Data Protection – Everything You Need to Know Part 2

Data Protection – Everything You Need to Know But Were Afraid to Ask – Part 2

‘It used to be expensive to make things public and cheap to make them private. Now it’s expensive to make things private and cheap to make them public.’- Prof Clay Shirky, NYU.

In Part 1, I outlined how the protection of personal data has become a critical risk area for business, not-for-profits and charities as the regulator, the Information Commissioner’s Office (ICO), takes a tougher stance on enforcement of the rules.  A series of high profile incidents have heightened public concern about privacy and the misuse of personal data. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018.  In Part 2, I explain what will change when the GDPR comes into force from 25 May 2018.

What will change under the GDPR in 2018?

The GDPR will introduce a series of explicit rights for individuals in respect of their personal data, some of which are new, and some are enhancements of the existing position:

  • Right to access data – to be told whether personal data are being processed and to obtain a copy
  • Right to erasure – if consent is withdrawn, or there is no legal basis for holding the data, individuals may request erasure
  • Right to portability – the right to require data to be transferred to another data controller in a machine-readable format
  • Right to rectification – an individual’s right to have inaccuracies corrected or to include a supplementary statement
  • Right to restrict processing – data to be held in limbo while any disputes are resolved
  • Right to be informed – i.e. to be told what information is being processed and for what purpose
  • Right to object – the right to stop personal data being processed by withdrawing consent or some other legal basis.

The key changes

  • The definition of ‘personal data’ will be widened to include IP addresses, genetic and biometric data.
  • Organisations will need to keep proper records of their data processing activities and make these available to the regulator if requested.
  • Data processors (as well as data controllers) have direct obligations for the first time. These include an obligation to: maintain a written record of processing activities carried out on behalf of each controller; designate a Data Protection Officer where required; appoint a representative (when not established in the EU) in certain circumstances; and notify the controller without undue delay on becoming aware of a data breach. How data protection matters are addressed in supply and other commercial agreements will need to be reviewed – especially the allocation of liability for data breaches.
  • The £10 fee for accessing records will be abolished and the time limit for dealing with a request to access or correct a record will be shortened from 40 days to 1 month. Extensions of up to 2 months may be allowed if the request is complex. Requests may be refused if they are ‘manifestly unfounded or excessive’.
  • The right to request erasure of data has been strengthened. Under the current rules, erasure can be requested only if the processing causes unwarranted and substantial damage or distress. There will be specific circumstances where erasure can be requested, e.g. the individual withdraws consent to processing, or the data was unlawfully processed in the first place. There will be very limited grounds to refuse to erase, e.g. to comply with a legal obligation in performing a public interest task or for public health purposes.
  • New right to ‘data portability’ – individuals will be allowed to obtain and re-use their personal data for their own purposes across different services (e.g. for use on a price comparison site). Organisations must provide the data free of charge in a machine readable format e.g. a .csv file within 1 month of a request.
  • There will be significantly harsher penalties for data breaches – the current limit of £500,000 will increase to 20 million euros or 4% of an organisation’s global turnover, whichever is greater.
  • An explicit right for individuals affected by a breach of the rules by a data controller or a data processor to bring a claim for compensation, which need not be for financial loss: it could cover personal distress and anxiety.
  • Special rules will apply to children’s personal data – privacy notices must be child-friendly. Before offering online services to children under 16 (most likely set at under 13 in the UK), a parent or guardian’s permission will be required (except for online counselling and preventative services). (Note this does not affect the existing law for offline transactions, where the capacity of the child may be relevant.)
  • New privacy notices will be required which provide information about retention periods for data, the rights of the data subject, the right to withdraw consent, the right to complain to the ICO, whether it is a statutory or contractual requirement to provide the data, and whether any of the data will be used for automated decision-making about the individual.
  • There are potentially onerous new obligations on accountability and information governance. There is an explicit duty to put in place appropriate organisational measures to demonstrate compliance with the rules, which could include data protection policies, staff training, internal audits of data held and processing activities, privacy impact assessments when implementing new technologies or activities, reviews of internal HR policies and regular reviews of security arrangements. If your organisation has more than 250 employees there will be a more onerous duty to maintain records of processing activities. These records may be called for by the ICO as part of an investigation and may form an important part of your defence to any enforcement action.
  • Mandatory duty to appoint a Data Protection Officer for public authorities or organisations which undertake large scale monitoring of individuals or large scale processing of ‘sensitive personal data’. Note it is the scale of the processing, not the size of the organisation, that matters. The DPO’s role is to inform and advise the organisation and its employees about their data protection obligations, monitor compliance with data protection laws, conduct internal audits, train staff and coordinate data protection activities, and be the first point of contact with the ICO and supervisory bodies, as well as with customers and suppliers whose data is being processed. The DPO is expected to report directly to the Board and must be given adequate resources and authority to perform their role. The role does not necessarily have to be filled by an employee; it can be contracted out.
  • Duty to report data breaches to the ICO where a breach is likely to result in a risk to the rights and freedoms of the individuals affected; also a duty to notify the individuals affected if there is a high risk to their rights and freedoms. Notification must be made within 72 hours. The notification must detail the number of individuals and records involved, a description of the likely consequences of the data breach and the measures to be taken to (a) deal with the breach and (b) mitigate possible adverse effects. Failing to notify a breach can result in a fine of up to 10 million euros or 2% of the organisation’s global turnover!

What do we need to do to prepare for GDPR?

  • Ensure Board members and management are aware of the new duties and are taking active steps to prepare, including securing resources and budgets required.
  • Designate a Data Protection Officer to take responsibility for compliance and decide where this role will sit within your organisation’s overall governance structure.
  • Review all policies and procedures which are relevant to data protection and privacy.
  • Conduct an information audit and privacy impact assessments – understand what personal data your organisation holds, where it comes from and with whom you share it; identify the legal basis for processing the information; document your findings. Is there a clear audit trail showing how and when individuals gave their consent to processing of their personal data and opted into marketing communications?
  • Review your privacy notices – see examples of good practice here.
  • Take extra care if you are collecting information about children – bear in mind the new requirement to obtain parent or guardian’s consent to processing data about children in most cases.
  • Prepare to deal with subject access requests within the shorter time period of 1 month.
  • When contracting out work to third parties (e.g. payroll providers, HR consultants, fulfilment houses), check what measures they have in place to ensure compliance with the new duties – are they signed up to any certification schemes or codes of conduct? Ensure you have appropriate contractual clauses in place to protect your organisation against their failures.
  • Have robust procedures for detecting and investigating data breaches and internal reporting so that notification can be made to the authorities within the 72 hour period.
  • Review insurance covers to determine what risks or incidents are covered or excluded.

The new GDPR represents a step-change in the level of risk for organisations collecting, holding and processing personal data. It will be essential to begin preparations now, identifying resources and reviewing current procedures and policies in readiness. Elderflower Legal offers specialist legal, governance and company secretarial services to help keep your organisation compliant: elderflowerlegal.co.uk.

Elderflower Legal & Secretarial offers a cost-effective outsourced company secretarial service to small business, charities, social enterprises and academy trusts. For a fixed monthly fee we can provide peace of mind to directors and board members that compliance duties are being met, returns filed by the deadlines and risks properly identified.
Contact us today for a no-obligation chat or check out our website at elderflowerlegal.co.uk or call 01625 260577.
Find out more about our service packages here.
If you would like to be kept up to date on more topics like this, then why not sign up to receive our regular newsletter.

Data Protection – What You Need to Know

Data Protection – Everything You Need to Know But Were Afraid to Ask

‘We thought digital was the new oil, but discovered it is also the new asbestos.’ – Christopher Graham, former Information Commissioner, 2016.

The protection of personal data has become a critical risk area for business, not for profits and charities. The regulator, the Information Commissioner’s Office (ICO), is taking a tougher stance on enforcement of the rules.  A series of high profile incidents have heightened public concern about privacy and the misuse of personal information. Now organisations will need to prepare for even more stringent rules: in spite of Brexit, the new EU-wide General Data Protection Regulation (GDPR) will still come into force on 25 May 2018.

What should we already be doing?

The existing rules on data protection cover the collection, storage and processing of personal data about individuals. They give individuals a right to request data held by organisations (a “subject access request”) and the right to correct errors. They also create offences where data is lost or stolen due to ineffective security or carelessness – which can lead to significant fines. Particular care must also be taken around marketing activities where contact is made with prospects, supporters, donors or service users. The general principle is that you must have the consent of the person you are contacting before sending them a communication. When you collect information on a paper form or via a website, or over the phone, you must tell people in a ‘privacy notice’ why you are collecting the information, what it will be used for and who it may be shared with. They must be given the option to specifically ‘opt in’ to different types of marketing communications by ticking a box. Pre-ticked boxes are not allowed. The reputational and financial risks of getting it wrong can be very serious. In 2014, the organisers of Park Life Festival were fined £70,000 by the ICO for sending unsolicited and inappropriate marketing text messages. In December 2016, the ICO announced fines for the RSPCA (£25,000) and British Heart Foundation (£18,000) over the inappropriate handling and sharing of donors’ personal information without permission.

The current rules

The Data Protection Act 1998 governs the holding and processing of personal data. ‘Personal data’ means any information which identifies any living individual, whether held in digital form, on disk or on USB sticks, and includes photos, video and sound recordings. ‘Processing’ personal data means obtaining, recording or holding the information on computer systems, in the cloud or in a paper filing system. More stringent rules apply to ‘sensitive personal data’, which includes information about racial or ethnic origin, political opinions, religious beliefs, trade union membership, physical or mental health, sexual life, and details of any offences committed or alleged.

Businesses and charities routinely handle the personal information of employees, volunteers, service users, and suppliers. It is therefore very likely that these activities will be caught by the provisions of the Act. A ‘data controller’ is a person or entity that determines the purposes for which personal data is processed. They may also be processing the data. A ‘data processor’ is usually, but not always, a service provider who handles the data but doesn’t control it. Under the current law, the legal responsibility for compliance falls directly on the data controller and not on the data processor. If you are a ‘data controller’ under the Act and fail to register your organisation with the Information Commissioner, you can be fined.

The Act says that all personal data must be:

  • Fairly and lawfully processed (i.e. you must be transparent with individuals about what you’re doing with their data and why, you must have a lawful basis for collecting and processing the information and you process it in a way that individuals would reasonably expect);
  • Processed for specified purposes only (i.e. you must tell people why you are collecting data and what it will be used for from the outset and not then use it for other purposes);
  • Adequate, relevant and not excessive;
  • Accurate and, where necessary, kept up to date (you have a positive duty to keep the information up to date and correct any errors);
  • Not kept for longer than is necessary (so employment applications, CVs etc should be securely destroyed after a reasonable period);
  • Processed in line with the rights of the individual;
  • Kept secure (i.e. employ reasonable security precautions); and
  • Not transferred to countries outside the European Economic Area, unless the information is adequately protected. Care must be taken if any of your data is stored on cloud based servers in the United States or other countries which do not have a ‘safe harbour’ arrangement in place (e.g. via cloud based accounting, HR or CRM systems). Some transfers are still permitted, e.g. if the individual specifically consents, or if there is a suitable contract in place with the data handler to protect the data.

Non-compliance can result in an enforcement notice preventing a business from processing data, effectively preventing many businesses from operating, together with significant fines up to £500,000. Managers and directors can also be prosecuted personally for non-compliance if the offence was committed “with their consent or connivance”.

Individuals have a right to ask your organisation to disclose what personal data you hold about them by submitting a subject access request and paying a fee of £10. You must respond within 40 days. If you fail to respond the requester can make a complaint to the ICO. So you need to be careful about the records, notes and correspondence you keep about employees, job applicants and service users, since it could all be disclosable to them upon request!

The key steps to ensure compliance are:

  • Ensure your organisation is registered with the ICO as a data controller
  • Prepare a Data Protection Policy
  • Put in place appropriate ‘privacy warnings’ for clients and customers giving them the required notices and informing them of their rights
  • Ensure that you hold no more personal data than is necessary for the business activities that you perform
  • Establish procedures for staff to follow when processing personal data. (Demonstrating that procedures were put in place might be a defence in the event of a complaint brought against you)
  • Train, and regularly refresh, all your staff in best practice
  • Put in place contracts with your suppliers which assist in the protection of information
  • Check your insurance and evaluate your risks of suffering a data breach or security incident

Data controllers must put in place adequate technical and organisational measures to safeguard personal data from destruction, accidental loss, unauthorised access or disclosure.  Data breaches can occur through unauthorised entry into IT networks, loss of mobile devices or memory sticks, or even simple errors like leaving confidential papers in unsecured waste bins. In recent years, the ICO has toughened its stance on prosecuting data breaches. For example, in July 2014, the ICO fined a Thomas Cook subsidiary, Think W3 Limited, £150,000 after a hacker stole more than 1 million customers’ personal details – including credit and debit card numbers – due to poor data security measures on its website. In March 2014 the ICO imposed a penalty of £200,000 on the charity British Pregnancy Advice Service (BPAS) for exposing thousands of personal details of patients to a malicious hacker. The charity failed to realise its website was storing the name, address, date of birth and telephone number of anyone who had requested a call back for advice on pregnancy issues. The personal data was not stored securely and a vulnerability in the website’s code allowed the hacker to access the system and locate the information.

Social media such as Facebook or LinkedIn company pages can also be subject to the Act. A data controller who runs an online forum has a responsibility to take reasonable steps to check the accuracy of any personal data that is posted on its site by third parties and presented as a ‘matter of fact’. For example, the operator of a site which invites service users to post reviews and feedback on service providers would be subject to this duty.

Special rules for electronic marketing

The Privacy and Electronic Communications Regulations (PECR) were introduced in 2003 to complement the Data Protection Act. They introduced specific rules about sending marketing and advertising by electronic means, including email, telephone, text messages, picture messages and fax. ‘Marketing’ covers not just the sale of products and services, but also the promotion of aims and ideals. In many cases, organisations need consent to send individuals marketing or to pass their details on. There is a limited exception for existing customers and clients known as the “soft opt in”, but only for commercial products or services – not campaigning and fundraising activities. Organisations will need to demonstrate through appropriate records that consent was knowingly and freely given. Consent may sometimes be time-limited, depending on the circumstances. Organisations must always say who they are and provide contact details. Individuals can ‘opt out’ of cold calls by registering with the Telephone Preference Service. You must not continue to send marketing messages to a person who objects or has opted out. Particular care must be taken if your organisation uses bought-in lists for marketing. Appropriate due diligence should be carried out on the quality of the list before proceeding, including obtaining assurances about whether the individuals have ‘opted in’ to receive marketing. Beware of the temptation to sell your own lists of supporters to others without permission. Pharmacy2U was fined £130,000 by the ICO for selling on their customer list, when customers had not given their consent for personal data to be sold on. This can be a particular issue to focus on where mergers, acquisitions or outsourcing are taking place.

Be careful about sharing data

A particular area of risk is the sharing of personal data. Charities may sometimes have a legitimate need to share or disclose data to other agencies and organisations in order to best serve the needs of their service users, or to protect vulnerable beneficiaries. There are a number of lawful routes for sharing data:

  • The person has knowingly given their express consent to the passing on of the information (usually on a paper form or website sign-up).
  • The processing is necessary in relation to a contract which the individual has entered into; or because the individual has asked for something to be done so they can enter into a contract.
  • The processing is necessary because of a legal obligation that applies to your organisation, except an obligation imposed by a contract (for example, a safeguarding duty).
  • The processing is necessary to protect the individual’s “vital interests”. This condition only applies in cases of life or death (e.g. where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident).
  • The processing is necessary for administering justice, or for exercising statutory, governmental, or other public functions.
  • The organisation needs to process the data for the purpose of its own ‘legitimate interests’ or the legitimate interests of the third party that the information is disclosed to. The burden is on the organisation to demonstrate that is the case and that the individual is not harmed.

You can share without an individual’s knowledge in cases where personal data is processed for:

  • the prevention or detection of crime;
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of tax or duty.

However, the sharing of information must be fair and transparent. People should generally be aware of which organisations are receiving their personal data, and what it is being used for. The best way to achieve this is to make sure a clear privacy notice which sets out all this information is included on application forms, membership forms, website forms etc. It is good practice to keep records of data that has been shared and the reason(s) for sharing. If you regularly share or disclose data to other organisations, you should consider having a Data Sharing Agreement with them, setting out respective responsibilities, requirements for security and for secure deletion of data when no longer required.

Many organisations have come a cropper for sharing personal data for non-legitimate reasons. This can be where they sell a mailing list of supporters to another organisation, or where they pass on personal data to another agency where they shouldn’t have done so and this causes harm to someone (e.g. passing on information about an employee’s health condition to a third party).

Right to object – individuals have a clear right to object to your processing their personal data, and this must be brought to their attention when you first collect the data from them. If you are processing data for marketing purposes you must stop as soon as you receive the objection; there are no grounds to refuse or exemptions.

Other legal rules can also apply to disclosing or sharing personal data, such as information obtained in confidence and the Human Rights Act 1998 (Article 8 right to private and family life, home and correspondence).

In Part 2 of this post, we will examine the more stringent rules coming in May 2018 when the new General Data Protection Regulation enters into force.


Could a Company or Charity Secretary Provide Peace of Mind?

Retaining a professional company secretary or charity secretary can bring peace of mind

With an increased focus on effective governance arrangements in companies, not for profits, academy trusts, clubs and social enterprises, and an ever-expanding burden of red tape and compliance duties, Mark Johnson argues that a professional company secretary or charity secretary can add real value to your organisation and provide peace of mind for directors or committee members.

Does any of this sound familiar to you…?

“Sorry we couldn’t get the Board papers out in advance – there just wasn’t time, so can we just scan through the papers during the meeting and take them as approved..?

“The minutes weren’t circulated after the meeting because Jean didn’t have time this month what with her mother being so ill; so most of the action points were unfortunately overlooked. But don’t worry we’ll pick them up at next meeting in 3 months’ time…

“I’m sure this issue has come up in previous meetings, if only we could find the minutes and records to look back through. They used to be on John’s laptop before he stepped down..

“The Board has been grappling with this issue for a while now: like a bad smell, it keeps coming back to every meeting – but no one seems to get hold of it, find out what the answer is, nail it and allow us to move on! I would ask our lawyers, but I worry they would make an industry out of it and it could end up costing us a fortune…

“I sometimes worry about whether we are keeping up to date with our responsibilities – law and policy can change really fast in this area and none of us really has the time to research the latest position. I don’t really know what would happen if we got it wrong – I just hope we’re properly insured…if only we could find the policy documents.

“I know our policies and procedures probably need a thorough review and updating, but we’re all volunteers and we just don’t have the time and capacity to move it forward.

“I just assumed that the Treasurer would file the accounts and annual return by the deadline. It came as a very unpleasant surprise when we all got fined for missing the deadline.

“It came as a nasty shock when we realised we were responsible for thousands of pounds in redundancy payments. We assumed the manager who signed the contract had read it properly, but it seems not, and the Board were really unaware of what we had taken on. This could mean we have to close down.”

Don’t leave it to chance

Running a company, charity, club or social enterprise involves a wide range of legal and compliance duties. Effective governance requires proper systems for planning meetings, analysing information, following up action points, and keeping on top of compliance and legal responsibilities. Sometimes you don’t know what you don’t know until it is too late! Unfortunately, ignorance of the law is no defence. It can often be very difficult for busy directors and volunteer board members to keep on top of everything. But the consequences of getting it wrong can be very serious. Some recent examples you may have heard about:

  • A charity was fined £200,000 for a breach of data protection laws – hackers broke into its website and stole data about service users. There was no data protection policy in place and staff had not been trained on the importance of data security.
  • The Trustees didn’t really understand how the organisation’s business model worked; they all had busy day jobs and they trusted the highly charismatic leader. After all, she brought in so much funding and enjoyed a high public profile. What could possibly go wrong? They were devastated when the black hole in the finances came to light, the organisation went bust and they were all ‘named and shamed’ by the media.
  • The Trustees weren’t aware that the wife of one of their fellow trustees was a shareholder in a business which had been awarded a contract worth £150,000 by the Trust; the Trustee hadn’t declared his interest, but the auditor picked this up at year end as a ‘related party transaction’ and once it was made public in the annual report and accounts, the media had a field day. The trust is now under investigation for governance failures and accounting irregularities.
  • A local charity was forced to abandon a fundraising event because the required licences from the local authority had not been applied for in time. Tickets had to be refunded. The organisers faced a backlash from the angry public.
  • A housing association signed a contract to deliver a high profile new project and later found that it did not have the necessary powers in its constitution to carry out the activity; the project had to be unwound and thousands of pounds and management time were wasted.
  • The marquee blew over during the event, causing injury to a child. After consulting some rabid claims management consultants, the parents sued the committee members. They all thought they were insured, but the policy hadn’t been renewed. They ended up paying £10,000 each from their own pocket to settle the case.

All of these problems could probably have been avoided if a professional company secretary or charity secretary had been employed to keep on top of the paperwork, ensure compliance with regulations, analyse risks and sort out problems. Professional company secretaries holding Chartered Status with ICSA: The Governance Institute have undertaken rigorous academic and practical training across a wide range of areas, including corporate law, corporate governance, risk management, strategy and finance.

Start your New Year on the right footing. Consider retaining an ICSA qualified professional company secretary or charity secretary to help you:

  • manage the paperwork
  • ensure effective meetings
  • keep on top of compliance duties
  • identify and manage risks
  • enhance board performance.


Do you understand your responsibility for safeguarding children?

Recent disturbing revelations about the horrific abuse suffered by young players in football, as well as the continuing wide-ranging inquiry into historical sex abuse have thrown the spotlight firmly on the role and responsibility of trustees, directors and managers of sports clubs, charities, social enterprises and businesses, as well as their front-line staff and individually regulated professionals, in detecting and preventing abuse and understanding their responsibility for safeguarding children.

It is becoming evident that adults within some organisations were aware of abuse taking place, or at least of concerns about members of staff or those associated with the organisation, but failed to act. In some cases, leaders within the organisation failed to investigate concerns thoroughly enough and, at the extreme, they may even have sought to hide or cover up the abuse.

Whether you are a trustee, director, officer, manager, paid professional or volunteer, if your club, association, charity or business works with or provides services to children and young people, you will have statutory responsibility for safeguarding children and their welfare. You must understand what your organisation’s and your personal responsibilities are. If you fail to fulfil your responsibility for safeguarding children, you may open up your organisation and yourself to significant liability. This could take the form of a civil claim for damages for assault or negligence, based on a breach of a duty of care owed to children under your supervision or on your organisation’s vicarious liability for the acts of its staff and volunteers; or a criminal prosecution could be brought for statutory offences related to failure to carry out Disclosure and Barring Service (DBS) checks on staff, failure to notify the DBS of known incidents involving a member of staff, health and safety breaches (including failure to maintain a safe system of working), or, in extreme cases where there is a cover-up, failure to report an arrestable offence or conspiracy to pervert the course of justice. Directors and officers may be personally liable for certain offences alongside the organisation if the offence has been committed with their ‘consent or connivance’. Involvement in such proceedings could be very costly, attract adverse media coverage and have a devastating impact on your reputation. Insurance policies may not assist, since most policies will typically exclude liability for deliberate acts of abuse committed by staff or volunteers.

The Safeguarding System

Whilst local authorities, through their children’s social care teams, play the lead role in safeguarding children and protecting them from harm, everyone who comes into contact with children and families has a role to play in protecting them. ‘Children’ includes everyone under the age of 18.

‘Safeguarding’ the welfare of children is defined as:

  • protecting children from maltreatment;
  • preventing impairment of children’s health or development;
  • ensuring that children grow up in circumstances consistent with the provision of safe and effective care; and
  • taking action to enable all children to have the best outcomes.

Sections 10 and 11 of the Children Act 2004 place duties on a range of organisations and individuals to ensure their functions, and any services that they contract out to others, are discharged having regard to the need to safeguard and promote the welfare of children. Various other specific statutory duties also apply to other organisations working with children and families.

More generally, Article 3 of the United Nations Convention on the Rights of the Child, which is part of UK law, provides that all children have the right to have their welfare considered paramount in all decisions taken about them. Article 12 provides for the right of the child to be heard and Article 19 provides for the child’s right to be protected from abuse and neglect.

Safeguarding is everyone’s responsibility

Everyone who works with children – including teachers, GPs, nurses, midwives, health visitors, early years professionals, youth workers, police, NHS staff, nursery staff, crèche volunteers, scout leaders, holiday camp staff, voluntary and community organisations, sports club staff, freelance coaches – has a responsibility for keeping them safe. No single staff member can have a full picture of a child’s needs and circumstances and, if children and families are to receive the right help at the right time, everyone who comes into contact with children has a role to play in identifying concerns, sharing information and taking prompt action.

Organisations working with children must provide training for their staff on how to identify and respond early to the needs of all vulnerable children, including: unborn children; babies; older children; young carers; disabled children; and those who are in secure settings. There is a particular need to be alert to the potential need for early help for a child who:

  • is disabled and has specific additional needs;
  • has special educational needs;
  • is a young carer;
  • is showing signs of engaging in anti-social or criminal behaviour;
  • is in a family circumstance presenting challenges for the child, such as drug or alcohol abuse, mental health problems and domestic violence;
  • has returned home to their family from care; or
  • is showing early signs of abuse and/or neglect.

Safeguarding issues can also manifest themselves as peer-on-peer abuse. This could include bullying (including cyberbullying), involvement with gangs, gender-based violence and sexual assaults, and sexting. Specific duties apply to children thought to be at risk of exposure to extremism or radicalisation under the ‘Prevent’ duty: a duty to refer children and young people who show active opposition to fundamental British values (democracy, the rule of law, individual liberty, and mutual respect and tolerance of different faiths and beliefs) to the Channel programme. Certain professionals working in health, social care or education settings also have a duty to report suspected female genital mutilation (FGM).

Staff must be trained to identify the symptoms and triggers of abuse, harm and neglect, to share that information and work together to provide children and young people with the help they need.

Section 11(4) of the Children Act 2004 requires each person or body to which the duty applies to have regard to any guidance given to them by the Secretary of State. The latest statutory guidance is entitled Working Together to Safeguard Children 2015 and is intended to provide a national framework within which agencies and professionals at local level – individually and jointly – work together to safeguard and promote the welfare of children.

Minimum Requirements

Organisations who work with children must have in place certain minimum arrangements that reflect the importance of safeguarding and promoting the welfare of children, including:

  • a clear line of accountability for the commissioning and/or delivery of services designed to safeguard and promote the welfare of children;
  • a senior board level lead who takes leadership responsibility for the organisation’s safeguarding arrangements;
  • a culture of listening to children and taking account of their wishes and feelings, both in individual decisions and the development of services;
  • Disclosures – staff should know what to do if a child tells them they are being abused or neglected. Staff should know how to manage the requirement to maintain an appropriate level of confidentiality, whilst at the same time liaising with relevant professionals such as the designated safeguarding lead and children’s social care. Staff should never promise a child that they will not tell anyone about an allegation, as this may ultimately not be in the best interests of the child;
  • clear whistleblowing procedures to notify senior management if there are concerns about the behaviour of colleagues, which are set out in staff training and codes of conduct. If internal channels fail, the NSPCC whistleblowing helpline on 0800 028 0285 is available for staff who do not feel able to raise concerns regarding child protection failures internally. There should be a culture that enables issues about safeguarding and promoting the welfare of children to be addressed;
  • a Child Protection Policy and procedures which set out clearly how to spot the signs of abuse or harm, the processes for sharing information with other professionals and agencies, and the circumstances in which concerns should be reported to a designated internal lead or a referral made to local authority children’s services, or in urgent cases immediately to the Police and/or the NSPCC hotline on 0808 800 5000;
  • a designated lead for safeguarding (or, for health provider organisations, named professionals). Their role is to support other staff in their organisation to recognise the needs of children, including rescuing them from possible abuse or neglect. These roles should always be explicitly defined in job descriptions. The post holder should be given sufficient time, funding, supervision and support to fulfil their child welfare and safeguarding responsibilities effectively;
  • safe recruitment practices for individuals whom the organisation will permit to work regularly with children, including policies on when and how to check the identity of an applicant and obtain a criminal record check from the Disclosure and Barring Service and keep it up to date. More information is available on the DBS website. Certain employers can be liable to prosecution and a fine of up to £5,000 if they allow staff to have unsupervised access to children without undertaking the necessary check;
  • appropriate supervision and support for staff, including undertaking regular safeguarding training to keep up with developments in the law and best practice in what is a fast-changing environment. Employers are responsible for ensuring that their staff are competent to carry out their responsibilities for safeguarding, promoting the welfare of children and creating an environment where staff feel able to raise concerns and feel supported in their safeguarding role;
  • staff should be given a mandatory induction, which includes familiarisation with child protection responsibilities and procedures to be followed if anyone has any concerns about a child’s safety or welfare;
  • all post holders should have regular reviews of their own practice to ensure they improve over time; and
  • clear policies must be in place for dealing with allegations against people who work with children. Such policies should make a clear distinction between an allegation, a concern about the quality of care or services or a complaint. An allegation may relate to a person who works with children who has:
    • behaved in a way that has harmed a child, or may have harmed a child;
    • possibly committed a criminal offence against or related to a child; or
    • behaved towards a child or children in a way that indicates they may pose a risk of harm to children.
  • a staff behaviour policy (or code of conduct) which should, among other things, cover acceptable use of technologies, staff/children relationships and communications, including the inappropriate use of social media;
  • appropriate record-keeping and document retention policies concerning any allegations or referrals made; and
  • compliance with the Safeguarding Vulnerable Groups Act 2006 (SVGA), which places a legal duty on certain employers and ‘personnel suppliers’ to make a referral to the Disclosure and Barring Service of any person who has:
    • harmed or poses a risk of harm to a child or vulnerable adult;
    • satisfied the harm test; or
    • received a caution or conviction for a relevant offence.

This enables the central DBS record to be updated so that subsequent employers are aware of previous incidents. A regulated activity provider is an organisation or individual that is responsible for the management or control of ‘regulated activity’, paid or unpaid, or a person who makes arrangements for people to work in that activity. This will usually be an employer or a voluntary organisation. Clear-cut examples of a ‘regulated activity provider’ include:

  • providers of health and social care services providing care, supervision and advice to children
  • schools, nurseries, crèches and Further Education colleges that provide education to children
  • a specialist educational establishment that provides education to vulnerable groups, such as alternative education.

However, it could also extend to any form of teaching, training, instruction, care or supervision of children (always including any such activities involving overnight stays), as well as driving vehicles used for conveying children, or even moderating an online forum to which children have access. It is fair to say that the law is not very clear on precisely where the boundary is on regulated activities. In seeking to exempt some volunteers who have less frequent contact with children (less than once a week or less than four times in any 30-day period), or those who work ‘under the regular and day-to-day supervision of others’, it seems an unfortunate gap has been created which could be exploited by serial abusers, who could move on to a new setting without incidents having been recorded. A regulated activity provider can also be a person who simply manages volunteers in a regulated activity position, such as a scout leader or manager in a charitable organisation.

A ‘personnel supplier’ is an employment agency or business that makes arrangements with a person to find them employment, or that places that person with other employers. A personnel supplier can also be an educational institution which arranges for its students to undertake work experience placements as part of their studies.

The importance of sharing information and not turning a blind eye

Early sharing of information is often the key to providing effective early help where there are emerging problems. Indeed, sharing information can be essential to put in place effective child protection services. High profile Serious Case Reviews (SCRs) have shown how poor information sharing in the past has contributed to the deaths or serious injuries of children. Fears about sharing information cannot be allowed to stand in the way of the need to promote the welfare and protect the safety of children.

The seven golden rules to sharing information

  1. Remember that the Data Protection Act 1998 and the Human Rights Act are not absolute barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.
  2. Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
  3. Seek professional advice if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.
  4. Share with the informed consent of the alleged victim where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, there is good reason to do so, such as where their safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be certain of the basis upon which you are doing so. Where you have consent, be mindful that an individual might not expect information to be shared.
  5. Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.
  6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.
  7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

What happens if a referral is made?

Within one working day of a referral being received, a local authority social worker should make a decision about the type of response that is required and acknowledge receipt to the referrer. The referrer should actively chase up if they have not received a response. For children who are in need of immediate protection, action must be taken by the social worker, or the police or NSPCC if removal is required, as soon as possible after the referral has been made to local authority children’s social care.

Final thoughts

Trustees, directors and officers must take leadership responsibility for putting in place the right systems and policies for tackling abuse and protecting the welfare of children. The courts have been very willing to expand the boundaries of corporate responsibility for harm caused to children and it is likely that new specific criminal offences allowing individuals and organisations to be prosecuted for ‘failure to report’ concerns or a ‘failure to act’ may emerge in the wake of current inquiries. A Government consultation on introducing new offences closed on 13 October 2016. It is essential that organisations act now rather than face catastrophic consequences by getting it wrong.

Mark Johnson is a specialist legal and corporate governance consultant working with charities, social enterprises, academy trusts and service businesses. If you need help managing risk, reviewing policies and procedures or in reviewing any aspect of your governance, please get in touch today. Find out more at elderflowerlegal.co.uk or call 01625 260577.

The information above is provided for general guidance only and is not a substitute for professional advice which may depend on your specific circumstances. If you would like to be kept up to date on more topics like this, then why not sign up to receive our regular newsletter.
