Data protection

Data protection is a vital part of safeguarding, but it’s an area that can feel daunting or complicated. Whether you’re part of a small charity, a local church, or a larger organisation, understanding your responsibilities around personal data is essential.

What do we mean by Data Protection?

In the UK, data protection is the legal and ethical responsibility organisations have to protect people’s privacy and personal information. It applies not only to digital records, but also to anything kept on paper.

Data Protection Legislation sets out the rules around processing data about identifiable, living people, and every organisation is expected to have a Data Protection Policy. This policy should explain how your organisation manages data, including who is responsible and what procedures are in place.

At the heart of the law are eight key data protection principles. These apply no matter the size of your organisation or the type of work you do:

Personal data must be adequate, relevant and not excessive in relation to its purpose.
Data should be accurate and kept up to date where necessary.
It should only be obtained and held for specified, lawful purposes.
Data must be processed fairly and lawfully.
It should only be processed in line with the consent given by the individual.*
All personal data must be stored securely and protected from loss, destruction or unauthorised access.
It should not be kept longer than necessary.
Data must not be transferred outside the European Economic Area unless adequate protection is in place.

*In safeguarding, you do not need consent to hold information about children, nor alleged perpetrators.

Data Protection in Safeguarding

While the protection of personal data is important, if you ever come to a point where you have to choose between protecting information or keeping someone safe, guidance advises that safeguarding comes first.

UK Data Protection Act 2018 (Schedule 8, Safeguarding of Children and of Individuals at Risk) offers a specific condition under UK law for when personal data processing (including sharing) can be done without the consent of the individual — namely:

where it is necessary to protect a child, or an individual at risk, from physical, mental or emotional harm or neglect;
where obtaining consent is not reasonably possible; or would prejudice the protection that is needed

Failing to share information can be harmful, and data protection law does not prevent sharing for safeguarding purposes.

How long should safeguarding records be kept?

Safeguarding records require extra care due to the sensitive information they contain and their potential role in future investigations.

Often in General Data Protection Regulation (GDPR), organisations are advised to hold information about people for minimal periods. However, in safeguarding, it is different. On average, it takes a victim-survivor 26 years to disclose their abuse. Therefore, suggested safeguarding retention periods are long so that important historical data is available if needed.

Retention guidance differs slightly in the four nations of the UK. Below is a summary of current guidance, but each organisation is responsible for staying up to date with the latest statutory or local guidance relevant to your setting.

Member resources:

Information asset register

External links:

Information Commissioner's Office

Voluntary Sector Archives Toolkit

GDPR, data protection law, Brexit and how to keep on top of your responsibilities | NCVO

Good Management Good Records - Northern Ireland

Thirtyone:eight is not responsible for the content or security of external sites.

England and Wales

Good practice is to keep safeguarding records for a minimum of 75 years, or in some cases, permanently.

The Independent Inquiry into Child Sexual Abuse (IICSA) recommends that, where an organisation has identified that it holds records that are known to relate to allegations or cases of child sexual abuse, that material should be retained for 75 years with review periods as appropriate. This reflects the requirement to retain records relating to looked-after children and care homes until the individual’s 75th birthday. Those relating to adoption are kept for 100 years.

Allegations that are found to be unfounded should be removed from a person’s record.

Scotland

Covenants of responsibilities for those convicted of a sexual offence and records of concerns relating to potential/actual sexual offending should be retained for 100 years.

Records relating to child protection concerns or adult protection concerns should be retained for 50 years.

For looked-after children, the Scottish Government’s guidance sets a precedent for 100-year retention, and SCVO and NRS support long-term retention where safeguarding or legal accountability is involved.

Current best practice guidance, such as that contained in the Section 61 Code of Practice on Records Management, under the Freedom of Information (Scotland) Act 2002, advises that:

Authorities should define how long they need to keep particular records, should dispose of them when they are no longer needed and should be able to explain why records are no longer held.

This final point is a distinct point of difference from England, Wales and Northern Ireland.

Northern Ireland

The “Good Management, Good Records” (GMGR) framework sets out retention schedules. For safeguarding or incident records involving children, retention can extend to 25 years or more. But records of those who pose a known risk are 100 years and files for care experienced are 75.

Schools and public bodies may be required to transfer certain records to the Public Record Office of Northern Ireland (PRONI) for permanent preservation if they are considered of public or historic value.

Things to consider

Handling safeguarding data responsibly is about more than just following the law – it’s also about protecting those in your care. To help with this, it is good practice to:

Have secure storage. Paper files should be locked away in restricted-access cabinets, and digital files should be kept in a secure online environment with strong access controls.
Have separate files for different types of information (concerns, allegations, referrals).
Plan ahead. If your organisation were ever to close, what would happen to the records? Make sure you have a handover or archiving plan.
Consider creating an Information Asset Register that lists the data your organisation holds, along with a retention schedule to ensure files are regularly reviewed.
Build in a process for media migration (e.g. scanning paper files to secure digital storage) to avoid data loss as formats change.

Questions to ask yourself

To make sure you’re handling safeguarding data appropriately, it’s worth pausing to reflect:

Does the information have safeguarding value?
If data needs to be kept long-term, could it be stored in a different format (e.g. scanning paper records into secure electronic files)?
Do you need to take legal advice or check with your insurance provider regarding data retention?
Does your head office, parent organisation, or church denomination already have guidance or policy in place?

Page last updated: 06 November 2025