- Contact The DPO Centre
- +44 (0)203 797 1289
- hello@dpocentre.com
DUAA vs UK GDPR: What businesses need to know
July 3, 2025
GDPR compliance in white label banking
July 21, 2025
How can organisations share personal dataInformation which relates to an identified or identifiable natural person. about at-risk children in the UK responsibly and compliantly?
This blog explores that question in light of the independent report, National Audit on Group-based Child Sexual Exploitation and Abuse, led by Baroness Casey. Published on 16 June 2025, the report highlights the issues that continue to impact effective safeguarding, including fragmented data practices, organisational silos, and a lack of confidence in lawful data sharing.
While the UK’s new Data (Use and Access) Act 2025 (DUAA) reaffirms that data can be lawfullyIn data protection terms, 'lawfully' must satisfy one of the appropriate lawful basis for processing and must not contravene any other statutory or common law obligations. shared to protect children, many organisations still face real-world barriers – from outdated systems and unclear processes to a culture of caution.
Below, we look at what the report means for professionals working in data protection and compliance. With expert insights from DPO, Dom Newton, we focus on practical steps organisations can take to strengthen data sharing practices, enabling safer and more confident responses when children are at risk.
Important areas covered:
- DUAA reiterates data sharing for safeguarding
- Why is data not being shared?
- Could URNs be a smart solution?
- Next steps for healthcare and child-focused organisations
The Data (Use and Access) Act 2025 introduces a list of ‘Recognised Legitimate Interests’, including the sharing of personal data to protect vulnerable individuals. It also confirms that data can be shared for safeguarding purposes even if it was originally collected for a different reason. These are welcome clarifications, but it is important to note that data protection lawAny law, statute, declaration, decree, directive, legislative enactment, order, ordinance, regulation, rule or other binding restriction (as amended, consolidated or re-enacted from time to time) that relates to the protection of individuals with regards to the Processing of personal data. has long permitted this type of sharing, for example under the Vital Interests or Public Interest lawful bases.
This reiteration in the DUAA suggests there is still a misunderstanding of data protection law among practitioners, especially around how and when personal data can be shared for safeguarding purposes.
The Casey report highlights that well-intentioned services still fail to protect children because essential data is not shared effectively, despite legal permission. Reasons include:
- Cultural and institutional fear: Professionals may hesitate to share data due to fear of breaching confidentiality or getting the law wrong, especially where consentAn unambiguous, informed and freely given indication by an individual agreeing to their personal data being processed. hasn’t been explicitly obtained
- Disjointed systems: Local authorities, healthcare providers, police forces, and schools often operate on disparate and outdated systems that cannot interoperate
- Inaccurate or incomplete records: Data points such as ethnicity of offenders are often not recorded, and variable categorisation of abuse types can be misaligned across agencies
- Lack of training and clarity: Staff are not always confident in applying lawful bases under the UK GDPRThe UK General Data Protection Regulation. Before leaving the EU, the UK transposed the GDPR into UK law through the Data Protection Act 2018. This became the UK GDPR on 1st January 2021 when the UK formally exited the EU., leading to unnecessary caution and missed opportunities to intervene.
Could URNs be a smarter solution?
ContactPoint, a national register of children developed in response to Lord Laming’s review into the tragic death of seven-year-old Victoria Climbié, was an early attempt to address information sharing failures. Launched in the early 2000s, it aimed to provide a central record of professionals involved in a child’s life — such as GPs, schools, and social workers — and included a unique identifier for each child. However, it deliberately excluded specific case-level detail.
The controversial system was ultimately scrapped in 2010 amid concerns about civil liberties. Now, 15 years on, Baroness Casey’s audit recommends the use of a Unique Reference Number (URN) for each child, known to all relevant agencies, to support safe and consistent data matching.
Given modern technological capabilities and the stronger safeguardsWhen transferring personal data to a third country, organisations must put in place appropriate safeguards to ensure the protection of personal data. Organisations should ensure that data subjects' rights will be respected and that the data subject has access to redress if they don't, and that the GDPR principles will be adhered to whilst the personal data is in the... enshrined in UK data protection law, there is now a renewed opportunity to design systems that enable effective information sharing to protect children, while upholding core data protection principlesA series of principles which embody the requirements of the data protection regulation..
Next steps for healthcare and child-focused organisations
Following the government’s announcement of a new national inquiry into child sexual exploitation by grooming gangs, the Casey Report also serves as a renewed reminder to all organisations that hold data about children — particularly those in policing, social care, health, and the third sector. As safeguarding concerns grow and public scrutiny intensifies, proactive data governance is more important than ever.
Organisations should:
Know when you can share data
The UK GDPR allows you to share personal data without consent if it is necessary to fulfil a legal obligation or protect a child’s vital interests, including preventing or detecting serious harm.
Embed safeguarding in your data governance
Ensure Records of Processing Activities (RoPAs) clearly reflect how safeguarding data is collected, stored, and shared. Review retentionIn data protection terms, a defined period of time for which information assets are to be kept. schedules, access and security controls, and lawful bases accordingly.
Read our guide to building a Record of Processing Activities (RoPA).
Train your teams
Equip staff with the knowledge and confidence to act when safeguarding concerns arise. Practical training should address common misconceptions, particularly around consent, confidentiality, and lawful disclosure.
Review interoperability
Audit whether your current systems allow for secure, effective data sharing internally and with partners, such as social services or the police. If gaps exist, raise them with your senior leadership or data protection lead.
Key takeaways
Baron Casey’s National Audit on Group-based Child Sexual Exploitation and Abuse calls for renewed solutions to a longstanding issue: the failure to effectively share data about vulnerable children. Her report highlights the urgent need for better systems, stronger cross-agency cooperation, and greater confidence among professionals to act when a child is at risk.
The recently passed Data (Use and Access) Act 2025 reaffirms that data protection law does not prevent professionals from sharing information to protect children. As Dom Newton says, ‘Data protection law is not and should never be a barrier to sharing information in order to protect a child.’
But legal clarity alone is not enough, and organisations must take proactive steps to overcome cultural, technical, and operational barriers to facilitate timely and effective information sharing.
The DPO Centre has extensive experience supporting organisations with data sharing and implementing effective data governance frameworks. Get in touch with our team for practical guidance tailored to your sector.
Enquire
Fill in your details below and we’ll get back to you as soon as possible
