This is a new service – your feedback will help us to improve it.

DfE logo

Privacy Notice: Child Safeguarding Online Notification System

Who we are

This document is issued by the Children’s Social Care Innovation, Practice and Reform team, which is a part of the Department for Education (DfE). Children’s Social Care Innovation, Practice and Reform has the policy responsibility for child protection and for establishing the Child Safeguarding Practice Review Panel (the Panel) and providing its Secretariat. Although established by DfE, the Panel is independent of Government, has its own statutory powers and can make its own decisions. The Panel’s primary purpose is to commission national reviews of child safeguarding cases that raise issues that are complex or of national importance. Its main objective is to develop learning through improvement, using what it learns from serious safeguarding cases to increase capability within local child protection and safeguarding systems.

What is the purpose of this document?

DfE is committed to protecting the privacy and security of personal data. This Privacy Notice describes how we (the Children’s Social Care Innovation, Practice and Reform team in DfE) collect and use personal data during and after operation of the Child Safeguarding Online Notification System.

How and why is the data collected?

Notifications are submitted to the Panel using the Child Safeguarding Online Notification System (‘the System’) and are submitted by local authorities only. The notifications allow local authorities to comply with the duty, brought in by 16C(1) of the Children Act 2004, to notify incidents to the Panel where a local authority in England knows or suspects that a child has been abused or neglected and:

  • the child has died or has been seriously harmed in the Local authority’s area; or
  • while normally resident in the Local authority’s area, the child has died or been seriously harmed outside England.

Notifications will also be made by local authorities to the Panel, under Schedule 2, paragraph 20(1)(a) of the Children Act 1989, where the local authority must notify the Secretary of State for Education and Her Majesty’s Chief Inspector of Education, Children’s Services and Skills (Ofsted) if a child who is being looked after by a local authority dies whether or not neglect is known or suspected.

Once a notification is submitted no local authority, including the one that made the notification, will have access to it.

For the purpose of data protection legislation, the DfE and Ofsted are the joint data controllers for the personal data received via the System, that is, the DfE and Ofsted jointly determine the purpose for and manner in which the personal data is processed. The personal data is processed by the Panel. This means the Panel carries out activities involving the personal data, including (but not limited to) collecting, storing, sharing and destroying.

How we will use the information

The Panel will use the notifications to inform their deliberations about whether a national child safeguarding practice review of any of those incidents notified is required and in maintaining oversight of the system of national and local reviews and how effectively it is operating (all local safeguarding arrangements are to be in place by 29 September 2019). Statutory Guidance: Working Together to Safeguard Children

An essential part of the Panel being able to fulfil its role will be its ability to receive statutory notifications of serious injury and death of children from local authorities.

The nature of the personal data we will be using

The categories of personal data that will be contained in each notification will cover:

Personal data:

  • Local authority notifier’s first name, last name, job role, telephone number, work email address, local authority
  • Date of incident
  • Number of children
  • Characteristics of the incident:
    • Abuse (sub-categories: Alcohol, Domestic violence, Drugs/Solvents, Emotional, Faith-based, Online, Peer-on-peer, Physical: self-harm, Physical: female genital mutilation, Sexual: inter-familial)
    • Bullying
    • Child perpetrator
    • Criminal exploitation (sub-categories: County lines, Modern slavery, Trafficking, Other)
    • Extremism
    • Fabricated illness
    • Filicide - when a parent kills their child
    • Gang violence
    • Harmful sexual behaviour (sub-categories: Extra-familial, Intra-familial)
    • Injury
    • Knife crime
    • Life-limiting illness (natural causes)
    • Neglect (sub-categories: Long-standing, Recent)
    • Risk-taking behaviour by child
    • Road traffic accident
    • Self-harm
    • Serious illness
    • Sexual exploitation
    • Shaken baby syndrome
    • Sudden infant death syndrome
    • Suicide
    • Other (must provide details for ‘other’)
  • Incident outline – what happened
  • Child’s full name
  • Child’s date of birth
  • Child’s Gender
  • Legal status of child
  • Parent or Guardian (of child) details (legal status of child; relationship with child)
  • Has child been on child protection plan (dates and status open/closed)
  • child protection plan categories: Emotional abuse, Neglect, Physical abuse, Child Sexual Abuse (start and end dates)
  • Placement details (where child was staying at time of incident - includes address and who is responsible for the management of this location)
  • Education and early years provision details (child was attending - includes name of establishment and address)
  • Agency details (child known to social care or any agencies prior to the incident)

Special category data:

  • Child’s ethnicity
  • Any prior disability
  • Health
  • Reasons for notification (Death: abuse, neglect, looked-after child – life-limiting illness; Serious Harm: abuse, neglect)
  • Death: detail an whether natural causes

This list is exhaustive.

We will also process sensitive information that is not necessarily considered as personal or special category data e.g. anonymous data or data where the identity of the individual has been irretrievably removed.

Why our use of your personal data is lawful

In order for our use of your personal data to be lawful, we need to meet one (or more) conditions in the data protection legislation. For the purpose of this project, the relevant condition(s) that we are meeting are (as required by the General Data Protection Regulations (‘GDPR’) and the Data Protection Act 2018 (‘the DPA’):

  • The processing of personal data is also necessary to fulfil a legal requirement placed on the Department (Article 6 (1) (c) of the GDPR) i.e. the Secretary of State for Education has a general statutory duty to promote the well-being of children (s.7 of the Children and Young Persons Act 2008).
  • Processing of personal data is necessary in order to perform a task in the public interest or in the exercise of official authority, i.e. it is necessary for the exercise of a function of the Crown, a Minister of the Crown or a Government department (Article 6 (1) (e) of the GDPR and s.8 (c) and (d) of the DPA).
  • Special categories of personal data need to also be processed as it is necessary in order to perform a task in the public interest or in the exercise of official authority (Article 6 (1) (e) of the GDPR). In addition to this, the processing is necessary for the processing is also necessary for reasons of substantial public interest on the basis of EU or member state law (Article 9 (2) (g) of the GDPR, supplemented by paragraph 12 (c) of Schedule 6 of the DPA 2018 (Chapter II of the GDPR (principles)), section 10 (3) of the DPA 2018 (Special categories of personal data and criminal convictions etc data) and paragraphs 5 (Requirement for an appropriate policy document when relying on conditions in this Part), 18 (Safeguarding of children and individuals at risk), 39 (Requirement to have an appropriate policy document in place) and 41 (additional safeguard: record of processing) of Schedule 1 of the DPA 2018.

There can be rare occasions where it will be necessary to use the personal data to protect your interests or someone else’s interests (Article 6 (1) (d) of the GDPR).

How we will share the information

The notifications received by the Panel will also be shared with other teams in the DfE and Ofsted. In broad terms the data sharing will allow:

  • Ofsted to support its regulatory and inspection work, in particular to assess local authority children’s services and inspection of services for looked after children, safeguarding and child protection. In exercising its functions, Ofsted must have regard for the need to promote and safeguard the welfare of children (under section 117 of the Education and Inspections Act 2006 (‘the 2006 Act’) and section 153 of the 2006 Act provides that information obtained by the Chief Inspector of Ofsted in connection with any of his functions may be used by him in connection with any of his other functions.
  • The DfE, as a department of the UK government, to exercise effectively its responsibilities for children and young people in England up to the age of 18, including child protection and education. The Secretary of State for Education has a general duty to promote the well-being of children (s.7 of the Children and Young Persons Act 2008) and the DfE uses safeguarding information received from local authorities by the Panel to inform development of policy on child protection and wider reforms to the children’s social care system in England. It also uses the information to inform any action being taken or to be taken by the government in relation to local authority interventions. The Serious Child Incident Team in the DfE will have immediate direct access to notifications made through the System as the team with responsibility for serious incident notifications for the DfE.

Whom we will make the personal data available to

We will make the personal data contained in the notifications available to the Panel, Ofsted and other teams in the DfE, such as the Serious Child Incident Team. Staff working for the Panel, Ofsted and the DfE will have Baseline Personnel Security Standard clearance and therefore be cleared to handle the personal data. We may also provide personal data from the notifications to contracted partners whom we have employed to process the personal data on our behalf for specific research purposes. All such personal data shared with contracted partners will be anonymised so that it no longer constitutes personal data. Where we need to share the personal data with others, we ensure that this data sharing complies with data protection legislation.

There are currently no plans to share the personal data with third party processors. Should this change, this privacy notice will be updated with the details and Baseline Personnel Security Standard clearance checks will also be completed for any third parties engaged prior to sharing the data.

How long we will keep the personal data

We will only keep the personal data for as long as necessary to achieve the agreed purposes for which it was collected for each of the parties (Ofsted and the DfE), after which point it will be securely destroyed. At a minimum, this will require the three parties to undertake bi-annual reviews to ensure that the personal data is not retained for longer than is necessary for the purposes for which it was provided to them.

Please note that, under Data Protection legislation, and in compliance with the relevant data processing conditions, we can lawfully keep personal data processed purely for research and statistical purposes indefinitely.

The data protection rights

You have the right:

  • to ask us for access to information about you that we hold
  • to have the personal data rectified, if it is inaccurate or incomplete
  • to request the deletion or removal of personal data where there is no compelling reason for its continued processing
  • to restrict our processing of the personal data (i.e. permitting its storage but no further processing)
  • to object to direct marketing (including profiling) and processing for the purposes of scientific/historical research and statistics
  • not to be subject to decisions based purely on automated processing where it produces a legal or similarly significant effect on you

If you need to contact us regarding any of the above, please do so via the DfE site at:

You can also contact the DfE’s Data Protection Officer, Emma Wharram by email at or by post to Emma Wharram, Data Protection Officer, Department for Education, 2 Rivergate, Temple Quay, Bristol BS1 6EH.

Further information about the data protection rights appears on the Information Commissioner’s website at:

The right to lodge a complaint

You have the right to raise any concerns with the Information Commissioner’s Office (ICO) via their website at

Last updated

We may need to update this privacy notice periodically so we recommend that you revisit this information from time to time. This version was last updated on 14 February 2019.

Contact Information: If you have any questions about how the personal data will be processed please contact us at