Skip to main content

Providing Information about a Person or Carer

1. Maintaining Confidentiality and Protecting Information

1.1 Maintaining confidentiality

The Local Authority has a duty to safeguard the confidentiality of personal information.

This duty arises in two ways:

  1. A statutory duty to store and process data in accordance with the Data Protection Act 2018;
  2. A duty under the common law to keep confidential any information which has been provided in confidence.

As an employee of the Local Authority, you are contractually bound to respect the confidentiality of any information that you may come into contact with.

Unless there is an imminent risk of harm, such information should not be divulged or passed to any person or organisation in any form unless you have authorisation to do so.

All information sharing that takes place must be in line with data protection legislation (namely the Data Protection Act 2018 and the UK General Data Protection Regulation (UK GDPR) and local policy.

The Caldicott Principles must also be considered. The Caldicott Principles are a set of principles that apply to the use of confidential information within health and social care organisations and when such information is shared with other organisations and between individuals, both for individual care and for other purposes. For further information, see: The Caldicott Principles.

The unauthorised disclosure of confidential information may result in disciplinary action or civil liability under the Data Protection Act 2018, and knowing or reckless breaches may lead to criminal prosecution.

Need to know
The Data Protection Act 2018 and UK GDPR do not prevent the sharing of information when necessary and proportionate to do so, to safeguard vulnerable adults and children. See: Section 7, Requests for Information Relating to Safeguarding.

1.2 Protecting information

You should take necessary steps to protect the information that you hold and have access to. For example:

  1. You should ensure that nobody else has access to your electronic information systems (e-mail and IT system);
  2. You should send electronic communication containing confidential information by secure channels (having verified the detail of the recipient);
  3. You should keep records made by hand in a secure place (e.g. notebooks);
  4. You should only discuss the information with people and in environments that are appropriate.

2. Rights of Access to Information about a Data Subject

2.1 The rights of the data subject

Under the Data Protection Act 2018, any individual that the Local Authority holds information about (the ‘data subject’) is legally entitled to access the information held about them (known legally as the right of access). This includes both paper/hard copy information and information held electronically.

The right of access may only be withheld where one of the exemptions set out in Data Protection Act 2018 applies. See: Section 3, Exemptions to the Provision of Information.

Need to know

The right of access under the Data Protection Act 2018 is in addition to the information and documents that should be shared with the data subject as part of good social work practice. See: Section 4, Information that Should Always be Shared with the Data Subject.

2.2 If the person lacks capacity

If a data subject who lacks capacity to make a request for information has an Attorney or Deputy appointed by the Court of Protection, the Attorney or Deputy may make a request if they consider it to be in the person’s best interests. In such circumstances, the request should be treated as if it had been made by the data subject themself.

2.3 Carer's access to information about the cared for person

A carer does not have a right to access information about the person they care for, other than information that should be provided to them as a matter of course under the Care Act (e.g. copies of the person's assessment or review report).

In all other circumstances, information can only be shared if:

  1. The data subject provides consent for it to be shared; or
  2. The data subject lacks capacity to consent but has a legally authorised representative who has consented; or
  3. The data subject lacks capacity to consent, does not have a legally authorised representative but it is the view of the Local Authority that sharing the information would be in their best interests (e.g. to support an assessment by another professional); and
  4. None of the exemptions set out in the Data Protection Act 2018 apply (see Section 3, Exemptions to the Provision of Information).

2.4 The rights of other people

The rights of other people to access information about a data subject are limited. Information can only be provided if:

  1. The data subject provides consent for it to be shared; or
  2. The data subject lacks capacity to consent but has a legally authorised representative who has consented; or
  3. The data subject lacks capacity to consent, does not have a legally authorised representative but it is the view of the Local Authority that sharing the information would be in their best interests (e.g. to support an assessment by another professional); and
  4. None of the exemptions set out in the Data Protection Act 2018 apply (see Section 3, Exemptions to the Provision of Information).

Information can also be shared if it has been requested for safeguarding purposes and sharing it is necessary to protect the data subject, a child or other vulnerable adult from abuse or neglect.

3. Exemptions to the Provision of Information

The Data Protection Act 2018 sets out some exemptions to the right of access. These enable the Local Authority to withhold disclosure of the requested information.

The exemptions are:

  1. If providing the information requested will place the data subject, a child or other adult in danger or at risk of serious harm to their mental or physical health;
  2. If the information is child abuse data, it would not be in the best interests of the data subject;
  3. If a court has ordered that the information should not be disclosed;
  4. Where a data subject with capacity provided the information to you in confidence with the expectation it would not be disclosed, or if they expressly indicated this (i.e. they did not consent);
  5. Where the information contains the identity or personal information of another data subject, that other person has capacity and has not consented to their information being shared, and it would not be possible to remove or disguise their data from the information (e.g. by blocking out or removing those details);
  6. Where the information contains the identity or personal information of another data subject, that other person lacks capacity to consent to their information being shared, it is not in their best interests to do so and it would not be possible to remove or disguise their data from the information (e.g. by blocking out or removing those details);
  7. Where disclosure would prevent the detection or investigation of a crime or pose a risk to national security;
  8. The request is deemed 'manifestly unfounded or excessive' (e.g. an identical request has already been received and information has already been provided or denied).
Need to know

The exemptions above do not apply when the information has been requested by a court or disclosure is necessary for the purpose of or in connection with legal proceedings (including obtaining legal advice).

If you are unsure whether an exemption applies you should seek support from a manager, who in turn should seek legal advice as required.

4. Information that Should Always be Shared with the Data Subject

Data subjects should be told what information is collected about them, why and how long it will be kept for.

You should routinely share the following information with the individual it is about (the data subject), whether or not they have requested it:

  1. Copies of any assessment or review reports (including risk assessments, mental capacity assessments and safeguarding reports);
  2. Copies of any Care and Support or other Plans; and
  3. Copies of minutes taken at any meetings in which they were present.

Where the data subject has capacity and requests that this information is also shared with another person you should comply with this request unless doing so would place the data subject, a child or other vulnerable adult at risk of harm from abuse or neglect by that person. Where a request to share information is refused you should explain to the data subject why the information has not been provided.

If you feel that the information should be shared with another person or organisation in order to benefit the data subject (for example a health professional completing an assessment) you should seek consent to do so. If the data subject does not consent, information can only be shared when consent is not a requirement. For example, when submitting an NHS Continuing Healthcare Checklist to the ICB.

Where the data subject lacks capacity to consent, information can only be shared if it is in their best interests to do so. It will not normally be in the person’s best interests to share the information if one of the exemptions permitting disclosure to be withheld applies.

5. Responding to Requests for Information about the Data Subject

5.1 In all cases

Whenever you are unclear about whether or not to share information you should seek support from a manager, who in turn should seek legal advice as required.

5.2 Informal requests by the data subject

If the individual (data subject) has requested information informally relating to them or their case you must decide whether the information can be provided under the UK GDPR.

It is the expectation in the Data Protection Act 2018 that wherever possible information is provided to a data subject following an informal request.

Some of the things that should be considered are:

  1. Is the information something that should be shared with the data subject as a matter of course, irrespective of the right of access?
  2. Would providing the information be a breach of someone else's confidentiality?
  3. Would sharing the information put the data subject at risk of harm from abuse or neglect?
  4. Would sharing the information put another adult or child at risk of harm from abuse or neglect?
  5. Do any of the exemptions in the Data Protection Act 2018 apply? (see Section 3, Exemptions to the Provision of Information).

5.3 Informal requests by others

If the request is being made by a person who is legally authorised to request the information (a Court of Protection appointed Deputy for welfare or an Attorney) the request should be treated as if it had been made by the data subject.

The rights of other people to access information about a data subject are limited.

Information can only be provided if:

  1. The data subject provides consent for it to be shared; or
  2. The data subject lacks capacity to consent but has a legally authorised representative who has consented; or
  3. The data subject lacks capacity to consent, does not have a legally authorised representative but it is the view of the Local Authority that sharing the information would be in their best interests (e.g. to support an assessment by another professional); and
  4. None of the exemptions set out in the Data Protection Act 2018 apply (see Section 3, Exemptions to the Provision of Information).

Information can also be shared if it has been requested for safeguarding purposes and sharing it is necessary to protect the data subject, a child or other vulnerable adult from abuse or neglect.

The person making the request can still make a formal request for the information if an informal request is denied.

5.4 Formal requests for information about a data subject

A formal request is a request made in writing. They can be made by anyone.

The outcome of a formal information request should be provided within 1 month of the date it was made. Notification in writing should be provided to the person making the request.

If information is to be shared this should also take place within that timeframe, even if the amount of information is significant (e.g. a case file).

6. Responding to Requests for Other Information

Under the Freedom of Information Act anybody may make a formal request in writing (including e-mail) for non-personal information from a public body. This is information that does not relate to a particular individual (data subject).

The Freedom of Information Act specifies that any formal request for information made under the Act must be responded to within 20 days of receipt. The response should confirm:

  1. Whether the information is held by the Local Authority; and
  2. If so, provide the information requested.
Need to know

Requests for information may be refused where the cost of providing the information exceeds the limit, or where one of the exemptions set out in the Data Protection Act 2018 applies.

7. Requests for Information Relating to Safeguarding

Where information about an individual (data subject) is requested as part of a safeguarding enquiry in order to protect the data subject, or another vulnerable adult or child from abuse or neglect (or the risk of abuse or neglect), it should be provided.

This should be provided securely to the person leading the safeguarding enquiry and any concerns that you have about the implications for other vulnerable adults or children as a result of providing the information should be shared and considered by the safeguarding enquiry.

If it is possible to seek consent from the data subject before providing the information you should do so, although information can be provided without consent if doing so is necessary for the purpose of protecting them (or another adult or child) from abuse or neglect. If the data subject refuses to give consent, consideration should be given to whether the information should still be shared. The information can be shared against the data subject’s wishes if doing so would be a proportionate step to take in order to protect them (or another adult or child) from the risk of abuse and neglect.

You should notify the data subject that their information has been shared for the purposes of protecting them (or under safeguarding) from harm unless doing so would place them (or another adult or child) at further risk of harm. In this case you should notify them when it is deemed safe to do so.

You should be clear with the data subject from the beginning that in the event of a safeguarding enquiry, information about them may be provided without their consent or immediate knowledge.

8. Further Information

For further information and guidance see:

Information Commissioner’s Office: Guide to Data Protection (namely the Data Protection Act 2018 and the UK General Data Protection Regulations (UK GDPR))

Data Protection Act 2018

UK GDPR

The Caldicott Principles

tri.x adults procedures