Skip to main content

Multi-Agency Safeguarding Hub (MASH)

Children's Services Support Hub (CSSH) and Multi Agency Safeguarding Hub (MASH)

To comply with the UK General Data Protection Regulation (UK GDPR), where personal data relating to a data subject is collected, Lancashire County Council would like to provide you with the following details.

Contact details of this Lancashire County Council service

Note that for queries intended for this specific service, do not contact the Data Protection Officer (DPO) mailbox, instead please direct your query to our safeguarding team

Reasons for processing your personal data

We process personal data to meet our legal duties to safeguard and promote the welfare of children, young people, and adults with care and support needs. This information is used to:

  • Receive and assess concerns or requests for support, identify risk, and determine the most appropriate response at the earliest opportunity.

  • Carry out safeguarding enquiries and decision‑making, including assessing whether statutory intervention, early help, or other support is required.

  • Share relevant information lawfully with partner organisations such as health, police, education, and other safeguarding agencies, where necessary to protect individuals from harm.

  • Coordinate and record multi‑agency safeguarding activity, ensuring decisions are informed, proportionate, and accountable.

  • Plan, deliver, and review support or protective interventions, including monitoring outcomes and ensuring continuity of care.

  • Maintain accurate records and meet statutory record‑keeping obligations, including audit, oversight, and quality assurance.

  • Support practitioners in managing information efficiently, including limited use of approved digital tools to help organise, summarise, or draft information, with all judgments and decisions made by qualified professionals.

We only use personal data for safeguarding, early support, and related statutory purposes, and we process information in a way that is necessary, proportionate, and focused on protecting individuals and the wider public.

Use of artificial intelligence (AI) technologies

We are increasingly utilising AI technologies to process your personal data. This is primarily utilised within Lancashire County Council using Microsoft Copilot Web and Microsoft Copilot 365. Please consult our Artificial Intelligence privacy notice for more details of how we use these specific platforms.

We do not use AI to make automated decisions. There is always a human intervention to review and approve any outputs from the AI tools. Decisions are not made solely by automated means.

In limited circumstances, we may use approved artificial intelligence (AI)–supported digital tools to help our staff manage information more efficiently. These tools may assist with tasks such as summarising information, organising records, or drafting routine text.

AI tools are used only as a support to qualified practitioners. They do not make safeguarding decisions, determine outcomes, or replace professional judgement. All outputs are reviewed by staff for accuracy, relevance, and fairness before being used.

We only use AI within secure, Council‑approved systems and for clearly defined safeguarding and early support purposes. We take steps to minimise the amount of personal data used, apply appropriate access controls, and ensure compliance with data protection law.

There is no fully automated decision‑making affecting individuals. Safeguarding decisions and actions are always made by appropriately trained professionals.

Legal basis for processing personal data

We process personal data because we have legal duties to safeguard and promote the welfare of children, young people, and adults with care and support needs. The lawful bases relied upon under UK GDPR Article 6 are:

  • Article 6(1)(c) – Legal obligation
    We are required by law to receive, assess, share and act on safeguarding information. This includes duties under:

    • Children Act 1989 and 2004 (statutory safeguarding functions and child protection)

    • Care Act 2014 (adult safeguarding and Section 42 enquiries)

    • Working Together to Safeguard Children statutory guidance

    • Other legislation requiring cooperation between safeguarding partners.

  • Article 6(1)(e) – Public task / exercise of official authority
    We process personal data as part of our responsibilities to carry out safeguarding, early help, and multi‑agency information sharing in the public interest. This includes receiving referrals, assessing risk, coordinating responses, and working with partner organisations to prevent harm.

Where families engage in non‑statutory early help, we may ask for agreement to share information; however, consent is not the legal basis relied upon for safeguarding processing, especially where there is a risk of harm.

Legal basis for processing special categories of personal data

In carrying out our safeguarding and early support functions, we may need to process special category personal data (for example information about health, disability, ethnicity, or other sensitive matters).

We rely on the following conditions under UK GDPR Article 9:

  • Article 9(2)(b) – Social protection and social care law
    Processing is necessary to carry out legal duties relating to safeguarding children and supporting or protecting adults with care and support needs. This includes duties under:

    • Children Act 1989 and Children Act 2004

    • Care Act 2014 (including adult safeguarding enquiries)

    • Relevant statutory guidance issued under this legislation.

  • Article 9(2)(g) – Substantial public interest
    Processing is necessary to safeguard children and adults at risk, prevent harm or abuse, and promote welfare, with appropriate safeguards in place. This reliance is supported by the Data Protection Act 2018, Schedule 1, including provisions relating to safeguarding of children and individuals at risk, and protection of the public.

Special category personal data is processed only where it is necessary and proportionate for safeguarding or early support purposes, and additional measures are applied to protect confidentiality and security.

Legal basis for processing criminal offence data

In carrying out our safeguarding functions, we may need to process criminal offence and criminal allegation data, such as information provided by the police, probation, or other safeguarding partners.

Criminal offence data is processed only where it is necessary and under the control of a public authority, supported by UK law. We rely on:

  • Article 10 of the UK GDPR, together with conditions set out in the Data Protection Act 2018, Schedule 1, Part 2, including provisions relating to:

    • safeguarding of children and individuals at risk, and

    • protection of the public.

This processing is justified by statutory duties and powers under legislation including:

  • Children Act 1989 and Children Act 2004 (child protection and safeguarding)

  • Care Act 2014 (adult safeguarding, including safeguarding enquiries)

  • Relevant statutory guidance requiring cooperation and information sharing between safeguarding partners.

Criminal offence data is used solely for safeguarding and risk management purposes, shared only where lawful and necessary, and handled with appropriate safeguards to protect individuals’ rights and freedoms.

Information we process about you

When you, or someone else, contacts us with a concern or request for support, we may process the following types of information where it is necessary for safeguarding or early support purposes:

  • Personal details
    Such as name, date of birth, address, contact details, and information about family or household relationships.

  • Details about the concern or request for support
    Including the nature of the concern, circumstances described by the referrer, and information relevant to assessing need or risk.

  • Information about children, young people, and adults at risk
    Including details about wellbeing, safety, development, care and support needs, and factors that may increase or reduce risk.

  • Special category information
    Such as health information, disabilities, ethnicity, or other sensitive details, where relevant to safeguarding or support.

  • Criminal offence or safeguarding‑related information
    Including information shared by the police or other authorities where this is necessary to protect individuals from harm.

  • Information from partner organisations
    Such as health, education, police, probation, social care, or other safeguarding partners, where lawful information sharing is required.

  • Records created by our services
    Including notes, assessments, decisions, safeguarding plans, and correspondence.

  • Details about professionals involved
    Such as the name, role, and contact details of professionals who make referrals or contribute information.

We only process information that is relevant, necessary, and proportionate to safeguarding and early support functions, and we handle it securely and confidentially.

Recipients of the personal data that we process about you

We may share personal data where it is lawful, necessary, and proportionate to do so for safeguarding or early support purposes. Recipients may include:

  • Internal services within Lancashire County Council
    Including children’s and adults’ social care, early help services, and other relevant teams involved in safeguarding, assessment, or support.

  • Safeguarding partner organisations
    Such as the police, health services, education providers, probation, youth justice services, fire and rescue, and other statutory or safeguarding bodies.

  • Professionals involved in providing support or protection
    Where information sharing is needed to assess risk, coordinate interventions, or protect individuals from harm.

  • Other local authorities or public bodies
    Where responsibilities for safeguarding or support transfer or are shared.

  • Referrers or contacts
    In limited circumstances, we may share appropriate information with the person or organisation that raised a concern, where lawful and necessary.

We do not share personal data for commercial or marketing purposes. All information sharing is carried out in line with the law, using appropriate safeguards, and on a need‑to‑know basis to support safeguarding and public protection.

Any transfers to another country

We do not routinely transfer personal data outside of the United Kingdom.

Where information is processed using secure, Council‑approved digital systems, this is subject to appropriate safeguards to ensure personal data remains protected in line with data protection law. If, in limited circumstances, personal data were ever transferred outside the UK, this would only take place where lawful safeguards are in place to protect individuals’ rights and freedoms.

Safeguarding information is handled securely and used only for lawful safeguarding and early support purposes.

Retention periods

Lancashire County Council will only store your information for as long as is legally required or in situations where there is no legal retention period they will follow established best practice.

File type

Description

Security

Retention period

Looked After Children (LAC) case records

Case records for looked after children (care planning, placement, reviews).

Stored in secure Council systems with role-based access; shared on a need-to-know basis within statutory safeguarding frameworks.

Until the 75th anniversary of the child’s birth; or if the child dies before 18, for 15 years from the date of death.

Children’s Homes case records

Records for children accommodated in children’s homes.

Secure storage and restricted access in line with children’s social care governance; disclosures limited to safeguarding purposes.

Until the 75th anniversary of the child’s birth; or if the child dies before 18, for 15 years from the date of death.

Child protection / assessments / referrals / children in need

General safeguarding records where no specific legislative retention period applies (including MASH referrals, triage notes, screening outcomes).

Held on secure Council case management systems with audit trails; multi-agency sharing constrained to necessity and lawfulness.

35 years from closure of the case, unless the child is added to CP register, then 75 years.

Fostering – approved foster carers

Case records for approved foster carers and entries in the foster carer register.

Secure storage: access limited to authorised fostering service staff and safeguarding partners as required.

75 years from approval from end of care provision or deregistration.

Fostering – applications not approved / withdrawn

Records for applicants who are refused approval or who withdraw prior to approval.

Secure storage; restricted access within fostering service.

10 years from closure, refusal or withdrawal.

Adoption – Adoption Order made

Adoption records for children where an Adoption Order is granted.

Secure archival storage with enhanced confidentiality controls; access strictly governed.

100 years from the date of the Adoption Order.

Adoption – Adoption Order not made

Adoption case records where no Adoption Order is made.

Secure storage while active; then transfer to LAC record if applicable or destroy when no further action is necessary.

25 years from withdrawal for the prospective adopter. If the child becomes looked after, transfer to LAC case record (see LAC retention).

Your rights

You have certain rights under the UK General Data Protection Regulation (UK GDPR), these are those rights:

  • to be informed via Privacy Notices such as this.

  • to withdraw your consent. If we are relying on your consent to process your data, then you can remove this at any point.

  • of access to any personal information the council holds about yourself. To request a copy of this information you must make a subject access request in writing. You are entitled to receive a copy of your personal data within 1 calendar month of our receipt of your subject access request. If your request is complex then we can extend this period by a further two months, if we need to do this, we will contact you. You can request a subject access request, either via a letter or via an email to Information Governance Team, address below.

  • of rectification, we must correct inaccurate or incomplete data within one month.

  • to erasure. You have the right to have your personal data erased and to prevent processing unless we have a legal obligation to process your personal information.

  • to restrict processing. You have the right to suppress processing. We can retain just enough information about you to ensure that the restriction is respected in future.

  • to data portability. We can provide you with your personal data in a structured, commonly used, machine readable form when asked.

  • to object. You can object to your personal data being used for profiling, direct marketing or research purposes.

  • in relation to automated decision making and profiling, to reduce the risk that a potentially damaging decision is taken without human intervention.

If you want to exercise any of these rights, then you can do so by contacting:

Information Governance Team
Lancashire County Council
PO Box 78
County Hall
Preston
PR1 8XJ

Email: dpo@lancashire.gov.uk

To ensure that we can deal with your request as efficiently as possible you will need to include your current name and address, proof of identity (a copy of your driving licence, passport or two different utility bills that display your name and address), as much detail as possible regarding your request so that we can identify any information we may hold about you, this may include your previous name and address, date of birth and what council service you were involved with.

Identity and contact details of the data controller

  • Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Contact details of the data protection officer

  • Our Data Protection Officer is Joanne Winston. You can contact her at dpo@lancashire.gov.uk or Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ

Further information

For more information about how we use personal information see Lancashire County Council's full privacy notice.

If you wish to raise a complaint on how we have handled your personal data, you can contact the Information Governance team who will investigate the matter.

Lancashire County Council, PO Box 78 County Hall, Fishergate, Preston, Lancashire, PR1 8XJ or email: dataprotection@lancashire.gov.uk

If you are not satisfied with our response or believe we are processing your personal data not in accordance with the law you can complain to the Information Commissioner’s Office (ICO).