Privacy vs Child Protection

GDPR (Mis)Interpretations

"I recently delivered a presentation at a safeguarding conference with the title ‘Data Protection versus Child Protection – Why is data protection seen as being more important?’ The reason for choosing this deliberately provocative sub-title was to highlight the confusion surrounding the new data protection legislation (GDPR) and the conflict with a school’s statutory duty to safeguard its pupils."

Most of us are now familiar with the term “GDPR”, which is fast becoming the modern-day equivalent of the “health and safety” excuse for not being able to do something. The MyConcern customer services team probably speak with a few hundred different schools every week, so I think that we are hearing from a representative cross-section of the school community. Drawn from this sample, some of my recent favourite GDPR excuses include:

Consent from the parent is needed before we can share any data with social services;
Freedom of Information means that parents have a legal right to see all the safeguarding records we hold about their child;
GDPR means that we must delete all data about a pupil when they leave the school; and
We cannot use name badges in school any more because they display personal data!

“We Must Delete Data”

The General Data Protection Regulation, which was enacted into UK law as part of the new Data Protection Act 2018, does not support any of these statements. I hope that this article will help direct those who need to know about these issues to examine the relevant legislation and statutory guidance. I am going to focus on just one of these erroneous statements: “we must delete data.”

Some schools have been receiving advice and guidance from their local authority on GDPR, data sharing and data retention, which has either been misinterpreted or the original advice was incorrect. One myth that needs busting is that of data deletion versus data retention. An extremely common (mis)interpretation of the GDPR is that once a child leaves a school, the school MUST delete all records about that child, which includes safeguarding records.

The Impact Of Premature Data Deletion

Let’s park that statement for a moment, and consider the impact that premature data deletion has had on the lives of real people in a recent high-profile case. The Empire Windrush first carried migrants from the Caribbean to the United Kingdom in 1948; between 1948 and 1970, half a million people from the West Indies immigrated into the UK. Landing cards which would have provided evidence that these people have a legal right to remain in Britain were destroyed sometime after 2009; even the exact date of destruction is unclear. Immigration Minister, Caroline Nokes, has admitted that some Windrush migrants may have been deported back to the Caribbean, causing life-changing disruption and distress to those affected. The justification for destroying the landing cards was under the Data Protection Act 1998: data should not be kept longer than necessary, a provision which is also included within the GDPR.

How Long Is “Necessary”?

Primary schools are often advised to destroy all records about a pupil once that pupil has been transferred to a secondary school. If you are a responsible safeguarding professional in a primary school, how do you know that the secondary school is equally diligent in its record-keeping? What will happen to those records in a few years’ time? How will your school prove that it discharged its duty responsibly and in accordance with the law if you have destroyed all evidence?

As further evidence in support of data retention, consider the historical records that may, or may not, be available to the Independent Inquiry into Child Sexual Abuse, which according to the IICSA web site was “set up because of serious concerns that some organisations had failed and were continuing to fail to protect children from sexual abuse.” At the same safeguarding conference I was presenting at, I had the opportunity to listen to Alex Renton speak about his traumatic childhood experiences of abuse at a boarding school. What records do you think persist from those days? To prevent further loss of important evidence, the IICSA has instructed public bodies not to delete any data until further notice.

Trivial Issues Or Important Evidence?

Based on just the few examples I have cited in the previous paragraphs, there is clearly a strong case for giving due consideration to whether data deletion or destruction is always necessary. Who is capable of deciding, at a particular point in time, whether the records you have kept, regarding seemingly insignificant or trivial welfare issues, will not be relied upon in a later investigation? Issues which can be clearly identified as being “child protection” issues make the decision to retain data much easier. So, when a child leaves your school, will you be deleting safeguarding records that may become important evidence in future years?

The advice, and in some cases, directives, being issued by local authorities to schools to delete data should perhaps be examined a bit more closely. The school is defined in law as the “Data Controller”. It is the school and its senior leaders that are responsible for adhering to the Data Protection Act. It will be the school that will suffer consequences for failing to adhere to the law. It must therefore be the school’s decision on when, or whether, it is appropriate to delete data.

Building A Bigger Picture

The Data Protection Act 2018 provides us with a wider definition, than has previously been the case, for what constitutes child abuse. Many of the schools we work with use MyConcern to record what may be seen, in isolation, as small seemingly unimportant issues. Built into a chronology over several months or even years, these isolated records can reveal a picture which raises alarm bells. It may not be immediately evident to the safeguarding lead in a primary school that this pattern exists when data is forwarded on to the secondary school, prior to the primary school permanently deleting their records.

“Legitimate Interest”

Regarding the GDPR, there are two articles which do require the Data Controller to delete data. However, either Article 17 (the “Right to be Forgotten”) or Article 18 (the “Right to Restriction of Processing”) must be invoked by the data subject, so it is not an automatic act that data must be deleted. It is quite possible that one of the lawful bases stipulated in Article 6 will still apply. If there are reasonable grounds to suspect that a child may have, or may be in the future, subject to child abuse (using the new definition), then this is a “legitimate interest” under the GDPR to continue to retain those records.

A School’s Statutory Duty

In conclusion, by reading the relevant legislation, a school’s statutory duty is extremely clear in respect of safeguarding and child protection. The recent hype and attention surrounding data protection and privacy has shifted the focus too much away from best practice in safeguarding. It is appropriate and proportionate to retain your safeguarding records after a pupil has left your school, at least until there is specific guidance from the relevant authorities, such as IICSA, on how safeguarding records should be handled.

Finally, if in doubt about what the GDPR or new Data Protection Act actually means for safeguarding, then you should visit the Information Commissioner’s web site; better still, you could contact the ICO and request guidance or advice on a specific issue from one of their case officers. We have found the ICO to be extremely accommodating in helping to disseminate best practice and offer support to organisations. The ICO web site contains numerous downloadable resources, written in plain English, that help you to understand your responsibilities.