Information Sharing and Consent
Effective information-sharing underpins integrated working and is a vital element of both early intervention and safeguarding. Research and experience have shown repeatedly that keeping children safe from harm requires practitioners and others to share information about:
- a child's health and development and any exposure to possible harm
- a parent who may need help, or may not be able to care for a child adequately and safely, and those who may pose a risk of harm to a child.
Practitioners should be proactive in sharing information as early as possible to help identify, assess and respond to risks or concerns about the safety and welfare of children.
This includes when problems first emerge, or where a child is already known to local authority children's social care (e.g. they are being supported as a child in need or have a child protection plan).
Effective joint working can be undermined by poor communication and several Serious Case Reviews have highlighted poor information sharing as a factor.
For this reason Working Together 2013 is absolutely clear that, “Fears about sharing information must not be allowed to stand in the way of the need to promote the welfare, and protect the safety, of children, which must always be the paramount concern.”
The General Data Protection Regulations (GDPR) and the Data Protection Act 2018
The General Data Protection Regulations (GDPR) and the Data Protection Act 2018 supersede the Data Protection Act 1998. Practitioners must have due regard to the relevant data protection principles which allow them to share personal information.
The GDPR and Data Protection Act 2018 place greater significance on the need for organisations to be transparent and accountable in relation to their use of data. All organisations handling personal data must ensure they have comprehensive and proportionate arrangements for collecting, storing, and sharing information in place. This also includes arrangements on informing service users about the information they will collect and how this may be shared.
The GDPR and Data Protection Act 2018 do not prevent, or limit, the sharing of information for the purposes of keeping children and young people safe.
To effectively share information:
All practitioners should be confident of the processing conditions which allow them to store, and share, the information that they need to carry out their safeguarding role. Information which is relevant to safeguarding will often be data which is considered 'special category personal data' meaning it is sensitive and personal
Where practitioners need to share special category personal data, they should be aware that the Data Protection Act 2018 includes 'safeguarding of children and individuals at risk' as one of conditions that allows practitioners to share information with others without consent
Information can be shared legally without consent, if a practitioner is unable to / cannot be reasonably expected to gain consent from the individual, or if to gain consent could place a child at risk
Relevant personal information can also be shared lawfully if it is to keep a child or individual at risk safe from neglect or physical, emotional or mental harm, or if it is protecting their physical, mental, or emotional well-being
Practitioners looking to share information without consent should consider which processing condition in the Data Protection Act 2018 is most appropriate in the particular circumstances of the case. This may be the safeguarding processing condition or another relevant provision.
Confidentiality and Consent
Working Together to Safeguard Children states that:
'…all organisations and agencies should have arrangements in place that set out clearly the processes and the principles for sharing information. The arrangement should cover how information will be shared within their own organisation/agency, and with others who may be involved in a child's life.
...all practitioners should not assume that someone else will pass on information that they think may be critical to keeping a child safe. If a practitioner has concerns about a child's welfare and considers that they may be a child in need or that the child has suffered or is likely to suffer significant harm, then they should share the information with local authority children's social care and/or the police. All practitioners should be particularly alert to the importance of sharing information when a child moves from one local authority into another, due to the risk that knowledge pertinent to keeping a child safe could be lost.
...all practitioners should aim to gain consent to share information, but should be mindful of situations where to do so would place a child at increased risk of harm. Information may be shared without consent if a practitioner has reason to believe that there is good reason to do so, and that the sharing of information will enhance the safeguarding of a child in a timely manner. When decisions are made to share or withhold information, practitioners should record who has been given the information and why.
Consent therefore means the family are fully informed about their information being shared and the services they are being referred to, agree with the referral being made and understand what information will be exchanged and why. It is important to be honest from the outset and to respect the right to privacy of individuals.
Conversations about a worry should usually begin with the family. It is a good way of exploring whether they share the concerns and worries and to assess help that might be needed. If parents or young people understand that you are trying to help and are willing to work with you, they may be open to you making a referral to obtain the help they require, which will need their explicit consent.
When you have concerns about the welfare or development of a child wherever possible, the permission of parents/carers/children/young people (as appropriate to age and understanding) should have been sought before contacting either the Early Help Locality Hubs or Safeguarding Children Hub.
The following questions will help practitioners ensure that consent is obtained:
- Does the person with parental responsibility know that a request for service is being made?
- If ‘Yes’, does the person with parental responsibility consent to the sharing of information for:
members of the family’s network
professionals to be contacted for further information.
- If this referral is based on information from a third party, are they aware that it is being made?
- Does the child or young person know about this referral?
- Does your Line Manager or Safeguarding Lead know about this referral?
- National Guidance on Sharing Information.
There will be rare occasions when it would not be appropriate to inform parents / carers that the services are being contacted about a safeguarding concern; when by doing so the child/young person would be placed at immediate or greater risk of harm. Such an approach is supported by legislation (Children Act 1989, 2004) and the professional guidance from individual agencies. The following chart may help clarify what confidential information is, and if it can be shared:
Key Points on Information Sharing
Explain at the outset, openly and honestly, what and how information will be shared
Always consider the safety and welfare of a child or young person when making decisions on whether to share information about them
Seek consent to share confidential information. You may still share information if, in your judgment, there is sufficient need to override the lack of consent
Seek advice where you are in doubt
Ensure the information is accurate and up to date, necessary, shared only with those people who need to see it, and shared securely
Always record the reasons for your decision – whether it is to share information or not.
Key Principles for Information Sharing
See flow diagram below:
Key Principles for Information Sharing (pdf 137kb)
The General Data Protection Regulation (GDPR) and Data Protection Act 2018
The General Data Protection Regulation (GDPR) and Data Protection Act 2018 are based on existing best practice associated with the Data Protection Act 1998. They ensure personal information is obtained and processed fairly and lawfully; only disclosed in appropriate circumstances; is accurate, relevant and not held longer than necessary; and is kept securely.
They balance the rights of the information subject (the individual whom the information is about) with the need to share information about them.
The GDPR and the Data Protection Act 2018 introduce new elements and provide an opportunity for organisations to review their current data protection and privacy practices. The Data Protection Act 2018 sets out the lawful grounds for processing of special category personal data – including without consent if the circumstances justify it – where it is in the substantial public interest to safeguard children and individuals at risk.
Further details are set out in SCHEDULE 8 Section 35(5) of the Data Protection Act 2018 which states:
4 (1) This condition is met if:
the processing is necessary for the purposes of:
protecting an individual from neglect or physical, mental or emotional harm; or
protecting the physical, mental or emotional well-being of an individual.
the individual is aged under 18; or aged 18 or over and at risk.
Where there is a clear risk of significant harm to a child, or serious harm to adults the decision to share information is clear, as actions must be taken to respond to the disclosure. In other cases, for example, neglect, the indicators may be more subtle and appear over time. In these cases, decisions about what information to share, and when, may be more difficult to judge. Decisions in this area need to be made by, or with the advice of, people with suitable competence in Child Protection work such as named or designated practitioners or senior managers. The information shared should be proportionate.
Caldicott Guardian Principles
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing.
The Seven Caldicott Principles
- Justify the purpose(s) for using confidential information
- Don't use personal confidential data unless it is absolutely necessary
- Use the minimum necessary personal confidential data
- Access to personal confidential data should be on a strict need-to-know basis
- Everyone with access to personal confidential data should be aware of their responsibilities
- Comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality.
The Guardian plays a key role in ensuring that the NHS, Local Authority Social Services Departments and partner organisations satisfy the highest practicable standards for handling patient/client identifiable information.
Concerns about Adults who are in contact with Children
Practitioners should also be alert to sharing important information about any adults with whom that child has contact, which may impact on the child's safety or welfare.
Those providing services to adults and children, for example GPs, may be concerned about the need to balance their duties to protect children from harm and their general duty of care towards their patient or service user, e.g. a parent. Some practitioners and staff face the added dimension of being involved in caring for or supporting more than one family member - the abused child, siblings, and an alleged abuser. However, the Children Act 1989 makes clear where there are concerns that a child is, or may be, at risk of significant harm, the overriding consideration is to safeguard the child (The Children Act 1989).
Section 115 of the Crime and Disorder Act 1998
Section 115 of the Crime and Disorder Act 1998 establishes the power to disclose information is central to the Act's partnership approach. The Police have an important general power under common law to disclose information for the prevention, detection and reduction of crime. However, some other public bodies that collect information may not previously have had power to disclose it to the Police and others. This section puts beyond doubt the power of any organisation to disclose information to Police authorities, local authorities, Probation Service, Health Authorities, or to persons acting on their behalf, so long as such disclosure is necessary or expedient for the purposes of crime prevention. These bodies also have the power to use this information.
Part 3 of the Data Protection Act 2018 covers the processing of personal data for 'law enforcement purposes'. It covers processing for the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security.
The Domestic Violence Disclosure Scheme
The Domestic Violence Disclosure Scheme (DVDS) gives members of the public a formal mechanism to make enquires about an individual who they are in a relationship with, or who is in a relationship with someone they know, where there is a concern that the individual may be violent towards their partner. This scheme adds a further dimension to the information sharing about children where there are concerns that domestic violence and abuse is impacting on the care and welfare of children within the family.
Members of the public can make an application for a disclosure, known as the 'right to ask'. Anybody can make an enquiry, but information will only be given to someone at risk or a person in a position to safeguard the victim. The scheme is for anyone in an intimate relationship regardless of gender.
Partner agencies can also request disclosure is made of an offender's past history where it is believed someone is at risk of harm. This is known as 'right to know'.
If a potentially violent individual is identified as having convictions for violent offences, or information is held about their behaviour which reasonably leads the police and other agencies to believe they pose a risk of harm to their partner, a disclosure will be made.
Article 8 in the European Convention on Human Rights states that:
everyone has the right to respect for their private and family life, home and correspondence:
there shall be no interference by a public authority with the exercise of this right except such as in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of rights and freedoms of others.
Child Sex Offender Disclosure Scheme
The Child Sex Offender Review (CSOR) Disclosure Scheme is designed to provide members of the public with a formal mechanism to ask for disclosure about people they are concerned about, who have unsupervised access to children and may therefore pose a risk. This scheme builds on existing, well established third-party disclosures that operate under the Multi-Agency Public Protection Arrangements (MAPPA).
Police will reveal details confidentially to the person most able to protect the child (usually parents, carers or guardians) if they think it is in the child's interests.
The scheme is managed by the Police and information can only be accessed through direct application to them.
If a disclosure is made, the information must be kept confidential and only used to keep the child in question safe. Legal action may be taken if confidentiality is breached. A disclosure is delivered in person (as opposed to in writing) with the following warning:
'That the information must only be used for the purpose for which it has been shared i.e. in order to safeguard children.'
The person to whom the disclosure is made will be asked to sign an undertaking that they agree that the information is confidential and they will not disclose this information further;
A warning should be given that legal proceedings could result if this confidentiality is breached. This should be explained to the person and they must sign the undertaking'. See GOV.UK - Child sex offender disclosure scheme guidance (link below)
If the person is unwilling to sign the undertaking, the police must consider whether the disclosure should still take place.
The Seven Golden Rules for Information Sharing
- Remember that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately.
- Be open and honest with the person (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
- Seek advice if you are in any doubt, without disclosing the identity of the person where possible.
- Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgement on the facts of the case.
- Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the person and others who may be affected by their actions.
- Necessary, proportionate, relevant, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those people who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.
- Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record.
Information Sharing: Advice for Practitioners Providing Safeguarding Services to Children, Young People, Parents and Carers (external website)
Child Sex Offender Disclosure Scheme Guidance (external website)
The Information Commissioner's Office (ICO) (external website)
Practice Guidance on Sharing Adult Safeguarding Information (external website)