2.10 Information sharing and confidentiality

Effective secure information sharing is vital for safeguarding and promoting the welfare of children to facilitate early identification of need, assessment and intervention to ensure that children with additional needs receive the services they require and that children are protected from exploitation abuse and neglect.

‘Fears about sharing information must not be allowed to stand in the way of the need to promote the welfare and protect the safety of children’ (Working Together 2018) Often, it is only when information from a number of sources have been shared and is then put together that it becomes clear that a child is at risk of suffering significant harm.

Information sharing is also essential for the identification of patterns of behaviour when a child is at risk of going missing or has gone missing, when multiple children appear associated to the same context or locations of risk.  If a child is in a secure estate where there may be multiple local authorities involved in a child’s care, it will be for local safeguarding partners to consider how they will build positive relationships with other local areas to ensure that relevant information is shared in a timely and proportionate way that complies with all relevant legislation.

A key factor in many Serious Case Reviews has been missed opportunities to record, understand the significance of and share  information in a timely manner, which has had consequences for the safety and welfare of children. (Working Together 2018)

Practitioners are often concerned about sharing information and uncertain about when they can do so lawfully. This procedure provides a summary of the general principles to be followed by all practitioners to assist them in being proactive in sharing information as early as possible to help identify, assess and respond to risks or concerns about the safety and welfare of children. This procedure also includes guidance on sharing important information about any adults with whom that child has contact, which may impact the child’s safety or welfare.

Under data protection legislation (UK Data Protection Act 2018 (DPA2018) and UK General Data Protection Regulations (GDPR)) it is not necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child or a vulnerable person provided that there is alternative lawful basis detailed in the UK Data Protection Act 2018/UK GDPR to process any personal information required.

Where, in the judgement of a practitioner a child(ren) is thought to be at risk, the practitioner is not obliged to seek the consent of any person who, if they knew that their personal data was being shared, might put  a child (ren) at further risk. It does, of course, continue to be good practice to inform parents / carers that you are sharing information for these purposes and to seek to work cooperatively with them.

As set out below in the 7 Golden Rules of information sharing practitioners must ensure that the information shared is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely

In some circumstances, it may be appropriate to obtain consent to share data but it is important to note that the UK GDPR sets a high standard for consent which is specific, time limited and can be withdrawn (in which case the information would have to be deleted).

‘Information sharing: Advice for practitioners providing safeguarding services to children, young people, parents and carers, July 2018’ [hyperlink https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/721581/Information_sharing_advice_practitioners_safeguarding_services.pdf] provides detailed guidance, consistent with UK GDPR, to those involved in safeguarding children.

Seven golden rules to sharing information:

1. Remember that the UK General Data Protection Regulation (GDPR), UK Data Protection Act 2018 and human rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.
2. Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
3. Seek advice from other practitioners, or your information governance lead, if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.
4. Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information shared. Under the UK GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is lawful basis to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared.
5. Consider safety and well-being: base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.
6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely (see principles).
7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

Confidential information is information of some sensitivity, which is not public knowledge, and which has been shared in a relationship where the person giving the information understood that it would not be shared with others.

Confidence is only breached where the sharing of confidential information is not authorised by the person who provided it or to whom it relates or there is no legal basis to do this. If the information was provided on the understanding that it would be shared with a limited range of people or for limited purposes, then sharing in accordance with that understanding will not be a breach of confidence. Similarly, there will not be a breach of confidence where there is explicit consent to the secure sharing.

Even where sharing of confidential information is not authorised it may lawfully be shared as set out above in the Seven golden rules to sharing information

Therefore, where a practitioner has a concern about possible significant harm to a child, he or she should not regard refusal of consent as necessarily precluding the sharing of relevant confidential information. The key factor in deciding whether or not to share confidential information is whether there is a legal basis to carry out safeguarding functions and to share the information in question.

The conditions for processing data concerning safeguarding may be to protect the vital interests of an individual at risk of harm, or under a legal obligation article 6 and article 9 UK GDPR to carry out safeguarding functions.

When any agency considers that it will need to share information in order to promote the wellbeing of a child under 16, where possible/appropriate a parent or other person with parental responsibility should be informed, as well as the child or young person themselves if they are old enough (generally 12 or over) to understand the information and the implications of sharing it. 

Therefore, it continues to be a requirement for practitioners to explain to children and families when they first receive services, openly and honestly, what and how information will, or could be shared and why, and seek to work, cooperatively with them. This would be through the provision of a privacy notice or verbal confirmation.

All practitioners should be confident of the lawful basis and processing conditions under the Data Protection Act 2018 and the UK GDPR which allow them to process personal information including information which is considered sensitive, such as health data, known under the data protection legislation as ‘special category personal data’.

Information sharing (for non-special category information only) must satisfy at least one condition in Article 6 of the Data Protection Act 2018 in relation to personal data:

• Condition a will apply where, the data subject has given consent to the processing of their data for one or more specific purpose;

• Condition b is where processing is necessary for the performance of a contract to which the data subject is party, or in order to take steps at the request of the data subject prior to entering into a contract;

• Condition c is where processing is necessary for compliance with legal obligation to which the controller is subject;

• Condition d is where processing is necessary in order to protect the vital interests of the data subject or of another natural person;

• Condition e is where processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;

• Condition f (NB this condition cannot be used by public authorities to provide public duties) is where processing is necessary for the purpose of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

Processing of special category data is also important as detailed within Article 9 of the Data Protection Act 2018. The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation shall be prohibited.

However, if one condition in Article 6, and at least one of the conditions listed below apply, then processing of special category data is permitted

• Condition (a) the data subject has given explicit consent to the processing of their personal data for one or more specified purposes;

• Condition (b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law;

• Condition (c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

• Condition (d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;

• Condition (e) processing relates to personal data which are manifestly made public by the data subject;

• Condition (f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;

• Condition (g) processing is necessary for reasons of substantial public interest;

• Condition (h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services;

• Condition (i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices;

• Condition (j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

The Information Commissioners Office (ICO) has created the Lawful basis interactive guidance tool | ICO toolkit to help identify what lawful basis might apply to processing. 

Practitioners must always consider the safety and welfare of a child as the overriding consideration when making decisions on whether to share relevant information about the child without consent. In many instances a failure to pass on information, that might have prevented a child suffering harm, would be far more serious and dangerous than an incident of unjustified disclosure.

Practitioners should seek advice and consultation from a manager or supervisor when in doubt, in addition to consulting with their Information Governance Lead/Team where appropriate. Advice must be sought and consultation must take place within a time frame which is not detrimental to the child’s interests.

Practitioners must share relevant information securely when they are in situations where there is a statutory duty or Court Order requiring the information to be shared. Practitioners must consult with their local policy and procedure for sharing information securely for example; if Secure File Transfer is their local authorities’ preferred method of sending information securely then this procedure should be followed. If a practitioner is ever in doubt regarding how to send information securely or requires further guidance, they should seek advice from their Information Governance Lead/Team. However, wherever possible, the individual concerned should be informed about the information to be shared, the reasons and to whom it will be disclosed, being mindful of situations where to do so would place a child at increased risk of harm.

Information may be shared securely without consent if a practitioner has another legal basis under data protection to share. When decisions are made to share or withhold information, practitioners should record who has been given the information and why.

Information should only be shared on a need-to-know basis, i.e. necessary for the purpose for which they are sharing it and shared only with those people who need it securely.

Practitioners should ensure that the information they share is relevant, accurate, factual and up-to-date; where opinion is given, this should be made clear to the recipient.

Practitioners should only share the minimum amount of relevant information necessary for the disclosure, and where appropriate it will be anonymised/pseudonymised, if possible.

Consideration should be given to where and when the disclosure will be given, ensuring this takes place in a secure and safe environment.

Practitioners should always record the disclosure to include:

• When the disclosure was made;
• Who made the disclosure;
• Who the disclosure was made to;
• How the disclosure was made; and
• What was disclosed and what legal basis sharing occurred.

Disclosure of information must be justifiable, as set out above.

Where information is disclosed, the decision and the reasons for it must be recorded, as well as the matters listed above.

In addition, the person making the disclosure must advise the recipient that consent has been refused or has not been sought if this would not prejudice any investigation or put individuals at risk.

The recipient of information that has been disclosed without consent should record:

• the details of the information received
• who provided it
• that it was provided without consent and the reasons given (if known)
• any restrictions placed on the information that has been given, for example ‘Not to be disclosed to service user’.

For further detailed guidance, see Information sharing: Advice for practitioners providing safeguarding services to children, young people, parents and carers (July 2018).

Working Together to Safeguard Children. A guide to inter-agency working to safeguard and promote the welfare of children, July 2018. Myth-busting guide to information sharing Page 21.

Information Commissioners Office Data Sharing Code of Practice

In addition reference should be made to your local information sharing agreements and privacy statements.  Data controllers may want to consider the completion of a data protection impact assessment prior to sharing.

The Child Sex Offender Disclosure Scheme (CSODS) or Sarah’s Law, is designed to provide members of the public with a formal mechanism to ask for disclosure about people they are concerned about, who have unsupervised access to children and may therefore pose a risk. This scheme builds on existing, well established third-party disclosures that operate under the Multi-Agency Public Protection Arrangements (MAPPA).

Police will reveal details confidentially to the person most able to protect the child (usually parents, carers or guardians) if they think it is in the child’s interests.

The scheme is managed by the police and information can only be accessed through direct application to them.

If a disclosure is made, the information must be kept confidential and only used to keep the child in question safe. Legal action may be taken if confidentiality is breached. A disclosure is delivered in person (as opposed to in writing) with the following warning:

• 'That the information must only be used for the purpose for which it has been shared i.e. in order to safeguard children;
• The person to whom the disclosure is made will be asked to sign an undertaking that they agree that the information is confidential and they will not disclose this information further;
• A warning should be given that legal proceedings could result if this confidentiality is breached. This should be explained to the person and they must sign the undertaking’ (Home Office, 2011, p16).

If the person is unwilling to sign the undertaking, the police must consider whether the disclosure should still take place.

See also: Domestic Violence and Abuse procedure.

The Domestic Violence Disclosure Scheme (DVDS) or Clare’s Law, gives members of the public a formal mechanism to make enquires about an individual who they are in a relationship with, or who is in a relationship with someone they know, where there is a concern that the individual may be violent towards their partner. This scheme adds a further dimension to the information sharing about children where there are concerns that domestic violence and abuse is impacting on the care and welfare of the children in the family.

Members of the public can make an application for a disclosure, known as the ‘right to ask’. Anybody can make an enquiry, but information will only be given to someone at risk or a person in a position to safeguard the victim. The scheme is for anyone in an intimate relationship regardless of gender.

Partner agencies can also request disclosure is made of an offender’s past history where it is believed someone is at risk of harm. This is known as ‘right to know’.

If a potentially violent individual is identified as having convictions for violent offences, or information is held about their behaviour which reasonably leads the police and other agencies to believe they pose a risk of harm to their partner, a disclosure will be made.