7.2 Information Sharing and Confidentiality
This chapter was updated in October 2015 to include links to new Department for Education Guidance on Information Sharing.
- 1. Local Context and Justification for Sharing Information(Jump to)
- 2. Relevant Law & Government Requirements(Jump to)
- 3. Further Guidance for the Children's Workforce(Jump to)
- 4. Practice Requirements for Information Transfer(Jump to)
- 5. Responsibilities(Jump to)
- 6. Child Sex Offender Disclosure Scheme(Jump to)
- 7. The Domestic Violence Disclosure Scheme(Jump to)
1. Local Context and Justification for Sharing Information
Information sharing guidance is designed to help every worker be able be confident about sharing share in relation to vulnerable children.
Research and experience have demonstrated that to keep children safe from harm it is essential that workers maximise the potential for safe partnership with parent/s and share relevant information across geographical and worker boundaries.
Often it is only when information from a number of sources has been shared, collated and analysed, that it becomes clear a child is suffering, or is likely to suffer Significant Harm.
Information relevant to child protection will be about:
- Health and development of a child and her/his exposure to possible harm;
- A parent / carer who is unable to care adequately for a child;
- Other individuals who may present a risk of harm to the child.
The informed consent of a person under the age of 18 is as significant as that of an adult where s/he is the subject of information, provided s/he has sufficient emotional maturity and intellectual competence to understand the consequences of their consent and consider alternative options. If a member of staff is in doubt about a child's competence s/he should seek legal advice.
Where a child does not have the capacity to consent, it should be sought, if it does not place her/him at additional risk, from a person with Parental Responsibility for that child.
Where possible, informed consent should be provided in writing.
It is the duty of workers, whether they are providing services to adults or children, to place the needs of the child first.
Each case will depend on its own facts and legal advice should always be sought from agencies' own legal advisers where the worker is concerned about the legality of sharing information.
Limitations to informed consent must be made clear at the point of information exchange (e.g. a request that information is not shared with a particular service/agency).
Informed consent can be withdrawn at any stage. In this event, all professional parties involved in information exchange must be informed as soon as possible. Information exchange should cease at this point, unless there is justification to continue sharing information without consent.
Particular care should be exercised sharing sensitive information (e.g. sexual health, emotional health needs, etc.). The rule of proportionality should be applied in these instances i.e. what does the other worker 'need to know' to inform their judgement or service.
Information should be stored safely and securely at all times.
Information sharing is also essential for the identification of patterns of behaviour when a child is at risk of going missing or has gone missing, when multiple children appear associated to the same context or locations of risk, or in relation to children in the secure estate where there may be multiple local authorities involved in a child’s care. It will be for local safeguarding partners to consider how they will build positive relationships with other local areas to ensure that relevant information is shared in a timely and proportionate way.
The Data Protection Act 2018 and General Data Protection Regulations (GDPR) do not prevent the sharing of information for the purposes of keeping children safe. Fears about sharing information must not be allowed to stand in the way of the need to promote the welfare and protect the safety of children.
General Data Protection Regulation (GDPR)
The GDPR provides a number of bases for sharing personal information. It is not necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child provided that there is a lawful basis to process any personal information required. The legal bases that may be appropriate for sharing data in these circumstances could be ‘legal obligation’ or ‘public task’ which includes the performance of a task in the public interest or the exercise of official authority. Each of the lawful bases under GDPR has different requirements. In some circumstances, it may be appropriate to obtain consent to share data but it is important to note that the GDPR sets a high standard for consent which is specific, time limited and can be withdrawn (in which case the information would have to be deleted).
Practitioners must have due regard to the relevant data protection principles which allow them to share personal information, as provided for in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). To share information effectively:
- all practitioners should be confident of the lawful bases and processing conditions under the Data Protection Act 2018 and the GDPR which allow them to store and share information including information which is considered sensitive, such as health data, known under the data protection legislation as ‘special category personal data’
- where practitioners need to share special category personal data, for example, where information obtained is sensitive and needs more protection, they should always consider and identify the lawful basis for doing so under Article 6 of the GDPR, and in addition be able to meet one of the specific conditions for processing under Article 9. In effect, the Data Protection Act 2018 contains ‘safeguarding of children and individuals at risk’ as a processing condition that allows practitioners to share information, including without consent (where in the circumstances consent cannot be given, it cannot be reasonably expected that a practitioner obtains consent or if to gain consent would place a child at risk). However, practitioners should be mindful that a data protection impact assessment for any type of processing which is likely to be high risk must be completed, and therefore aware of the risks of processing special category data.
Further information on GDPR is available in Working Together to Safeguard Children 2018.
2. Relevant Law & Government Requirements
The main sources of law and other relevant requirements with respect to information sharing and confidentiality in child protection are the:
- Common law duty of confidence;
- European Convention on Human Rights (via its introduction into English law in the Human Rights Act 1998);
- Data Protection Act 1998;
- Crime and Disorder Act 1998;
- Children Act 1989;
- Children Act 2004;
- Caldicott Standards (Health and Children's Services);
- Information sharing - Advice for practitioners providing safeguarding services to children, young people, parents and carers (Department for Education, March 2015);
- Working Together to Safeguard Children 2018.
The 'Common Law Duty of Confidence' arises when a person shares information with another in circumstances where it is reasonable to expect that the information will be kept confidential e.g. a contract, a patient-doctor, solicitor-client, pupil-teacher relationship.
Personal information about children and families kept by workers and agencies should not generally be disclosed without the consent of the subject.
The duty of confidence is not absolute and disclosure can be justified if:
- The information is not confidential in nature e.g. it is trivial or readily available elsewhere e.g. a social worker seeking confirmation from a school of a child's attendance that day;
- The person to whom the duty of confidence is owed has 'expressly' authorised disclosure (orally or in writing) or 'implicitly' authorised it (a referrer of an allegation of abuse to Children's Social Care would expect the information to be shared on a 'need to know' basis);
- There is an overriding public interest in disclosure;
- Disclosure is required by a court order or other legal obligation.
The disclosure of information should not be an obstacle if an individual has particular concerns about the welfare of a child, the information is disclosed to another worker and the disclosure is justified under the common law duty of confidence.
The key factor in deciding whether or not to disclose confidential information is 'proportionality' i.e. is the proposed disclosure a proportionate response to the need to protect the child's welfare? The amount of confidential information disclosed and the number of people to whom it is disclosed should be no more than is necessary to meet the public interest in protecting the health and well-being of the child.
The approach to confidential information should be the same whether any proposed disclosure is internally within an organisation e.g. within a school or Children's Social Care or between agencies e.g. a teacher to a social worker.
European Convention on Human Rights
Article 8 of the above Convention states that:
- Everyone has the right to respect for her/his private and family life, home and correspondence;
- There shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, protection of health or morals or for the protection of rights and freedom of others.
The right is not absolute and in certain situations Article 8 enables workers to disclose information without consent - e.g. to:
- Safeguard a child;
- Protect her/his health or morals;
- Protect the rights and freedoms of others; or
- Prevent disorder or crime.
As with the common law described above, the principle of 'proportionality' applies to sharing confidential information i.e. when disclosing information without consent one must limit the extent of the disclosure to that which is absolutely necessary to achieve the aim of disclosure e.g. child protection.
Data Protection Act 1998
The Data Protection Act 1998 (as amended) regulates the handling of information kept about an individual on a computer or in a manual filing system and requires of public authorities that any personal information is:
- Obtained and processed fairly and lawfully;
- Processed for limited purposes and not in any manner incompatible with those purposes;
- Accurate and relevant;
- Held for no longer than necessary;
- Kept secure;
- Only disclosed if specific conditions set out in the Act are satisfied.
The AMENDMENT to the Data Protection Act 1998 introduced by the Freedom of Information Act 2000 mean that any incidental personal information held in loose papers etc. (as opposed to a structured filing system) is now also covered by subject access and accuracy obligations.
Legitimate conditions (in Schedule 2 of the Data Protection Act 1998) for sharing information include that:
- Consent of the person to whom the data relates has been obtained;
- Disclosure is necessary to comply with a legal obligation;
- It is necessary to protect the vital interests of the data subject;
- It is necessary for the exercise of a statutory function or other public function exercised in the public interest e.g. a s17 assessment or s47 enquiries; and
- It is necessary for the purposes of legitimate interests pursued by the person sharing the information (except where it is unwarranted by reason of prejudice to the rights and freedoms or legitimate interests of the data subject):
- It is necessary for the purposes of: prevention / detection of crime and the apprehension / prosecution of offenders as long as the receivers of shared information are undertaking an activity that will prevent or detect crime
Many of the above conditions, especially the latter one offer a justification for sharing information (mindful of the proportionality principle).
If the information being shared is 'sensitive personal data' e.g. racial or ethnic origin, religious beliefs or political opinions, trade union membership, sexual life, criminal offences, one of the following additional conditions of Schedule 3 must be met:
- The subject has explicitly consented;
- It is necessary to protect her/his vital interests or those of another person where the subject's consent cannot be given or is unreasonably withheld or cannot reasonably be expected to be obtained;
- It is necessary to establish, exercise or defend legal rights;
- It is necessary for the exercise of any statutory function; and
- It is in the substantial public interest and necessary to prevent or detect an unlawful act and obtaining express consent would prejudice those purposes.
Defence of a child's 'legal rights' under the Human Rights Act 1998 or exercise of a statutory function in connection with a s17 assessment or s47 enquiries may offer justification for information sharing.
For more detailed information see Information Commissioner's Office website.
For the NHS and councils with social services responsibilities, the Caldicott principles and processes provide a framework of quality standards for the management of confidentiality and access to personal information under the leadership of a Caldicott Guardian.
This includes 'Safe Haven' principles on the secure storage and transfer of confidential information.
These Standards apply to NHS organisations and Councils with Social Services Responsibilities in order to provide an effective framework to operationalise the Data Protection Act 1998 and underpin appropriate information sharing.
Health and Children's Social Care must ensure that their information sharing arrangements are compliant with their own local procedures based on the Caldicott Standard (see Health Service Circular/LAC circular HSC 2002/003/LAC (2002) 2 'Implementing the Caldicott Standard into Social Care').
Each Health Service and Children's Social Care will have its own Caldicott Guardian who should be able to provide advice and guidance.
Department for Education Guidance
In the following circumstances, sharing confidential information without consent will normally be justified in the public interest:
- 'There is evidence that the child is suffering or is likely to suffer significant harm; or
- There is reasonable cause to believe that a child may be suffering or is likely to suffer significant harm; or
- To prevent significant harm arising to children / young people or serious harm to adults, including through the prevention, detection and prosecution of serious crime'
Overall Legal & Best Professional Practice
Thus, in general, the law does not prevent an individual sharing information with other practitioners if:
- Those likely to be affected, consent;
- The public interest in safeguarding the child's welfare overrides the need to keep the information confidential;
- Disclosure is required by court order or other legal obligation.
3. Further Guidance for the Children's Workforce
4. Practice Requirements for Information Transfer
The net result of legislation and worker guidance as summarised above is that workers may share information for a child protection purpose without the consent of the subject:
- To protect the vital interests of the person;
- Where seeking permission might place the child or another person at serious risk of Significant Harm;
- Where such action might reasonably assist in the prevention or detection of serious crime.
It is important that each worker accept responsibility for her/his own referrals and should not seek to provide information to another agency anonymously.
Routine 'Checks' - s.17 & 47 Enquiries
The permission of the subject (child or parent) must ordinarily be sought on those occasions when there is a need to gather further information via checks with other agencies, in order to:
- Progress an assessment of need (s.17 Children Act 1989);
- Decide whether to re-designate an assessment of need to a Section 47 Enquiry; or
- Inform such a Section 47 Enquiry.
Such checks may be completed without such permission if:
- Seeking permission is likely to increase risk to children concerned or other individuals e.g. by causing a substantial delay to the Section 47 Enquiry;
- A request for permission has been refused, the reason for refusal has been considered and sufficient worker concern remains to justify disclosure;
- Seeking permission is likely to impede a criminal investigation.
Recording of Information Sought and Shared
The person requesting information from another agency and the person in that agency who provides it must record the event in accordance with her/his own agency procedures.
The recording must indicate if the consent of the relevant person was sought and obtained, sought and refused or not sought.
If information was provided without consent, reason/s for so doing must be made clear and the record indicate whether the person in question was subsequently informed of the information transfer.
Confidentiality of Exchanges of Information
Unless s/he is already known, a phone call received from a worker seeking information must be verified before information is divulged, by calling her/his agency back.
A record of any information relayed by phone or in person must be made.
Transmission of personal and sensitive information by fax should only happen when absolutely necessary. The number / address to which it is being sent should be checked very carefully (preferably by a colleague) and reassurance provided and recorded about the security of its handling by the other agency.
When sending out e-mails containing confidential information, a confidentiality warning should be used. Wherever possible Confidential information should only be sent by secure electronic systems and not by internet e-mail.
Thames Valley Police will only share information via e-mail where a secure network is available.
All agencies must ensure that their record keeping is maintained in accordance with statute and guidance (both national and local).
Security of the Information
4.13 Any information that is shared must be classified and managed in accordance with the Government Security Classification Policy (GSCP).
If a party to this agreement receives a subject access application under section 7 of the Data Protection Act and personal data is identified as having originated from another signatory agency, it will be the responsibility of the receiving agency to contact the originating organisation to determine whether the latter wishes to advise use of any statutory exemption under the provisions of the Data Protection Act.
If an agency receives a request for information under the Freedom of Information Act 2000 and the information requested is identified as belonging to another Organisation, it will be the responsibility of the receiving agency to contact the data owner to determine whether the latter wishes to rely on any statutory exemption under the provisions of the Freedom of Information Act and to identify any perceived harm.
All agencies as receivers of information will accept total liability for the loss or compromise of any information subject to this information sharing agreement whilst in their custody.
6. Child Sex Offender Disclosure Scheme
The Child Sex Offender Review (CSOR) Disclosure Scheme is designed to provide members of the public with a formal mechanism to ask for disclosure about people they are concerned about, who have unsupervised access to children and may therefore pose a risk. This scheme builds on existing, well established third-party disclosures that operate under the Multi-Agency Public Protection Arrangements (MAPPA).
Police will reveal details confidentially to the person most able to protect the child (usually parents, carers or guardians) if they think it is in the child’s interests.
The scheme has been operating in all 43 police areas in England and Wales since 2010. The scheme is managed by the Police and information can only be accessed through direct application to them.
If a disclosure is made, the information must be kept confidential and only used to keep the child in question safe. Legal action may be taken if confidentiality is breached. A disclosure is delivered in person (as opposed to in writing) with the following warning:
- 'That the information must only be used for the purpose for which it has been shared i.e. in order to safeguard children;
- The person to whom the disclosure is made will be asked to sign an undertaking that they agree that the information is confidential and they will not disclose this information further;
- A warning should be given that legal proceedings could result if this confidentiality is breached. This should be explained to the person and they must sign the undertaking’ (Home Office, 2011, p16).
If the person is unwilling to sign the undertaking, the police must consider whether the disclosure should still take place.
7. The Domestic Violence Disclosure Scheme
The Domestic Violence Disclosure Scheme (DVDS) commenced on 8 March 2014. The DVDS gives members of the public a formal mechanism to make enquires about an individual who they are in a relationship with, or who is in a relationship with someone they know, where there is a concern that the individual may be violent towards their partner. This scheme adds a further dimension to the information sharing about children where there are concerns that domestic abuse is impacting on the care and welfare of the children in the family.
Members of the public can make an application for a disclosure, known as the ‘right to ask’. Anybody can make an enquiry, but information will only be given to someone at risk or a person in a position to safeguard the victim. The scheme is for anyone in an intimate relationship regardless of gender.
Partner agencies can also request disclosure is made of an offender’s past history where it is believed someone is at risk of harm. This is known as ‘right to know’.
If a potentially violent individual is identified as having convictions for violent offences, or information is held about their behaviour which reasonably leads the police and other agencies to believe they pose a risk of harm to their partner, a disclosure will be made.