By Olaf van Tol and Mark Orchison
In recent years, data protection laws have been developed in many countries to reassure individuals about their personal data security. Schools are expected to take particular care to protect student data as part of their child protection obligations. In many respects, safeguarding the well-being of students fits comfortably with the protection of their personal data.
March 2021: Gain support and guidance on this topic
CIS members can join our virtual Data Protection, Cybersecurity & Safeguarding Workshop 2–4 March 2021 | Register
However, some schools feel torn between protecting sensitive information about students or staff members and safeguarding their students.
In this blog, we seek to navigate the intersection between protecting personal data and keeping children safe by addressing one example of where a school’s duties may intersect; namely, the transfer of child protection information from one school to another when a student moves between schools. We explore the legal considerations and inconsistencies on an international level, the steps CIS and 9ine are taking together with our members to address these in the long-term, and some practical short-term tips on balancing data protection requirements with safeguarding children.
In some countries, it is very clear that data protection should not be used as a barrier to prevent sharing information for the purposes of keeping children safe. For example, in England, government guidance clearly states that information sharing is vital to identify and tackle all forms of abuse and neglect. This is bolstered by local data protection law which permits the sharing of special category data without consent for the purposes of safeguarding where it is not reasonable to obtain consent or where obtaining consent would be detrimental to the intended safeguarding purpose (Data Protection Act 2018 (schedule 1, para 18)).
There are differences of opinion in the European Union because the General Data Protection Regulation (GDPR) provides an overall position on data protection and the local laws of Member States have not necessarily picked up on the nuances required to assist schools in these difficult situations. This means that arguments abound regarding which lawful bases under the GDPR are appropriate to share sensitive data about students or staff.
Some legal professionals have considered that substantial public interest could be appropriate when required for crime prevention. Some have argued that explicit consent is the only basis available, and others have looked to vital interests (circumstances of life or death) as a means to justify sharing child protection files.
Every situation must, of course, be considered on a case by case basis. However, if the need is so serious that vital interests can be relied upon in the European Union to share special category data between schools, then this may prove helpful to schools in other countries who have similar provisions.
For example, in Brazil, where personal data can be processed "where necessary to protect the life and physical well-being of the data subject" (General Personal Data Protection Law (LGPD) Article 7). Or in Japan, where the sharing of sensitive personal information to protect life or body of a data subject is a recognised lawful basis Act No. 57 of 2003, Article 23. China, also, has begun public consultations for forthcoming new legislation that may allow for processing data in instances where it is necessary for "the protection of life, health and property of the data subject."
Transferring child protection files between schools
International schools often feel powerless to share child protection files with other schools when a student moves on, particularly if that student is moving to a school in a different country. In many instances, it is not reasonable to ask for consent from the student or their parents due to the sensitivity of the information concerned or the risk of harm that may follow. For instance, a student may have disclosed information about physical abuse within their home.
In England, statutory guidance is clear:
“When children leave the school or college, the designated safeguarding lead should ensure their child protection file is transferred to the new school or college as soon as possible, ensuring secure transit, and confirmation of receipt should be obtained. For schools, this should be transferred separately from the main pupil file. Receiving schools and colleges should ensure key staff such as designated safeguarding leads and SENCOs or the named person with oversight for SEN in a college, are aware as required.
In addition to the child protection file, the designated safeguarding lead should also consider if it would be appropriate to share any information with the new school or college in advance of a child leaving. For example, information that would allow the new school or college to continue supporting victims of abuse and have that support in place for when the child arrives.” Keeping Children Safe in Education 2020, paragraphs 87 and 88.
However, the law is not as clear in many other countries, and frequently little assistance is given by way of guidance or consistent legal opinion to help schools decide whether to share information. In the absence of clear laws, legal or regulator opinions, there is a risk that schools will choose not to share essential information for fear of breaching data protection law. This could be disastrous for the protection of children, and clarity is required.
CIS and 9ine have started to work with CIS members and law firms to address this inconsistency and prepare guidance on this issue for schools that are based in the EU. If you would like to be a part of this project, please contact Jane Joyce.
Carrying out a risk assessment
In the meantime, however, a step in the right direction is to adopt a formal risk management process to balance the need to safeguard children against the requirements of data protection. This needs to take into account the uniqueness of each situation in order to assess the risks of not sharing the information as well as the risks of so doing.
By considering the individuals concerned, the relevant local law, and the circumstances of the particular case, it is hoped that schools can form a view as to the different risk levels involved in each case and thus adjust their responses to those risks depending on their risk tolerance.
- Schools identify the purpose of sharing information and decide on the minimum level of personal data necessary to achieve that purpose.
- Schools should then consider their legal framework to ensure they understand their safeguarding and data protection requirements regarding the personal data identified. Data protection principles should be followed wherever possible and, where lawful bases are required, such as under Articles 6 and 9 of the GDPR, these should be identified with documented reasoning as to why they are considered appropriate in the circumstances.
- The risks associated with sharing that personal information can then be considered. In a child protection situation, there might be a risk of harm to the child, together with other individuals and, maybe, the society at large. There may also be a risk of the school being vulnerable to legal action as a result of a claim for breach of privacy, or even defamation, brought by the individual/s whose data is being shared because the lawful bases being relied upon are not robust.
- The risks of not sharing the data will then need to be identified. These might be that a child in need will not receive the support they require in a new school environment. Or, maybe, that harm might befall others if a safeguarding allegation about an individual is not shared and that individual has exposure to more children, perhaps as a result of a change of job.
- Once the risks are identified, a risk assessment can be undertaken to consider the likelihood and severity of those risks. By using a guide like the very basic matrix provided below, the likelihood may be measured by whether it would be "very rare, unlikely, possible, likely or almost certain to occur. Severity may be measured by "insignificant, minor, moderate, major or severe." By combining these two factors, schools will be able to judge better the risks of sharing data and not sharing data.
The advantage of using a risk-based approach is that schools can consider the complexities and uniqueness of each situation, using a simple and consistent methodology that can be used to bolster the decision-making process. Of course, any assessment should be documented. Any decisions should be recorded for future reference, in case there is a need to explain the reasoning behind the school’s decision or justify the approach taken in any particular case.
Please note that data sharing across borders may also be subject to additional provisions of the GDPR and/ or other local laws, but an in-depth discussion of these is beyond the scope of this blog.
Olaf van Tol is our IT Systems Manager at CIS and Mark Orchison is Founder & CEO at 9ine.
- Workshop: CIS members can learn more by joining us on 2–4 March 2021 for the Data Protection, Cybersecurity & Safeguarding Workshop.
- Get involved: If you’d like to be involved in a CIS & 9ine project looking to provide clarity on the issues discussed in this article, please contact Jane Joyce.
- Reference: 9ine's Privacy Framework
- Reference: Information sharing Advice for practitioners providing safeguarding services to children, young people, parents and carers (UK government 2018)
- Reference: Keeping children safe in education (2020), paragraphs 87 and 88
- Reference: Statutory guidance for schools and colleges (UK government 2020)
- Blog: Data protection and privacy implications of online and remote learning
- Blog: Should we record virtual counselling sessions? And other questions … answered
- Blog: Realities and solutions to promote online safety, navigate Edtech and protect data
- Blog: Learning from young people: How schools and universities can protect students from peer-on-peer abuse
- Blog: International Taskforce on Child Protection Report April 2020