Skip to main content
Home

Safeguarding condition

Contents

At a glance

  • This condition may be appropriate if you need to use personal information to safeguard a “vulnerable individual”.
  • This condition defines safeguarding as either protecting a “vulnerable individual” from neglect or physical, mental or emotional harm or protecting the physical, mental or emotional well-being of a “vulnerable individual”. 
  • It defines a “vulnerable individual” as either someone aged under 18 or an adult who meets the condition’s definition of ‘at risk'. 

In detail

What is the safeguarding condition?

Using and sharing personal information plays an important role in safeguarding. The UK GDPR enables you to handle personal information for safeguarding purposes by providing a recognised legitimate interest condition for this situation. 

Annex 1 of the UK GDPR states:

“6. This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual.”

We call this the ‘safeguarding condition’. 

In the context of the safeguarding condition, protecting a “vulnerable individual” or their well-being includes both protecting one person and a group of people who share a common characteristic (eg serious health conditions or care needs). 

Further reading – ICO guidance

  • Our Data sharing page contains guidance on sharing personal Information between organisations for safeguarding reasons

How do we apply the safeguarding condition?

To use the safeguarding condition, you must:

  • ensure what you want to do with the personal information counts as safeguarding;
  • be satisfied that the person you want to safeguard is either a child or an ‘at risk’ adult; and
  • demonstrate that your processing of personal information is necessary to safeguard that person.

The UK GDPR provides definitions for each element of the safeguarding condition. Safeguarding in this context means:

  • protecting a “vulnerable individual” from neglect or physical, mental or emotional harm; or
  • protecting the physical, mental or emotional well-being of a “vulnerable individual”.

Only one of these needs to apply for your use of personal information to be necessary for safeguarding.

The safeguarding condition only applies where the person involved is a “vulnerable individual”. The UK GDPR defines a “vulnerable individual” as:

  • a child (ie someone aged under 18); or
  • an adult who is ‘at risk’. 

All children and young people under the age of 18 are regarded in this context as “vulnerable”. However, for adults it depends on whether they are ‘at risk’. A person is ‘at risk’ if you have reasonable cause to suspect they:

  • need care and support;
  • are either experiencing or are at risk of neglect or physical, mental or emotional harm; and
  • as a result of those needs, are unable to protect themselves against the neglect, harm or risk.

You don’t need to have explicit confirmation that the adult meets the ‘at risk’ criteria, though in some cases you might have this. When deciding whether someone is ‘at risk’ or not, you should take an objective and reasonable view, given all the information you have.
 
In order to be accountable, you should document your assessment of how the adult meets the criteria to be ‘at risk’ of vulnerability, including any evidence that supports your decision.

Once you have determined that what you want to do counts in this context as safeguarding a “vulnerable individual”, you must determine if using personal information is necessary to safeguard them. 

This doesn’t mean it has to be absolutely essential to handle personal information for safeguarding but you must ensure it is more than just useful. You should handle it in a targeted and proportionate way to help safeguard them. 

Example

A children’s welfare charity runs a youth club for 11 to 16 year olds in its area. 

Over several weeks, the group leader notices a deterioration in one child’s appearance and behaviour which suggests they are experiencing physical neglect at home. 

The charity decides it is necessary to share relevant personal information about the child with the local authority’s child protection team to protect the child from neglect. It relies on recognised legitimate interest and the safeguarding condition in order to share this information. 

If you’re handling special category data for safeguarding purposes, such as health information, you must also comply with article 9 of the UK GDPR. (For more information, see Can we use recognised legitimate interest for special category data?.)

Likewise, if you’re handling criminal offence data for safeguarding purposes, you must also comply with article 10 of the UK GDPR. (For more information, see Can we use recognised legitimate interest for criminal offence data?). 

Remember, you must still meet all your other data protection obligations. (For more information, see What else do we need to consider?.) 

Further reading – ICO guidance

Is this condition appropriate for safeguarding in all circumstances?

No, depending on the circumstances, recognised legitimate interest may not be the appropriate lawful basis for you to rely on for safeguarding. But this doesn’t mean there won’t be a lawful basis for you to use.

The legal obligation lawful basis is likely to be more suitable if you need to handle personal information for safeguarding to comply with a law (either a statute or in common law) or a similar provision. This may include organisations in regulated industries who are subject to regulatory requirements to ensure the fair treatment of their customers who may be at risk of harm (depending on the circumstances). 

Public authorities or organisations with similar public tasks or official functions should use either public task or legal obligation as their lawful basis for safeguarding. (For more information, see Can public authorities use recognised legitimate interest?.) 

For everyone else, recognised legitimate interest is likely to be appropriate when you are handling personal information for safeguarding reasons (subject to meeting the criteria of this condition).   

If someone is in immediate danger, vital interests may be the appropriate lawful basis. 

Further reading – ICO guidance

How do we deal with changes in someone’s situation?

You may find that someone’s circumstances change and they no longer meet the definition of a “vulnerable individual” (as defined by this condition). This means you can’t rely on recognised legitimate interest if you need to use personal information to safeguard that person.

Therefore, you must identify a different lawful basis and update your privacy information. However, using a new lawful basis does not impact on the lawfulness of how you’ve handled personal information up to this point.

In many cases, you may find the legitimate interests lawful basis is appropriate. But you must satisfy its three-part test. 

If you handle personal information to safeguard children, you should plan in advance for the impact on your lawful basis when they turn 18 years old. Once they reach adulthood, they will no longer count as a child under the safeguarding condition. 

In many circumstances it’s likely that a child in need of safeguarding will continue to be ‘at risk’ once they are 18 years old. However, you must decide if you can continue to rely on recognised legitimate interest as your lawful basis. This is because adults don’t automatically meet the definition of a “vulnerable individual” for the purposes of the safeguarding condition. If you can’t do this, you must identify a new lawful basis. (For more information, see How do we apply the safeguarding condition?.) 

If the circumstances change for whatever reason and you need to apply a new lawful basis, remember you must still comply with all your other data protection obligations. (For more information, see What else do we need to consider?.) 

Further reading – ICO guidance