When people think about admin support - whether that's for a large consultancy, a small therapy practice, a school, or a developing charity - they picture inbox management, diary juggling, minute taking... The usual stuff.
But if you're the person entrusted with sensitive information (health records, ethnicity, safeguarding concerns, that kind of thing), the job changes shape completely. You're not just processing paperwork anymore. You're holding someone's private life in your hands.
And sharing that information without the right authorisation isn't a "clerical error" you can shrug off. It's a genuine breach of trust (and the law) - and it needs to be treated that way.
Get this wrong and the consequences aren't abstract:
Stigma and discrimination - once someone's sensitive details are out there, they can't be unshared, and that can lead to real, unfair treatment.
Emotional distress - losing control over your own privacy is genuinely traumatic, for individuals and for whole families.
Safety risks - in a safeguarding context, an accidental disclosure could put a vulnerable person in actual danger.
This isn't me being dramatic, it's just the reality of what we're dealing with.
There's a common myth that sensitive information should never be shared, full stop. That isn't true - lawful sharing is part of doing the job properly. But the bar is high, and for a child's special category data (health, ethnicity, and so on), you actually need two things stacked together: a lawful basis, and a separate condition specifically for that type of data. One on its own isn't enough - you need both at the same time.
Explicit consent
You've got clear, informed permission from the person (or their parent/guardian) - though worth knowing the ICO is clear this isn't required in a safeguarding context, and usually isn't the best route (a parent's consent can be withdrawn at exactly the moment a child needs protecting).
Vital interests
It's needed to protect someone's life - a genuine emergency, e.g. an unconscious patient who can't consent. Not your everyday safeguarding concern.
Legitimate interests / Public task
These are the bases the ICO actually points to as most commonly appropriate for safeguarding purposes - alongside legal obligation, below.
Legal obligation
The law requires you to hand it over.
Safeguarding of children and individuals at risk
This is its own distinct condition in the DPA 2018 (not the same as vital interests) - built specifically for sharing a child's or vulnerable adult's information where there's a risk of harm.
My golden rule (and one I'd encourage every VA handling sensitive data to adopt): ask yourself, does this person actually need this information to do their job, or are they just curious? If it's the latter, the answer is no. Every time.
Transparency is everything here. The moment you realise something's gone wrong:
Stop the flow. Revoke access straight away - pull shared permissions, delete the email if you still can.
Assess the damage. What went out? Who received it? What's the actual risk to the person involved?
Report it. Work out whether it meets the threshold for reporting to the ICO. Even if it doesn't, document it internally anyway - what happened, and what you did to fix it.
Tell the person affected. If the risk is high, they need to know so they can protect themselves. This is an ethical obligation as much as a legal one.
The ICO doesn't just send a stern email and move on - it publishes enforcement action, and it's worth having a look through their public records if you want a sense of how these things actually play out in practice. There are patterns that come up again and again:
Sensitive information sent to the wrong recipient (misdirected emails are a classic).
Sensitive files - physical or digital - left accessible to people who had no business seeing them.
No basic safeguards in place: no encryption, no proper access controls.
None of these are exotic failures. They're ordinary mistakes made by people who didn't have the right systems in place - which is exactly why the systems matter so much.
Before I take on any work involving sensitive data, I make sure the following are in place:
A Data Processing Agreement - a proper contract that sets out who's responsible for what.
A documented lawful basis - I know exactly why I'm allowed to hold this data, not just that I am.
Secure infrastructure - MFA, encryption on sensitive documents, secure platforms for sharing (never just bunging things in an email attachment).
A breach procedure - a "break glass" plan for the moment something goes wrong, because it's a "when," not an "if," you should plan for.
Ongoing training - data protection isn't a box you tick once. It's a habit you keep.
At the end of the day, professionalism is measured by how carefully you handle the most sensitive information you're trusted with. If you're handling that kind of data, you're not just an admin support - you're a guardian of it. So act like one.
I am not a lawyer or legal professional. Data protection regulations are complex. This content is provided for general information and should not be considered legal advice. Please consult the official ICO guidance (https://ico.org.uk/) or a qualified legal professional to ensure your specific practices fully comply with current data protection laws.