Information Sharing and Confidentiality – Manchester Provider APPP Resource

RELEVANT INFORMATION

Confidentiality – Guidance for Registrants (Health and Care Professions Council)

RELEVANT CHAPTERS

Safeguarding Adults from Abuse or Neglect

1. Introduction
2. Principles of Sharing Information
3. Seven Golden Rules for Sharing Information
4. When and How to Share Information
- 4.1 When
- 4.2 How
5. Confidentiality
6. Sharing Information with Relevant Bodies

1. Introduction

Staff are often required to work within a multi-agency arena and therefore need to be confident when they can share information with other professionals. Good information sharing is essential for providing safe and effective care. Data protection legislation (see Data Protection Act: Legislation and Practice chapter) should not be seen as an obstacle to sharing information, but as a framework of best practice which helps to ensure that when agencies record and share information, they do so safely and in a way which is transparent and in line with the law.

Sharing information with other agencies helps to promote the wellbeing and improve outcomes for adults with care and support needs and their carers by ensuring that services are joined up and that the different professionals involved know what they are each doing. Information sharing is also very important in keeping adults (and their families) safe from harm. Any safeguarding concerns should be shared with the council’s adult social care department as a safeguarding referral. You should not assume someone else will pass on information which may be vital to keeping a vulnerable adult or child safe.

There is an expectation that from their first point of contact with the service, adults will be helped to understand what information that is being collected, processed and stored in relation to them and give their consent to this. Under data protection legislation, this consent must be freely given, specific and informed – it can also be withdrawn at a later date. Adults with care and support needs also have a right to know if and when information held about them is going to be shared, for what purpose it will be shared and with whom (unless there is justified reason to share without informing the individual concerned).

There are certain circumstances when sharing information is not appropriate and doing so can cause detriment to adults and the service. However, not sharing information can have serious consequences, therefore all staff must use their professional judgement on a case by case basis, and if necessary seek help from their line manager before making a decision. All decisions and outcomes need to be recorded appropriately.

Staff must apply a consistent and responsible approach to information sharing and should ensure that they are familiar with local information sharing protocols and supporting government guidance in relation to information sharing.

2. Principles of Sharing Information

When sharing information with other practitioners and organisations, the following principles apply and will help to ensure that all information shared is:

Necessary and proportionate: When taking decisions about what information to share, you should consider how much information you need to release. Data protection legislation (including the General Data Protection Regulation) requires you to consider the impact of disclosing information on the information subject and any third parties. Any information shared must be proportionate to the need and level of risk.

Relevant: Only information that is relevant to the purposes should be shared with those who need it. This allows others to do their job effectively and make sound decisions.

Adequate: Information should be adequate for its purpose. Information should be of the right quality to ensure that it can be understood and relied upon.

Accurate: Information should be accurate and up to date and should clearly distinguish between fact and opinion. If the information is historical then this should be explained.

Timely: Information should be shared in a timely fashion to reduce the risk of harm. Timeliness is key in emergency situations and it may not be appropriate to seek consent for information sharing if it could cause delays and therefore harm to an adult or child at risk of harm. Practitioners should ensure that sufficient information is shared, as well as consider the urgency with which to share it.

Secure: Information should be shared in an appropriate, secure way. Practitioners must always follow their organisation’s policy on security for handling personal information.

Record: Information sharing decisions should be recorded whether or not the decision is taken to share. If the decision is to share, reasons should be cited including what information has been shared and with whom, in line with organisational procedures. If the decision is not to share, it is good practice to record the reasons for this decision and discuss them with the requester. In line with each organisation’s own retention policy, the information should not be kept any longer than is necessary. In some circumstances this may be indefinitely, but if this is the case there should be a review process.

3. Seven Golden Rules for Sharing Information

Remember that data protection legislation is not a barrier to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.
Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
Seek advice from other practitioners or your line manager if you are in any doubt about sharing the information concerned; you should do this without disclosing the identity of the individual where possible.
Where possible, share with informed consent where appropriate and respect the wishes of those who do not consent to having their information shared. Under the UK GDPR and Data Protection Act 2018, you may still share information without consent if, in your judgement, there is lawful reason to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be certain of the basis upon which you are doing so. Where you have consent, be mindful that an individual might not expect information to be shared.
Consider safety and wellbeing: Base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.
Necessary, proportionate, relevant, adequate, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.
Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

4. When and How to Share Information

When asked to share information, you should consider the following questions to help you decide if and when to share. If the decision is taken to share, you should consider how best to effectively and securely share the information.

4.1 When

Q1. Is there a clear and legitimate purpose for sharing information? This includes taking action in relation to safeguarding children and adults.

Yes – see Q.2;
No – do not share.

Q.2 Does the information enable an individual to be identified?

Yes – see Q.3;
No – you can share but should consider how.

Q.3 Is the information confidential?

Yes – see Q.4;
No – you can share but should consider how.

Q.4 Do you have consent?

Yes – you can share but should consider how;
No – see Q.5.

Q.5 Is there another reason to share information such as to fulfil a public function or to protect the vital interests of the information subject? See also Section 6, Sharing Information with Relevant Bodies below.

Yes – you can share but should consider how;
No – do not share.

4.2 How

Identify how much information to share;
Distinguish fact from opinion;
Ensure that you are giving the right information to the right individual;
Ensure that you are sharing the information securely.

Inform the individual that the information has been shared if they were not aware of this, as long as this would not create or increase risk of harm

All information sharing decisions and reasons must be recorded in line with your organisation or local procedures. If at any stage you are unsure about how or when to share information, you should seek advice and ensure that the outcome of the discussion is recorded.

5. Confidentiality

Confidential information includes all data collected for the provision of health and social care services where individuals can be identified and would expect that it will be kept private. This may include for instance details about symptoms, diagnosis, treatment, names and addresses.

Agencies should draw up a common agreement relating to confidentiality and setting out the principles governing the sharing of information, based on the welfare of the adult or of other potentially affected adults.

Any agreement should be consistent with the Caldicott Principles which ensure that:

information will only be shared on a ‘need to know’ basis when it is in the interests of the adult;
confidentiality must not be confused with secrecy;
informed consent should be obtained but, if this is not possible and other adults are at risk  of abuse or neglect, it may be necessary to override the requirement; and
it is inappropriate for agencies to give assurances of absolute confidentiality in cases where there are concerns about abuse, particularly in those situations when other adults may be at risk.

Where an adult has refused to consent to information being disclosed for these purposes, then practitioners must consider whether there is an overriding public interest that would justify information sharing (for example because there is a risk that others are at risk of serious harm) and wherever possible, the appropriate Caldicott Guardian should be involved.

Decisions about who needs to know and what needs to be known should be taken on a case by case basis, within agency policies and the constraints of the legal framework.

The duty to share information for individual care is as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share confidential information in the best interests of patients / adults, within the framework set out by these principles. Principles of confidentiality designed to safeguard and promote the interests of an adult should not be confused with those designed to protect the management interests of an organisation. These have a legitimate role but must never be allowed to conflict with the welfare of an adult. If it appears to an employee or person in a similar role that such confidentiality rules may be operating against the interests of the adult then a duty arises to make full disclosure in the public interest.

In certain circumstances, it will be necessary to exchange or disclose personal information, which will need to be in accordance with the law on confidentiality and the Data Protection Act 2018 where this applies.

6. Sharing Information with Relevant Bodies

6.1 Safeguarding Adults Boards

In order to carry out its functions, the SAB will need access to information that a wide number of people or other organisations may hold.

In the past, there have been instances where the withholding of information has prevented organisations being fully able to understand what ‘went wrong’ and so has hindered them identifying, to the best of their ability, the lessons to be applied to prevent or reduce the risks of such cases reoccurring. If someone knows or suspects that abuse or neglect is happening they must act upon that knowledge, not wait to be asked for information.

A SAB may request a provider service to supply information to it or to another person. The Care Act 2014 specifies that the person who receives the request must provide the information provided to the SAB if:

the request is made in order to enable or assist the SAB to do its job;
the request is made of a person who is likely to have relevant information and then either:
1. the information requested relates to the person to whom the request is made and their functions or activities or;
2. the information requested has already been supplied to another person subject to a SAB request for information.

6.2 Care Quality Commission

The Care Quality Commission (CQC) requires a range of information from providers in order for them to fulfil their statutory duties of monitoring, inspecting and regulating services.

It requires registration information from new providers and registered managers. It also requires information from current providers.

For services already operating, the CQC will request information as part of a comprehensive or focused inspection. It also requires the service to send notification information as specified (including Notification of Significant Events, Notification of Absence of the Registered Manager and Notification of Death of a Service User).

6.3 Commissioners and other relevant bodies

Other bodies, for example local authority commissioning teams, adult safeguarding teams, coroners’ offices and the police may request information in relation to the service provided. This may include policies, procedures, quality assurance and performance information or concerning personal data relating to individual adults, family members or staff.

6.4 Providing information

The service should provide the information requested in the format specified, and within the timescales outlined, otherwise penalties may be introduced or regulatory action initiated.

If a service is not satisfied that the information being requested from them is justifiable, it should seek legal advice.

CONTENTS