Safeguarding and data protection are two crucial responsibilities for school leaders which could be perceived to have conflicting priorities.

Safeguarding is quite rightly a highly sensitive issue where schools must tread carefully, but there are circumstances where data-sharing needs to be encouraged.

The difficulty comes in knowing when and how to apply the right approach in order to avoid making serious mistakes with sensitive information.

Record-keeping is one area where a restrictive data protection approach could potentially create big problems in the future. The Independent Inquiry into Child Sexual Abuse (IICSA), for example, has suggested that any records relating to sexual abuse should stay where a disclosure was made as well as being transferred when the child moves on (Jay et al, 2022).

However, the statutory guidance Keeping children safe in education (DfE, 2023) says that the entire child protection file should transfer to the next school and doesn’t indicate that separate records should be held by each school for these types of incidents.

There is no one answer to the question of how long your school should keep safeguarding records – context and the seriousness of the allegations matter. However, as a rule of thumb it is advisable to keep records in relation to disclosures about sexual abuse, sexual assault, and sexual violence under regular review. The IICSA has also recommended increasing the retention period for this data to a minimum of 75 years.

One of the biggest myths of data protection is that you can’t share anything without parental consent. Schools are often caught in the middle of a tug of war between people who tell them that their data cannot be shared, but in most cases, it is the school’s judgement call that will be respected.

The Information Commissioner’s Office (ICO) has stated that when a headteacher makes a decision in relation to a specific safeguarding issue the ICO or the courts are very unlikely to interfere with that judgement if the head says they can’t disclose that for safeguarding reasons.

Its guidance A 10-step guide to sharing information to safeguard children (ICO, 2023) states in step two: “You will be sharing proportionately if you can link it back to a compelling reason to share. In these circumstances, that compelling reason is safeguarding the child.”

Schools are being asked to be experts in lots of areas, and safeguarding and data protection have perhaps the highest stakes because the risks are so great. Let’s quickly consider some common records we keep and how long we should keep them for:

• Student records: For general records these should be kept until the child is 25 and for SEND students with an Education, Health, and Care Plan (EHCP) until they turn 31. The EHCP goes up to 25 hence the extended period here. Safeguarding records can be kept longer (also bearing in mind our advice above) but this should only occur with good reason, and it should be reviewed. If a child is leaving to another school, then the file should be transferred to their new setting (but consider whether you also need to keep records of any particular disclosures).
• Removing staff members from the single central record (SCR): KCSIE (DfE, 2023) says that staff members “should be removed” from the SCR “once they no longer work at the school or college”. It does not use the wording “must”, creating something of a grey area. However, we suggest you take the staff member off at the point they leave in line with KCSIE.
• Low-level concerns log: Once a staff member has left the school their name should be removed from the record given that low-level concerns do not follow staff or relate to references, unless in specific circumstances. You could decide to keep them on the log or record anonymously if you wish to establish a pattern of trends across staff.
• Allegations of abuse/harm log: To be kept securely by the headteacher in an area that a new headteacher would have access to. You might consider giving one other person access to the log but given the nature of the information, consider carefully who that will be. Details of substantiated, unsubstantiated, and unfounded accusations should be kept until that person reaches pension age or for 10 years if longer. This is the current guidance in KCSIE (DfE, 2023) but further guidance is likely to follow in light of the IICSA report already cited.
• Disclosure and Barring Service (DBS) certificates: Personnel files should not have a DBS certificate on them. Certificates should be kept for no longer than six months if you do decide to retain them. This rule also applies to the screenshot that is sent through from companies outsourced to conduct DBS checks for the school. The six-month period is in place in case there are any discrepancies on the certificate.
• Personnel files: We would expect personnel files to include evidence of right to work (ID), self-declaration form, references, application form, and interview notes. Personnel files are kept for six years after a person has left.
• Letter of assurance from contractor or agency: Once an individual from an external organisation who has worked within the school, for example a contractor or agency member, has not been active for a year then they could be deleted or removed, unless there is further opportunity for them to be used, for example as a volunteer or contractor.

Craig Stilwell and Helen King work for Judicium Education, who supports schools with their safeguarding matters and carries out safeguarding audits. Craig is Head of Data Services and Helen is Head of Safeguarding. . Visit www.judiciumeducation.co.uk/safeguarding-service or follow @JudiciumEDU

The Headteacher Article

Further information & resources;

• DfE: Keeping children safe in education, last updated September 2023: https://www.gov.uk/government/publications/keeping-children-safe-in-education--2
• ICO: A 10 step guide to sharing information to safeguard children, accessed September 2023: https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/data-sharing/a-10-step-guide-to-sharing-information-to-safeguard-children/#step-2
• Jay et al: The report of the Independent Inquiry into Child Sexual Abuse, 2022: https://webarchive.nationalarchives.gov.uk/ukgwa/20221215051709/https:/www.iicsa.org.uk/key-documents/31216/view/report-independent-inquiry-into-child-sexual-abuse-october-2022_0.pdf