News

The increase in joint working means more information-sharing between agencies concerning personal details of service users. To ensure all parties are comfortable with this, professionals need to be fully aware of data protection protocols, writes Natalie Valios.

How much information about clients should professionals from different agencies be sharing? The boundary between effective, safe practice in, say, child protection or mental health, and a breach of confidence or even an infringement of human rights is far from clear. Legislation offers a framework, but the decision about which details do and do not need to be passed on is still very much a matter of professional judgement.

Some organisations representing users of health and social care services fear that sensitive personal information is being shared inappropriately, particularly with the government drive for multi-agency working. Mental health service users and those who have been in the psychiatric system are particularly concerned, says Simon Foster, principal solicitor at mental health charity Mind.

The worry is that multi-agency working means that medical information is being routinely shared with social services and then housing officers or police when it has no bearing on the matter in hand, he says.

"They have a great fear that their information is being shared excessively and inappropriately. Most feel terribly anxious that the world at large shouldn't know about their mental health problems unless they want them to," says Foster.

Foster says that one common example is when someone has disclosed childhood abuse or a teenage pregnancy to his or her GP. Even if it has a direct bearing on the difficulties they are experiencing now, it is "deeply inappropriate" for those not working with them in a medical or therapeutic way to know, says Foster.

"Unfortunately we hear about hundreds of examples of people saying that information has been shared inappropriately."

Joint working, information-sharing and confidentiality are tricky areas, agrees Michael Hake, social services director at Solihull. Hake sat on the advisory group for the social services guidance around data protection. "There is always a fear that information will be shared inappropriately, but if everyone is working to the Caldicott standards then there shouldn't be a problem."

The Caldicott report contained guidelines for health authorities on the release of confidential information in which the patient concerned was identifiable. Health authorities had to appoint a Caldicott guardian responsible for information-sharing and data protection arrangements. In April this year, this was extended to cover social services departments.¹ The Data Protection Act 1998 is the governing legislation for the Caldicott report.² The Caldicott principles state that health authorities must have a valid reason for sharing information and should only use personal identifying information where absolutely necessary.

Hake recognises that members of the public are nervous about health information being transferred to social services, but thinks part of the reason lies in the misunderstanding over what social workers do. "The key thing is consent and understanding. In many cases a lot of people only tacitly know that we kept a file [on them]."

Reasons for keeping identifiable records must be justified and they should only be transferred when it is necessary to secure a person's welfare, he adds. For example, an older person in hospital might not be keen on information-sharing between agencies. But as well as knowing the total number of delayed discharges, health and social services need to know the accompanying patient details to learn why patients couldn't be moved out of hospital sooner.

And, as Hake points out, in direct contrast to fears about data-sharing, tragedies in the past, particularly in cases involving child protection or mental illness, have occurred because of ineffective sharing of information between agencies.

Indeed, during the seminar on identification held during the second phase of the Victoria Climbi‚ Inquiry, professionals from different disciplines agreed that fear of litigation prevented them from sharing and pooling as much information about vulnerable children as they would like. As well as the Data Protection Act, professionals must be aware of article 8 of the European Convention of Human Rights, on the right to privacy. So, for example, permission should generally be sought before discussing a referral about a child or family with other agencies, unless this would put the child at risk. And the worker responsible for the child protection register must use this information in a way that is consistent with the Data Protection Act. Information should only be shared without consent if there are grounds for concern about actual or likely significant harm or the prevention of a crime.

Hake says: "There are very clear information-sharing protocols. I would argue that there would be very few people who would say 'hang on, we're not sure about that'. They all want us to share and co-ordinate information to protect children."

Shelagh Gaskill, a partner at Mason's Solicitors, London, who specialises in public sector law has found that social workers don't explain to clients why they need the information or what they are doing with it. He says:"There isn't a very high level of trust in this country from the public to public bodies because people are not being treated as autonomous individuals capable of making their own decisions."

Mind's solicitor Simon Foster agrees. "We aren't opposed to appropriate sharing of information around care and treatment, but we are very concerned about inappropriate and excessive sharing which violates a person's privacy. It's my basic right that if I don't want somebody to know something, even if it is believed to harm my own interests, I am entitled to keep it private."

Cambridgeshire Council believes it has found a workable solution to the information-sharing dilemma. It has recently signed a protocol on information-sharing arrangements with health agencies in the authority. These agreed procedures will make professionals' lives a lot easier, says Paul Ainsworth, the council's communications and customer relations manager, and another member of the advisory group.

The Data Protection Act provides important safeguards particularly for the public, but it can become a bureaucratic nightmare, says Ainsworth. The protocol means that sensitive information about a person can be shared between those signed up to it as long as there is an assurance that it will be kept within those walls and confidential, says Ainsworth. So, as the housing department is not yet signed up to the protocol, if someone from housing requested sensitive information on a social services client, the department would ask the person in question's permission before releasing this information.

"Every time, we look at what information we have and what would be useful for partners to have while working together to provide the best possible care for the person concerned," says Ainsworth. "If you didn't have this in place then the instances in which you would need to seek consent from the person would be legion because you couldn't guarantee that that information would be secure." Potentially there are difficulties, but these can be removed if some thought is given to installing arrangements to ensure that the Caldicott principles are obeyed, he adds.

Hake agrees: "Data protection should not be used as a barrier or seen as a barrier to joint working. If used appropriately it enables joint working to proceed on a lawful basis consistent with the welfare of the people you are trying to help."

¹ DoH, The Role and Responsibilities of Caldicott Guardians in Social Care, DoH, 2001

² Department of Health, Data Protection Act 1998: Guidance to Social Services, DoH, 2000

- For information on the Data Protection Act go to www.doh.gov.uk/ipu or www.dataprotection.gov.uk

Data protection principles

Data should be:

- Fairly and lawfully processed.

- Processed for specified and limited purposes.

- Adequate, relevant and not excessive.

- Accurate and where necessary kept up to date.

- Not kept longer than necessary.

- Processed in accordance with the data subject's rights under the act.

- Secure.

- Not transferred to countries outside the European Economic Area (the EU plus Liechtenstein, Norway and Iceland) without adequate protection.