DPO and Safeguarding: Managing the SCR and Safeguarding Data

DPO and Safeguarding: Managing the SCR and Safeguarding Data

Posted  18th May 2022

This is a summary taken from Judicium’s DPO ‘Sofa Session’ from the 18th of May with Head of Data Services Craig Stilwell, LLB (Hons), L.P.C., PC.dp GDPR and Head of Safeguarding Hannah Glossop, MA QTS. This session was focused on: what needs to be kept on the single central record and tips to improve records management, the importance of recording safeguarding data accurately, and the overriding principles in sharing safeguarding data with other individuals/agencies.

The Importance of Managing Safeguarding Data Properly 

One of the most important points to take from today’s session is how GDPR and safeguarding interlink.

KCSIE clearly states that DPA and UK GDPR do not prevent the sharing of information for the purposes of safeguarding and that fears about sharing information must not stand in the way of the need to safeguard children.

However, schools must comply with the 7 principles of data protection.

  1. Lawfulness, fairness and transparency:
    • This means having a fair reason for using personal data. NB: Safeguarding is a lawful basis in itself (built within the UK GDPR legislation).
  1. Purpose limitation:
    • To ensure that the data is used only for the fair reason you have established.
  1. Data minimisation:
    • To only process data that is necessary and keep use/amount to a minimum.
  1. Accuracy:
    • To keep data accurate and up to date.
  1. Storage limitation:
    • School's need to follow retention procedures to ensure that they don't keep data for longer than is necessary. There isn't a set time limit, particularly with safeguarding, so schools need to justify the reasons why data may be kept for as long as it is.
  1. Integrity and confidentiality:
    • To ensure that data is kept secure from accidental or deliberate loss using appropriate measures.
  1. Accountability:
    • Are safeguarding and data protection policies and training in place?

KCSIE's 7 Golden Rules of Information Sharing

  1. GDPR and the DPA are not barriers to information sharing, instead providing a framework for appropriate sharing.

  2. Be open and honest with the individual (and/or family where appropriate) about the sharing of the information, unless it is safe or inappropriate to do so.

  3. Seek advice if you are unsure about sharing the information concerned.

  4. Where possible, share information with consent (Under the GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk).

  5. Consider safety and well-being.

  6. Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those relevant individuals who need to have it, is accurate and up to date, is shared in a timely fashion, and is shared securely.

  7. Keep a record of your decision and the reasons for it.


All schools are required to ensure staff are appropriately trained on data protection. This should be comprehensive and specific to the post-holder, e.g., a midday supervisor who handles little personal data should have less training than a member of SLT. Furthermore, every maintained school and college in the UK is required to appoint a data protection officer (DPO).
Consideration is also needed for induction training, refresher training and training for governors.
Safeguarding training should take place at least annually for all staff, no matter how frequently they come onto site.
DSLs and any Deputy DSLs should update their advanced (previously level 3) training at a minimum every two years.
Many safeguarding teams meet regularly to discuss students and concerns which provides a great opportunity to review how safeguarding data is shared.

The Single Central Record (SCR)

The SCR is an essential document in school and keeps an accurate record of all pre-appointment checks.

But what should be recorded on the SCR?

KCSIE guidance is minimal (Paragraph 252) but does state each school’s SCR must indicate whether the following checks have been carried out or certificates obtained, and the date on which each check was completed, or certificate obtained:
  • an identity check,
  • a barred list check (for those in regulated activity)
  • a prohibition from teaching check
  • further checks on people who have lived or worked outside the UK
  • a check of professional qualifications, where required
  • a check to establish the person’s right to work
  • an enhanced DBS check requested/certificate provided

For further information regarding these safer recruitment checks please see our previous sofa session summary notes here.

Schools and colleges are free to record any other information they deem relevant on the SCR.

MATs must maintain the single central record detailing checks carried out in each academy within the MAT. Whilst there is no requirement for the MAT to maintain an individual record for each academy, the information should be recorded in such a way that allows for details for each individual academy to be provided separately, and without delay.

From a data protection perspective, the importance is on:
  • Accurate Reporting - Schools regularly review SCR and may have governor audits to ensure accuracy. An extra tip is to consider putting the names of who carried out checks so you can reference for accuracy.
  • Retention and Destruction Management – It’s important to treat leavers on SCR in the same way as staffing records, e.g., normally a leaver tab and then delete after six years.
  • Security – Limit who has access to these tabs and who can edit.

Improving Records Management

It is important to remember that safeguarding data does not just include pupil records! It also includes SCR, personnel files and allegations of abuse made against staff.

Safeguarding records
  • Whether you are using an electronic or paper-based system, the key is to ensure there is a clear chronology for each student.
  • Records should include:
    • a clear and comprehensive summary of the concern.
    • details of how the concern was followed up and resolved.
    • a note of any action taken, decisions reached and the outcome.
  • The file should only be accessed by those who need to see it.
  • Where children leave the school or college (including in year transfers) the DSL should ensure their child protection file is transferred to the new school or college as soon as possible
    • Within 5 days for an in-year transfer
    • Within the first 5 days of the start of a new term
  • The safeguarding file should be transferred securely and separately from the main pupil file and confirmation of receipt should be obtained.

Personnel files
  • Ensure two references are clearly available
  • DBS certificates not needed

Allegations of abuse made against staff
  • The file of the person accused should include:
    • a clear and comprehensive summary of the allegation.
    • details of how the allegation was followed up and resolved.
    • a note of any action taken, and decisions reached and the outcome as categorised above.
    • a copy provided to the person concerned, where agreed by children’s social care or the police.
    • a declaration on whether the information will be referred to in any future reference.
  • Schools and colleges have an obligation to preserve records which contain information about allegations of sexual abuse for the Independent Inquiry into Child Sexual Abuse (IICSA), for the term of the inquiry.
  • All other records should be retained at least until the accused has reached normal pension age or for a period of 10 years from the date of the allegation if that is longer.

Low level concern log
  • All low-level concerns should be recorded in writing. The record should include:
    • details of the concern
    • the context in which the concern arose
    • action taken
    • the name of the individual sharing their concerns (If the individual wishes to remain anonymous then that should be respected as far as reasonably possible.)
  • Schools and colleges can decide where these records are kept, but they must be kept confidential, held securely, and comply with the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR)

Data Protection Considerations

Schools should consider the principle of storage limitation as well as access levels, duplication and security.

Schools are very good at protecting safeguarding data but make sure that only those who need to see the data see it. There may be certain aspects all staff need to be aware of and other aspects they don’t. Don’t make assumptions!

Data Sharing
  • Data sharing must also follow the principles we mentioned earlier. There is an ICO data sharing code of practice on their website which you can follow. Other considerations include sharing securely and data sharing agreements.

Retention policy/schedule
  • Check to ensure this is being followed and consider having an appointed person responsible for overseeing retention and destruction.

Electronic data
  • Schools are good at archiving/transferring/deleting physical data, but they must do the same for electronic data too.
  • Effective management, limited access, and clear outs.
  • There are very good, secure systems schools can use such as My Concern, CPOMs that help make sure you have effective controls in place.

5 Key Takeaways 

  1. Remember that GDPR should not be a block to effective safeguarding! GDPR and safeguarding can work hand in hand to support effective information sharing.
  2. Regularly audit safeguarding records.
    • Do they give you a detailed chronology? Will someone else be able to understand what has happened previously with the student/staff member?
  3. Think carefully about contingency plans.
    • Who will access the SCR if the SBM is off sick?
    • Does more than one person hold the key to the filing cabinets where paper safeguarding records are kept?
  4. Is electronic data backed up sufficiently?
  5. Is the retention policy being followed?

Helpful Information:

UK GDPR - https://uk-gdpr.org/

Information sharing: advice for practitioners providing safeguarding services - https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1062969/Information_sharing_advice_practitioners_safeguarding_services.pdf

KCSIE – https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1021914/KCSIE_2021_September_guidance.pdf

Judicium also offer a range of GDPR e-learning designed for schools. You can see current course availability here.

The Safeguarding Service is also providing CPD accredited open training courses for DSLs, ALL staff and Governors, including Level 3 equivalent DSL training. The upcoming dates and links to book are below:

Tuesday 14th June- Advanced Safeguarding Training Refresher

Wednesday 6th July- Advanced Safeguarding Training (for new DSLs)

You can follow us on Twitter: @JudiciumSG       @JudiciumEDU