Cumbria County Council Logo


Top of page

Size: View this website with small text View this website with medium text View this website with large text View this website with high visibility

1.1.2 Confidentiality Policy

SCOPE OF THIS CHAPTER

This procedure sets out the responsibility of the employee to familiarise themselves with the handling of confidential information in the context of their social work role and as an employee of the council.

RELATED GUIDANCE

Information sharing: advice for practitioners providing safeguarding services (March 2015)

RELATED CHAPTER

Children’s Services Information Sharing Protocol

AMENDMENT

In February 2016, this chapter was updated to reflect the Information Sharing Advice For Practitioners Providing Safeguarding Services To Children, Young People, Parents And Carers (March 2015) and an updated version of the Children’s Services Information Sharing Protocol was added.


Contents

  1. Cumbria County Council Children's Services Confidentiality Policy
  2. Confidentiality Values and Principles
  3. Freedom of Information Act 2000
  4. Data Protection Act 1998
  5. The Common Law Duty of Confidence
  6. Information Sharing Agreements

    Appendix 1: Data Protection Act 1998 Schedules

    Appendix 2: Seven Golden Rules for Information Sharing

    Appendix 3: Guide to Marking E-mails High Importance and Confidential


1. Cumbria County Council Children's Services Confidentiality Policy

1.1 Introduction

Cumbria County Council Children's Services recognises its common law duties to safeguard the confidentiality of all personal information. Wherever disclosure of confidential information to another person or organisation is being considered, a check will always be made to ensure that such disclosure is lawful.

All Council staff must be made aware that the Data Protection Act 1998 (DPA) (see Section 4, Data Protection Act 1998) applies to the processing of all personal data, both in paper and electronic records. Where disclosure is proposed, and there is any doubt as to whether the DPA applies or whether only the common law of confidentiality applies, advice will always be sought, from the Council's Information Security Manager and/or Legal Services.

The Council will always record its reasons for deciding not to observe any duty of confidence it owes to a person who is the subject of information disclosed. See Section 5, The Common Law Duty of Confidence.

E-mail messages sent via the Internet can be intercepted, read and changed relatively easily. Consequently, Council staff will not use the Internet to pass on personal identifiable information about service users unless a secure or encrypted connection is in place.

Please refer to the Children’s Services Information Sharing Protocol.

See Appendix 3: Guide to Marking E-mails High Importance and Confidential

1.2 Staff Obligations

The Council's conditions of employment, issued as part of every employee's contract, detail the obligations placed upon the Council staff.

Staff employed with the Council will come into contact with confidential information/data relating to the work of the Council, its service users and other staff. Staff are bound by their conditions of service to respect the confidentiality of any information that they may come into contact with and under no circumstances should such information be divulged or passed to any persons or organisation in any form unless such disclosure is authorised under this policy.

Any unauthorised disclosure of confidential information by Council staff may result in disciplinary action. Staff may also face prosecution under the Data Protection Act 1998.

Where Council staff misuse confidential information, e.g. disclose their password to someone else or use someone else's password to gain access to systems, they could face disciplinary action that could lead to dismissal. They may also be prosecuted under the Computer Misuse Act 1990.

Managers must ensure that confidentiality is discussed with all new employees, as part of their induction. Managers must ensure that all new members of staff undertake the mandatory Information Security e-learning on the County Council’s e- Learning Zone as part of induction, and that this is refreshed annually. It is recommended that staff acknowledge that they have taken note of the contents of this policy. See Cumbria County Council's e-Learning Zone on Learning Pool.

Volunteers, work experience students and Commissioned Service Provider staff working on behalf of Cumbria County Council must also have their role in maintaining confidentiality made clear by the member of staff responsible for them and must be aware of and adhere to this policy.

Information sharing: advice for practitioners providing safeguarding services (March 2015) states that:

Wherever possible, you should seek consent or be open and honest with the individual (and/or their family, where appropriate) from the outset as to why, what, how and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on and they have a genuine choice about this. Consent in relation to personal information does not need to be explicit – it can be implied where to do so would be reasonable, i.e. a referral to a provider or another service. More stringent rules apply to sensitive personal information, when, if consent is necessary then it should be explicit. But even without consent, or explicit consent, it is still possible to share personal information if it is necessary in order to carry out your role, or to protect the vital interests of the individual where, for example, consent cannot be given. Also, if it is unsafe or inappropriate to do so, i.e. where there are concerns that a child is suffering, or is likely to suffer significant harm, you would not need to seek consent. A record of what has been shared should be kept.

It is also possible that an overriding public interest would justify disclosure of the information (or that sharing is required by a court order, other legal obligation or statutory exemption). To overcome the common law duty of confidence, the public interest threshold is not necessarily difficult to meet – particularly in emergency situations. Confidential health information carries a higher threshold, but it should still be possible to proceed where the circumstances are serious enough. As is the case for all personal information processing, initial thought needs to be given as to whether the objective can be achieved by limiting the amount of information shared – does all of the personal information need to be shared to achieve the objective?

1.3 Commercial Confidentiality

Some Council staff may have access to commercial information, agreements or contracts. This information must be treated as confidential, and only discussed/disclosed where this forms part of the employee's remit within the organisation. Staff should consult their manager if they are in any doubt.

1.4 Research, Audit and Monitoring

Access to confidential information or anonymous data may be sought for research, audit or monitoring purposes, either by other council areas or by outside organisations or public bodies.

Internal requests related to research projects must be approved and a formal submission will be required.

All external requests or enquiries may need to be directed to the Information Security Manager for clarification or Legal Services for their approval.

1.5 Press Interest, Police and Legal Enquiries

All media enquiries should be referred to the Chief Executive via the press office.

The Police do not have automatic rights to personal information held by the Council about service users. The matter should always be referred to a manager and/or the Information Security Manager/Legal Services.

Any requests for access to confidential information held by the Council for the purpose of any legal proceedings must be referred to the Council's Legal Services. A Court Order is required in order to release such information for legal proceedings. Verbal or written requests from lawyers are not sufficient. Staff should also seek advice from their manager and, where advised, the Data Protection Officer to ensure that correct action is taken.


2. Confidentiality Values and Principles

The following guidance should be read along with the publication Information Sharing Advice For Practitioners Providing Safeguarding Services To Children, Young People, Parents And Carers (March 2015).

2.1 Personal Information is Subject to a Legal Duty of Confidence

Personal information held about children is subject to a legal duty of confidence and should not normally be disclosed without the consent of the subject. The exceptions to this are set out in Paragraph 2.2 and Section 5, The Common Law Duty of Confidence.

The legal framework for confidentiality is contained in the common law duty of confidence, the Children Act 1989, the Human Rights Act 1998 and the Data Protection Act 1998.

2.2 Disclosure of Confidential Information is Permitted in Exceptional Circumstances

Whilst the general principle is that information obtained about children must be shared with them and not with others, there are exceptions. The public interest in child protection overrides the public interest in maintaining confidentiality and the law permits the disclosure of confidential information necessary to safeguard a child or children. Effective information-sharing underpins integrated working and is a vital element of both early intervention and safeguarding.

Disclosure should be justifiable in each case, for example to provide information to professionals from other agencies working with the child, and where possible and appropriate, the agreement of the person concerned should be obtained.

Those working with children must make it clear that confidentiality may not be maintained if the disclosure of information is necessary in the interests of the child. Even in these circumstances, disclosure will be appropriate for the purpose and only to the extent necessary to achieve that purpose.

There may also be situations where third parties have a statutory right of access to the information or where a court order requires that access be given.

The circumstances in which information held in records on children and families can and should be disclosed and shared with others with or without consent are set out in the following sections.

In all other cases, where third parties such as advocates, solicitors or external researchers request access to information, this should only be given if written consent is given by the person concerned or if a Court Order requires it.

2.3 Situations where Disclosure is Permitted Should be Shared with Children Involved

Wherever possible, children should be informed of the circumstances in which information about them will be shared with others. It should be made clear that in each case the information passed on will only be what is relevant and on a 'need to know' basis.

2.4 Information should be Disclosed to Colleagues and other Professionals/Agencies on a Need to Know Basis

Sharing information promptly with others working with the same child, or who may need to know, is invariably the key to safeguarding the child's interests.

Therefore, relevant information about children must be shared with colleagues, other professionals or agencies that may have a role to play in their care.

However, the general principle is that information may only be shared on a 'need to know' basis.

For example:

  • Where professionals are undertaking a Section 47 Enquiry in relation to a child;
  • Where information is requested in the furtherance of an inquiry or tribunal, or for the purposes of a Serious Case Review.

In such circumstances the person to whom the information relates should be informed that records have been requested unless to do so would prejudice the purpose of the request.

Any objections they have should be considered before responding to the person making the request.

Where information or records are passed to others it should be noted and confirmed in writing.

Information may also be disclosed to persons who have a statutory right of access to the information, for example:

  • Where the Court directs that records be produced or a Children's Guardian is appointed;
  • Where information is requested by Inspectors of the Regulatory Authority (who have specific statutory powers that permit access to records).

Where information is requested by telephone or electronically, great care must be taken to ensure that the recipient is entitled to receive the information requested. Where there is any doubt the information may not be provided without the approval of a manager.


3. Freedom of Information Act 2000

The Freedom of Information Act 2000 came into force on 1 January 2005.

Under the Act anybody may request information in writing or via e-mail from a public authority (which includes all local authorities) and must receive a response within 20 working days. The Act confers two statutory rights on applicants:

  • To be informed in writing whether or not the public authority holds the information requested; and if so;
  • To have that information communicated to him/her.

The Act applies to all information whether recent or old.

The Act sets out 23 exemptions from rights of access to information. If the information is exempt, there is no right of access under the Act.

One exemption relates to personal information. This means that an application for personal information under the Act is exempt and will not therefore be dealt with under the Act. A person's right of access to such information must still be dealt with in accordance with the Data Protection Act 1998. The procedure is set out in the Subject Access Requests Procedure.

Another category relates to information provided in confidence where disclosure would involve an actionable breach of confidence. This would include information provided by a member of the public about a child protection issue where the provider has provided the information on the basis that anonymity will be maintained.

The Act therefore does not change the legal position into the principles of confidentiality set out in paragraphs 2.1 to 2.4 above.

See also: Guide to freedom of information.


4. Data Protection Act 1998

The Data Protection Act controls how personal information is used by organisations, businesses or government.

Everyone responsible for using data has to follow strict rules called “data protection principles”. They must make sure the information is:

  • Used fairly and lawfully;
  • Used for limited, specifically stated purposes;
  • Used in way that is adequate, relevant and not excessive;
  • Accurate;
  • Kept for no longer than is absolutely necessary;
  • Handled according to people’s data protection rights;
  • Kept safe and secure;
  • Not transferred outside the UK without adequate protection.

There is stronger legal protection for more sensitive information, such as:

  • Ethnic background;
  • Political opinions;
  • Religious beliefs;
  • Health;
  • Sexual health;
  • Criminal records.

The Act balances the rights of the information subject (the individual whom the information is about) and the need to share information about them. Never assume sharing is prohibited – it is essential to consider this balance in every case. The Information Commissioner has published a statutory code of practice on information sharing to help organisations adopt good practice.

See also:

Data Protection Act 1998

Appendix 1: Data Protection Act 1998 Schedules

Appendix 2: Seven Golden Rules for Information Sharing


5. The Common Law Duty of Confidence

When considering personal information that has been provided “in confidence”, then all staff of any organisation with access to such information are subject to the Common Law Duty of Confidence. This duty is recognition in law, of the need to ensure that the information remains confidential.

A duty of confidence arises when one person (the “confidant”) is provided with information by another (the “Confider”) in the expectation that the information will only be used or disclosed in accordance with the wishes of the confider. If there is a breach of confidence, the confider or any other part affected may have the right to take action through the courts.

See also: A guide to confidentiality in health and social care - Health & Social Care Information Centre.


6. Information Sharing Agreements

Cumbria County Council Children’s Services have several signed information sharing agreements in place, using a Cumbria County Council legally approved template. These are supported by Privacy Notices and Consent Forms.


Appendices

Appendix 1: Data Protection Act 1998 Schedules

Appendix 2: Seven Golden Rules for Information Sharing

Appendix 3: Guide to Marking E-mails High Importance and Confidential

End