Sharing safeguarding information with other staff

Sharing safeguarding information with staff
A question I get asked quite often is whether and how much information should be shared by the Designated Safeguarding Lead with other staff in the school. The general presumption has been that information should be shared on a need to know basis. Since the Data Protection Act 2018 (DPA) came into force, the questions has been asked more often, in relation to the General Data Protection Regulation (GDPR). The GDPR is a part of the DPA. In addition, I'm often asked whether full names can be used in information that is shared or only initials.
Background
Schools need to refer to the following guidance to answer these questions:
*Statutory Guidance 
Personal data is information which relates to a living individual; and special category data is highly sensitive information that is afforded extra protection under GDPR.

The guidance document Data Protection: a toolkit for schools (DfE, 2018) says 'GDPR does not prevent, or limit, the sharing of information for the purposes of keeping children safe. Lawful and secure information sharing between schools, Children’s Social Care, and other local agencies, is essential for keeping children safe and ensuring they get the support they need' (page 24).

Safeguarding and Child Protection information, usually held by the Designated Safeguarding Lead, is defined as 'special category data' under the DPA (Keeping Children Safe in Education (2019), paragraph 79).
Working Together to Safeguard Children (2018) says 'Effective sharing of information between practitioners and local organisations and agencies is essential for early identification of need, assessment and service provision to keep children safe.' (Chapter 1, paragraph 23).
The government's Information Sharing (2018) guidance sets out seven golden rules to sharing information (see page 9/10): 
  • necessary and proportionate
    • When taking decisions about what information to share, you should consider how much information you need to release;
    • Information must be proportionate to the need and level of risk;
  • relevant
    •  Only information that is relevant to the purposes should be shared with those who need it. This allows others to do their job effectively and make informed decisions;
  • adequate
    •  Information should be adequate for its purpose;
  • accurate
    •  Information should be accurate and up to date;
  • timely
    •  Practitioners should ensure that sufficient information is shared, as well as consider the urgency with which to share it;
  • secure
    • Wherever possible, information should be shared in an appropriate, secure way. Practitioners must always follow their organisation’s policy on security for handling personal information;
  • record
    •  In line with each organisation’s own retention policy, the information should not be kept any longer than is necessary.
These rules help us think about the information that DSLs might share, who with and why. 
What should DSLs consider before sharing information?
The Designated Safeguarding Lead (and Data Protection Officer) need to consider when releasing 'special category information' to 'relevant' staff that there is a clear purpose for them to know it, probably so that they can support the child by providing an effective 'service'. This consideration is likely to mean that not every member of staff needs access to the same information. Secondly, the DSL needs to consider the security of the information: could it be lost, misplaced or seen by anyone who would not have lawful authority. Finally, the DSL needs to know how the data that they have provided to others is to be securely destroyed when it is no longer required. 
In its 'top tips', the Data Protection: a toolkit for schools (DfE, 2018) says that consideration should be given to sharing the minimum amount of data that is needed to 'get the job done' and should be shared with the minimum number of people that need access to personal data (page 36).
Carrying out a Data Protection Impact Assessment (DPIA) is one way that schools can identify where there are issues and how these could be mitigated. A Data Protection Impact Assessment could be created for the specific issue of sharing safeguarding/welfare/medical issues with other staff (perhaps by role). An example DPIA can be found in the Data Protection: a toolkit for schools (DfE, 2018). 
There is a expectation of confidentiality on all staff
Whether the sharing of data with certain members of staff is necessary or not, all staff are bound by expectations of confidentiality. 
Guidance for Safer Working Practices (section 6) sets out the expectations of confidentiality: 'Staff may have access to special category personal data about pupils and their families which must be kept confidential at all times and only shared when legally permissible to do so and in the interest of the child. Records should only be shared with those who have a legitimate professional need to see them...Staff are expected to treat information they receive about pupils and families in a discreet and confidential manner.' (Guidance for Safer Working Practices, page 7)
Conclusions
Can safeguarding information be shared with all staff?
Only relevant staff should have access to the information, so that they can provide an effective servic e to the child and  ensure they get the support they need .
Can information shared using email?
Typically, email systems should not be treated as secure, as it is easy to send data to people who do not have lawful access, or be shared by people who don't have lawful authority to decide who should have access. DSLs and Data Protection Officers or Controllers can not be assured that special category data that has been shared has been securely deleted after the shared data is no longer relevant or required.
Should 'special category data' be printed and distributed to those who need it?
It is unlikely that this would be regarded as a secure method for information sharing.
Should initials be used in 'special category data' that is shared?
Firstly, initials are to be avoided since it may not be possible to identify the unique pupil (other students may share initials). Secondly, and more importantly, the use of initials indicates that consideration has already been given to privacy. This suggests that the person sharing the information is already concerned that the system for sharing is inherently insecure. Further consideration should therefore be given to the seven golden rules in Information Sharing (DfE, 2018), so that the information shared is compliant.
What works
One approach that schools might use would be to store the information electronically with different levels of access.

The Data Protection Toolkit (2018) has two very useful case studies. One looking at the sharing of medical information; the other describes a school using IT intelligently to reduce risk. (See pages 38 and 40)