The Ultimate Guide to Confidentiality in Childcare

child shush

Over the years many local authorities have made changes to improve record keeping in children’s services, including early years settings.

Sometimes practitioners can be confused about confidentiality. There can also be breakdowns in the communication chain, creating a gap in the safety net through which a child may fall.

The following guidelines should enable you to avoid these pitfalls.

Confidential information

Confidential information is ‘personal information of a private or sensitive nature’. Private information is information that:

● relates to an identifiable legal or natural person

● is not in the public domain or common knowledge

● would cause them damage, harm or distress if the information were made public

(Source: Statement on confidentiality – GOV.UK)

Early years practitioners have a professional, but ‘confidential relationship’ with families. Therefore, information families share should be treated as confidential. 

Where third parties share information about an individual, you need to check if that is confidential, both in terms of the subject sharing the information and the person whom the information concerns.

Information shared in the context of a nursery education and early years setting is confidential to the setting and, in some defined circumstances, to other staff within the organisation.

For example, a nursery manager may discuss a family in a supervision meeting with a senior manager for the purpose of professional support, clarification and accountability regarding your organisation’s procedures.

There may be times when confidential information about a family may need to be shared with others at senior level in the organisation – for example, you’d need to inform your committee or registered person about a high-profile case that may be reported in the press.

Breaching confidentiality

boy in white sweater holding his head beige background. High quality photo

A breach of confidentiality occurs when confidential information is not authorised by the person who provided it or to whom it relates, putting said person in danger or causing them embarrassment or distress.

It’s not a breach of confidentiality if the information was provided on the understanding that it would be shared with a limited number of people, or where there was consent to the sharing.

Exceptions

Confidential information may only be shared without authorisation from the person who provided it, or to whom it relates, if it’s in the public interest – ie where not sharing it could be worse than the outcome of doing so.

The decision should never be made as an individual, but with the backup of managers, who can provide support, and sometimes ensure protection.

The three critical criteria for sharing information without consent, or overriding refusal to give consent, are:

● Where there is evidence that a child is suffering, or is at risk of suffering, significant harm

● Where there is reasonable cause to believe that a child may be suffering, or at risk of suffering, significant harm

● To prevent significant harm arising to children and young people or serious harm to adults, including the prevention, detection and prosecution of serious crime

Children’s records

record
various medical record charts and folders in cabinet and on shelve sorted alphabetically and numerically

In a setting two kinds of records are kept on children. These may be kept electronically as part of your setting’s management software or may be paper based:

● Developmental records, including any observations and samples of children’s work that demonstrate their progress. These are maintained by the key person but can be accessed freely by the child, other educators working with the child and the child’s parents.

● Personal files, which are usually kept securely in the office. They contain confidential information, such as the registration form, contractual records and parental consent forms, as well as records regarding work undertaken with the family. Information regarding the setting’s concerns about a child are recorded and kept in here. It’s helpful to have a separate section in the file for this ongoing work.

4. Recording your concerns

The Continuum of Need outlined in the Local Safeguarding Partners Threshold Document provides educators and other practitioners with a means of locating where a child is within the continuum and how to provide for their needs.

If you have concerns about a child’s welfare, this comes under the ‘additional needs – integrated support’ section (Level 3). If you have concerns about possible child abuse, this comes under the ‘complex needs’ section (Level 4).

You must record all concerns about a child’s welfare or protection, and all actions taken as a result of your concerns, including relevant conversations, emails or other communication.

The records then build up as an ongoing and contemporaneous account of the work undertaken by your setting to promote the child’s welfare and/or protect them from harm.

Some local authorities, via their Local Safeguarding Partnership (LSP), have developed detailed recording systems, while others have left it up to agencies to develop their own systems. These should include a means of recording:

● marks or injuries on arrival – when a child arrives at your setting with a mark or injury that didn’t occur in the setting, ask the parent about it and record their explanation. Most of the time, the parent’s explanation will match how the injury appears and with what the child says, but when it doesn’t, or if the child has had an unusually high number of injuries, you may need to refer the child to social care

● concerns that arise from your observation about how a child presents, an injury or disclosure or observation of play or behaviour that arouses concern

● any discussion with the parent that took place as well as any consent to share information (which includes making a formal referral) and the reason why consent was either not sought or refusal for consent was overridden

● any decision made about the concern and the outcome of that

● any discussion with professionals about the child or any meetings attended and what the decisions or actions were

● information required by social care for making a referral; a form is helpful and enables you to gather the required information before making the call

Means of recording should enable you to gather information that is concise, non-judgemental and to the point. It should never become a task that is an end in itself, nor one in which the needs of the child become obfuscated beneath a pile of forms.

as a further note, the Local Safeguarding Children Board (LSCB) is now called the Local Safeguarding Partnership (LSP).

This change was implemented in the UK in 2019 as part of a government review to improve child protection and safeguarding arrangements. The LSP is a multi-agency partnership that brings together representatives from various organizations, including local authorities, health services, police, and education, to work collaboratively to safeguard children and young people.

Access to records

If there’s a dispute between a parent and your early years setting, or even with social care, the parent has a right to request to see confidential records concerning their child.

However, you’re not obliged to hand over the file on demand; the parent must make the request to see their file in writing – and if there’s confidential information in the file relating to third parties, each of these must be asked for consent to disclose entries.

This must be in writing to each individual named, including the parents. Most agencies will refuse consent as the parent should go directly to them to see any records.

Some individuals may wish to remain anonymous, such as another parent who shared concerns with you, and will refuse consent.

Make a copy of the file and delete any entry where consent has been refused to share.

What will remain in the file will be a trace of your work: your concerns and actions. Don’t hand this to the parent – instead, give them a copy and go through it with them so you can explain any areas of dispute identified.

The parent can take the cleaned copy with them, as they may need it to make their case, if there is one.

In each case, you should seek legal advice to make sure that you don’t inadvertently disclose third-party information. You should also seek legal advice if a parent is making a legal case against your setting.

What parents need to know

Parents need to know that sensitive information about them and their family will be kept confidentially; that your professional practice demands that some things are written down, including minor concerns or disputes; and that you’re obliged to record, in an accurate and non-judgemental manner, concerns about children’s welfare or abuse.

They need to know when you have made a note in their file and for what reason – unless it would put the child in danger.

They have a right to expect that information they share with you is treated as confidential, and to be informed that their consent will be sought, in most cases, if it must be shared; but they should be informed of circumstances where it may need to be shared without their consent.

Consent must be informed – that is, the parent needs to understand why information will be shared, what will be shared, who will see information, the purpose of sharing it and the implications for them of sharing that information.

The GDPR and Data Protection Act 2018 do not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe. To effectively share information:

● you should be confident of the processing conditions, which allow you to store, and share, the information that you need to carry out your safeguarding role. Information which is relevant to safeguarding will often be data which is considered ‘special category personal data’, meaning it is sensitive and personal

● where you need to share special category personal data, you should be aware that the Data Protection Act 2018 includes ‘safeguarding of children and individuals at risk’ as a condition that allows practitioners to share information without consent

● information can be shared legally without consent, if you are unable to or cannot be reasonably expected to gain consent from the individual, or if to gain consent could place a child at risk

● relevant personal information can be shared lawfully if it is to keep a child or individual at risk safe from neglect or physical, emotional or mental harm, or if it is protecting their physical, mental, or emotional wellbeing

(Source: Information sharing: advice for practitioners – GOV.UK

What is confidentiality?

Confidentiality derives from common law, which are broad legal obligations that come from case law, as opposed to statutory law. Common law on confidentiality ensures that someone who has been given information in confidence generally cannot misuse it or use it to their advantage.

There are criteria that must be met for common law on confidentiality to apply:

1. The information shared should be confidential by nature. This means that if the information shared is already common knowledge, it is unlikely to be able to stand as confidential information.

2. The person receiving the information must have known that the information was provided in confidence. It can be signalled by a label classifying it as confidential, or be secured in a system which suggests confidentiality. It can also be reasonably assumed that there is a level of confidence involved, based on the relationship between the two parties.

3. For confidentiality to be breached, the information must have been used in a way that disadvantages the person who shared it, without their consent.

Confidential personal data concerning children may include:

Group of kindergarten kids sitting closely on a floor together with teacher, providing group work. Children learning to cooperate while solving tasks.
  • Addresses, email addresses, telephone numbers.
  • Medical history.
  • Pictures.
  • Grades.
  • Educational needs.
  • Family history.
  • Social service records.
  • Psychological reports.
  • Sexual orientation.
  • Gender identity.

Rules about confidentiality often refer to particular types of information, as some types of information must be disclosed and should never be promised to be kept secret, for example, information that threatens a life.

In regards to childcare, there are more specific policies which refer to confidentiality, as the nature of confidentiality changes when working with children. It can be a confusing topic for some, so it is important that childcare practitioners are given ample opportunity to understand how each policy impacts their interaction with confidentiality. 

Why is confidentiality important in childcare?

The role of confidentiality in the effective safeguarding of children is paramount. When working with children, no matter the sector, the safety and protection of the child supersedes all other roles. In childcare, a strong understanding of confidentiality is key, and anyone who works with children should be given extensive training on the topic.

Training for those working in Early Years settings, including nurseries and childminders, will be even more fine-tuned to recognising non-verbal cues, such as physical signs of abuse, as younger children may have an issue articulating what has happened to them.

The organisation’s safeguarding and data protection policies should outline clearly the procedures for receiving, logging, sorting and sharing information.

As children come from a range of different settings, parents and carers must be assured that the personal information they share will be kept private. This is important for building trusting working relationships between childcare workers and families, based upon mutual respect. If confidentiality fails to be maintained, it can lead to a breakdown in trust.

A negative perception of childcare workers or institutions may result in important information not being shared by the family or child again in the future. Additionally, people who work with children must ensure that the environment feels safe enough for the child to be able to make disclosures. If they believe that the confidentiality will be breached, they may be reluctant to share information.

Confidentiality helps to avoid children and young people being exploited by others who may misuse that information.

In some cases of breached confidentiality, large fines may be issued and legal proceedings may occur, in line with data protection policies. A data breach is when information has either been misplaced, been shared with someone or been retrieved by someone who is not authorised.

Examples of breaching confidentiality might be:

  • Leaving sensitive paperwork lying around.
  • Leaving your laptop unattended with a child’s profile open.
  • Emailing the wrong person about a matter personal to the child.

Many breaches of confidentiality are accidental, sometimes occurring through a technological error, though this does not diminish the individual from responsibility. Breaching confidentiality could put the child in danger of further abuse, for example, in instances where abusive family members are made aware that a child has made a disclosure at school.

In sectors that interact with children, it is recognised that the timely sharing of relevant information is a very important tool to help prevent young people coming to any harm, and for the effective safeguarding of their welfare.

In the past, poor information sharing has been at the root of many failures where children’s welfare is concerned, in the education, health and social care sectors. Thus, there are many instances that information must be shared, with different policies providing guidance on this.

What legislation covers confidentiality in childcare?

Legislation on confidentiality in childcare is not limited to one policy, but is covered by a range of Acts and guidance policies. It is up to the organisation to ensure that all staff are aware of how confidentiality impacts their role, based on these documents.

The Data Protection Act 2018 and the GDPR

The Data Protection Act was replaced by the GDPR (General Data Protection Act), with an aim to let individuals have a larger say over how their data is shared. It is a common myth that the new GDPR Act prohibits the sharing of information, but this is false. It simply ensures that only relevant and accurate information is being shared, by consent of the individual.

There are five main principles of the GDPR:

1. There must be a lawful reason for obtaining the data, and the process must be clear.

2. The information gathered should only be used for the purpose stated.

3. Only necessary information should be collected, and nothing more.

4. All data collected must be accurate, and the systems and processes must be in place to keep the information current.

5. The data must be secured.

Organisations working with children such as nurseries and schools interact with sensitive data every day, which must be handled in a more protective manner. Databases should be secured from viruses and cyber-attacks.

Children Act 2004

The Children Act 2004 was created to establish clear safeguarding guidelines to protect the wellbeing of children and young people. Chapter 1.9 details the protocol on sharing information, in accordance with the guidance on Working Together to Safeguard Children, and states that some information must be shared to rapidly identify any child who is at risk of harm.

The Act instructs childcare practitioners to share information, where relevant and necessary, about:

  • The child’s physical and mental health.
  • Exposure to harm.
  • Parental needs that affect the wellbeing of the child, preventing them from being looked after properly.
  • Any individual who presents a risk to the child.

Human Rights Act 1998

Under Article 8 of the Human Rights Act 1998, each individual has the right to respect for their family and private life, their home and their correspondence. This means that all individuals are entitled to privacy in their sexuality, their identity, their relationships with others, and their messages and communications. However, the Children Act 2004, as listed above, overrides this in instances where there is a threat to the child or to others.

KCSIE (updated in 2021)

After the murder of Victoria Climbié in February 2000, the Every Child Matters initiative began, which paved the way for the Keeping Children Safe in Education (KCSIE) guidance. Eight-year-old Climbié was failed by multiple agencies involved in the responsibility for her welfare, after they neglected to act properly on information which suggested she was being severely abused by her carers.

Social workers, police, educational institutions and healthcare providers all failed to share and act upon relevant and accurate information in a timely manner. KCSIE, in conjunction with the guidance on Working Together to Safeguard Children, outlines procedures for staff in educational settings to safely record and report particular types of information.

What are the principles of confidentiality in childcare?

The government outlines seven ‘golden rules’ when it comes to sharing information.

These are as follows:

1. Whilst the GDPR has changed how organisations must operate regarding the sharing of data, it does not prevent the sharing of information entirely. Instead, it acts as a guide as to how to go about it in an appropriate manner.

2. When a child, young person, parent or carer shares information with you, be transparent with them about how this information will be used and who it may be shared with, unless for any reason the anonymity of other parties is necessary.

3. If there is ever uncertainty about the nature and sharing of information, ask the DSL (Designated Safeguarding Lead) or another knowledgeable figure, being sure to keep the information you are privy to confidential as you do so.

4. Seeking consent to share information is the best way to confidently disclose that information, as legally, consent is a requirement. However, you are entitled to share information without consent if you believe that there is a lawful need to. Your decision must be removed from feeling or instinct and be based on factual information. If you then tell the individual that you will be sharing this information, you must be clear about why, and what the consequences of sharing the information might be. You can still share information if there is a lawful need, with the individual’s consent.

5. You should consider that decisions you make about sharing information could impact your health and wellbeing, as well as that of others.

6. When sharing information, ensure that it is:

– Necessary. Consider if it is absolutely essential that you share this information, and ensure you tell only those individuals who absolutely need to know.

– Proportionate. Understand clearly what needs to be shared, and in how much detail.

– Relevant. Unless it is essential, only share the information which relates to the case.

– Adequate. Ensure that you have given enough information for the situation to be understood thoroughly.

– Accurate. Only give information as it has been relayed to you, and as you have observed objectively. Try to use the exact wording where possible.

7. Keep a log of your decision and why you decided to either share or not share the information. If you choose to share, write down who it has been shared with and why.

When can you break confidentiality in childcare?

When working with children and young people, you are often exposed to a high volume of personal information. Young people should be viewed as citizens with the right to have their personal information kept confidential.

However, consent is not always needed, and confidentiality should be set aside immediately if there is a risk to the child, to yourself, or to someone else. Those who work with children should receive regular training in signs of abuse, neglect and bullying, and should disclose their concerns at once to the relevant parties (usually a DSL) if they believe a child is at risk.

There may also be the opportunity to log these concerns on an automated system, which will notify the relevant parties.

Under no circumstance should a childcare practitioner make promises to children that they will not pass on the information they are being told. They should explain to the child that the information will be recorded, and may be passed on for their own protection.

The child should not be led to think that the adult is able to keep secrets for them, or keep important information confidential. It might appear that a child will confide in more depth if they believe that the information they share will remain private; however, this is misleading and may also leave the practitioner in a vulnerable position.

Some instances where confidentiality can be broken may be:

  • If you believe that the child is at risk from someone else.
  • If you believe that the child is at risk from themselves (i.e. self-harm).
  • If the child is at risk of committing a crime or being involved in a crime.
  • If the child has been the victim of a crime.

Additionally, sharing of some personal information is vital. This may include:

  • Allergies and nutritional information.
  • Medical needs.
  • Illnesses.
  • Educational needs.

Some organisations may be involved in the dissemination of information, as they are listed in the GDPR legislation as the key organisations with duties for safeguarding children.

These are:

  • The local authority.
  • NHS England, NHS Trusts, NHS Foundation Trusts.
  • Local police.
  • British Transport Police.
  • Prisons.
  • National Probation Service and community rehabilitation companies.
  • Youth offending teams.
  • Educational organisations such as schools, learning centres or voluntary educational organisations.

Breaking confidentiality where it is deemed necessary is an act of professionalism, and enables these agencies to provide help, support and/or intervention where necessary. It should not be seen as inappropriate, and a practitioner should never second-guess passing on information that they believe is vital for other parties/agencies to know.

Sharing of such information is a part of the duty of individuals or agencies working with children. For more advice on how and when to share information, visit the government website.

Kathy Leatherbarrow
Early Years Consultant
Kathy Leatherbarrow is an experienced early years consultant with over 25 years in the field. She excels in improving childcare quality, mentoring staff, and exceeding Ofsted standards. Kathy is committed to providing every child with the best start in life.