7.8 Recording, Data Protection and information sharing
The Diocese is currently seeking further specialist advice regarding data protection and information sharing for countries outside the EU and EEA and the environment as it might develop in the event of a no-deal Brexit. If you have any specific safeguarding-related enquiries, particularly where these may relate to cross-border sharing, please contact the Diocesan Safeguarding Team.
Opening a church safeguarding case file
Good record-keeping is an important part of the safeguarding task. A record, called a case file, should be opened whenever a safeguarding concern or allegation occurs in a church. The record should include key contact details, dates of when the information became known and the nature of the concern. The record should include ongoing actions with dates, other key documents on the case file (e.g. observation notes, reports, consent forms, etc.) and the case closure date. Records should use straightforward language and be concise and accurate so that they can be understood by anyone not familiar with the case. Please see the Safeguarding Referral Form.
Record retention and security
The safeguarding case files, whether electronic or paper, must be stored securely by the incumbent and the local Safeguarding Officer. This should include identifying who should have access to them. Records in relation to safeguarding issues, even if they have not been proven, should be maintained in accordance with the Church of England’s retention guidance. If the incumbent moves from the church, the records should be passed to the new incumbent.
Data Protection and information sharing
In May 2018, the UK General Data Protection Regulation (GDPR) and the UK Data Protection Act 2018 replaced the UK Data Protection Act 1998. The GDPR contains the principles governing the use of personal data. It should be noted that the GDPR and the UK Data Protection Act 2018 place greater significance on organisations being accountable and transparent in relation to their use of personal data. Chaplaincies handling personal data need to have the proper arrangements for collecting, storing and sharing information.
Personal information in relation to safeguarding will often be sensitive and is likely to be classed as what is called “special categories of personal data” under the GDPR, which means extra care will need to be taken when handling such data. Nevertheless, it is important to be aware that the UK Data Protection Act 2018 includes specific reference to processing data in relation to the “safeguarding of children and individuals at risk” and allows individuals to share, in certain situations, personal data without consent. There are also provisions that allow the sharing of personal data without consent for the prevention or detection of unlawful acts or to protect members of the public from dishonesty, malpractice or seriously improper conduct. However, you should always seek legal advice before relying on these provisions. “The GDPR and UK Data Protection Act 2018 do not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe” and this can equally be said to apply to vulnerable adults.
It is important that your chaplaincy knows the supervisory authority in relation to data protection and information sharing in your country, especially when a complaint is received by an individual regarding the handling of their data. The CNIL website is a very good source to establish the supervisory authorities for your country.
Reporting concerns about vulnerable adults
Refer to the Quick Guide in Section 7.1.
Sharing without consent
There may sometimes be circumstances in which information can be shared legally without consent if a person is unable to or cannot reasonably be expected to gain consent from the individual concerned or if gaining consent could place somebody at risk.
It may be possible to share lawfully relevant personal data without consent if it is to keep a child or vulnerable adult safe from neglect or physical, emotional or mental harm, or if it is protecting their physical, mental or emotional well-being. You may be able to share data, at least initially, without identifying the individual concerned, both within the church and with local child/adult services. Ultimately, the most important consideration is whether the sharing of information is likely to support the safeguarding of a child, young person or vulnerable adult.
The decision to share information without consent is a very serious matter. You should never make these decisions on your own. If you believe it is necessary to share personal data, this should always be discussed beforehand with the Diocesan Safeguarding Advisor (DSA). You should also take legal advice on the matter to ensure that you are not only acting in accordance with safeguarding policy and legislation but in accordance with the legal provisions applicable to data protection in the relevant legal jurisdiction.