Information sharing in social care

Social care professionals have a legal duty to share information to support individual care.

The duty to share information for individual care is as important as the duty to protect confidentiality. Sharing relevant information at the right time helps colleagues to make informed decisions and ensures that people receive safe care across different care settings.

This guidance refers to adult social care only. Responsibility for information governance and information sharing policy in children's social care resides with the Department of Education. See the statutory guidance Working Together to Safeguard Children and the non-statutory guidance Information Sharing: Advice for Practitioners Providing Safeguarding Services which apply to all safeguarding practitioners.

There are several main principles to consider when deciding whether to share information.

• consider the purpose
• sharing for individual care
• sharing for other purposes, such as research or planning
• check for a person’s concerns
• share only relevant and necessary information
• transfer information securely
• check your organisation policy

When deciding whether to share social care information, you need to consider the purpose the information will be used for. The purpose will determine which rules you apply. This is because the rules for sharing for individual care are different to those for sharing for other purposes, such as research or planning.

Relevant information should be shared with health and care professionals working in a care team, when needed to support care.

All staff who are directly involved in providing care to an individual have a legitimate relationship with that person. Examples of legitimate relationships would be:

• a social worker supporting an individual
• a mental health support worker working with a resident in a mental health facility
• an occupational therapist supporting an individual to ensure their house is equipped with rails to prevent them falling
• a care home manager at an individual’s care home

All of these people have a legitimate relationship with the individual, and can share information about that individual across organisational boundaries on that basis.

On the other hand, staff without a legitimate relationship with a particular individual are not entitled to access information about them. For example, a social worker in a local area which has a shared care record would not have a legitimate relationship with all the individuals in that shared care record area. They would only have a legitimate relationship with the individuals they are directly supporting.

Health and care information about a person cannot generally be disclosed without that person’s consent. However, you can rely on implied consent when sharing relevant information for the purpose of providing care, with health and care staff who have a legitimate relationship with the person.

In some situations, you may need to share information without consent to keep someone safe. This includes cases where a child or adult is at risk of serious harm. In these situations, the need to protect them can outweigh the usual duty to keep information private. You should only share what is necessary, and involve your manager or safeguarding lead and Caldicott Guardian where possible.

When using confidential information for important purposes like social care research or service planning, you must always consider whether information that identifies people is needed. Where possible, information that does not identify a person should be used.

Data protection laws do not apply to anonymised data. An example of anonymised data would be the number of residents and their age range in a supported living facility. If information that identifies an individual is requested, then you should check with your senior manager or Caldicott Guardian before sharing.

If confidential information is needed for purposes beyond individual care, then explicit consent is normally required.

Where you would usually seek explicit consent but the person lacks capacity to give consent for their data to be shared, consent should be sought from the person who holds a health and welfare lasting power of attorney (LPA) on their behalf. Alternatively, consent can be sought from the welfare deputy registered with the Court of Protection if the person has someone acting in that capacity.

If no one holds an LPA or role of welfare deputy for the individual, you will need to speak with the person in your care setting who has senior care or clinical responsibility to decide what is in the best interests of the person without capacity. This person could be a nurse, Caldicott Guardian or another competent senior person. Deciding best interests should include a case by case assessment of whether an individual’s confidential information should be shared.

Capacity can fluctuate, so any decision must be reviewed on a regular basis and reflected in the person’s care record and their Personalised Care and Support Plan (PCSP). The assessment should focus on the specific decision that needs to be made at the time when the decision is required. See the Public Guardian’s Mental Capacity Act Code of Practice for further guidance.

If a person does not want their information to be shared, you should discuss this with them. You may have concerns about not sharing, for example, if it will impact upon being able to provide safe care. In such a case, you should explain the implications of the decision to the person or their representative. You should respect their wishes unless there is a reason not to, such as concerns that not sharing the information may put other people at risk of harm. Any concerns or objections about information sharing should be noted in the individual’s record. Further discussion with the person, their representatives, and senior colleagues, may be required.

Where an individual does not want to share confidential information for research and planning, you should check the guidance from the Digital Social Care hub on national data opt outs.

In some situations, it may not be possible to use anonymous data or obtain explicit consent. If that is the case, you will need to work with your senior manager or Caldicott Guardian to consider seeking support under Section 251 of the Health Service (Control of Patient Information) Regulations 2002. Further information about the process is available on the Health Research Authority website.

You should only share relevant and necessary information. Sometimes it is difficult to be clear about what is relevant. The key points are that you:

• use your professional judgement information sharing may vary from a single piece of information to the person’s whole record
• can justify and evidence your decision
• record your decision
• inform the person and their representatives of any decision, where appropriate

Relevant information can also be shared with those involved in providing support to individuals. For example, where a person has asked for support with housing, staff can share relevant information needed with the council’s housing department so that they can understand the person’s needs. Only the information needed to provide appropriate support, such as a person’s mobility issues in this example, should be shared, not the entire care record.

This is one of the key principles to consider when using information.

Ensure information is transferred using an email system that meets the secure email standard, such as the NHS.net Connect service (previously known as NHSmail) which is free to social care organisations registered with the Care Quality Commission (CQC); a verified Office 365 account; or a secure accredited domain.

Insecure email accounts should not be used. Alternatives include uploading the information onto a secure, shared system, app or tool that has been approved by your organisation, transferring information via a phone call or using an alternative work account, such as a secure team email address.

Double check that the email has been addressed accurately.

When you are emailing confidential information, the contents should be encrypted unless you and all recipients are using NHSmail or other email accounts that meet the secure email standard.

Staff using NHSmail can send messages to insecure email accounts by adding [secure] at the start of the email subject line, or by using the Egress add-in for Outlook. Staff using any other email system should seek guidance from their organisation.

If you use a different method to encrypt information with a password, you should send the password by another communication channel, such as a phone call or text message.

Mobile messaging, such as through text or instant messaging, may be permitted where there is no practical alternative and the benefits outweigh the risk but the use of confidential information must be minimised, for example by using the person’s initials rather than their name. You should check your organisation’s policies to see if there is a particular app you should use.

When transferring paper records and information between health and care settings, use secure trackable and traceable methods, such as a courier, Royal Mail’s Registered Delivery or Special Delivery services.

Transparency materials about how people's information will be used and shared must be made available, for example, on privacy notices, notice boards and websites. Ideally, transparency information should also be provided in the welcome pack received when people register for a new service or setting. See the ICO’s guidance on transparency in health and social care for more information.

You should check your organisation’s agreed policy and process for sharing information. For example, some care providers only accept requests to share information through email; some require the care manager or duty nurse to approve; and some junior staff are not allowed to share information at all.

If you are not sure about how to deal with a request to share information, you should check with your senior staff; or your information governance lead or Caldicott Guardian if you have one.

A Caldicott Guardian is a senior person responsible for upholding the Caldicott Principles. Organisations that provide publicly funded adult social care services and process confidential information are required to appoint a Caldicott Guardian or make alternative arrangements.

See the National Data Guardian guidance for further details.

You can also check the guidance on the IG web page; the Information Commissioner’s Office’s data sharing information hub, the Data Security and Protection Toolkit, and the Better Security, Better Care guidance from Digital Social Care.