Information Sharing in Safeguarding: A Guide for UK Charities
A practical guide to information sharing in safeguarding for UK charities, covering the legal framework, when you can share without consent, information sharing agreements, multi-agency safeguarding hubs, and practical steps for compliance.
Information sharing is one of the most difficult areas of safeguarding practice. Share too little and a vulnerable person may come to harm. Share too much and you breach data protection law and the trust of the people you support. Getting this balance right is a core professional skill for anyone working in the UK charity sector — and the legal framework, while complex, provides clearer guidance than many practitioners realise.
TL;DR: UK law permits — and in some cases requires — charities to share personal information for safeguarding purposes, even without consent. The Data Protection Act 2018, the Children Act 1989 and 2004, and the Care Act 2014 all provide legal gateways for sharing. Serious case reviews — now called child safeguarding practice reviews — have repeatedly identified failure to share information between agencies as a contributing factor in harm to children. The Charity Commission assessed 3,132 serious incident reports in 2024-25, with safeguarding among the top three categories (Charity Commission Annual Report 2024-25).
What Is the Legal Framework for Information Sharing in Safeguarding?
The legal framework is built from several overlapping pieces of legislation that together create both the power and the duty to share information where safeguarding concerns arise. The key principle is that data protection law is not a barrier to sharing — it provides a structured framework for doing so lawfully.
UK GDPR and the Data Protection Act 2018
The UK GDPR requires a lawful basis for any sharing of personal data. For safeguarding information sharing, the relevant bases are:
- Legal obligation (Article 6(1)(c)): Where sharing is necessary to comply with a legal duty, such as safeguarding obligations under the Children Act or the Care Act.
- Vital interests (Article 6(1)(d)): Where sharing is necessary to protect someone's life or prevent serious harm.
- Public task (Article 6(1)(e)): Where sharing is necessary for the performance of a task in the public interest — applicable to many charity services, particularly those commissioned by statutory bodies.
- Legitimate interests (Article 6(1)(f)): Where the charity has a legitimate interest in sharing that is not overridden by the individual's rights — applicable in some safeguarding contexts.
For special category data (health, ethnicity, criminal records), Schedule 1 of the DPA 2018 provides additional conditions, including the safeguarding of children and individuals at risk (paragraph 18) and the prevention or detection of unlawful acts (paragraph 10).
Definition: An information sharing agreement (ISA) is a formal document between two or more organisations that sets out the legal basis, purpose, scope, and practical arrangements for sharing personal data in defined circumstances — typically to support multi-agency safeguarding or service delivery.
The Children Act 1989 and 2004
Section 47 of the Children Act 1989 imposes a duty on local authorities to investigate where they have reasonable cause to suspect that a child is suffering, or is likely to suffer, significant harm. Section 11 of the Children Act 2004 places a duty on key agencies (including charities delivering statutory functions) to make arrangements to safeguard and promote the welfare of children.
The statutory guidance Working Together to Safeguard Children (2023 revision) is explicit: "No practitioner should assume that someone else will pass on information which they think may be critical to keeping a child safe. If a practitioner has concerns about a child's welfare and considers that a referral to local authority children's social care is required, they should make the referral themselves."
The Care Act 2014
Section 42 of the Care Act 2014 establishes the framework for adult safeguarding, creating a duty for local authorities to make enquiries where an adult with care and support needs is experiencing or at risk of abuse or neglect. Section 45 provides for the establishment of Safeguarding Adults Boards (SABs), which coordinate multi-agency safeguarding activity.
The Care Act statutory guidance states that "early sharing of information is the key to providing an effective response where there are emerging concerns."
The Crime and Disorder Act 1998
Section 115 of the Crime and Disorder Act 1998 provides a power (not a duty) to share information for the purposes of preventing crime and disorder. This can be relevant for charities working with individuals involved in the criminal justice system or where safeguarding concerns involve criminal behaviour.
When Can Charities Share Information Without Consent?
This is the question that causes most anxiety in practice. The short answer is: in safeguarding situations, consent is desirable but not required. Many charity professionals report feeling uncertain about when they can share without consent — a knowledge gap that can delay critical referrals.
Where There Is a Risk of Serious Harm
If you believe a child or adult is at risk of serious harm, you can share relevant information with the appropriate statutory agency (typically children's social care or adult social care) without the individual's consent. The legal basis is the vital interests provision under GDPR and/or the legal obligations under the Children Act or Care Act.
The key test is proportionality: share only the information that is necessary and relevant to the safeguarding concern. Do not share the person's entire case file — share the specific information that the receiving agency needs to assess the risk and take appropriate action.
Where Consent Cannot Be Obtained Safely
There are circumstances where seeking consent could itself increase the risk of harm — for example, where a child might be at greater risk if a parent knows a referral has been made, or where an adult might be subjected to further abuse if a perpetrator learns that information has been shared. In these situations, the duty to protect overrides the duty to seek consent.
Where the Individual Lacks Capacity to Consent
Where an adult lacks the mental capacity to consent to information sharing, decisions should be made in their best interests under the Mental Capacity Act 2005, following the principles of the Act.
Where There Is a Legal or Statutory Duty
Certain statutory duties require information sharing regardless of consent. For example, the duty to refer under the Modern Slavery Act 2015, the duty to report under the Female Genital Mutilation Act 2003, and the Prevent duty under the Counter-Terrorism and Security Act 2015.
What Are Information Sharing Agreements?
Information sharing agreements (ISAs) are the formal mechanism through which organisations agree to share personal data on an ongoing basis. They are particularly important for charities that routinely work alongside statutory services — a common arrangement for organisations delivering commissioned services, working in multi-agency teams, or supporting individuals with complex needs.
What an ISA Should Contain
A well-drafted ISA typically includes:
Purpose and scope: What the agreement covers, why information is being shared, and what categories of data are included.
Legal basis: The specific GDPR articles and DPA 2018 conditions that authorise the sharing.
Data items: A schedule of the specific data fields that will be shared — not a blanket "all relevant information" clause.
Security arrangements: How data will be transmitted securely (encrypted email, secure portal, direct system-to-system integration), and how it will be stored by the receiving organisation.
Retention and deletion: How long shared data will be retained by each party and how deletion will be managed.
Governance: Who is responsible for the agreement, how breaches will be handled, and how the agreement will be reviewed and updated.
Individual rights: How the parties will coordinate responses to subject access requests that span the shared data.
| ISA Element | Purpose | Common Pitfall |
|---|---|---|
| Purpose and scope | Defines what sharing is covered | Too broad — covering "all safeguarding" rather than specific scenarios |
| Legal basis | Establishes lawful authority | Relying solely on consent when legitimate interests or legal obligation applies |
| Data items | Specifies what is shared | No schedule — leading to over-sharing |
| Security | Protects data in transit | Sharing via unencrypted email |
| Retention | Prevents indefinite holding | No deletion timelines specified |
| Governance | Ensures accountability | No named owner or review date |
The ICO's Data Sharing Code of Practice
The ICO's Data Sharing Code of Practice (updated 2021) provides detailed guidance on how to set up and manage information sharing arrangements. It emphasises that sharing should be based on a clear understanding of the legal basis, a documented assessment of necessity and proportionality, and appropriate security measures. Charities should treat this code as the primary reference document when establishing or reviewing ISAs.
What Are Multi-Agency Safeguarding Hubs (MASH)?
Multi-Agency Safeguarding Hubs — known as MASH — are the primary mechanism through which safeguarding referrals are received, triaged, and coordinated in most local authority areas in England. Understanding how MASH operates is essential for any charity that makes safeguarding referrals.
A MASH brings together professionals from multiple agencies — typically children's social care, police, health, education, and probation — in a single team. When a safeguarding referral is received, the MASH team can immediately access information from each agency's systems to build a fuller picture of the risk. MASH or equivalent multi-agency triage arrangements now operate in the majority of local authority areas in England.
How Charities Interact with MASH
Making referrals: Charities make safeguarding referrals to MASH using the local authority's referral form, which typically requests the child's or adult's details, the nature of the concern, and any relevant background information held by the referring organisation.
Providing information: After a referral, MASH may request additional information from the charity — for example, case notes, attendance records, or risk assessments. Charities should respond promptly, sharing only the information that is relevant and proportionate to the concern.
Receiving feedback: MASH should provide feedback to the referring organisation on the outcome of the referral, though in practice this does not always happen. Charities should follow up if they do not receive feedback within a reasonable timeframe.
Recording referrals and information shared with MASH in your case management system creates the audit trail that demonstrates your organisation acted appropriately and in accordance with its safeguarding procedures.
Practical Steps for Charities
1. Establish Clear Internal Policies
Your organisation needs a written information sharing policy that covers: the legal framework, when information can be shared without consent, who has authority to make sharing decisions, and how sharing decisions are recorded. This policy should be reviewed annually and all staff should receive training on it.
2. Train All Staff and Volunteers
Information sharing is not just for designated safeguarding leads. Every staff member and volunteer who works with service users needs to understand the basic principles: when to share, what to share, who to share with, and how to record sharing decisions. Regular training is widely recognised as the most effective way to reduce both inappropriate sharing and failure to share when it matters.
3. Record Every Sharing Decision
Whether you decide to share or not to share, record the decision and your reasoning. This creates an audit trail that protects both the individual and the organisation. Your case management system should have a structured mechanism for recording safeguarding concerns, referrals, and information sharing decisions.
4. Use Secure Methods
Never share safeguarding information via unencrypted email, text message, or social media. Use your local authority's secure referral portal, encrypted email (such as .gov.uk CJSM email), or direct system integration where available. If you must share by phone, follow up with a written record.
5. Review Your Information Sharing Agreements
If your organisation works regularly with statutory agencies — local authority children's or adult social care, police, NHS trusts — you should have information sharing agreements in place. Review them annually. Ensure they name a responsible officer, specify the data items covered, and include clear security and retention provisions.
6. Know Your Local Safeguarding Arrangements
Every local authority area has a Safeguarding Children Partnership (replacing the former LSCBs) and a Safeguarding Adults Board. These partnerships publish local information sharing protocols that charities in the area should follow. Make sure your designated safeguarding lead has access to and understands the local protocols for your area.
Multi-Agency Working: Beyond Referrals
For many charities, information sharing goes beyond making individual referrals. Organisations working in multi-agency settings — for example, those co-located in family hubs, participating in Team Around the Family meetings, or delivering services commissioned through integrated care systems — share information routinely as part of coordinated support delivery.
In these settings, clear protocols become even more important. Each agency must understand what information it can access, what it can contribute, and how shared records are governed. Using a case management system that supports multi-agency collaboration — with appropriate access controls so that each agency sees only the data it is authorised to access — is increasingly recognised as best practice.
Sector experience consistently suggests that multi-agency teams using shared digital platforms for case coordination achieve faster response times to safeguarding concerns than those relying on email and phone-based information exchange.
Frequently Asked Questions
Does GDPR prevent me from making a safeguarding referral?
No. This is the most common and most dangerous misconception in safeguarding practice. The UK GDPR provides multiple lawful bases for sharing personal data in safeguarding situations, including legal obligation, vital interests, and public task. The ICO has been clear and consistent: data protection law does not prevent — and should never be used as a reason not to make — a safeguarding referral. If in doubt, share.
Do I need to tell the individual before sharing their information?
In most cases, yes — you should inform the individual that you are making a referral and explain why. However, there are important exceptions: you should not inform the individual if doing so would increase the risk of harm (for example, alerting an abuser), if it would prejudice a criminal investigation, or if the individual lacks capacity. Record your decision and the reasons for it.
What if I share information and it turns out the concern was unfounded?
Sharing information in good faith based on a genuine safeguarding concern is protected, even if the concern is later found to be unfounded. The test is whether you had reasonable cause for concern at the time of sharing, not whether the concern was ultimately substantiated. You cannot be penalised under GDPR for acting in good faith to protect someone from harm.
How do small charities without a legal team handle information sharing?
Start with your local Safeguarding Children Partnership or Safeguarding Adults Board, which will have published local protocols and may offer free training. The NSPCC's information sharing guidance and the ICO's Data Sharing Code of Practice are both free and practical. Consider whether your designated safeguarding lead would benefit from a qualification such as the Level 3 Award in Education and Training or a specialist safeguarding course. For ongoing support, organisations like the National Council for Voluntary Organisations (NCVO) and local Councils for Voluntary Service (CVS) offer guidance and peer networks.
What records should I keep of information I have shared?
Record the date and time of sharing, who you shared with (name, role, and organisation), what information you shared, the legal basis for sharing, whether the individual consented (and if not, why consent was not sought), and the method of sharing. This record should be stored securely in the individual's case file within your case management system.
Recommended Next Pages
Case Management and Safeguarding – How case management systems support safeguarding workflows and compliance.
Multi-Agency Case Management – Practical guidance on coordinating support across multiple organisations.
Case Management, GDPR, and Data Protection for Charities – In-depth guidance on GDPR compliance for charity case records.
Last updated: February 2026
For more information about information sharing and safeguarding in your organisation, contact our team or schedule a demo.