increase in joint working means more information-sharing between agencies
concerning personal details of service users. To ensure all parties are
comfortable with this, professionals need to be fully aware of data protection
protocols, writes Natalie Valios.
much information about clients should professionals from different agencies be
sharing? The boundary between effective, safe practice in, say, child
protection or mental health, and a breach of confidence or even an infringement
of human rights is far from clear. Legislation offers a framework, but the
decision about which details do and do not need to be passed on is still very
much a matter of professional judgement.
Some organisations representing users of
health and social care services fear that sensitive personal information is
being shared inappropriately, particularly with the government drive for
multi-agency working. Mental health service users and those who have been in
the psychiatric system are particularly concerned, says Simon Foster, principal
solicitor at mental health charity Mind.
The worry is that multi-agency working means
that medical information is being routinely shared with social services and
then housing officers or police when it has no bearing on the matter in hand, he
"They have a great fear that their
information is being shared excessively and inappropriately. Most feel terribly
anxious that the world at large shouldn’t know about their mental health
problems unless they want them to," says Foster.
Foster says that one common example is when
someone has disclosed childhood abuse or a teenage pregnancy to his or her GP.
Even if it has a direct bearing on the difficulties they are experiencing now,
it is "deeply inappropriate" for those not working with them in a
medical or therapeutic way to know, says Foster.
"Unfortunately we hear about hundreds of
examples of people saying that information has been shared
Joint working, information-sharing and
confidentiality are tricky areas, agrees Michael Hake, social services director
at Solihull. Hake sat on the advisory group for the social services guidance
around data protection. "There is always a fear that information will be
shared inappropriately, but if everyone is working to the Caldicott standards
then there shouldn’t be a problem."
The Caldicott report contained guidelines for
health authorities on the release of confidential information in which the
patient concerned was identifiable. Health authorities had to appoint a
Caldicott guardian responsible for information-sharing and data protection
arrangements. In April this year, this was extended to cover social services
departments.1 The Data Protection Act 1998 is the governing
legislation for the Caldicott report.2 The Caldicott principles
state that health authorities must have a valid reason for sharing information
and should only use personal identifying information where absolutely
Hake recognises that members of the public
are nervous about health information being transferred to social services, but
thinks part of the reason lies in the misunderstanding over what social workers
do. "The key thing is consent and understanding. In many cases a lot of
people only tacitly know that we kept a file [on them]."
Reasons for keeping identifiable records must
be justified and they should only be transferred when it is necessary to secure
a person’s welfare, he adds. For example, an older person in hospital might not
be keen on information-sharing between agencies. But as well as knowing the
total number of delayed discharges, health and social services need to know the
accompanying patient details to learn why patients couldn’t be moved out of
And, as Hake points out, in direct contrast
to fears about data-sharing, tragedies in the past, particularly in cases
involving child protection or mental illness, have occurred because of
ineffective sharing of information between agencies.
Indeed, during the seminar on identification
held during the second phase of the Victoria Climbi‚ Inquiry, professionals
from different disciplines agreed that fear of litigation prevented them from
sharing and pooling as much information about vulnerable children as they would
like. As well as the Data Protection Act, professionals must be aware of
article 8 of the European Convention of Human Rights, on the right to privacy.
So, for example, permission should generally be sought before discussing a
referral about a child or family with other agencies, unless this would put the
child at risk. And the worker responsible for the child protection register
must use this information in a way that is consistent with the Data Protection
Act. Information should only be shared without consent if there are grounds for
concern about actual or likely significant harm or the prevention of a crime.
Hake says: "There are very clear
information-sharing protocols. I would argue that there would be very few
people who would say ‘hang on, we’re not sure about that’. They all want us to
share and co-ordinate information to protect children."
Shelagh Gaskill, a partner at Mason’s
Solicitors, London, who specialises in public sector law has found that social
workers don’t explain to clients why they need the information or what they are
doing with it. He says:"There isn’t a very high level of trust in this
country from the public to public bodies because people are not being treated
as autonomous individuals capable of making their own decisions."
Mind’s solicitor Simon Foster agrees.
"We aren’t opposed to appropriate sharing of information around care and
treatment, but we are very concerned about inappropriate and excessive sharing
which violates a person’s privacy. It’s my basic right that if I don’t want
somebody to know something, even if it is believed to harm my own interests, I
am entitled to keep it private."
Cambridgeshire Council believes it has found
a workable solution to the information-sharing dilemma. It has recently signed
a protocol on information-sharing arrangements with health agencies in the
authority. These agreed procedures will make professionals’ lives a lot easier,
says Paul Ainsworth, the council’s communications and customer relations
manager, and another member of the advisory group.
The Data Protection Act provides important
safeguards particularly for the public, but it can become a bureaucratic
nightmare, says Ainsworth. The protocol means that sensitive information about
a person can be shared between those signed up to it as long as there is an
assurance that it will be kept within those walls and confidential, says
Ainsworth. So, as the housing department is not yet signed up to the protocol,
if someone from housing requested sensitive information on a social services
client, the department would ask the person in question’s permission before
releasing this information.
"Every time, we look at what information
we have and what would be useful for partners to have while working together to
provide the best possible care for the person concerned," says Ainsworth.
"If you didn’t have this in place then the instances in which you would
need to seek consent from the person would be legion because you couldn’t guarantee
that that information would be secure." Potentially there are
difficulties, but these can be removed if some thought is given to installing
arrangements to ensure that the Caldicott principles are obeyed, he adds.
Hake agrees: "Data protection should not
be used as a barrier or seen as a barrier to joint working. If used
appropriately it enables joint working to proceed on a lawful basis consistent
with the welfare of the people you are trying to help."
1 DoH, The Role and Responsibilities of Caldicott Guardians in Social
Care, DoH, 2001
2 Department of Health, Data Protection Act 1998: Guidance to Social
Services, DoH, 2000
Data protection principles
Fairly and lawfully processed.
Processed for specified and limited purposes.
Adequate, relevant and not excessive.
Accurate and where necessary kept up to date.
Not kept longer than necessary.
Processed in accordance with the data subject’s rights under the act.
Not transferred to countries outside the European Economic Area (the EU plus
Liechtenstein, Norway and Iceland) without adequate protection.