Confidentiality encompasses a number of ways that you can respect an individual’s privacy or personal wishes, in which you would typically deter from passing on information they have shared. In all professions, unless consented to, personal details should remain confidential unless there are other parties which need to know.
Upholding confidentiality also entails close attention to data protection laws and cyber security. In a survey of schools in the UK taken in 2021, 36% of primary schools reported security breaches in the last 12 months, 58% in secondary schools, and 75% in further education colleges. Confidentiality has never been more important for those working in childcare to get right, given that much of the data retained about children in their care is kept in online databases.
Confidentiality derives from common law, which are broad legal obligations that come from case law, as opposed to statutory law. Common law on confidentiality ensures that someone who has been given information in confidence generally cannot misuse it or use it to their advantage.
There are criteria that must be met for common law on confidentiality to apply:
1. The information shared should be confidential by nature. This means that if the information shared is already common knowledge, it is unlikely to be able to stand as confidential information.
2. The person receiving the information must have known that the information was provided in confidence. It can be signalled by a label classifying it as confidential, or be secured in a system which suggests confidentiality. It can also be reasonably assumed that there is a level of confidence involved, based on the relationship between the two parties.
3. For confidentiality to be breached, the information must have been used in a way that disadvantages the person who shared it, without their consent.
Confidential personal data concerning children may include:
Rules about confidentiality often refer to particular types of information, as some types of information must be disclosed and should never be promised to be kept secret, for example, information that threatens a life.
In regards to childcare, there are more specific policies which refer to confidentiality, as the nature of confidentiality changes when working with children. It can be a confusing topic for some, so it is important that childcare practitioners are given ample opportunity to understand how each policy impacts their interaction with confidentiality. More about confidentiality in different settings can be found in our knowledge base.
The role of confidentiality in the effective safeguarding of children is paramount. When working with children, no matter the sector, the safety and protection of the child supersedes all other roles. In childcare, a strong understanding of confidentiality is key, and anyone who works with children should be given extensive training on the topic.
Training for those working in Early Years settings, including nurseries and childminders, will be even more fine-tuned to recognising non-verbal cues, such as physical signs of abuse, as younger children may have an issue articulating what has happened to them.
The organisation’s safeguarding and data protection policies should outline clearly the procedures for receiving, logging, sorting and sharing information. Find out more about data protection in Early Years in our knowledge base.
As children come from a range of different settings, parents and carers must be assured that the personal information they share will be kept private. This is important for building trusting working relationships between childcare workers and families, based upon mutual respect. If confidentiality fails to be maintained, it can lead to a breakdown in trust.
A negative perception of childcare workers or institutions may result in important information not being shared by the family or child again in the future. Additionally, people who work with children must ensure that the environment feels safe enough for the child to be able to make disclosures. If they believe that the confidentiality will be breached, they may be reluctant to share information.
Confidentiality helps to avoid children and young people being exploited by others who may misuse that information.
In some cases of breached confidentiality, large fines may be issued and legal proceedings may occur, in line with data protection policies. A data breach is when information has either been misplaced, been shared with someone or been retrieved by someone who is not authorised.
Examples of breaching confidentiality might be:
Many breaches of confidentiality are accidental, sometimes occurring through a technological error, though this does not diminish the individual from responsibility. Breaching confidentiality could put the child in danger of further abuse, for example, in instances where abusive family members are made aware that a child has made a disclosure at school.
In sectors that interact with children, it is recognised that the timely sharing of relevant information is a very important tool to help prevent young people coming to any harm, and for the effective safeguarding of their welfare.
In the past, poor information sharing has been at the root of many failures where children’s welfare is concerned, in the education, health and social care sectors. Thus, there are many instances that information must be shared, with different policies providing guidance on this.
Legislation on confidentiality in childcare is not limited to one policy, but is covered by a range of Acts and guidance policies. It is up to the organisation to ensure that all staff are aware of how confidentiality impacts their role, based on these documents.
The Data Protection Act was replaced by the GDPR (General Data Protection Act), with an aim to let individuals have a larger say over how their data is shared. It is a common myth that the new GDPR Act prohibits the sharing of information, but this is false. It simply ensures that only relevant and accurate information is being shared, by consent of the individual.
There are five main principles of the GDPR:
1. There must be a lawful reason for obtaining the data, and the process must be clear.
2. The information gathered should only be used for the purpose stated.
3. Only necessary information should be collected, and nothing more.
4. All data collected must be accurate, and the systems and processes must be in place to keep the information current.
5. The data must be secured.
Organisations working with children such as nurseries and schools interact with sensitive data every day, which must be handled in a more protective manner. Databases should be secured from viruses and cyber-attacks. You can read more about data protection in educational settings in our knowledge base.
The Children Act 2004 was created to establish clear safeguarding guidelines to protect the wellbeing of children and young people. Chapter 1.9 details the protocol on sharing information, in accordance with the guidance on Working Together to Safeguard Children, and states that some information must be shared to rapidly identify any child who is at risk of harm.
The Act instructs childcare practitioners to share information, where relevant and necessary, about:
Under Article 8 of the Human Rights Act 1998, each individual has the right to respect for their family and private life, their home and their correspondence. This means that all individuals are entitled to privacy in their sexuality, their identity, their relationships with others, and their messages and communications. However, the Children Act 2004, as listed above, overrides this in instances where there is a threat to the child or to others.
After the murder of Victoria Climbié in February 2000, the Every Child Matters initiative began, which paved the way for the Keeping Children Safe in Education (KCSIE) guidance. Eight-year-old Climbié was failed by multiple agencies involved in the responsibility for her welfare, after they neglected to act properly on information which suggested she was being severely abused by her carers.
Social workers, police, educational institutions and healthcare providers all failed to share and act upon relevant and accurate information in a timely manner. KCSIE, in conjunction with the guidance on Working Together to Safeguard Children, outlines procedures for staff in educational settings to safely record and report particular types of information.
The government outlines seven ‘golden rules’ when it comes to sharing information.
These are as follows:
1. Whilst the GDPR has changed how organisations must operate regarding the sharing of data, it does not prevent the sharing of information entirely. Instead, it acts as a guide as to how to go about it in an appropriate manner.
2. When a child, young person, parent or carer shares information with you, be transparent with them about how this information will be used and who it may be shared with, unless for any reason the anonymity of other parties is necessary.
3. If there is ever uncertainty about the nature and sharing of information, ask the DSL (Designated Safeguarding Lead) or another knowledgeable figure, being sure to keep the information you are privy to confidential as you do so.
4. Seeking consent to share information is the best way to confidently disclose that information, as legally, consent is a requirement. However, you are entitled to share information without consent if you believe that there is a lawful need to. Your decision must be removed from feeling or instinct, and be based on factual information. If you then tell the individual that you will be sharing this information, you must be clear about why, and what the consequences of sharing the information might be. You can still share information if there is a lawful need, with the individual’s consent.
5. You should consider that decisions you make about sharing information could impact your health and wellbeing, as well as that of others.
6. When sharing information, ensure that it is:
– Necessary. Consider if it is absolutely essential that you share this information, and ensure you tell only those individuals who absolutely need to know.
– Proportionate. Understand clearly what needs to be shared, and in how much detail.
– Relevant. Unless it is essential, only share the information which relates to the case.
– Adequate. Ensure that you have given enough information for the situation to be understood thoroughly.
– Accurate. Only give information as it has been relayed to you, and as you have observed objectively. Try to use the exact wording where possible.
7. Keep a log of your decision and why you decided to either share or not share the information. If you choose to share, write down who it has been shared with and why.
When working with children and young people, you are often exposed to a high volume of personal information. Young people should be viewed as citizens with the right to have their personal information kept confidential.
However, consent is not always needed, and confidentiality should be set aside immediately if there is a risk to the child, to yourself, or to someone else. Those who work with children should receive regular training in signs of abuse, neglect and bullying, and should disclose their concerns at once to the relevant parties (usually a DSL) if they believe a child is at risk.
There may also be the opportunity to log these concerns on an automated system, which will notify the relevant parties.
Under no circumstance should a childcare practitioner make promises to children that they will not pass on the information they are being told. They should explain to the child that the information will be recorded, and may be passed on for their own protection.
The child should not be led to think that the adult is able to keep secrets for them, or keep important information confidential. It might appear that a child will confide in more depth if they believe that the information they share will remain private; however, this is misleading and may also leave the practitioner in a vulnerable position.
Some instances where confidentiality can be broken may be:
Additionally, sharing of some personal information is vital. This may include:
Some organisations may be involved in the dissemination of information, as they are listed in the GDPR legislation as the key organisations with duties for safeguarding children.
These are:
Breaking confidentiality where it is deemed necessary is an act of professionalism, and enables these agencies to provide help, support and/or intervention where necessary. It should not be seen as inappropriate, and a practitioner should never second-guess passing on information that they believe is vital for other parties/agencies to know.
Sharing of such information is a part of the duty of individuals or agencies working with children. For more advice on how and when to share information, visit the government website.