Information Governance – resources for all

The fundamentals
Always explain openly and honestly what information you will share, with whom and why – the only time you should not do this is if it will leave someone at risk of significant harm.

You should respect the wishes of family members if they do not want information shared – unless someone will be placed at risk of significant harm if you do not share the information.

If in doubt, speak to your manager; or have a general discussion with social care services – one where you do not necessarily share the name of the person or family.

Make sure that the information that you are sharing is accurate, up-to-date, necessary for the purpose for which you are sharing it and only shared with those who need to know it. Having decided to share information you need not tell everyone everything.

Information should always be shared securely.

You should always record the reason for your decision; whether you shared the information or not.

The importance of proportionality
The word proportionality is rather jargonistic but it explains a very helpful concept. It accepts that the decision about sharing information is not a simple ‘yes’ or ‘no’ decision but depends upon a number of factors such as:

• How at risk is the child, young person or adult?
• Is the risk imminent?
• How much safer will they be if the information is shared?
• Will the relationship between practitioners and the family be so damaged by sharing information against their wishes that it may be better to not share?
• Does the information need to be shared now? Could it wait until the family have changed their mind about agreement?

Sometimes you may not be able to answer these questions – in this case it is best to contact one professional and share information with them. Following a discussion you may be clearer about what to do. If not, contact one further professional.

Consent
Consent must be informed – which means that the person who has given consent understands:

• what will happen to the information?
• who will be told what?
• who they will then tell?
• why people are being told the information.

Communication
Although there is a lot of guidance about sharing information there is very little about communication – the process by which information is shared. The following tips from the archived Common Core of Skills and Knowledge) are very helpful:

• communicate effectively with other practitioners by listening and ensuring that you are being listened to
• appreciate that others may not have the same understanding of professional terms and may interpret abbreviations or acronyms differently
• be able to use clear language to communicate information unambiguously to others
• listen carefully to what is said and check understanding
• know that inference or interpretation can result in a difference between what is said and what is understood.

Effective information sharing underpins integrated working and is a vital element of both early intervention and safeguarding; however it needs to be done in a careful and considered way.

GDPR requirements came into being in May 2018 and relate to how organisations collect, store and use information.

Under the General Data Protection Regulation (GDPR) all businesses must obtain customers’ consent to collect, store and use their personal data.

Organisations also face more checks on how they protect and maintain data, both in digital and paper formats.

Informed customer consent is the key theme of GDPR – this makes it easier for everyone to withdraw consent for business use of their personal data; ask for it to move to another service provider; or to be erased.

‘Personal data’ can include email addresses, internet protocol (IP) addresses, telephone numbers, bank account details, health records, economic or social information. This type of information could be stored in emails, spreadsheets, databases, invoices or contact lists. GDPR is also designed to allow parents and guardians to give consent for their children’s data to be used.

Consent for organisations to collect, store and use personal data is vital under GDPR.  Consent must be given freely and must be specific, informed and unambiguous. It cannot be assumed to have consent, even if a relationship with a contact is good and long-standing.

Another key requirement under GDPR is for organisations to keep detailed records of their data processing methods for potential inspection – failing to do so could result in a heavy fine.

The MSP will maintain and review personal data, delete any unneeded data, act promptly on data-related requests and report any cyber-attacks to the Information Commissioners Office.

The most up-to-date advice regarding GDPR is available from the ICO website at ico.org.uk.

Practitioners, particularly in the public sector, should always seek advise from their IG lead.

GDPR in the workplace
We should not confuse GDPR requirements on consent and personal data with other individual privacy laws or corporate PR guidelines.

The common use of employees’ names, work contact details and workplace photographs on employer-business websites, marketing material, news and social media is not a GDPR issue. This is not the use of ‘personal data’ that GDPR focuses on.

Employees cannot object to their employer’s reasonable use of workplace information for legitimate business purposes under GDPR or privacy laws.

Under privacy law, people’s rights to individual privacy are highest in private, domestic locations such as family homes and gardens. At work, employees have lesser rights to privacy, so they can be asked to appear in marketing activities linked to the workplace or employer’s needs. This includes business-related PR, photography, social media and marketing activities.

It is obviously good practice to gain employees’ approval for such activities but this is not the commercial harvesting and use of ‘personal data’ that GDPR focuses on.

Similarly, GDPR’s emphasis on consent to use customers’ personal data is different to the consent needed when one business wishes to publicly link itself to another business or brand for PR purposes. This is known as ‘association’ and approval for any publicity should be obtained from the second business or brand.

Social media channels deal with consent and privacy issues in their terms and conditions – they too are subject to GDPR laws for users in the UK and Europe.

The most up-to-date advice regarding GDPR is available from the ICO website at ico.org.uk.

To safeguard children and young people from harm it is important that we share information about them to make referrals, undertake assessments and provide multi-disciplinary services.

We must be careful to protect rights to privacy and only share information with consent or, if it is not possible or appropriate to get consent, to share without consent to protect someone.

The MSP has adopted the GMSP procedures which can be found on the website greatermanchesterscb.proceduresonline.com and these are supported by the MSCB consent policy.

For more guidance see our consent policy for children & young people resource.

Always seek advice from the designated lead for your organisation.

The NSPCC have produced a useful guide which can be found on their website at learning.nspcc.org.uk/child-protection-records-retention-storage-guidance

The Independent Inquiry into Child Sexual Abuse
In March 2015 the Home Secretary established a statutory inquiry under the 2005 Inquiries Act with the aim of conducting an overarching national review of the extent to which institutions in England and Wales have discharged their duty of care to protect children against sexual abuse.

The Inquiry is independent of government and a wide range of public institutions are being investigated including local authorities, the police, the armed forces, schools, hospitals, children’s homes, churches, and charities.

In July 2015 Justice Goddard wrote to every Chief Executive of a Local Authority in England and Wales, requesting that the organisation :

‘Retain any and all documents; correspondence; notes; emails and all other information (however held) which contain or may contain content pertaining directly or indirectly to the sexual abuse of children or to child protection and care.

For the purposes of this appendix, the word “children” relates to any person under the age of 18.’

Agencies must not destroy, and must make available for inspection, all reports, reviews, briefings, minutes, notes and correspondence in relation to:

• allegations (substantiated or not) of individuals, organisations, institutions, public bodies or otherwise who may have been involved in, or have knowledge of, child sexual abuse, or child sexual exploitation
• allegations (substantiated or not) of individuals having engaged in sexual activity with, or having a sexual interest in, children
• institutional failures to protect children from sexual abuse or other exploitation
• statutory responsibilities for the care of children in public or private care
• the development of policy on child protection
• the development of legislation on child protection
• the determination of the award of Honours to persons who are now demonstrated to have had a sexual interest in children or are suspected of having had such an interest.

All of these document types, in whatever format, must be “retained pending further requests from the Inquiry”.

Although agencies may have their own records retention schedules for the destruction dates of files, the instructions received by the Inquiry constitute a legal hold as defined by the code of practice issued under Section 46 of the Freedom of Information Act. As such all records that fall within the above categories are retained, and not destroyed, until directed otherwise.

For advice on whether records can be destroyed or are covered by the Inquiry retention hold, consult the designated lead for your organisation.

1. Remember that the Data Protection Act 1998 and human rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.
2. Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
3. Seek advice from other practitioners if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.
4. Share with informed consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgment, there is good reason to do so, such as where safety may be at risk. You will need to base your judgment on the facts of the case. When you are sharing or requesting personal information from someone, be certain of the basis upon which you are doing so. Where you have consent, be mindful that an individual might not expect information to be shared.
5. Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.
6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.
7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

(from Information sharing advice for safeguarding practitioners: DfE March 2015)

The Caldicott Report set out a number of general principles that health and social care organisations should use when reviewing its use of client information:

Principle 1: Justify the purpose(s)
Every proposed use or transfer of personally identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by the appropriate guardian.

Principle 2: Do not use personally identifiable information unless it is absolutely necessary.
Personally identifiable information items should not be used unless there is no alternative.

Principle 3: Use the minimum personally identifiable information.
Where the use of personally identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

Principle 4: Access to personally identifiable information should be on a strict need to know basis.
Only those individuals who need access to personally identifiable information should have access to it.

Principle 5: Everyone should be aware of their responsibilities.
Action should be taken to ensure that those handling personally identifiable information are aware of their responsibilities and obligations to respect patient/client confidentiality.

Principle 6: Understand and comply with the law.
Every use of personally identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.

Information sharing advice for safeguarding practitioners is the government guidance on information sharing for people who provide safeguarding services to children, young people, parents and carers – the guidance can be found on the government website at www.gov.uk/safeguarding-practitioners-information-sharing-advice

The Data Protection Act provides the framework for processing and sharing of personal information. Remember  it should not be considered a barrier to the sharing of confidential information, but it sets out the conditions and circumstances in which sharing of information should be considered; as well as how to ensure that information is shared safely and securely. Find the Act on the website www.legislation.gov.uk or  www.gov.uk/data-protection

The following  definitions may help in understanding the language of the Act:

• Data processing: applies to anything at all done to personal data, including collection, use, disclosure (sharing), destruction and merely holding data.
• Data controller: organisations processing personal data.
• Data subject: the individual service user about whom personal data is held and used.

The Data Protection Act provides eight guiding principles – they apply to information about a living person, where that person could be identified from that information. As such, they do not apply to anonymised information, but care needs to be taken with information covering small areas or groups, where individuals could still be identified.

Principles of the Data Protection Act 1998
The eight guiding principles of the data protection act are:

1. Fair and lawful – personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless certain conditions are met. Also the processing must adhere to the fair processing code.
2. Use for specified purposes –  personal data shall be obtained only for one or more specified purposes, and shall not be further processed in any manner incompatible with that purpose or purposes.
3. Adequate, relevant and not excessive – personal data shall be adequate, relevant and not excessive in relation to the purpose.
4. Accurate and up to date – personal data shall be accurate and, where necessary, kept up to date.
5. Don’t keep longer than necessary – personal data processed for any purpose or purposes shall not be kept longer than is necessary for that purpose or those purposes.
6. Rights given under the act – personal data shall be processed in accordance with the rights of the data subject under the act.
7. Security – appropriate and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
8. Disclosure outside Europe – personal data shall not be transferred to a country or territory outside the European Economic area, unless that country or territory ensures an adequate level of protection.

Data Controller
Information about data controllers can be found on the ICO website at ico.org.uk

The MSP and MSAB have chosen to register as Data Controllers with the Information Commissioner in the interests of openness and transparency (although it is accepted that that not all LSABs or LSPs do and they may be exempt from the need to).

Personal information held by Manchester City Council
For advice about how to access personal information held by Manchester City Council visit their website at www.manchester.gov.uk/data_protection

The Manchester Safeguarding Adults Board (MSAB) and the Manchester Safeguarding Partnership (MSP) are not a ‘public authority’ and are therefore not subject to requests made under the Freedom of Information Act 2000.

This status includes any information, documentation, photographic images, including those stored electronically, which is owned by the MSAB or MSP.

A Freedom of Information (FoI) request may be made directly to partner agencies of the MSAB or MSP and should be managed according to that agency’s Freedom of Information Policy. However, if such a request concerns the business or information relating to the MSAB or MSP then this information will not be disclosed by an individual member agency.

Freedom of Information Act 2000
The Independent Commission on Freedom of Information (FoI) can be found on the government website at www.gov.uk/independent-commission-on-freedom-of-information

Information about how to make a FoI request can be found on the website at www.gov.uk/make-a-freedom-of-information-request

The Freedom of Information Act provides clear statutory rights for those requesting information together with a strong enforcement regime. Under the terms of the Act, any member of the public will be able to apply for access to information held by bodies across the public sector.

The FoI Act can be found at www.legislation.gov.uk

The legislation will apply to a wide range of public authorities, including local authorities, health trusts, doctors’ surgeries, publicly funded museums and thousands of other organisations.

The main features of the Act are:

• a general right of access to information held by public authorities in the course of carrying out their public functions, subject to certain conditions and exemptions
• in most cases where information is exempted from disclosure there is a duty on public authorities to state where they believe the public interest in disclosure outweighs the public interest in maintaining the exemption in question
• an office of Information Commissioner and a Information Tribunal, with wide powers to enforce the rights created
• a duty imposed on public authorities to adopt a scheme for the publication of information. The schemes, which must be approved by the Commissioner, will specify the classes of information the authority intends to publish, the manner of publication and whether the information is available to the public free of charge or on payment of a fee.

Information held by Manchester City Council
For advice about how to access personal information held by Manchester City Council visit their website at www.manchester.gov.uk/data_protection

SCIE
This SCIE guide is part of a range of products to support implementation of the adult safeguarding aspects of the Care Act 2014. Sharing the right information, at the right time, with the right people, is fundamental to good practice in safeguarding adults but has been highlighted as a difficult area of practice. Updated in January 2019, the guide can be found at www.scie.org.uk/sharing-information

NSPCC
The NSPCC have lots of advice for practitioners about what to do if a child speaks about abuse on their website at  www.nspcc.org.uk/what-to-do-child-speaks-out-about-abuse

Centre of Excellence for Information Sharing
The Centre of Excellence for Information Sharing website hosts published resources produced over their four year programme to support the public sector in overcoming information sharing challenges.

Information sharing is crucial to the success of public service transformation, but capacity or cultural issues can often obstruct lasting change – work focuses on challenging these barriers to ensure improved outcomes for public service users.

For more information visit their website at informationsharing.org.uk

NHS Digital (previously HSCIC)
NHS Digital provides national information, data and IT systems for health and care services and offers guidance on looking after information well according to the principles of good information governance.

For more information visit the NHS Digital website at digital.nhs.uk

There are legal requirements surrounding information sharing that must be considered and complied with to ensure an individual’s rights are respected. Organisations should put in place standards and procedures to ensure they do not breach these legal requirements.

The main pieces of legislation governing an individual’s rights in respect of information sharing are:

• The Data Protection Act 1998
• The Freedom of Information Act 2000
• The Human Rights Act 1998
• The Adoption Act 1976
• The Mental Health Act 1983
• The Service users Access to Records Act 1987 & Regulations 1989
• The Copyright Designs and Patents Act 1988
• The Children Act 1989
• The Children Act 2004
• The Computer Misuse Act 1990
• The NHS & Community Care Act 1990
• The Access to Health Records Act 1990
• The Carers (Recognition & Service) Act 1995
• The Crime & Disorder Act 1998
• The Health Act 1999 (section 31)
• The Regulation of Investigatory Powers Act 2000
• The Health and Social Care Act 2001 (Section 60)
• The Learning and Skills Act (2001)
• The NHS confidentiality code of practice.

This section is provided as a general guide. More detailed guidance should be sought from designated officers such as the Data Protection Officer, Information governance leads, Caldicott Guardian or legal advisors.

In alphabetical order:
Common Law Duty of Confidentiality
The Common Law Duty of Confidentiality requires that unless there is a statutory requirement to use information that has been provided in confidence, it should only be used for purposes that the subject has been informed about and consented to. In certain circumstances, this also applies to the deceased. The duty is not absolute but should only be overridden if the holder of the information can justify disclosure as being in the public interest i.e. to protect others from harm.

Crime and Disorder Act 1998
The Act is concerned with measures to reduce crime and disorder and includes the introduction of local crime partnerships to formulate and implement strategies for reducing crime and disorder in each local authority area.

Section 115 of the Act provides that any person has the power to lawfully disclose information to the police, local authorities, probation service or health authorities (where they would not otherwise have the power). Guidance from the Information Commissioner suggests that this power can be used to support anti-crime initiatives by these agencies generally and not just for the purposes of obtaining one or more of the various orders specified in the Act.

Under Section 17 each police authority and local authority is required to exercise its functions with due regard to the need to do all it reasonably can to prevent crime and disorder in its area.

Criminal Procedures and Investigations Act 1996
This Act requires the police to record in durable form any information that is relevant to an investigation. The information must be disclosed to the Crown Prosecution Service (CPS), who must in turn disclose it to the defence at the relevant time if it might undermine the prosecution case.

In cases where the information is deemed to be of a sensitive nature then the CPS can apply to a judge or magistrate for a ruling as to whether it should be disclosed.

Health and Social Care Act 2001 (Section 60)
Section 60 of the Act provides a power to ensure that patient-identifiable information needed to support essential NHS activity can be used without the consent of patients. The power can only be used to support medical purposes that are in the interests of patients or the wider public where consent is not a practical alternative and where anonymised information will not suffice. It is intended largely as a transitional measure whilst consent or anonymisation procedures are developed which is reinforced by the need to review each use of the power annually.

The reason for this provision is mainly in relation to the carrying out of large-scale research projects which may involve tens of thousands of patients where contact would be impracticable.

The essential nature of such research is put forward as the justification for the “public good” outweighing issues relating to privacy and confidentiality. (Note that as of February 2002 the regulations which are needed to give effect to Section 60 have not yet been passed.)

Human Rights Act 1998
Article 8.1 of the Act provides that “everyone has the right to respect for his private and family life, his home and his correspondence.” European case law shows that storing or using “private” information, or disclosing this information for a purpose other than the purpose for which it was originally obtained will all constitute an interference with these rights. This is however, a qualified right i.e. there are specified grounds upon which it may be legitimate for authorities to infringe or limit those rights. Article 8.2 defines the grounds as follows:

• In the interests of national security, public safety, or the economic well-being of the country
• For the prevention of disorder or crime
• For the protection of health or morals
• For the protection of the rights and freedoms of others.

In addition to identifying one of these grounds, a public body would also have to show: “proportionality” i.e. that it had tried to strike a fair balance between the individual’s rights and the permitted ground for interference it was seeking to rely on. In the event of a claim that an organisation has acted in a way which is incompatible with the Act, the key factors that will be considered will include:

• Whether the organisation can show that it has taken the rights under the Act into account in reaching its decision
• That it considered whether any breach may result, directly or indirectly, from its action
• If there was the possibility of a breach, whether the particular rights which might be breached were absolute rights or qualified rights
• Whether one of the permitted grounds for interference could be relied upon
• Whether there was proportionality.

The Act also requires public bodies to read and give effect to other legislation in a way which is compatible with these rights and makes it unlawful to act incompatibly with them. As a result these rights still need to be considered, even where there are special statutory powers to share information.

Regulation of Investigatory Powers Act 2000
This legislation ensures that investigatory powers are used in accordance with human rights.

Statutory restrictions on passing on information
There are statutory restrictions on passing on certain types of information:

• The NHS (Venereal Diseases) Regulations 1974 and NHS Trusts (Venereal Diseases) Regulations 1991 prevent the disclosure of any identifying information about a patient with a venereal disease other than to a medical practitioner under specified circumstances.
• The Human Fertilisation and Embryology Act 1990 (as amended) limits the circumstances in which information may be disclosed by centres licensed under the Act.
• The Abortion Regulations 1991 limit and define the circumstances in which information submitted under the Act may be disclosed.

If it seems likely that information to be shared falls into one of these categories further advice should be sought.

The ICO (Information Commissioners Office) is the independent body set up to uphold information rights in the UK.  A wealth of information for the public, practitioners and organisations can be found on their website at www.ico.org.uk.

Guidance for the public can also be found on the ICO website at ico.org.uk.