Providing Information about a Person or Carer
Amendment
In November 2024, Section 1, Maintaining Confidentiality about a Person or Carer was amended to clarify that the Data Protection Act 2018 and UK GDPR do not prevent the sharing of information for safeguarding purposes.
The Local Authority has a common law and legal duty to safeguard the confidentiality of all personal information. As an employee of the Local Authority, you are bound contractually to respect the confidentiality of any information that you may come into contact with.
Under no circumstances should such information be divulged or passed to any person or organisation in any form unless you have authorisation to do so.
All information sharing that takes place must be in line with data protection legislation (namely the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) and local policy.
The Caldicott Principles must also be regarded. The Caldicott Principles are a set of principles that apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes. For further information, see: The Caldicott Principles.
Any unauthorised disclosure of confidential information may result in disciplinary action of individual prosecution under the Data Protection Act 2018.
The Data Protection Act 2018 and UK GDPR do not prevent the sharing of information when necessary and proportionate to do so, to safeguard vulnerable adults and children. See: Exemptions to the Provision of Information.
You should take necessary steps to protect the information that you hold and have access to. For example:
- You should ensure that nobody else has access to your electronic information systems (e-mail and IT system);
- You should send electronic communication by secure channels (having verified the detail of the recipient);
- You should keep records made by hand in a secure place (e.g. notebooks);
- You should only discuss information with appropriate people in safe environments.
Under the UK GDPR any individual (known legally as the data subject) that the Local Authority holds information about is legally entitled to access the information held about them (known legally as the right of access) unless an exemption to do so applies (see below).
This includes both paper/hard copy information and information held electronically.
If the data subject lacks capacity to make a request for information under the UK GDPR and they have a legally authorised representative who deems it in their best interests to request the information it can also be requested by that legally authorised representative and the request should be treated as if it had been made by the data subject.
A carer does not have rights to access information about the person they care for unless this information is information that should be provided to them as a matter of course under the Care Act (e.g. copies of the person's assessment or review report).
In all other circumstances information can only be shared if:
- The data subject provides consent for it to be shared; or
- The data subject lacks capacity to consent but has a legally authorised representative who has consented; or
- The data subject lacks capacity to consent, does not have a legally authorised representative but it is the view of the Local Authority that sharing the information would be in their best interests (e.g. to support an assessment by another professional);
- None of the exemptions set out in the Data Protection Act 2018 apply.
The rights of other people to access information about a data subject are limited. Information can only be provided if:
- The data subject provides consent for it to be shared; or
- The data subject lacks capacity to consent but has a legally authorised representative who has consented; or
- The data subject lacks capacity to consent, does not have a legally authorised representative but it is the view of the Local Authority that sharing the information would be in their best interests (e.g. to support an assessment by another professional);
- None of the exemptions set out in the Data Protection Act 2018 apply; or
- The information is requested under safeguarding and is integral to protecting the person, a child or other vulnerable adult from abuse or neglect.
As permitted under the UK GDPR, the Data Protection Act 2018 sets out some exemptions to the right of access. These exemptions apply to every information request, with one exception; if disclosure of the information is required by a court order or is necessary for the purpose of or in connection with any legal proceedings it should be provided.
The exemptions are:
- If providing the information requested will place the data subject, a child or other adult in (or at risk of) serious harm to their mental or physical health;
- If the information is child abuse data, it would not be in the best interests of the data subject;
- If a court has ordered the information not to be disclosed;
- Where a person with capacity provided the information to you with the expectation it would not be disclosed, or if they expressly indicated this (i.e. they did not consent);
- Where the information contains the identity or personal information of another data subject, that other person has capacity and has not consented to their information being shared, and it would not be possible to remove or disguise their data from the information (e.g. by blocking out or removing those details);
- Where the information contains the identity or personal information of another data subject, that other person lacks capacity to consent to their information being shared, it is not deemed in their best interests to do so and it would not be possible to remove or disguise their data from the information (e.g. by blocking out or removing those details);
- Where disclosure would prevent the detection or investigation of a crime or pose a risk to national security;
- The request is deemed 'manifestly unfounded or excessive' (e.g. an identical request has already been received and information has already been provided or denied).
If you are unsure whether an exemption applies you should seek support from a manager, who in turn should seek legal advice as required.
Data subjects should be told what information is collected about them, why and how long it will be kept for.
You should routinely share the following information with the individual it is about (the data subject), whether or not they have requested it:
- Copies of any assessment or review reports (including risk assessments, mental capacity assessments and safeguarding reports);
- Copies of any Care and Support or other Plans; and
- Copies of any meeting minutes in which they were present.
Where the individual has capacity and requests that this information is also shared with another person you should honour this request unless doing so would place the individual, a child or other vulnerable adult at risk of harm from abuse or neglect by that person. Where a request to share information is not honoured you should explain to the individual why the information has not been provided.
If you feel that the information should be shared with another person or organisation in order to benefit the individual (for example a health professional completing an assessment) you should obtain consent to do so.
Where the individual lacks capacity a decision can be made that it is in their best interests for this information to be shared, so long as no exemptions apply.
Whenever you are unclear about whether or not to share information you should seek support from a manager, who in turn should seek legal advice as required.
If the individual (data subject) has requested information informally relating to them or their case you must decide whether the information can be provided under the UK GDPR.
It is the expectation in the UK GDPR that wherever possible information is provided to a data subject following an informal request.
Some of the things that should be considered are:
- Is the information something that should be shared with the individual as a matter of course?
- Would providing the information be a breach of someone else's confidentiality?
- Would sharing the information put the individual at risk of harm from abuse or neglect?
- Would sharing the information put another adult or child at risk of harm from abuse or neglect?
- Do any of the exemptions in the Data Protection Act 2018 apply?
If the request is being made by a person who is legally authorised to request the information (a Court of Protection appointed Deputy for welfare or someone with Lasting Power of Attorney) the request should be treated as if it had been made by the data subject.
The rights of other people to access information about a data subject are limited.
Information can only be provided if:
- The data subject provides consent for it to be shared; or
- The data subject lacks capacity to consent but has a legally authorised representative who has consented; or
- The data subject lacks capacity to consent, does not have a legally authorised representative but it is the view of the Local Authority that sharing the information would be in their best interests (e.g. to support an assessment by another professional); or
- The information is requested under safeguarding and is integral to protecting the individual, a child or other vulnerable adult from abuse or neglect.
The person making the request can still make a formal request for the information if an informal request is denied.
A formal request is a request made in writing. They can be made by anyone.
The outcome of a formal information request should be made within 1 month of the date it was made. Notification in writing should be provided to the person making the request.
If information is to be shared this should also take place within that timeframe, even if the amount of information is significant (e.g. a case file).
Under the Freedom of Information Act anybody may make a formal request in writing (including e-mail) for non-personal information from a public body. This is information that does not relate to a particular individual (data subject).
The Freedom of Information Act specifies that any formal request for information made under the Act must be responded to within 20 days of receipt. The response should confirm:
- Whether the information is held by the Local Authority; and
- If so, provide the information requested.
Where information about an individual (data subject) is requested as part of a safeguarding enquiry in order to protect the individual, or another vulnerable adult or child from abuse or neglect (or the risk of abuse or neglect) it should be provided.
This should be provided securely to the person leading the safeguarding enquiry and any concerns that you have about the implications for other vulnerable adults or children as a result of providing the information should be shared and considered by the safeguarding enquiry.
If it is possible to seek consent from the data subject before providing the information you should do so, although information can be provided without consent for the purpose of protecting them (or another adult or child) from abuse or neglect. If the individual does not give consent the information should still be shared if doing so would serve to protect them (or another adult or child) from the risk of abuse and neglect.
You should notify the individual that their information has been shared for the purposes of protecting them (or under safeguarding) from harm unless doing so would place them (or another adult or child) at further risk of harm. In this case you should notify them when it is deemed safe to do so.
You should be clear with the individual from the beginning that in the event of safeguarding information about them may be provided without their consent or immediate knowledge.
For further information and guidance see:
Information Commissioner’s Office: Guide to Data Protection (namely the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR))
Last Updated: November 4, 2024
v24