If you’ve ever hesitated before hitting “send” on an email about a student concern, you’re not alone. For educators, the tension between safeguarding responsibilities and privacy rights, especially under GDPR, is a daily challenge. We want to protect our pupils, but we also need to protect their personal data. So how do we walk that line without falling off either side?

Let’s start with two real-life scenarios.

 

Case Study 1: Sharing Too Much

A primary school teacher became concerned when a pupil started showing signs of anxiety and withdrawing from classroom activities. Wanting support, the teacher emailed a wide group of colleagues with a detailed account of the pupil’s behaviour and personal circumstances.

Although the intention was to help, the level and breadth of information shared went beyond what was necessary. Under UK GDPR, personal information should only be shared with staff who genuinely need it in order to provide support. In this situation, the message reached colleagues who were not directly involved, leading to an avoidable breach of the pupil’s privacy.
The school’s Data Protection Officer later offered guidance, reminding staff that safeguarding is important, but it does not justify unrestricted or overly broad information sharing.

 

Case Study 2: Sharing Too Little

In another school, a member of staff overheard a student making worrying comments about self-harm. Unsure whether the concern was serious, and worried about “getting it wrong” or mishandling confidential information, the staff member chose not to pass the concern on.

Later, the student required significant support, and it became clear that earlier reporting could have enabled help to be put in place much sooner. The staff member had misunderstood data protection laws, thinking they prevented sharing.
In fact, UK GDPR explicitly allows the sharing of personal data when it is necessary to safeguard a child or protect their wellbeing. In this scenario, not reporting the concern carried a much greater risk than sharing it appropriately.

 

GDPR: What Educators Need to Know

Under the UK General Data Protection Regulation (GDPR), schools are considered data controllers. That means they must ensure personal data is:

  • Processed lawfully, fairly, and transparently
  • Collected for specified, explicit purposes
  • Limited to what is necessary
  • Kept accurate and up to date
  • Stored securely

But GDPR also makes clear that safeguarding trumps privacy when a child is at risk. The key is proportionality: sharing the right information with the right people at the right time.

 

How Data Protection and Safeguarding Duties Work Together

It’s easy to think of GDPR and safeguarding as being in conflict, but in reality they are designed to complement each other. Safeguarding duties set out in statutory guidance, such as Keeping Children Safe in Education (KCSIE), require schools to act swiftly when a child may be at risk. Data protection laws don’t override those responsibilities; instead, they help ensure that any information shared during safeguarding processes is handled appropriately.

Under UK GDPR, schools must identify a lawful basis for sharing personal data. In safeguarding contexts, this is often “public task” or “vital interests,” both of which allow information to be shared without consent when necessary to protect a child. The law recognises that waiting for consent could introduce delay and increase risk.

At the same time, GDPR emphasises proportionality. Only the minimum relevant information should be shared – enough for the DSL, external agencies, or other professionals to act effectively, but no more than is necessary. This principle ensures that children’s privacy is still respected even in urgent or high‑risk situations.

Rather than opposing forces, GDPR and safeguarding should be seen as working in partnership: one focused on preventing harm, the other on preventing unnecessary exposure of personal information. Used together, they support safer, more responsible practice across schools.

 

Practical Tips

  1. Know your safeguarding lead
    Always report concerns through your Designated Safeguarding Lead (DSL). They’re trained to assess risk and determine what information needs to be shared, and with whom.
  2. Use secure systems
    Avoid casual emails or verbal disclosures. Use your school’s safeguarding platform or secure reporting tools to log concerns.
  3. Keep it factual
    Record what you saw, heard, or were told without speculation. Stick to objective observations.
  4. Ask yourself: is this necessary?
    Before sharing, consider whether the recipient needs the information to act in the child’s best interests.
  5. Don’t let GDPR paralyse you
    GDPR is not a barrier to safeguarding; it’s a framework to ensure data is handled responsibly. If a child is at risk, you are legally and ethically obliged to act.

 

Balancing safeguarding and privacy isn’t easy, but it’s essential. GDPR doesn’t ask us to choose between protecting children and protecting data. It asks us to do both, thoughtfully and responsibly.

So next time you’re unsure, remember that safeguarding is a lawful basis for sharing data. But share just enough, with just the right people, and always with the child’s best interests at heart.