, unless they believe that doing so would cause further harm to the child.  

Get advice from your data protection officer (DPO), expert or team about your information sharing plans. For smaller organisations, ask your umbrella group or governing body for advice. Always record decisions to share data as well as incidences where data sharing is not appropriate. There are likely to be other laws and duties outside data protection that you also have to comply with in your safeguarding work.  

2: Identify your purpose for sharing information 

Be clear about your purpose for sharing the information. You can share all the information you need to, with an appropriate person or authority, in order to safeguard a child. 

Example: A nursery assistant is working with a child at nursery and has identified concerns about their welfare. In a nursery there will be procedures in place for staff to raise concerns with a safeguarding lead or manager.  

The nursery is going to share this information with an organisation who can help and wants to know how much to share. It may be able to share a minimal amount of information to achieve its purpose, such as accessing direct support for a service to benefit the child.  

However, there will be times where multiple organisations are involved in an intervention, or where there are concerns about serious harm. In these cases, it may be necessary to share information more widely, or to share more information on a child’s circumstances. Remember to keep a record when sharing data or when deciding that it is not appropriate to share.  

It is not always clear how the details of a child’s history or circumstances are relevant to the concerns that have been identified. But the nursery will be sharing proportionately if it can link it back to a compelling reason to share. In these circumstances, that compelling reason is safeguarding the child. 
Documenting this link will not only help nursery to make its decision, but it helps the nursery to comply with the law. 

3: Develop clear policies for sharing information 

Put strong governance, policies and systems in place and keep everything under regular review. 

Build a culture of compliance and good practice throughout your organisation to help you to share information securely. 

Train everyone in your organisation in safeguarding and data protection to the level they need. Ensure that all nursery staff understand what they need to do to share information to safeguard children. Arrange regular refresher sessions of this training. 

Example: A nursery assistant notices a concerning pattern of behaviour by an adult towards a toddler in the adult’s care. The nursery assistant understands that she needs to promptly tell her manager her concerns. To protect the child, the nursery shares the information with local safeguarding services. 

4: Be transparent and clear about people’s rights  

Be clear about what happens to personal information at every stage; about how you’ll inform people about this, and how you’ll handle requests by people to access their information rights. You need to tell people about how and why their information is used. 

Make sure that you have policies and procedures that allow people to exercise their own rights under data protection law: 

  • the right to access information held about them (the right of subject access); 
  • the rights to have their information rectified, erased or restricted; 
  • the right to object; 
  • the right to portability of their information; and 
  • the right not to be subject to a decision based solely on automated processing. 

However, if you’re sharing information for safeguarding purposes, you might not be obliged to allow people to exercise all these rights. For example, if giving access to a person to information you hold about them would be likely to cause serious harm to a child. 

5: Assess the risks of sharing information  

When you are making a decision about sharing information about a child, it is very important to assess the risks. 

If you are an organisation that shares information on a regular or routine basis, a Data Protection Impact Assessment (DPIA) will help you to do that. A DPIA is a practical tool to help you plan for sharing information and mitigate the risks to children’s rights and freedoms. It helps you to ensure your sharing is done safely, lawfully and with accountability.  

However, there will be circumstances not covered by a DPIA, such as sharing information on a one-off basis or in an emergency. You can go ahead and share that information based on what is necessary and proportionate in the circumstances at the time to safeguard the child. 

6: Enter into a data sharing agreement 

Where there is regular data sharing, it may help all parties to also enter into a data sharing agreement (DSA), so everyone involved is clear on what information is being shared and how it will happen. 

Consult your DPO, expert or team, or for smaller organisations, your umbrella group or governing body about drawing up a data sharing agreement. 

7: Follow the data protection principles 

The seven data protection principles lie at the heart of data protection; follow them when handling or sharing personal information. They are all important. 

  • Lawfulness, fairness and transparency 
  • Purpose limitation (share only for your clear purposes) 
  • Data minimisation (share information that is adequate, relevant and limited to what is necessary for your purposes) 
  • Accuracy (keep the information up to date) 
  • Storage limitation (keep the information no longer than necessary for your purposes) 
  • Integrity and confidentiality (ensure appropriate security) 
  • Accountability (demonstrate your compliance with the principles) 

8: Share information using the right lawful basis 

Sharing information is always lawful when you choose the right lawful basis for you and for the circumstances.  

A lawful basis is a valid reason for processing personal information. Using the right lawful basis means you can share all the information you need to, with an appropriate authority or individual, in order to safeguard a child. 

Identify at least one lawful basis for sharing information before you start the sharing. Ensure you can demonstrate that you considered which lawful basis to use and keep a record of your decision.  

Consent is one lawful basis, but it is not required for sharing information in a safeguarding context. The most common lawful bases suitable for safeguarding purposes are public task, legitimate interests and legal obligation.  

Example: A nursery teacher notices a child in his class is demonstrating some concerning behaviour, including showing fear about being collected from nursery by a relative with whom they live. The teacher follows the nursery’s procedures and speaks to the safeguarding lead. The nursery contacts the local safeguarding service to share the information about the child. The nursery does not need to obtain the consent of the relative to share this information. 

9: Share information in an emergency 

In an emergency, don’t hesitate to share information to safeguard a child. You might not have time to follow all the usual processes. 

Make a record of what you shared, who with, and why, as soon as possible. 

Plan ahead for emergency or urgent situations so that everyone knows what to do and the processes to follow when time is of the essence.  

10: Look at further resources 

ICO resources: 

The ICO has a webpage dedicated to further guidance and resources to support organisations with sharing data. This includes the data sharing code of practice, which has a section on data sharing and children. The page also features a range of case studies and examples for different sectors. 

They have created a toolkit of free resources to promote responsible data sharing, including posters, videos, infographics and content for social media.  

This blog provides additional data protection tips for early years settings.  

NDNA resources about data: 

  • Find 10 GDPR tips for nurseries here
  • GDPR for nurseries and early years information here
  • NDNA’s GDPR factsheet here
  • NDNA’s GDPR Privacy Notice – England here
  • NDNA’s GDPR Privacy Notice – Wales here

Similar Articles

Gathering the views of children in your nursery 

In our last two blogs, we explored what the UNCRC (Incorporation) (Scotland) Act 2024 is…
Read more

Nursery leadership and management: How to build a team 

This blog will cover nursery leadership and management of a team. It will explain the…
Read more