• contents
• keywords & contacts
• quick guide
• forms library
• values
• contact us
• search

Contents

1. Introduction
2. Section A
3. Section B
   
   Appendix 1: References
   
   Appendix 2: Contacts

1. Introduction

The purpose of this Manual is to help you take the most appropriate course of action when you receive requests to share confidential personal information.

The Manual is one of the documents supporting LISA (Lambeth Information Sharing and Assessment), the protocol which commits its partners to establish common information sharing standards and procedures. Signatories to LISA are members of the CYPSPB (Children & Young People’s Strategic Partnership Board), namely Lambeth Council, Lambeth Primary Care Trust, South London & Maudesley NHS Trust and the Metropolitan Police.

The arrangement of this Manual is in two sections. Section A uses questions and answers based on those formulated by the Department for Education and Skills (DfES) to illustrate the key principles underpinning information sharing. Section B also uses a question-and-answer format, to explain the main procedures in more detail and to address some other concerns you may have.

Information sharing is a complex area and a Manual such as this cannot cover all exigencies. It will, however, be reviewed and updated regularly and your suggestions for improvement welcomed.

2. Section A

A1. Is there a legitimate purpose for you or your organisation to share information?

Improving information sharing practice is the cornerstone of the Government’s Every Child Matters strategy, the aim of which is to ensure children and young people are kept safe, receiving the support they need when they need it. There is also growing emphasis on integrated working, with intervention happening at an earlier stage in order to prevent problems escalating and to increase the chances of children and young people achieving positive outcomes. Sharing information about them in order to attain these objectives is therefore good practice. However, the way in which you share information has to comply with the Data Protection Act 1998 and associated laws and standards. It must also comply with LISA and any documents supporting LISA (such as this Manual) that CYPS has in place.

A2. Does the information enable a person to be identified?

In this manual, references to “information” are generally to confidential personal information concerning a named child or young person although anyone else who can be identified (e.g. a parent, practitioner or carer) is included. Information that allows a person to be identified is subject to data protection law. However, information that has been anonymised is not normally subject to data protection law and can be shared, as long as the purpose for sharing it is legitimate.

Anonymising of data is usually carried out in connection with research. While you should be aware of the process, you will not be expected to anonymise, aggregate or otherwise disguise information, or to deal with research requests. These should be referred to the Information Governance Manager (see Appendix 2: Contacts)

A3. Is the information confidential?

Information, particularly sensitive information, is confidential if shared in a relationship where the person giving the information has understood it will not be shared with anyone else. The lines are clearly drawn in formal relationships where all information shared is confidential e.g. a social worker and client or a doctor and patient. However, if a pupil shares a wide range of information with a teacher but asks that something specific be kept confidential, it is only where that specific piece of information is concerned that the teacher and pupil have a formal confidential relationship.

Sensitivity of itself does not necessarily restrict the sharing of information. For instance, a teacher may know a pupil has a parent who misuses drugs. While this is sensitive information, if it is already quite widely known or was shared on the understanding it would be shared with others, it is not confidential.

Public bodies, such as ours, have a statutory duty of confidentiality where this concerns the holding of private or sensitive information about individuals in order to carry out their duties e.g. the maintenance of case files of looked after children in order to provide them with appropriate social care.

A4. Do you have consent to share information?

Although you will be expected to check that consent to share information has been obtained (see Section B3), you will not normally be involved in seeking consent from service users as this is an area of responsibility for trained practitioners. However, it is still important that you have a clear idea as to:

• What constitutes consent;
• Whose consent should be sought;
• When not to seek consent.

What constitutes consent

Consent should be sought at the earliest possible opportunity, normally at the point of collection of the information, and must be “informed”. This means that the person giving consent has understood the reasons for sharing and its implications, including the consequences of withholding consent.

Consent to share information can be “explicit” or “implicit”. When obtaining explicit consent, it is preferable for this to be in writing - to reduce the scope for subsequent dispute. If given orally it needs to be recorded. Implicit consent is valid where information sharing is intrinsic to the activity particularly if explained at the outset e.g. when conducting a common assessment.

Whose consent should be sought

Young persons aged 16 or 17, or children under 16 with the capacity to understand and make their own decisions may give (or refuse) consent. Children aged 12 or over normally have sufficient understanding to make such decisions. Where a child cannot or is not competent to give consent, it will need to be sought from a person with parental responsibility for the child. If, however, a child or young person is competent to give, or refuse, consent, then their decision should be the one accepted even if a parent or carer disagrees.

When not to seek consent

Only Heads of Service/Service Managers or more senior officers have the authority to over-ride an individual’s right to confidentiality or to decide not to seek their consent to share information and then only in circumstances where seeking consent would:

• Place a child or young person at risk of significant harm;
• Place an adult at risk of serious harm;
• Prejudice the prevention or detection of a serious crime;
• Cause delays in making enquiries about allegations of significant harm.

A5. Is there a statutory duty or court order to share information?

There will be occasions when a court will make an order for certain information or case files to be brought before it.

A6. Is there a sufficient public interest argument to share the information?

If consent is refused or not sought for some reason, there may be a sufficient public interest argument to share the information. Although this area of decision-making is for Heads of Service/Service Managers or more senior officers and therefore not your responsibility, you should be aware that the key factor in the decision-making process is “proportionality” i.e. weighing up what might happen if the information is shared against what might happen if it is not. For instance, maintaining the confidence of the general public in the confidentiality of certain services will normally weigh against sharing.

A7. If you decide to share information, are you doing it in the right way?

This means you should:

• Share no more than the necessary amount of information and then only for the purpose for which it needs to be shared;
• Share the information only with the person or persons needing to know;
• Check that the information is up to date;
• Share the information in a secure way;
• Ensure that anyone with whom you share information understands the limits of any consent that has been given.

A8. Have you recorded your decision properly?

Recording your decision properly is essential especially in organisations such as ours where much of our performance depends on, and is judged by, the quality of our record-keeping. It is also something you should do for your own protection (see Section B5). When you share information you therefore need to record why, what information was shared and with whom, following any procedures that are in place. Any decision not to share information should also be recorded.

3. Section B

B1. What do I do if I receive a telephone request to share information about a service user?

As a general principle you should:

• Not give out information about service users over the telephone;
• Seek agreement from a senior officer/team manager before sharing information about a service user.

The caller will fall into one of the following categories:

1. A fellow Lambeth Council worker;
2. A representative from one of our partner agencies;
3. A third party other than the above (e.g. a solicitor, a worker from another Council, a relative of the service user).

Caller is a fellow Lambeth Council worker

This may be someone you know, whose voice you recognise and who satisfies you they have a good reason for requesting information about a particular service user. If this is the case, you may share the information, provided that:

• You share in the right way (see Section A7);
• You have checked for consent (see Section B3);
• You have sought a senior officer’s agreement (see Section A4).

Or the caller may be a Lambeth colleague not known to you. Therefore, in addition to details of the service user concerned, you will need to ask for the caller’s own details and ring them back to establish they are who they say they are. If you are satisfied with their response, you may share the information, provided that:

• You share in the right way (see Section A7);
• You have checked for consent (see Section B3);
• You have sought a senior officer’s agreement (see Section B4).

As soon as you have completed your business, remember to record the following details in the relevant service user’s file in the Notes field on FRAMEWORK:

• Date and time of call;
• Name of caller;
• Caller’s team/business unit;
• What information was requested and why;
• Full description of information disclosed and why;
• Name of senior officer from whom you sought agreement to share information.

Caller is a representative from one of our partner agencies

Our partner agencies are those with whom we have an agreement to share information. These are the signatories to LISA referred to in the Introduction, namely the Lambeth Primary Care Trust, South London & Maudesley NHS Trust and the Metropolitan Police. You will need to ask the caller for full details of the service user they are requesting information about, asking them also for their own details and those of the agency they represent so that you can ring them back to verify they are who they say they are. If you are satisfied with their response, you may share the information, provided that:

• You share in the right way (see Section A7);
• You have checked for consent (see Section B3);
• You have sought a senior officer’s agreement (see Section B4).

As soon as you have completed your business, remember to record the following details in the relevant service user’s file in the Notes field on FRAMEWORK:

Date and time of call

• Name of caller;
• Organisation to which caller belongs;
• What information was requested and why;
• Full description of information disclosed and why;
• Name of senior officer from whom you sought agreement to share information.

Caller is a third party other than the above

You should ask any caller other than those falling into the above categories (e.g. solicitors, workers from other Councils, relatives or friends of service users) to put their request in writing, giving them contact details of the appropriate service team.

As soon as you have completed your business, remember to record the following details in the relevant service user’s file in the Notes field on FRAMEWORK:

• Date and time of call;
• Name of caller;
• Caller’s organisation and address or caller’s postal address, as applicable;
• What information was requested and why;
• Team/business unit to which caller was referred.

N.B. In a real emergency a caller, no matter who they are, should be given the information necessary to prevent serious harm, injury or death to a client or potential client. Then make sure to create an appropriate record of whatever information you have disclosed

B2. What do I do if I receive a request in writing to share information about a service user?

Usually you should pass written requests to the appropriate service team. However, if a situation arises where you are instructed to transfer personal information in writing you need to do so securely whether this is by letter, email or fax, with the following provisos:

• Letters should be sent in sealed envelopes clearly marked “To be opened by Addressee Only”;
• Service user’s information should be sent via the Internet only if password protected using WORD’s security functionality. If you have any concerns about this you should refer them to the Council’s Data Protection Advisor (see Appendix 2: Contacts);
• Faxes should be used only if no other method of communication is available and the situation is urgent. You must double-check the fax number before sending out the information and make sure that the fax machine to which you are sending it is sited in a “safe haven” (where access is restricted to appropriate staff).

As soon as you have completed your business, remember to record the following details in the relevant service user’s file in the Notes field on FRAMEWORK:

• Date of communication;
• Name of writer;
• Writer’s organisation and address or writer’s postal address, as applicable;
• What information was requested and why;
• Team/business unit to which writer was referred.

B3. Must I always check if we have a service user’s consent before sharing information about them?

Yes. Always. You should find this recorded on the first page of the Initial Assessment on the service user’s case file in FRAMEWORK and any contradictions must be resolved before information is released e.g. if the consent is out of date (if more than 3 years old, it must be re-sought) or has been withdrawn at some date before the expiry of the original consent.

If you cannot find any record of consent having been given, it may have been “implied” (see Section A4 under What constitutes consent). If you suspect this is the case, you will need to contact the relevant service team and record their response.

It is not your responsibility to seek consent from a service user or to get involved in decisions to over-ride consent (see Section A4 under When not to seek consent) unless faced with a life-and-death situation.

B4. Must I always seek the agreement of a senior officer/team manager before I share information about a service user

Yes. Your line manager is the person to contact in the first instance, or the relevant team manager.

B5. Must I always record my decisions about sharing information?

Yes. This cannot be stressed enough. While proper record-keeping is good working practice and therefore in the interests of the Council (see Section A8), it is also in your own best interests to ensure you record your decisions properly, especially in this sensitive area of business. Even if things go wrong and you end up getting sued, if you can demonstrate that you followed procedures, took advice where necessary and acted in good faith, then the Council will support you.

B6. How can I be sure I am sharing information lawfully?

You cannot be sure! The law in this area will always be open to interpretation particularly where judgements are involved as to the level of risk or potential risk to an individual. There is also a fairly common (although inaccurate) perception that there are contradictions in the relevant Acts i.e. between the Data Protection Act 1998 and the Children’s Act 2004, the first being seen as discouraging the sharing of information and the second as encouraging it. While it is certainly true that increased emphasis on sharing and integrated working is quite a recent development, the restrictions imposed by the Data Protection Act, along with the associated Caldicott Standards, are more about sharing in the right way than disallowing the sharing of information (see A7). In the words of the Information Commissioner: “The Data Protection Act is not a barrier to sharing information but is in place to ensure that personal information is shared appropriately”

Obviously the Council wants all information exchanges to be as lawful as possible but if you have to take a risk, it should be in the interests of public safety. For example, the Council would prefer to be in Court defending a breach of confidentiality than defending actions you did not take which led to someone’s death or serious injury.

If you are worried about any of these things or would simply like to know more about them, you can look at the DfES Guide and other references as listed in Appendix 1: References or ask the colleagues listed in Appendix 2: Contacts. However, as long as you follow the guidance in this Manual, you can generally be confident that your responsibility to share information is being carried out in the right way – and thereby within the limits of the law.

Appendix 1: References

STATUTORY INSTRUMENTS & GUIDANCE:

Children Act 2004, Sections 10,11 & 12

Section 10 (co-operation and well-being) and Section 11 (arrangements to safeguard and promote welfare) create an implicit duty to share information when judged to be in the best interests of the child. However, these do not alter the way in which consent and confidentiality issues need to be considered and they cannot be relied upon as a defence of breach of confidence.

Section 12 is different in that it makes it a duty to create a child index and share the basic information in it with other relevant agencies. As this is explicit disclosure required by law, it cannot be deemed breach of confidence.

Human Rights Act 1998

The Act provides individuals with a right to privacy. However, this is a qualified right, allowing for interference provided the disclosure is in pursuit of a legitimate aim, in accordance with the law, and necessary in a democratic society

Data Protection Act 1998

Sharing of data in pursuance of Sections 10, 11 and 12 of the Children Act 2004 must comply with this Act and in particular the 8 Data Protection Principles.

In accordance with the fairness element of the First Principle, data subjects must be made aware of any intention to disclose their personal data and the reason for it unless, for example, notifying a service user prior to disclosure could prejudice an ongoing criminal investigation.

In brief, the 8 Principles state that personal data must be:

1. Processed fairly and lawfully;
2. Processed for limited defined purposes;
3. Adequate, relevant and not excessive;
4. Accurate and up-to-date;
5. Kept no longer than necessary for the purposes in 2;
6. Processed in accordance with the data subject’s rights;
7. Kept secure;
8. Transferred only to countries with adequate data protection laws.

Caldicott Standards 1997

While information sharing is encouraged where it is in the best interests of a child or young person, this must be in accordance with the 6 Caldicott Principles.

The emphasis of the 4th Principle on access to personally identifiable information on a strict need-to-know basis essentially means that the amount of information shared, and the number of people with whom it is shared, should be no more than absolutely necessary to meet the duty to protect the health and well-being of the child, young person or other individual concerned.

The 6 Caldicott Principles are:

• Justify the purpose for any use of personally identifiable information;
• Do not use personally identifiable information unless it is absolutely necessary;
• Only use the minimum personally identifiable information necessary;
• Access to personally identifiable information should be on a strict need-to-know basis;
• Everyone handling personally identifiable information should be made aware of their responsibilities;
• Every use of personally identifiable information must comply with the law.

NON-STATUTORY GUIDANCE:

LISA in action: Lambeth Information Sharing and Assessment (2006)

This protocol (agreement) sponsored by the Lambeth Children & Young People’s Strategic Partnership can be accessed at: Lambeth website

Information Sharing: Practitioners’ Guide (DfES 2006)

This Guide was used as the main reference for Section A of this Manual and can be accessed at: Department for Education website/Information Sharing.

Appendix 2: Contacts

CYPS:

Caldicott Guardian Andrew Wyatt, Assistant Director, Multi-Agency Assessment, Family Support and Child Protection Phone: 02079264526 Email: Awyatt@lambeth.gov.uk Ian Goodwin, Information Governance Manager Phone: 0207962341 Email: Igoodwin@lambeth.gov.uk Jason Preece, Head of Policy, Planning and Performance Telephone: 02079268157 Email: jpreece@lambeth.gov.uk

End