Skip to main content
Home

Safeguarding condition

Contents

In detail

What is the safeguarding condition?

Using personal information, including sharing it with other organisations, plays an important role in safeguarding. In some circumstances, it can be more harmful to people to not share information for this purpose. The UK GDPR enables you to handle personal information for safeguarding purposes and provides a recognised legitimate interest condition for this.

Annex 1 of the UK GDPR states:

6. This condition is met where the processing is necessary for the purposes of safeguarding a vulnerable individual.

We call this the ‘safeguarding condition’.

In the context of the safeguarding condition, protecting a "vulnerable individual" or their well-being includes both protecting one person and a group of people who share a common characteristic (eg serious health conditions or care needs).

Further reading – ICO guidance

Our Data sharing page contains guidance on sharing personal information between organisations for safeguarding reasons

Is it appropriate to use recognised legitimate interest for safeguarding in every situation?

No. This always depends on the circumstances. Recognised legitimate interest may not be the appropriate lawful basis for you to rely on for safeguarding. But there are other lawful bases you can consider using instead.

The legal obligation lawful basis is likely to be more suitable if you need to handle personal information for safeguarding to comply with a law (either a statute or in common law). This may include organisations in regulated industries who are subject to regulatory requirements to ensure the fair treatment of their customers who may be at risk of harm (depending on the circumstances).

If safeguarding is part of your public tasks or functions, your lawful basis is likely to be public task. (For more information, see Can public authorities use recognised legitimate interest?.)

For everyone else, recognised legitimate interest is likely to be appropriate when you’re handling personal information for safeguarding purposes, subject to meeting the criteria of this condition. However, if you can’t meet its requirements, the legitimate interests lawful basis may be appropriate. But you must satisfy its three-part test, which includes balancing the interests, rights and freedoms of the person whose information you want to use.

If someone is in immediate danger, vital interests may be the appropriate lawful basis.

Further reading – ICO guidance

Legal obligation

Legitimate interests

Vital interests

How do we apply the safeguarding condition?

To use the safeguarding condition, you must:

  • ensure what you want to do with the personal information counts as safeguarding;
  • be satisfied that the person you want to safeguard is either a child or an ‘at risk’ adult; and
  • demonstrate that your processing of personal information is necessary to safeguard that person.

The UK GDPR provides definitions for each element of the safeguarding condition. Safeguarding in this context means:

  • protecting a "vulnerable individual" from neglect or physical, mental or emotional harm; or
  • protecting the physical, mental or emotional well-being of a "vulnerable individual".

Only one of these needs to apply for your use of personal information to be necessary for the safeguarding condition.

The safeguarding condition only applies where the person involved is a "vulnerable individual". The UK GDPR defines a "vulnerable individual" as:

  • a child (ie someone aged under 18); or
  • an adult who is ‘at risk’.

All children and young people under the age of 18 are regarded in this context as "vulnerable". However, for adults it depends on whether they are ‘at risk’. A person is ‘at risk’ within the meaning of this condition if you have reasonable cause to suspect they:

  • need care and support;
  • are either experiencing or are at risk of neglect or physical, mental or emotional harm; and
  • as a result of those needs, are unable to protect themselves against the neglect, harm or risk.

You don’t need to have explicit confirmation that the adult meets the ‘at risk’ criteria, though in some cases you might have this. When deciding whether someone is ‘at risk’ or not, you should take an objective and reasonable view, given all the information you have.

As part of your accountability responsibilities, you should document your assessment of how the adult meets the criteria to be ‘at risk’ of vulnerability, including any evidence that supports your decision.

Once you’ve determined that what you want to do counts in this context as safeguarding a "vulnerable individual", you must determine if using personal information is necessary to achieve this.

This doesn’t mean it has to be absolutely essential to handle personal information for safeguarding but you must ensure it is more than just useful. You should handle it in a targeted and proportionate way.

Example

A children’s welfare charity runs a youth club for 11 to 16 year olds in its area.

Over several weeks, the group leader notices a deterioration in one child’s appearance and behaviour which suggests they are experiencing physical neglect at home.

The charity understands that as a child they are a "vulnerable individual" and wants to protect them from physical neglect. The charity decides it is necessary to share relevant personal information about the child with the local authority’s child protection team to protect the child from harm. It relies on recognised legitimate interest and the safeguarding condition to share this information.

In some circumstances, applying the safeguarding condition may be appropriate if you’re asked by another organisation to share personal information with them for safeguarding purposes. For example, the police may ask you for personal information to help locate a missing person who is at risk of harm.

Remember, you must still meet all your other data protection obligations when using personal information for safeguarding. For example, you must comply with:

(For more information on your other obligations, see What else do we need to consider?.)

Further reading – ICO guidance

Documentation

How do we deal with changes in someone’s situation?

You may become aware that someone’s circumstances have changed and they no longer meet the definition of a "vulnerable individual". In this situation, you can’t rely on recognised legitimate interest if you need to use personal information to safeguard this person.

For example, if you handle personal information to safeguard children, you should plan in advance for the impact on your lawful basis when they turn 18 years old. Once they reach adulthood, they will no longer count as a child under the safeguarding condition. (For more information, see How do we apply the safeguarding condition?.)

In many circumstances it’s likely that a child in need of safeguarding will continue to be ‘at risk’ once they are 18 years old. However, you must decide if you can continue to rely on recognised legitimate interest as your lawful basis. This is because adults don’t automatically meet the definition of a "vulnerable individual" for the purposes of the safeguarding condition.

If you decide that you can’t continue to rely on recognised legitimate interest to safeguard that person, you must identify a different lawful basis and update your privacy information. However, using a new lawful basis doesn’t impact on the lawfulness of how you’ve handled personal information up to this point.

In many cases, you may find the legitimate interests lawful basis is appropriate. But you must satisfy its three-part test.

If the circumstances change for whatever reason and you need to apply a new lawful basis, remember you must still comply with all your other data protection obligations. (For more information, see What else do we need to consider?.)

Further reading – ICO guidance

Legitimate interests