Safeguarding compatibility condition
In detail
- What is the safeguarding compatibility condition?
- How do we apply the safeguarding compatibility condition?
- What is our lawful basis?
What is the safeguarding compatibility condition?
Using personal information, including sharing it with other organisations, plays an important role in safeguarding. Data protection law allows you to reuse personal information for safeguarding purposes by providing a specific compatibility condition for this situation.
Annex 2 says:
“Safeguarding vulnerable individuals
8. This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual.”
We call this the ‘safeguarding compatibility condition’ (although this term is not used in the legislation itself).
In the context of the safeguarding compatibility condition, protecting a “vulnerable individual” or their wellbeing refers to both:
- protecting one person; and
- protecting a group of people who share a common characteristic (eg serious health conditions or care needs).
Further reading – ICO guidance
Our data sharing page contains guidance on sharing personal information between organisations for safeguarding reasons.
How do we apply the safeguarding compatibility condition?
To apply the safeguarding compatibility condition, you must:
- ensure the purpose you want to reuse the personal information for counts as safeguarding;
- be satisfied that the person you want to safeguard is either a child or an ‘at-risk’ adult; and
- ensure that reusing personal information is necessary to safeguard that person.
The UK GDPR provides definitions for each element of the safeguarding condition. Safeguarding in this context means:
- protecting a “vulnerable individual” from neglect or physical, mental or emotional harm; or
- protecting the physical, mental or emotional wellbeing of a “vulnerable individual”.
Only one of these needs to apply for your reuse of personal information to be necessary for the safeguarding condition.
The safeguarding condition only applies where the person involved is a “vulnerable individual”. The UK GDPR defines a “vulnerable individual” as:
- a child (ie someone under the age of 18); or
- an adult who is ‘at risk’.
All children and young people under the age of 18 are viewed as “vulnerable” in this context. But for adults, it depends on whether they are ‘at risk’. A person is ‘at risk’ within the meaning of this condition if you have reasonable cause to suspect they:
- need care and support;
- are either experiencing or are at risk of neglect or physical, mental or emotional harm; and
- as a result of those needs, are unable to protect themselves against such neglect, harm or risk.
You don’t need to have explicit confirmation that the adult meets the criteria of being ‘at risk’, though you might have this in some cases. When deciding whether someone is ‘at risk’, you should take an objective and reasonable view based on all the information you have.
To be accountable, you should document your assessment of how the adult meets the criteria of being at risk of vulnerability, including any evidence that supports your decision.
If you decide that what you want to do counts as safeguarding a “vulnerable individual”, you must determine if using personal information is necessary to safeguard them.
Example
A youth club runs activities for children in the area. One of the children who regularly attends the club has spoken to a club worker about personal problems they face at home. The worker is concerned that the child may be at risk from an abusive parent and shares this with other club organisers for advice on what to do.
The youth club decides it’s necessary to further use this information from the child. The purpose of the use is to inform social services that it has concerns about a safeguarding risk and to seek appropriate advice. It determines that it can rely on the safeguarding compatibility condition to reuse the information in this way. It also relies on the recognised legitimate interest lawful basis and its safeguarding condition.
What is our lawful basis?
As with any reuse of personal information, you must satisfy a lawful basis. If you originally collected the information based on consent, you must still consider whether it is reasonable to ask for consent from the person involved to reuse their information. However, given the nature of safeguarding, it’s unlikely that seeking consent is appropriate or practical in such circumstances.
In many cases, it’s likely that the recognised legitimate interest lawful basis is appropriate, as it has a safeguarding condition for this specific purpose. This recognised legitimate interest condition is similarly worded to the annex 2 compatibility condition. This may mean it’s straightforward for you to meet its requirements.
However, if you’re a public authority, you can’t use recognised legitimate interest if the safeguarding is part of your public tasks or official functions. In this case, it’s more likely that the public task lawful basis is appropriate.
If someone is in immediate danger, the vital interests lawful basis may be more appropriate.
If you are handling special category data for safeguarding purposes, such as health information, you must also satisfy an article 9 condition for processing. There is a specific substantial public interest condition for safeguarding that is likely to be valid in these circumstances.
If you are handling criminal offence data for safeguarding purposes, you must also comply with article 10 of the UK GDPR.