Information sharing and data protection

Little girls playing outside - for early years data protection page

An introduction to information sharing for early years settings, nurseries and childminders including information on data collection, sharing and GDPR.

It is important you are confident about when and when not to share information in the early years sector.

All early years staff must know the circumstances under which they may share personal data with other agencies about individuals.

The government's guidance on information sharing and safeguarding is called . 

It is important that we do not let concerns about sharing information stand in the way of protecting children who may be at risk of abuse or neglect.

Safeguarding and GDPR

On May 25 2018 an EU law called the came into effect.

It replaced the Data Protection Act 1998 and it gives individuals greater control over their own personal data.

  • The GDPR principles

All data collected must be:

1. processed fairly, lawfully and in a transparent manner in relation to the data subject

2. collected for specified, explicit and legitimate purposes and not further processed for unrelated or incompatible other purposes

3. adequate, relevant and limited to what is necessary in relation to the purposes for which data is processed

4. accurate and up to date

5. kept in a form that permits identification of data subjects for no longer than is necessary for the purpose for which the data was collected

6. processed in a way that ensures appropriate security of the personal data including protection against unauthorised processing, accidental loss, destruction or damage using appropriate technical and organisational measures.

  • Sensitive information

Special category data — including information relating to safeguarding concerns — needs greater protection than other types of data.

The most relevant conditions for recording and keeping sensitive safeguarding and welfare information include:

1. getting explicit consent

2. needing the data to carry out your obligations under employment, social security or social protection law, or a collective agreement

3. needing the data for reasons of substantial public interest according to UK laws, taking into account proportionality and safeguarding.

  • Safeguarding

Where there are concerns about a child being at risk due to possible neglect or abuse, Local Safeguarding Partners (LSPs) procedures advise that it is best practice in most circumstances to seek consent before making a child protection referral. 

If consent is withheld and the concern remains that a child may be at risk of significant harm, the referral should still be made.

Practitioners should follow LSP safeguarding procedures at all times and this remains unchanged by GDPR.

  • Processing safeguarding data lawfully

The GDPR defines the different kinds of lawful basis needed to process data.

Where there is a safeguarding concern, it's unlikely the lawful basis of 'consent' would be appropriate. For children's social work the 'public task' basis is more likely to be appropriate.

For early years settings, information could be processed under the 'legal obligation' basis.

The Data Protection Act 2018 supplements GDPR and includes a new category of child abuse data, defined as physical injuries (non-accidental), physical and emotional neglect, ill treatment and sexual abuse.

The Act allows all organisations to process data for safeguarding purposes lawfully and without consent where necessary for the purposes of:

  • protecting an individual from neglect or physical and emotional harm; or
  • protecting the physical, mental or emotional wellbeing of an individual.

This covers situations where a child may be at risk of significant harm due to neglect or abuse and also applies to referrals made to the local authority for any child considered to be a 'child in need'.

Remember: Practitioners should follow LSP safeguarding procedures at all times and this remains unchanged by GDPR.

Protecting your data

The government's National Cyber Security Centre has produced a downloadable leaflet for early years providers explaining how to protect sensitive information about your setting and the children in your care from accidental damage and online criminals.

Download: Early years practitioners: using cyber security to protect your settings.

Helpful resources

Statutory guidance

Non-statutory guidance


For more details about GDPR compliance



   Learn more about 91ɫƵ membership  Contact us