Multi-Agency Information Sharing Protocol

Information sharing and the law 

There are many pieces of legislation in England and Wales that provide legal justification for the sharing of personal information. In respect of safeguarding and promoting the welfare of children, the relevant acts of Parliament are: 

The Data Protection Act (2018) 

  • https://www.legislation.gov.uk/ukpga/2018/12/contents/enacted

The Children Act (1989) & 2004 (as amended by the Social Work Act 20

Keeping Children Safe in Education 2023 

Information Sharing Advice for practitioners providing safeguarding services for children, young people, parents and carers (May 2024) 

The Caldicott Principles and Golden Rules of Information Sharing provide a common framework for understanding information sharing arrangements: 

All professionals must understand their responsibilities in relation to data protection legislation, which is not a barrier to sharing information but a framework to ensure that personal information about living persons is used and shared appropriately. Information sharing must be necessary, proportionate, relevant, accurate, timely and secure; ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those people who need to have it, is accurate and up to- date, is shared in a timely fashion, and is shared securely. Access to personal information should be on a need-to-know basis. 

  • Be open and honest with the person who is the subject of the information (children/young people and their families) from the outset about why, what, how and with whom information will or could be shared and have clear privacy notices for our work on our forms.
  • Seek advice from the Data Protection Officer/Information Governance team if you are unsure.
  • Be accountable by keeping a record of your decision to share and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose. 

Necessity, proportionality, and relevance 

Once a professional has considered the legality of sharing a person’s personal information and decided about the matter of consent, they need to consider three further tests before they share any personal information with another professional or organisation.  

Some professionals find it useful to remember this as the NP&R test. It is vital all three tests are considered, not either or. 

  • N – Necessity: The information shared should be limited to what is essential to achieve the lawful purpose, ensuring it is neither excessive nor insufficient.
  • P – Proportionality: The extent of information shared must be appropriate to the specific circumstances. However, the protection of life must always take precedence.
  • R – Relevance: Only information directly related to the case should be shared, with careful consideration given to the specific context and safeguarding needs.

The Criminal Procedures Investigations Act 1996 (CPIA) 

All partners must ensure that they are mindful of the requirements of the Criminal Procedures Investigation Act 1996 (CPIA) in relation to the disclosure of information. Permission must be sought to share or store the information outside of the MASH. 

The Data Protection Act (2018), Duty of confidence 

All partners must ensure that information held may have been gathered where a duty of confidence is owed to both the holder of the information and to the person subject of that information (i.e. The common law presumption that certain information will be confidential). However, duty of confidence is not an absolute bar to disclosure, as information can be shared where consent has been provided or where there is a strong enough public interest to do so. 

The Data Protection Act (2018) identifies: “processing of personal data that is necessary for the performance of a task carried out in the public interest or in the exercise of the controller’s official authority includes processing of personal data that is necessary for the administration of justice.” 

While a professional should always ensure they consider the proportionality and necessity of sharing any item of personal information, doing so for the protection of children or other vulnerable persons clearly fulfils the public interest test. 

All information shared with a partner agency must also be relevant to the concern under review. All partner agencies agree that: 

  • Sharing information within the MASH takes place where relevant and necessary. 
  • Information should not be shared outside the MASH except as agreed for the purpose of referring a family on for services and interventions. 
  • Must be used only for the purposes of safeguarding children and improving their wellbeing. 
  • Should only be passed on to third parties with the permission of the agency who provided the information. 

Consent 

The starting point for any sharing of information is that practitioners should be open and honest with individuals and families from the outset about why, what, how and with whom information will or could be shared. 

Consent should be obtained from a person who is legally competent to do so. The Data Protection Act 2018 together with the GDPR identifies that a child of 16 years and over can consent to their information being shared. 

The local authority is responsible for clarifying that the partnership has received consent for relevant cases before any action is decided. 

Children and young people 

In most circumstances for those under 16, specific consent must come from a parent who holds parental responsibility or a carer who has obtained this from a court. There should be consideration about whether there is capacity to consent for 16-18 years olds as per the Mental Capacity Act 2005. 

Consent should not be a barrier to sharing information where an agency believes there is a safeguarding response required or to promote the welfare of a child provided that there is a lawful basis to process any personal information required as detailed in Working Together 2023.   

It is good practice to seek consent from the parent/carer before any referral is made to the local authority.   

There are however a few exceptions in the following circumstances: 

Police referrals and notifications 

  • Police referrals and notifications are made on the basis that there is a considered need for a safeguarding response or to promote the welfare of a child. 

Where there are child protection concerns 

  • When suspected that if attempts are made to seek consent this will place the child at risk of significant harm the referrer must stipulate safeguarding concerns in writing and indicate the escalation of need, risk, or harm to the child for a decision to be made to override consent based on the concerns raised.
  • When the referrer has sought consent, and the parent has refused permission – if this is the case and the referrer believes that by not referring the concerns and it is likely to escalate and may place the child at risk of significant harm/potential harm the referrer must consider and record the overriding of consent.
  • If the rationale for a refusal to consent is unclear to the local authority, the case should be immediately discussed with the referrer and a decision should be made as to whether to proceed or not.
  • Decisions to overrule consent must be recorded and clarified based on safeguarding concerns.
  • Where it is believed the aims of the multi-agency safeguarding arrangements to safeguard and promote the welfare of children might be compromised if agencies were to seek consent, the disclosing agency must consider and record the grounds to override consent. 

If there is a significant change in the way the information is to be used at any time, or a change in the relationship between the agency and the individual, consent should be sought again. It is also important to remember that individuals have a right to withdraw or limit consent at any time.