Caldicott Guardian: Sharing personal information
The process of sharing personal data with other organisations and agencies must be conducted in accordance with Trust policies, and, if necessary, after having sought advice from the Information Governance department/ Caldicott. This document provides an overview of some of the reasons why personal information may be shared without consent.
The Caldicott Guardian is responsible for ensuring implementation of the Caldicott Principles with respect to personal data.
Caldicott Principles (2013)
i. Justify the purpose(s).
ii. Don’t use personal confidential data unless it is absolutely necessary.
iii. Use the minimum necessary personal confidential data.
iv. Access to personal confidential data should be on a strict need-to-know basis.
v. Everyone with access to personal confidential data should be aware of their responsibilities.
vi. Comply with the law.
vii. The duty to share information can be as important as the duty to protect patient confidentiality.
Personal information can be disclosed if the patient consents to the disclosure.
Where consent is refused, or cannot reasonably be obtained (because the patient cannot be reached or lacks capacity), then disclosure of personal information must be processed in accordance the Data Protection Act 1998 and/or other statutory provisions that either require information to be disclosed or withheld.
Information must also be disclosed if there is a court order.
In addition to these statutory and judicial routes of disclosure, information can also be disclosed under the Common Law of Confidentiality whereby information given in confidence must not be disclosed without consent unless there is a justifiable reason, e.g. a requirement of law, or when there is a clear public interest in disclosing the information (the “public interest test”). In deciding whether this test is met, the Caldicott Guardian will consider the Caldicott Principles and Department of Health Guidance on Confidentiality.
Every decision to share personal data should be considered on a case-by-case basis and, where necessary, in consultation with IG or the Legal Department. What is agreed for one case may not apply to another, so specific circumstances should always be carefully reviewed. The Caldicott 2 review in 2013 added a new principle which is to safeguard both the NHS and patients: The duty to share information can be as important as the duty to protect patient confidentiality.
Why might we share personal data?
Whilst the Trust works to the principle of looking to ask for consent wherever it can prior to sharing personal data, in certain cases, the law does allow us to pass on this information without your permission. These are considered on a case by case basis and strict assurances will be needed prior to any disclosure. Some examples are:
Section 251 Approvals (such as the Community Mental Health Survey by the CQC.) These types of approvals are often gained for the purposes of research.
- Section 60 of the Health and Social Care Act 2001 as re-enacted by Section 251 of the NHS Act 2006 allows the Secretary of State for Health to make regulations to set aside the common law duty of confidentiality for defined medical purposes. This means some personal data can be shared without consent where it is deemed to be in the public interest.
Data Protection Act- Section 29 and 35
- Section 29 is an exemption that allows an organisation to give out personal information where the disclosure is for one of the “crime and taxation purposes”:
o The prevention or detection of crime
o The apprehension or prosecution of offenders or
o The assessment or collection of any tax or duty or of any imposition of a similar nature.
o and complying with the normal provisions of the DPA would be likely to prejudice one of these purposes.
- Section 35 of the Data Protection Act 1998 states that personal data are exempt from the non-disclosure provisions whereby:
o a disclosure is required by or under an enactment, by any rule of law or by the order of a court;
o For the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings) for the purpose of obtaining legal advice, or is otherwise necessary for the purpose of establishing, exercising or defending legal rights.
Information may be shared if the processing is necessary to protect an individual’s “vital interests” (patient or other member of the public). This applies in cases of life or death, such as where an individual’s medical history is disclosed to a hospital’s A&E department treating them after a serious road accident where urgent treatment is needed, or the public may be placed at risk if information on a data subject is not shared, e.g. a prisoner transferring prisons, who is known to be violent. The Trust would not put people at risk by not sharing necessary personal information; however each decision will be based on an individual assessment of that particular case and scenario.
Under the Children Act 2004 key people and bodies have the duty to make arrangements which ensure their functions are discharged with regard to the need to safeguard and promote the welfare of children. Information sharing is fundamental for complying with this regulation. Wherever possible practitioners should seek consent to share when they are concerned about a child, a child in need or a child in need of protection. There may however be some cases where they should not seek consent. For example if doing so would:
- “place a person (the individual, family member, yourself or a third party) at increased risk of significant harm if a child, or serious harm if an adult; or
- prejudice the prevention, detection or prosecution of a serious crime; or
- lead to an unjustified delay in making enquiries about allegations of significant harm to a child, or serious harm to an adult”.