Case studies

Due to the Data (Use and Access) Act coming into law on 19 June 2025, this guidance is under review and may be subject to change. The Plans for new and updated guidance page will tell you about which guidance will be updated and when this will happen.

Contents

Case studies are helpful in illustrating real-life situations, although precise circumstances will vary in the cases and scenarios you come across. Use these case studies to help you understand and think about how data protection:

interacts with safeguarding children and young people in your work; and
enables you to share information to protect children and young people and to prevent harm

In the case studies, we do not seek to provide any advice on safeguarding itself, which is outside our area of expertise.

Whilst precise arrangements and names of organisations may vary across different parts of the UK, the data protection message remains the same.

Sharing information about siblings at different schools

A school has concerns about the safety and wellbeing of a seven-year-old pupil, Poppy. She frequently comes to school looking dirty and dishevelled and has some visible injuries that the school suspects may not be accidental. The school makes an urgent referral to the local Multi-Agency Safeguarding Hub (MASH) and makes a note of what information it shares, with whom, and when, for its own records.

The school is aware that Poppy has a younger sibling at a local Early Years (EY) provider (a day nursery), who may also be at risk. The school includes this information in its referral to the MASH. It also contacts the EY provider to let them know about the concerns and that it has made a referral. The school again makes a note of the information it shares with the EY provider and its reasons for doing so.

In these circumstances, data protection law allows the school to share information that is relevant and necessary to safeguard the children both with the MASH and the EY provider, and enables that sharing to take place. The school has identified possible harm and a risk of further harm to a child and her sibling. It is fair and proportionate under data protection law to share information for the purpose of safeguarding those children.

Handling concerns in a school, and recording concerns and actions

A teaching assistant (TA) has some concerns that a twelve-year-old child, Nihal, is struggling with his mental health due to his parents’ separation. The TA discusses this with Nihal’s form teacher, who doesn’t think it is necessary to refer him to Child and Adolescent Mental Health Services (CAMHS) or similar at this time, but decides that the school should support and monitor him more closely.

However, the TA and teacher are moving to different roles within the school and will no longer be working closely with Nihal. They ensure that they put a note of their concerns and necessary actions on Nihal’s file in the school’s internal system. They also alert the school’s safeguarding lead about their concerns and action plan to ensure that the concerns are recorded and followed up. This would have been appropriate even if the staff members were not changing roles, but is especially important in this situation.

In this case, the teacher and TA aren’t sharing the information with a different controller outside the school, but they do still need to comply with data protection law. They liaise with the school’s DPO to ensure they are compliant in processing and storing this information.

Sharing information when investigation ultimately shows there is no safeguarding problem

The manager of an after-school club has a genuine concern that a nine-year-old child in their care, Ayanna, may be at risk from harm from her parent’s new partner. The manager is not sure whether there is a real problem, but they are concerned because Ayanna has made comments which have alerted them to the risk of actual or potential harm.

They know that Ayanna’s family is currently being supervised and supported by local social services for a number of reasons not directly connected with this new concern. They share their concerns and the information with social services. Even though the manager does not know for certain how serious the risk is, under data protection law they are able to share it as it is fair and proportionate. This is because they have a legitimate cause for concern about the risk of harm to the child. As a result of the information sharing, social services look further into Ayanna’s relationship with the parent and the new partner and decide there is no safeguarding problem.

Even though the social services team identifies that there is no actual safeguarding issue, it was still appropriate under data protection law for the manager to share the information. They had identified a risk of harm to Ayanna, and it was necessary and proportionate to share information to prevent harm.

As a result, they should not be concerned that we will take any action against them or their organisation for sharing the information. They acted in good faith about a genuine concern they had identified.

Choosing a lawful basis

Public task (state-funded school)

This example includes academies and free schools in England, as well as state schools in England, Northern Ireland, Scotland and Wales.

A fifteen-year-old pupil, Jack, confides in a subject teacher that he is worried and afraid about serious incidents involving adults at his home.

The teacher encourages Jack to talk and asks how he is feeling. She knows that she has to share the information with the school’s safeguarding lead who may decide to report the matter externally, and tells the pupil what she is going to do.

The safeguarding lead considers whether it is appropriate to share the information with local safeguarding agencies and the police. They are familiar with national safeguarding guidance relevant to their school, which guides their decision. They can seek local safeguarding advice as appropriate. They are also well-trained in data protection law and aware of our 10 step guide. They should ask the school’s DPO for advice if they are unsure.

The teacher and the safeguarding lead discuss their concerns with Jack, explaining why they need to share the information. They ensure he understands the reasons for sharing the information with safeguarding and law enforcement agencies. Although Jack is hesitant about it, the safeguarding lead is open and transparent with him.

Under data protection law the safeguarding lead does not need Jack’s consent to share the information. They know that they need a lawful basis under data protection law to share the information and are aware that consent is not an appropriate basis here. This is for several reasons, including the fact that consent must always be freely given, and there is an imbalance of power between Jack and the school’s staff.

It's important to remember that you don’t require the lawful basis of consent for sharing information in a safeguarding context. However, it’s always good to work with the knowledge and understanding of the people involved, such as Jack, or even with their agreement.

There is likely to be a different, more appropriate lawful basis for this information sharing. Since the setting is a state school, and the sharing is necessary, the safeguarding lead may decide to rely on the lawful basis of public task.

Legitimate interests – private school

Here we consider the data protection aspects of the last example in the setting of a private school, using the scenario described there for a public sector school, for a pupil named Zara. The roles of the school staff are similar, as are their responsibilities to Zara.

Private schools may have different safeguarding procedures in place but they generally report to authorities in their local area in a similar way to state schools.

It is usually appropriate for the school to consider using the lawful basis of legitimate interests. As before, the lawful basis of consent is not appropriate, for the same reasons, including the need for Zara to freely give her consent, and the imbalance of power that exists between her and the school.

Again, it’s good to work with the knowledge and understanding of Zara, or even her agreement. But this isn’t always the same as data protection consent.

To use legitimate interests, the school staff must carry out a three-part test:

identify a legitimate interest to share the information. In this case it is the safeguarding of Zara;
show that it is necessary to share it to achieve that purpose; and

balance it against Zara’s interests, rights and freedoms.

The school staff must also be satisfied that it can’t reasonably safeguard Zara in any less intrusive way.

The teacher and safeguarding lead should contact the school’s DPO for advice on satisfying this lawful basis. Our guidance on legitimate interests also provides useful assistance.

The analysis of this scenario may also be helpful for other private sector settings, such as day nurseries.

Note on DUAA: it introduces a new lawful basis of ‘recognised legitimate interests’. We will be issuing guidance to help you. Please see our guidance on The Data Use and Access Act 2025 (DUAA) - what does it mean for organisations? for more information.

Data sharing between old and new schools

A thirteen-year-old pupil, Connor, is transferring schools between two counties in Northern Ireland. There is a complex history around Connor, including his special educational needs, his physical health and a challenging family background. The new school is aware of some of Connor’s circumstances but doesn’t initially have the complete picture it needs to prepare for his arrival.

In line with Department of Education guidance and with child protection advice, the old school understands that it must share current, relevant pupil education, safeguarding and health records with the new school. It does so securely and speedily to avoid detriment to Connor, ensuring the new school has the information it needs to put in place effective support for him.

The key data protection points here are:

nothing in data protection law stands in the way of information sharing where it is justified and relevant, as it is here;

it’s important to share relevant information; and

this must be done in a secure, effective way.

Receiving requests for information from the police

A school receives a phone call from a local police officer, requesting information about a child, Jasmine, who has gone missing. The school is aware that Jasmine has been absent for several days without explanation, and staff have already been concerned about her welfare.

The receptionist who takes the call asks the officer to send a request in writing to a specified email address.

The police officer does so straight away, describing the information the police are looking for and their reasons for needing it. The school safeguarding lead and DPO review the request.

The school staff give careful consideration to the matter and decide it is appropriate to share the information with the police. They ensure that they make a record of the information they share, and why.

Under data protection law the school, as the controller of the personal information, has a duty to satisfy itself that the request is proportionate and reasonable and must only disclose information that is necessary.

If the requested personal information includes special category data about Jasmine the school must, in addition to identifying a lawful basis, satisfy itself that a condition under article 9 of the UK GDPR applies. In this case, because the condition it is relying on is article 9(2)(g) - reasons of substantial public interest, it also needs a linked condition in schedule 1 paragraph 10 of the Data Protection Act 2018 (DPA). This demonstrates that sharing the special category data is necessary for reasons of substantial public interest. We have guidance on special category data to help with this decision-making.

The school’s cooperation is part of a multi-agency effort to locate Jasmine, a missing child who may be at risk of harm. Even though the situation is not classified as an immediate emergency, timely and proportionate information sharing can help prevent harm and support the police in their protective role.

We have published guidance on sharing personal data with law enforcement authorities and a sharing personal data with law enforcement authorities toolkit.

Concerns about sharing information about harm to a child when parents object

A school shares information with social services about concerns they have for a young child, Ryan, in reception class. He has said things that suggest he might be coming to harm at home. The school knows it does not need to ask the parents' permission under data protection law to share the information. Staff decide not to inform them as they’re worried that this could lead to further harm to Ryan.

Social services do contact Ryan’s parents. One of the parents goes into the school and objects to the school sharing information about them and their child. They threaten to take legal action against the school and to remove Ryan from the school.

The school should feel confident it has done the right thing and followed local safeguarding procedures that are in place to protect children.

Under data protection law, there is no need to obtain permission to share information in this safeguarding scenario. The school does need to identify a lawful basis in data protection law to share it, but for safeguarding purposes, consent in a data protection sense is unlikely to be appropriate. This is for a number of reasons, including that consent must be freely given and there is a power imbalance between the school and the parents. Instead, the school should identify a different lawful basis, such as public task, since it is a public sector school.

However, in the interests of transparency, the school should bear in mind that it can be helpful, in the right circumstances, to work with the knowledge and understanding, and even the agreement, of the parents (and of the child if they are old enough).

Information sharing between school and GP to safeguard a child or young person

Both case studies illustrate that data protection law does not prevent information sharing between schools and GPs.

Information needed by a school

A ten-year-old child, William, is frequently missing school and his parents are telling his school that this is due to a health issue. However, they aren’t able to supply any supporting evidence that health professionals are involved. The school is therefore unsure about whether there is a genuine health concern that William needs support with from the school, or if there is some other reason why he is missing school. In that case, a referral to children’s social care might be appropriate.

The school arranges a meeting with the parents. If the discussions don’t provide the answers the school is seeking, the school may decide to contact William’s GP to find out whether there are any health issues. Even if the parents don’t give permission for this, the school can still contact the GP practice outlining what information they are requesting, why they are requesting it, and their concerns.

Information needed by a GP

A fifteen-year-old girl, Olivia, has mental health difficulties. Her parents are separated and have an acrimonious relationship, but share care of Olivia. The GP is concerned because each parent is giving conflicting information about how often the pupil is attending school. The GP is still not satisfied after speaking to Olivia. The GP contacts the school to find out whether Olivia is attending school or not, explaining their concerns. The GP does not need permission from either Olivia or her parents to do this.

Local authority’s urgent decision about data sharing to prevent harm

A local authority in Scotland is deciding as an emergency whether to share personal information about a young person Ross (who is under 18), with a younger person who is at most risk of harm, Eilidh, and her family. The authority has just learned there is an imminent risk of Ross committing very serious harm to Eilidh; it is considering sharing this information in order to protect her.

Protection and safety plans are already in place for Eilidh because of an allegation of a previous serious harm against her by Ross. The authority wishes to keep Eilidh safe from further harm. A number of agencies have also put a safety plan in place for Ross to safeguard him and others.

Working at pace, the authority’s social work and legal teams discuss the case in detail, following local and national child protection procedures.

From a data protection perspective, they refer to our 10 step guide and seek advice from their DPO.

Given the imminent risk of serious harm to Eilidh they agree:

to share a small amount of information (following the principle of data minimisation) on an emergency basis with Eilidh and her parents, in order to ensure she is kept safe; and

to record their decision-making process, and the decision to share the information, as soon as possible afterwards.

Key data protection points from this scenario:

In an emergency, our guidance on sharing information to safeguard children and young people makes clear that under data protection law, you should not hesitate to share information to prevent harm. It acknowledges that: “You might not have time to follow all the usual processes. Make a record of what you shared, who with, and why, as soon as possible.”

Decide what is proportionate. In this case the situation is an emergency. But even in an urgent situation, be clear that we will not penalise you or your organisation for a decision to share information to prevent harm that you take in good faith.

Where there is an allegation of a previous offence, as in this scenario, you should seek advice from your DPO about whether article 10 of the UK GDPR applies to the handling of that information. See our guidance What are the rules on criminal offence data?.

Higher or further education – sharing information about a young person who is under 18

At a town’s university, a 17-year-old student, Lee, is in the second term of his degree course. His subject tutor notices that his attendance at lectures and laboratory work has become sporadic, and he has not responded to emails. The tutor is concerned that something might be amiss.

The university has clear safeguarding procedures in place to ensure the wellbeing of students. The tutor contacts the safeguarding lead and they decide that there is cause for concern for the student. At this stage, there is no indication of an emergency, but they follow local procedures to check on him.

If there is serious concern for the immediate safety of Lee, the university staff should not hesitate to act to safeguard him. They should, of course, follow their university’s procedures. If they consider there is an urgent need for intervention or support from the NHS or the police, they understand that under data protection law they can share relevant information as needed to prevent harm to him.

The extent of any intervention that is appropriate will depend on the circumstances. We are not experts in safeguarding, but we are clear that in an urgent situation or in an emergency, it is essential to share information speedily to prevent harm, and data protection law allows that to happen.

The fact Lee is under the age of 18 is a relevant factor in their thinking, but the university staff know that many students remain at most risk of harm into young adulthood, especially when they are away from home for the first time.

The question about whether to share information about an at-risk student with their next of kin can be a difficult one to make, especially where a student is estranged from family and objects to the university contacting them. A good practice followed by some universities and colleges is to set up a system where, on enrolment, the student nominates a contact of their choice for use in case of illness or other need. This contact should be over 18 and in a position to support the student; they might be a family member or a friend.

We’ve published guidance on sharing personal data in an emergency - a guide for universities and colleges.

Sharing information about adults who work with children

A teacher helps to run an after-school music club with the help of an external provider who is a sole trader. They have concerns that the external provider may be causing harm to some of the children.

The teacher raises their concerns with the school’s safeguarding lead. The safeguarding lead follows the school’s safeguarding procedures. Given the seriousness of the matter, the school urgently shares information with children’s social services and the police.

Sharing information about the external provider with social services and the police is lawful because the school must safeguard and protect its pupils and has identified harm and a risk of further harm. The teacher does not need to get the person’s permission to share the information.

Safeguarding children and young people can involve sharing information not only about children and young people who are at risk of harm. It is also appropriate to share information about any adults who may pose a risk to children’s safety.

Sharing information about adults outside school

A 14-year-old pupil in Wales, Mari, tells her teacher that an adult she met through an online gaming platform has been sending her increasingly personal messages and has suggested they meet in person. Mari is upset and unsure what to do, but agrees to show the messages on her phone.

The teacher is concerned that the adult’s behaviour indicates potential grooming and a risk of harm to Mari. Following the school’s safeguarding procedures, the teacher immediately informs the Designated Safeguarding Lead (DSL) and shares the screenshots. The DSL recognises the urgency and contacts the police and children’s social care without delay.

Under data protection law, the school does not need Mari’s consent to share this information. The lawful basis is likely to be public task (for a state school) or legitimate interests (for an independent school). Sharing any special category data in the messages can be justified under article 9(2)(g) UK GDPR, substantial public interest, linked to schedule 1 paragraph 10 of the Data Protection Act 2018.

The DSL documents the decision-making process, what was shared, and with whom. They also ensure the school provides appropriate pastoral and online safety support to Mari.

This scenario demonstrates that even when concerns arise from online activity outside school hours, data protection law supports proportionate information sharing to safeguard children from harm.