Sharing Information for Direct Care
Staff are reminded that, when providing direct care to a patient and in order to provide a comprehensive service, relevant and pertinent information can be shared for health and social care purposes with other health, social care and other partner organisations (e.g. third-party care providers, charities or private companies, etc.) involved in that patient’s care if there is a clear basis in law for sharing and where the individual is aware of the sharing and has not objected. This is extremely important as any delays with sharing may impact on the care being provided and present a clinical risk to the patient.
Any sharing of person confidential information must be both lawful and ethical. Only share personal information in a way that is lawful, fair, transparent and in line with the rights and expectations of the individuals whose information you are sharing (e.g. health information for care purposes, Human Resources information for employment purposes, etc.).
All requests to share information must be considered on a case-by-case basis and all sharing must be kept to the minimum necessary for the purpose requested and on a strict ‘need-to-know’ basis. The requestor must be able to justify why the request is being made and that they are legally entitled to make the request.
Sharing must be done in line with current Data Protection legislation, the Common Law Duty of Confidentiality and the Caldicott Principles, and individuals must be informed who their information may be shared with and for what purposes through the Trust’s Privacy Notices.
Data Protection legislation covers the processing and sharing of person confidential information about living identifiable individuals. There needs to be a clear basis in law for all sharing of information and an appropriate legal basis needs to be identified under Data Protection law. There are two types of data that the Trust uses: personal and special category. Personal data means any information relating to a person who can be directly (e.g. by name or picture) or indirectly (e.g. by age, gender and post code) recognised. Special category data means any information relating to racial or ethnic origin, political opinions, religious beliefs, trade union activities, physical or mental health, sexual life or details of criminal offences.
To share personal information, one of the Article 6 conditions within the UK General Data Protection Regulations (UK GDPR) must be met. Additionally, under UK GDPR, special category information is afforded even greater protection due to its sensitivity. As such, to share special category information, one of the Article 9 conditions within UK GDPR must also be met.
Under the National Health Service Act 2006 and the Health and Social Care Act 2012, the Trust is required by law to process a patient’s personal data and share it with other organisations involved in their care to provide them with direct care. Therefore, under current Data Protection legislation, the processing of a patient’s personal data is necessary under Article 6(1)(e) of UK GDPR, “in the exercise of official authority or performance of a specific task in the public interest that is set out in law”. Where the Trust processes a patient’s special category data, it will do so because it is necessary under Article 9(2)(h) for “Health or social care (with a basis in law)”.
The seventh Caldicott Principle emphasises that sharing information can be as important as protecting confidentiality. This requires that relevant information about individuals is shared with all those involved in care, subject to confidentiality and an appropriate legal basis being identified, where this may result in improved outcomes or experience for those individuals. Information about patients and service users must be treated respectfully and not shared with those who do not ‘need to know’. It is essential that information requirements are fully understood so that sharing is neither excessive nor overly restricted.
The Health and Social Care (Safety and Quality) Act 2015 introduced a new legal duty requiring health and adult social care bodies to share information where this will facilitate care for an individual. In complying with this Act, subject to the preferences of the individuals concerned, sharing for the care of individuals is a requirement, not an option. The Act also provides statutory support for the seventh Caldicott Principle. It makes it clear that, unless an individual objects, when information can be lawfully shared between health or adult social care commissioners or providers for purposes likely to facilitate the provision of health services or adult social care, and sharing is in an individual’s best interests, then it must be shared.
Information must be shared using secure systems and processes (e.g. secure encrypted email) to safeguard its security and confidentiality.
If you have any further questions or concerns about these issues, please contact the Information Governance Team at IG