Information Sharing pre Care Act

Unless one or more the conditions appearing below applies, processing of sensitive personal data by anyone is expressly prohibited by the Data Protection Act 1998. But there are exceptions which apply to those concerned with the protection of vulnerable adults.

The most relevant conditions for lawful processing are:

Explicit consent

The processing is necessary in order to protect the vital interests of the data subject or another person in a case where consent cannot be given by or on behalf of the data subject or the controller cannot reasonably be expected to obtain the consent of the data subject or where the data subject unreasonably withholds information necessary to protect the vital interests of another person

The processing is necessary for the exercise of any functions (ie duties or discretions) conferred by or under any enactment (ie a statute or regulations).

The processing is necessary for medical purposes (for these purposes, medical treatment includes care) and is undertaken by a health professional or a person owing a duty of confidentiality which is equivalent to that which would arise if that person were a health professional.

In other words, the form of processing constituted by disclosure is specifically allowed under the DPA in the interests of compliance with statutory and legal obligations.

Under the indicative social services purposes, where consent is not a requirement, Department of Health guidance lists disclosure to

staff directly involved in a case and their line managers;

to anyone else who cares for a client where the information is needed for care (this includes volunteers),

and to Health, Education, child protection, inspection, audit, finance, and the police – because the provision of the information may be needed in order to enable the authority to gain confirmation of it, or doubts as to the information, for the purposes of discharging its own statutory functions.

Who is a recipient?

The definition of a recipient of data does not include persons to whom disclosure is, or may be, made, as a result of or with a view to a particular inquiry by or on behalf of that person made in the exercise of any power conferred by law. This is consistent with the principle that other statutory agencies have a right to the information without it counting as disclosure and hence without any need for consent for that sharing.

This definition is crucial, in our view to good co-operation in joint working, particularly with the police. The local authority can say it is not a recipient of data, because it is a corporate person to whom disclosure will be made, with a view to a particular inquiry by that authority, made in the exercise of a power conferred by law – ie s47 NHSCCA, regarding the assessment of risk to the client.

Social services purposes

Even if this approach turns out not to be open to an authority, the department is supposed to maintain a list of third party recipients to whom disclosure is specifically allowed, for their own social services purposes. Examples are suggested as being local authority approved authorised organisations e.g. voluntary organisations, health professionals, the police, the ombudsman etc.


In community mental health teams, the DH guidance suggests that joint records may be held, but acknowledges that each organisation is a data controller in its own right. Each is supposedly entitled to give access for the other, so as to cut down on applications. Since community mental health teams have been made up of two separate organisations without power to delegate each others functions to the other, until the Health Act, we do not see how their records can be regarded as joint records. Only if staff had been seconded across could they be discharging two roles at once.

In any event, each of the agencies who are party to an Adult Protection Protocol will have their own policies, professional codes of conduct and procedures for ensuring that users receive a confidential service. It is therefore important that staff have due regard to their own agencies policies when dealing with issues of confidentiality in the context of adult protection work. But some organisational cultures (the police in particular) have not transferred child protection principles about information sharing to the adult protection field as yet, and tend to prefer rules about the confidentiality of police investigations, rather than discretions to share information on a need to know risk prevention basis. An understanding of the law of confidentiality can help agencies challenge such cultural assumptions.

Decisions to share information about a service user with other agencies without the consent of the user in question should be made by the agency and not one individual acting on their own, and the reasons for the decision recorded.

Agencies should draw up a common agreement relating to confidentiality and setting out the principles governing the sharing of information based on the best interests of the vulnerable adult. Any such agreement should take account of the provisions of the Public Interest Disclosure Act 1998 and the Data Protection Act and the common law of confidentiality, again all areas not familiar to the average social services manager.


With regard to practice, concerning confidentiality, the following principles flowing from the report of the Caldicott Committee are helpful:


  • information will only be shared on a need to know basis, when it is in the best interests of the service user;
  • confidentiality must not be confused with secrecy or terms of employment designed to protect the management interests of an organisation or its reputation;
  • informed consent should be obtained,but if this is not possible and other vulnerable adults are at risk it may be necessary to override the requirement; and
  • it is inappropriate for agencies to give assurances of absolute confidentiality in cases where there are concerns about abuse.


All agencies should keep accurate records of complaints or allegations of abuse. Staff should be given clear instructions as to what information should be recorded and how it should be recorded. Staff should be reminded that interviewing the alleged abuser without caution would be a breach of his or her legal rights. Arrangements should be made for making records available to those affected by and subject to investigation.


Decisions about who needs to know and what needs to be known, should be taken on a case by case basis and within agency policies and the constraints of the legal framework.


Affected third parties

The guidance emphasises that there may be occasions where it is reasonable in all the circumstances to give disclosure even of a third party’s personal data, without that other person’s consent, and this is so, even when it involves identifiable details about a source of information to a record.

It is implied that it may be reasonable if that other person is not capable of giving consent, or if they cannot be found, and that it would be less so, if s/he has specifically refused. But it must be remembered that the law of confidentiality still allows a confidence to be overridden. It is our view that any authority which balances the competing interests and documents its reasons for coming down for or against disclosure will not be overruled in the line it takes, by a court.

TB v the Combined Court at Stafford has held that where an application was made by a defendant’s solicitor for the disclosure of personal and confidential medical information in criminal proceedings, it was unlawful for the Court not to give the data subject notice of the application and an opportunity to make representations in relation to the application before an order for disclosure was made.  This was a breach of the data subject’s Article 8 rights.

Access to third party information – on behalf of an incapacitated person


In the processing rules applicable to data and sensitive personal data, there is one very large exception to the need for consent before disclosure of health records. Authorities may grant access to information if it is reasonable in all the circumstances to do so, without consent, bearing in mind what has been done to obtain it, the capacity and position of any affected third party, and the extent of the duty of confidentiality owed to that person.

A person can exercise these access rights through a relative, advocate or solicitor, so long as they have mental capacity. Requests from people without mental capacity will not have legal force, whether made by themselves or their agents.

Although it seems that the right to receive information is restricted to the data subject, it has been suggested that it should be read so as to be compatible with Convention rights and that this will extend to a third party making the request. We do not think that it is possible to stretch the subject access parts of the legislation so far, as a matter of legal reasoning. But we are confident that a court would be likely to find some way or another of authorising disclosure to a third party where it was essential for the best interests of the person concerned. It is possible that in so far as the DPA builds on the law of confidentiality, it is that body of law that would be regarded as the bottom line for the lawfulness of the processing which would have been constituted by the disclosure. The Mid Glamorgan Family Health Service Authority ex p Martin suggests exceptional disclosure to third parties will be acceptable.

The Government certainly seems to think that disclosure will be made to third parties because the Regulations under the Act provide for additional grounds of refusal specifically applicable to third party requests. For instance, the grounds for refusal for Court of Protection Patients are that the subject expected it would not be disclosed; that consent to examination was given on that basis, or the person had expressly indicated it should not be disclosed.

The DH guidance suggests that a person acting under the Court of Protection’s authority, or within the terms of a registered enduring power of attorney can request access on behalf of an incapacitated person. Our view would be that this may be so but only so long as the disclosure relates to financial or property related matters, not to a welfare decision. This is because neither a Receiver nor an attorney has legal power to act in place of the incapacitated individual in this regard. A guardian would be better placed to do so, in our view.


Good Practice

Technicalities aside, there are some key principles which will be common to all policies of the agencies involved. These principles can be summarised as follows:

Agencies cannot guarantee a fully confidential service. There will always be exceptional circumstances when a duty to protect the wider public interest will outweigh the responsibility to any one individual. Although the views and wishes of the service user will normally be respected when sharing, the law of confidentiality and Data Protection are overriding, and the exceptions to their principles must be appreciated.

Information given to an agency should only be used for the purposes for which it was intended.

Service users and carers should be advised why and with whom information will be shared.

Information given to an individual member of staff or agency representative belongs to the agency and not the individual, although legislation may give the individual right to disclosure thereof.

Information about a service user should only be shared within an agency on a need to know basis to support the effective delivery of services to that user.

Staff therefore have a clear duty to report any concerns they may have relating to the abuse or suspected abuse of a vulnerable adult to their Line Manager at the earliest opportunity.

Information about a service user can normally only be shared with staff in other agencies with the express consent of the service user.

Agencies should have in place appropriate decision making mechanisms for deciding when the agencies duty to protect the wider public outweigh their responsibilities to protect the user’s right to confidentiality. Issues of adult protection can fall into this category, but agencies may need to seek legal advice in relation to specific circumstances.

Related Links

Data Protection Act 1998 Protection and Use of Patient Information

The Information Commissioner’s legal guidance to the legislation.


Leave a Reply

Your email address will not be published.