Data Protection Act

The Data Protection Act 1998 defines UK law on collecting, holding, using, processing, disclosure and protection of personal data. Any organisation or individual holding personal data is legally obliged to comply with the Act. The Act defines eight data protection principles (outlined below). The Act applies both to manual data and data processed by computers.

Data Protection Principles

Data may only be used for the specific purposes for which it was collected. The data controller must know what s/he intends to do with the data collected and must not use the data for other purposes. Data must not be disclosed to other parties without the consent of the individual whom it is about, unless there is legislation or other overriding legitimate reason to share the information e.g. the prevention or detection of crime or to protect a child. Individuals have a right of access to the information held about them, subject to certain exceptions e.g. information held for the prevention or detection of crime. 

Personal information may be kept for no longer than is necessary and must be kept up to date. Personal information may not be sent outside of Europe unless that country has an adequate level of protection. All organisations that process personal information must register with the Information Commissioner’s Office. The departments of a company that are holding personal information are required to have adequate security measures in place. Those include technical measures (e.g. firewalls) and organisational measures (e.g. staff training, procedure and processes for who has access, to what purpose and in what circumstances). The subject has the right to have factually incorrect information corrected. Application of the Data Protection Act for agencies working in child protection

The Data Protection Act is applicable to child protection work but is not a barrier to sharing information. The Data Protection Act exists to ensure that information is collected, stored and used appropriately and is shared in a proportionate manner. For child protection the welfare and safety of the child is paramount – in order to achieve this there needs to be cooperation and coordination between agencies, who will need to share information when required and work to a multi-agency plan of intervention. If a question arises as to “how/what/when/with whom” information should be shared, a line manager should be consulted in the first instance. In specific circumstances legal advice can be sort or consultation made with the local authority Caldicott Guardian.

Information sharing in child protection work is more fully discussed in section 3.1.2d of these procedures.

Recording professional opinion in child protection work

The Data Protection Act covers expression of opinion about individuals. Health professionals, teachers and social workers and other involved agencies will need to routinely record professional opinions in child protection work and such opinion is a crucial aspect of ensuring that the child is safeguarded. When recording an opinion it is good practice to make it clear that it is an opinion and to ensure that when an opinion is disclosed it is not presented as a fact.

The Information Commissioner’s Office has published a paper “Data Protection Good Practice Note : How does the Data Protection Act apply to professional opinions?” which discusses the issues in more detail. 

Further Information

A paper that fully discussed the application of the Data Protection Act in social care can be found here.

The Department for Education website has a useful “Pocket Guidance” on information sharing and a guide on information sharing for practitioners and managers, both of which contain further information in regard to the application of the Data Protection Act

SB 12-5-11