What is the lawful basis for sharing information in safeguarding?

For most safeguarding information sharing, the lawful basis is 'public task' under Article 6(1)(e) of UK GDPR — the processing is necessary for the performance of a task carried out in the public interest. Schools and local authorities have a statutory public task in relation to child protection. Where there is an immediate risk to life, 'vital interests' under Article 6(1)(d) may also apply. Where consent is available and meaningful, it can be relied upon, but it is not required for safeguarding sharing. For special category data (health, ethnicity, etc.), an additional Article 9 condition is needed — typically Article 9(2)(g) (substantial public interest) with Schedule 1, Part 2 of the DPA 2018.

Can schools share information without parental consent?

Yes, in safeguarding contexts. Consent is one of six lawful bases under UK GDPR — it is not a prerequisite for all sharing. Where the purpose of sharing is to protect a child from harm, the public task basis (Article 6(1)(e)) typically applies, and parental consent is not required. Indeed, seeking parental consent before sharing can sometimes be actively harmful — for example, where a parent is the suspected perpetrator, or where warning the family might increase risk to the child or cause evidence to be destroyed. KCSIE 2025 and Working Together 2026 both confirm that schools may share without consent where there is reasonable cause to suspect a child is at risk of significant harm.

What are the 7 golden rules of information sharing?

HM Government's Information Sharing guidance sets out 7 golden rules: (1) Data protection law is not a barrier — it provides a framework for lawful sharing; (2) Be open and honest about how information may be shared, unless doing so is unsafe; (3) Seek advice from colleagues or the DPO if in doubt, without identifying the individual; (4) Share with informed consent where possible, but you may override that consent in the public interest; (5) Base decisions on the safety and wellbeing of the person and others; (6) Ensure sharing is necessary, proportionate, relevant, accurate, timely, and secure; (7) Record your decision and the reasons for it, whether you share or not.

Information Sharing & GDPR in Safeguarding: When Can Schools Share?

Q: Does UK GDPR prevent sharing information for safeguarding?

No. This is one of the most persistent misconceptions in safeguarding practice. UK GDPR does not prevent information sharing — it provides a framework for sharing information lawfully, fairly, and proportionately. HM Government's Information Sharing guidance (2023) is explicit: 'Data protection legislation does not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe.' The Data Protection Act 2018 also includes specific exemptions that allow certain data protection principles to be disapplied where sharing is necessary for safeguarding purposes.

Q: What is the DPA 2018 safeguarding exemption?

The Data Protection Act 2018, Schedule 2, paragraph 26 provides an exemption from certain UK GDPR provisions — including the right of access (subject access requests), the right to be informed, and the right to restrict processing — where applying those provisions would be likely to prejudice the safeguarding of children or vulnerable adults. In practice, this means that if complying with a subject access request (for example, a request from a parent) would reveal information held for child protection purposes in a way that could harm the child, the school may withhold that specific information under this exemption. The exemption is not a blanket power to ignore data rights — it must be applied on a case-by-case basis and documented.

By The Safeguard Hub Team · June 2026 · Last reviewed June 2026 · ⏳ 16 min read

The Safeguard Hub — Information sharing, UK GDPR, and the safeguarding framework for schools

The most important thing to understand about GDPR and safeguarding

UK GDPR does not prevent information sharing for safeguarding purposes. It provides a framework for sharing lawfully, fairly, and proportionately. Citing "GDPR" as a reason not to share safeguarding information is almost always incorrect — and can put children at risk. HM Government's Information Sharing guidance (2023) states clearly: "Data protection legislation does not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe."^[1]

Why Information Sharing Matters in Safeguarding

Failures of information sharing — not failures of data protection — feature in the majority of serious case reviews and child safeguarding practice reviews where children were seriously harmed or killed. The pattern is consistent: different agencies held different pieces of information that, if combined, would have revealed the full risk picture. Because they did not share — whether from uncertainty about the legal basis, reluctance to breach confidentiality, or poor systems — the risk was never seen whole.

Working Together to Safeguard Children 2026 identifies timely, accurate information sharing as a cornerstone of effective multi-agency safeguarding. KCSIE 2025 requires DSLs to understand when and how to share information and to act on that understanding — not to wait for perfect certainty before acting.^[2]

At the same time, information sharing must be proportionate and purposeful. Sharing personal information unnecessarily, inaccurately, or insecurely causes real harm — to individuals, to professional trust, and to the effectiveness of safeguarding systems. The framework exists to enable sharing, not to make it a free-for-all.

The Legal Framework

Information sharing in safeguarding sits within a framework of three overlapping legal instruments:

Legislation	Key role in information sharing
UK General Data Protection Regulation (UK GDPR)	The primary data protection framework, retained from EU GDPR after Brexit. Sets out six lawful bases for processing personal data, the seven data protection principles, and individual rights. Does not prevent safeguarding sharing — it provides the lawful basis for it.
Data Protection Act 2018 (DPA 2018)	Supplements UK GDPR. Schedule 2, paragraph 26 creates a specific safeguarding exemption allowing certain GDPR obligations (including subject access rights) to be disapplied where compliance would prejudice safeguarding. Schedule 1, Part 2 provides conditions for processing special category data in the substantial public interest.
Human Rights Act 1998, Article 8	Enshrines the right to respect for private and family life. A qualified right — can be overridden where necessary and proportionate in the public interest (including child protection). Information sharing must be assessed against Article 8 where it involves sensitive personal data, but the right is rarely absolute in safeguarding contexts.
Children Act 1989 / 2004	Places statutory duties on authorities and practitioners in relation to child welfare and protection. Section 47 creates a duty to investigate where significant harm is suspected — and to share information necessary for that investigation. Section 10 of the 2004 Act creates a duty to promote cooperation between agencies, underpinning multi-agency information sharing.
Common law duty of confidentiality	Applies where information is shared in a confidential relationship (e.g. between a pupil and a counsellor). Can be overridden in the public interest — specifically, where disclosure is necessary to prevent serious harm to the individual or others. This is a long-established principle that predates GDPR.

The Six Lawful Bases: Which Applies to Safeguarding?

UK GDPR Article 6 requires that all processing of personal data has a lawful basis. There are six; only one is required. Consent is one of the six — not a prerequisite that applies in all situations. In safeguarding, two bases are most commonly relevant:

Lawful basis	Article	When it applies in safeguarding
Public task	6(1)(e)	Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority. This is the primary basis for most safeguarding information sharing by schools. Schools have a statutory public task under education legislation and KCSIE 2025. Local authorities have a statutory public task under the Children Acts.
Vital interests	6(1)(d)	Processing is necessary to protect someone's life or the life of another. Applies where there is an immediate risk to life — e.g. a child who has made a disclosure about suicidal intent or is in immediate danger. A fallback basis; public task is usually sufficient.
Legal obligation	6(1)(c)	Where processing is required to comply with a legal duty — e.g. the mandatory FGM reporting duty under the Serious Crime Act 2015, or the duty to refer under s.47.
Consent	6(1)(a)	Applies where the data subject has given freely given, specific, informed consent. Useful in some early help contexts, but not required for safeguarding referrals. Consent cannot be relied upon in contexts where the data subject would be harmed by knowing of the sharing (e.g. where the parent is a suspected perpetrator).
Contract / Legitimate interests	6(1)(b),(f)	Rarely the primary basis in child protection; may apply in some early help or third-sector contexts.

Special Category Data

Some personal data is "special category" under UK GDPR Article 9 — it is more sensitive and requires an additional condition on top of an Article 6 lawful basis. Special category data includes: health data, ethnic or racial origin, religious or philosophical beliefs, sexual orientation, and biometric data.

In safeguarding, the most commonly relevant Article 9 condition is Article 9(2)(g): processing necessary for reasons of substantial public interest, with an appropriate policy document in place. This is supported by DPA 2018, Schedule 1, Part 2, paragraph 18 — statutory and government purposes — and paragraph 19 — administration of safeguarding systems. Schools should have an Appropriate Policy Document in place covering their processing of special category data; their DPO can advise on this.

The DPA 2018 Safeguarding Exemption

One of the most practically important — and least understood — provisions in data protection law for schools is the DPA 2018, Schedule 2, paragraph 26 safeguarding exemption.

This provision allows schools to disapply certain GDPR obligations — including the duty to provide information to data subjects and the duty to respond to subject access requests — where doing so would be likely to prejudice the safeguarding of children or vulnerable adults.

Practical example: the parental subject access request

A parent submits a subject access request (SAR) for all information the school holds about their child. The child is on a child protection plan and the school holds confidential records about concerns regarding that parent's behaviour. Under the DPA 2018, Schedule 2, paragraph 26, the school may withhold the specific child protection information from its SAR response where disclosing it would be likely to prejudice the safeguarding of the child — for example, by alerting the parent to what is known. The exemption must be applied on a case-by-case basis and documented. The DSL and DPO should make this decision together.

The 7 Golden Rules of Information Sharing

HM Government's Information Sharing: Advice for Practitioners Providing Safeguarding Services to Children, Young People, Parents and Carers (2023) sets out seven golden rules that should guide every information sharing decision.^[1]

Data protection law is an enabler, not a barrier

The law provides a framework that enables lawful sharing — it does not prevent it. GDPR must not be used as a reason to withhold information that should be shared for safeguarding purposes. If information sharing is necessary to keep a child safe, the legal framework supports it.

Be open and honest — unless it is unsafe to do so

From the outset, be transparent with individuals (children, parents, carers) about what information may be shared, with whom, and why — as part of the school's privacy notice and in individual conversations. However, where being open would increase risk to the child or others (e.g. where the suspected perpetrator is the parent), transparency should be withheld until it is safe.

Seek advice when in doubt — without identifying the individual

If you are uncertain whether information should be shared, seek advice from a senior colleague, the DPO, or the local authority's designated officer — without naming the individual if possible. This is a "named professional consultation" and is explicitly provided for in statutory guidance. Uncertainty about whether to share is not a reason to default to not sharing.

Share with consent where appropriate — but you may share without it

Where meaningful consent can be obtained and does not compromise safety, seek it. Respect wishes not to share where possible. However, you may share without consent — and override an explicit refusal to consent — where in your professional judgement doing so is necessary to protect a child or prevent serious harm. Document the decision and your reasoning.

Consider safety and wellbeing above all

The primary consideration in every information sharing decision is the safety and wellbeing of the child and others who may be affected. Data protection principles are important, but they are subordinate to the protection of life and the prevention of serious harm. Where there is a conflict, child safety takes precedence.

Necessary, proportionate, relevant, accurate, timely and secure

Information shared must be: necessary for the stated purpose; proportionate to the risk (don't share more than needed); relevant to the recipient's role; accurate and up to date; timely (shared when it is still useful); and secure (via encrypted email, secure referral systems, or other protected channels — never unencrypted email for sensitive child protection information).

Record your decision — whether you share or not

Every information sharing decision must be documented: what was shared, with whom, for what purpose, the lawful basis, and — critically — the reasoning. Where you decide not to share, document that decision and the reasons too. The record is your protection if the decision is later questioned, and it is essential for accountability and learning.

The question practitioners most often struggle with is: when can I share without consent, or against a person's expressed wishes? The answer is clearer than most people think.

You may share without consent — or override a refusal to consent — where any of the following apply:

There is reasonable cause to suspect significant harm to a child (Children Act 1989, s.47 threshold) — this is the primary safeguarding trigger and overrides most privacy considerations
There is an immediate risk to life — of the child, of others, or of the person themselves
Seeking consent would compromise the safety of the child or others — for example, where alerting the family would increase risk or cause evidence to be destroyed
A statutory duty to report exists — such as the mandatory FGM reporting duty under s.5B of the Serious Crime Act 2015, which requires reporting regardless of consent
A court order or statutory authority requires or authorises the sharing

Where none of these apply, seek consent — or consider whether early help can be offered with the family's agreement rather than through a formal referral.

⚠️ The danger of defaulting to "we need consent"

One of the most consistently dangerous practices in safeguarding is using the requirement for consent as an excuse for inaction. If a DSL declines to refer a child to children's services because the parent has refused consent to share information, and that child is subsequently seriously harmed, the DSL — and the school — will face very difficult questions. Working Together 2026 and KCSIE 2025 are clear: where there is reasonable cause to suspect significant harm, refer — with or without consent.

Confidentiality vs Safeguarding: The Distinction Schools Get Wrong

Confidentiality in schools most often arises in two contexts: disclosures by pupils and information shared with pastoral staff, counsellors, or the DSL.

Pupil disclosures

School staff must never promise confidentiality to a pupil before they make a disclosure. The correct response is: "I want to help you, but I can't promise to keep this secret — if I'm worried about your safety I may need to tell someone who can help. But I'll only share what I have to, and I'll tell you if I do."

Once a disclosure has been made, the DSL must be informed. The DSL then makes the referral decision. The pupil should be told that information will be shared and — where safe to do so — kept informed of what is happening. Their wishes about sharing should be heard and considered, but they do not override the duty to refer where the threshold is met.

Information from third parties

Where a member of the public, another professional, or a parent shares information about a child in confidence, that confidence may be overridden where there is a safeguarding concern. The common law duty of confidentiality has long recognised that the public interest in preventing serious harm takes precedence over the duty of confidence. This principle is unchanged by UK GDPR.

The "need to know" principle

Within the school, information about a child's safeguarding situation should be shared only with those who need to know it in order to keep the child safe. Not every teacher needs to know the full detail of a child protection history — but the class teacher does need to know enough to recognise and respond to indicators. The DSL should make deliberate decisions about what is shared with whom within the school, documented in the child's record.

Common Myths — Debunked

The myth	The reality
"We can't share this because of GDPR."	GDPR does not prevent safeguarding sharing. The public task lawful basis (Article 6(1)(e)) covers most safeguarding referrals. This statement, used to justify inaction, is almost always wrong and potentially dangerous.
"We need the parent's consent to refer."	Consent is not required for a s.47 referral. Where seeking consent would compromise the child's safety or is refused in circumstances where significant harm is suspected, you refer anyway and document your reasoning.
"The child told us in confidence so we can't share."	Pupils cannot receive a promise of absolute confidentiality. Staff must never make such a promise. Where the disclosure meets the referral threshold, the duty to share overrides the confidence — though the child should be told what will happen.
"We can only share the minimum possible."	Proportionality is a principle — not a requirement to share so little that the receiving agency cannot understand the risk. Share what is necessary for the purpose. If the social worker needs to understand the pattern of concern, share the pattern.
"We need to send the referral by encrypted email only."	Secure sharing is required, but MASH referral forms are typically submitted through local authority secure portals, telephone followed by written confirmation, or agreed secure channels. Check your local MASH's preferred method — and never send unencrypted sensitive personal data by standard email.
"The other agency's data belongs to them so we can't hold it."	Information shared with the school as part of a multi-agency safeguarding process can and should be held on the child's safeguarding record, stored securely, and retained for the required period. It was shared for a purpose — to keep the child safe — and the school can use it for that purpose.

Recording Information Sharing Decisions

Golden rule 7 requires that every information sharing decision is recorded — whether information was shared or not. A good record includes:

Date and time of the decision
What information was considered for sharing
The decision — to share or not to share
The reasoning — the factors weighed, the risks considered, the lawful basis applied
With whom information was shared (name, role, agency, contact details)
How it was shared (phone, MASH portal, secure email)
Confirmation that receipt was acknowledged
Name and role of the person making the decision

Where information is not shared, the record is equally important — it shows that the decision was made deliberately and with reasoning, not by default. If a subsequent incident raises questions about why information was not shared earlier, a contemporaneous record of the decision is your protection.

Multi-Agency Information Sharing

Working Together 2026 requires that practitioners share information across agency boundaries in a timely, accurate, and proportionate way. Schools must understand how this works in practice:

MASH referrals: The MASH (Multi-Agency Safeguarding Hub) is the primary channel for school-to-children's-services information sharing. All referrals should follow the local MASH's referral process — typically a standardised form submitted through a secure portal or followed up in writing within 24 hours of a verbal referral.
Child Protection Conferences: Schools are expected to provide a written report to every Initial and Review Child Protection Conference at which the child is discussed. This report should include safeguarding-relevant information about the child's attendance, behaviour, wellbeing, peer relationships, and any observations relevant to the concerns on the plan.
Core group meetings: Where a child is on a Child Protection Plan, the school is part of the core group and shares information at regular (at least four-weekly) meetings. Information shared in core groups is shared on a "need to know" basis and must be kept confidential to the professional group.
Police information sharing: Where police are involved in a safeguarding investigation, the school may be asked to share information under a formal information sharing agreement (ISA) or police notice. The school should always check with the DSL before sharing directly with police — to ensure the sharing does not compromise an ongoing investigation.
Information sharing agreements (ISAs): Formal ISAs between schools, local authorities, police, and health services set out the basis on which information is shared routinely. Schools should know what ISAs they are party to and ensure they follow their terms.

KCSIE 2025: What Schools Must Do

KCSIE 2025 requires:^[3]

The DSL to understand the school's information sharing obligations and the legal framework that supports them
All staff to know that safeguarding information may be shared without consent where necessary to protect a child
The school to have a clear data protection policy and privacy notice that covers safeguarding information sharing, aligned with UK GDPR
Child protection records to be held securely, separately from the main pupil file, and to follow the child when they transfer schools — shared directly with the receiving school's DSL, not through the general school transfer process
The school to have an Appropriate Policy Document for the processing of special category data in a safeguarding context (required by DPA 2018)
The DSL to be the school's primary point of contact for information sharing with external agencies in safeguarding contexts — not individual teachers or other staff

Frequently Asked Questions

Does UK GDPR prevent sharing information for safeguarding?

No. This is the most important misconception to correct. UK GDPR provides the framework for lawful sharing — including the public task basis (Article 6(1)(e)) which covers most safeguarding sharing by schools. HM Government guidance explicitly states that data protection law does not prevent or limit sharing for child protection purposes. Using GDPR as a reason not to share safeguarding information is almost always incorrect and potentially harmful.

What is the lawful basis for sharing information in a safeguarding referral?

For most safeguarding referrals, the lawful basis is public task under UK GDPR Article 6(1)(e) — the processing is necessary for a task carried out in the public interest. Schools and local authorities have a statutory public task in relation to child protection. Where there is an immediate risk to life, vital interests (Article 6(1)(d)) may also apply. For special category data, Article 9(2)(g) with DPA 2018 Schedule 1, Part 2 is the usual additional condition.

Can a school share information without parental consent?

Yes. Consent is one of six lawful bases — not a universal requirement. Where there is reasonable cause to suspect significant harm, the school should refer to children's services regardless of whether parental consent has been obtained or has been refused. Where seeking consent would increase risk to the child (e.g. the parent is the suspected perpetrator), it should not be sought at all. Document the decision and the reasoning in every case.

What is the DPA 2018 safeguarding exemption?

DPA 2018, Schedule 2, paragraph 26 allows schools to disapply certain GDPR obligations — including responding fully to subject access requests — where compliance would be likely to prejudice the safeguarding of a child or vulnerable adult. The most common application is withholding child protection information from a parental SAR where disclosure would risk harm to the child. The exemption must be applied case-by-case and documented. The DSL and DPO should make this decision together.

What should I do if a pupil asks me to keep what they tell me secret?

Never promise absolute confidentiality. Before a pupil has said anything, you can say: "I want to help you, but I can't promise to keep secrets — if I think you're at risk, I'll need to share what you tell me with someone who can help. I'll only tell who I have to, and I'll tell you first." Once a disclosure has been made, it must be reported to the DSL. The pupil should be told, where safe to do so, who will be told and what will happen next. Their wishes are heard but do not override the duty to refer.