This article sets out some of the key points from the above Guidance as well as considers some of the information sharing conditions of the Data Protection Act 1998.
The Guidance indicates that "if a practitioner has concerns about a child's welfare, or believes they are at risk of harm, they should share the information with the Local Authority, and/or the police or any organisation which is required. Security of information sharing must always be considered and should be proportionate to the sensitivity of the information and the circumstances. If it is thought that a crime has been committed and / or a child is at immediate risk, the police should be notified without delay".
Further the Guidance explains that "where there are concerns about the safety of a child, the sharing of information in a timely and effective manner between organisations can reduce the risk of harm. Whilst the Data Protection Act 1998 places duties on organisations and individuals to process personal information fairly and lawfully, it is not a barrier to sharing information where the failure to do so would result in a child or vulnerable adult being placed at risk of harm. Similarly human rights would not prevent sharing information where there are real safeguarding concerns".
The Data Protection Act 1998 ("DPA")
The Guidance reiterates that the "DPA 1998 does not prohibit the collection and sharing of personal information. It does, however, provide a framework to ensure that personal information about a living individual is shared appropriately. In particular, the DPA balances the rights of the information (data) subject and the need to share information about that individual. It is essential to consider the balance in every case".
In terms of that balance, you should consider whether or not it is possible to obtain consent in every case. The Guidance emphasizes "you do not necessarily need the consent of the information subject to share their personal information, although wherever possible, consent should be sought. However there are times when this may not be possible, for example, where it is unsafe to do so. Even without consent, it is still possible to share personal information about a living individual" in line with the DPA conditions contained within Schedules 2 and 3 of the Act.
The Data Protection Act Schedules
Schedules 2 and 3 of the DPA set out conditions which should be fulfilled before disclosure is deemed to be lawful. Before sensitive personal data (1) is disclosed it must meet one of the conditions from Schedule 2 and one of the conditions from Schedule 3 of the DPA. The key conditions which are likely to be encountered include:
DPA – Schedule 2 Conditions
- That the patient consents to the processing (if this is not the case or it is not possible to obtain consent you will need to consider the conditions below);
- That the processing is necessary for the performance of a contract to which the data (information) subject is party, or for taking steps at the request of the information subject with a view to entering a contract;
- The processing is necessary for compliance of a legal obligation;
- The processing is necessary to protect the vital interests of the data (information) subject;
- The processing is necessary for the administration of justice, for functions under an enactment, or for a function exercised in the public interest;
- The processing is necessary for the legitimate interests of the controller of the information or by the third party to whom the information is disclosed except where processing is unwarranted by reason to the prejudice to the rights or legitimate interests of the information subject. (This is where the balancing exercise described above will be of particular relevance).
DPA – Schedule 3 Conditions
- The data subject has given his explicit consent to the processing of the personal information (again if this is not the case you will need to consider the conditions below).
- The processing is in connection with employment.
- The processing protects the vital interests of the data subject or another person in a case where consent cannot be given, or the data controller cannot be reasonably expected to obtain consent. Alternatively the processing is necessary to protect the vital interests of another person in a case where consent of the data subject has been unreasonably withheld.
- The data subject has made the information public themselves.
- The processing is necessary for legal proceedings, obtaining legal advice or for establishing, exercising or defending legal rights.
- The processing is necessary for the administration of justice, or for functions under an enactment (ie the processing is required by law).
- The processing is necessary for medical purposes and is undertaken by a health professional or a person who owes a duty of confidentiality equivalent to a health professional. 'Medical purposes' includes preventative medicine, medical diagnosis, medical research, the provision of care and treatment, and the management of healthcare services.
As you can see, even where the information / data subject does not provide consent to information being disclosed, there are a raft of other conditions which would allow disclosure so long they are applicable to the information requested.
Duty of Confidence
The Guidance reaffirms the legal position that "if the information is confidential, and the consent of the information subject is not gained, then the data controller needs to satisfy themselves that there are grounds to override the duty of confidentiality in the circumstances. This can be because it is overwhelmingly in the information subject's interests for the information to be disclosed". Again disclosure should tie in with the Data Protection conditions indicated.
It is also possible that an overriding public interest would justify disclosure of the information even where the DPA conditions do not apply. You should consider the balancing exercise again weighing up the rights of the individual verses the public interest element to reach a conclusion as to whether disclosure should occur on this basis.
You must only share sufficient information to achieve the objective.
Other Relevant Legislation
The Local Safeguarding Children Board can request that a person or body supply information which it requests to the Board or to another person or body specified in the request. This is on the basis that the request is for the purpose of assisting the Board to perform its function, and that the request is made to a person or body who is likely to have relevant information because it relates to that person or body, and / or its functions (Children Act 2004, section 14B).
Other Factors to Keep in Mind in relation to the Disclosure of Information
The Guidance suggests that information should be:
- Necessary & Proportionate: Any information shared must be proportionate to the need and level of risk identified.
- Relevant: Only information that is relevant to the purpose should be shared.
- Adequate: Information should be adequate for its purpose.
- Accurate: Information should be accurate and up to date and should clearly distinguish between fact and opinion.
- Timely: Information should be shared in a timely fashion to reduce the risk of harm.
- Secure: Where possible, information should be shared in an appropriate and secure way.
- Record: Information sharing decisions should be recorded whether or not the decision is taken to share. If the decision is to share, reasons should be cited including what information has been shared and with whom in line with organisational procedures. If the decision is not to share, it is good practice to record the reasons for this decision and discuss them with the requester.
The Guidance also reinforces '7 Golden Rules of Information Sharing' (see document) which are worth considering not just in relation to children, but also more widely.
- Within the Guidance produced by the Government, there is a flow chart covering when and how to share information.
- Click here for The Government Guidance.
Overall, it is possible to share information in connection with an individual, be they an adult or child where there are concerns about safety, vulnerability or risk. In every case you should consider whether it is appropriate or possible to obtain consent. However, even where it is not possible to obtain consent, it is still possible to share information if there is good reason. The disclosure should tie in with the conditions of the DPA or be in the public interest. Any information disclosed should be deemed necessary, and should be relevant and proportionate for the purpose. At all times a record of the decision making process should be kept, and should include a balance between the rights of the data subject verses the rationale for disclosure and non-disclosure. This is what potentially offers a defence or shows the decision making rationale should there be any claim or issue arising in the future.
(1) Data Protection Act 1998: Sensitive personal data.
In this Act “sensitive personal data” means personal data consisting of information as to—
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.