GDPR Guidance from the London Child Protection Procedures Editorial Board
The Editorial Board of the London Child Protection Procedures has considered what changes are required to the Procedures to ensure compliance with the General Data Protection Regulations (GDPR) – implemented through the Data Protection Act 2018. As a result, the Board recommends that ‘legal obligation’ and ‘public task’ (as defined in the GDPR) are relied on as the primary basis for processing information to establish whether or not there is a need to safeguard the welfare of a child. This means that, whilst families will be informed when personal data is being shared or processed, their consent will not be required.
Over the coming weeks, the Editorial Board will be working to ensure the chapters in the Procedures are updated accordingly, but in the meantime, references to consent and information sharing will be highlighted with a link to this advice. In addition, the information sharing chapter (Chapter 4 in Part B1 Practice Guidance), will be removed pending a full revision in line with the new legislation.
The significance of this change is that it is no longer necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child (i.e. removing the distinction between information sharing for the purposes of assessing need or child protection). It does, of course, continue to be good practice to inform parents / carers that you are sharing information for these purposes and to seek to work cooperatively with them. Agencies should also ensure that parents / carers are aware that information is shared, processed and stored for these purposes.
For local consideration:
We would also recommend that where consent has previously been relied upon for sharing information but is unlikely to meet the criteria for consent under the GDPR, organisations make and publicise the following statement:
Where we have previously sought the opinion of a family and called it consent, but this consent is not GDPR compliant and we are confident that this would now fall within the legal obligation or public task bases, we will continue to hold and/or share that information on the basis of legal obligation or public task.
NB The Article 29 Working Party (the group of EU data protection authorities charged with agreeing European-wide guidance on GDPR) has said that whilst, once GDPR is implemented you will not be able to move from use of consent as the legal basis to share information to another legal basis, they have allowed that, where consent has been used prior to the GDPR and it does not meet the threshold of consent as defined by the GDPR, you will be able, retrospectively, to move to another legal basis for sharing.