Freedom to Speak Up
Freedom to Speak Up (FTSU) is about encouraging a positive culture where people feel they can speak up, their voices are heard, and their concerns acted upon. This guidance helps patients and staff of NHS organisations understand the FTSU process and FTSU guardians and information governance professionals (IG) to manage information raised in a safe and appropriate way.
- I'm a patient/service user - what do I need to know?
- I work in a health and care organisation - what do I need to know?
- I'm an IG Professional - what do I need to know?
Guidance for patients and service users
There are several ways NHS staff can raise concerns within their organisation. One of these ways is known as FTSU. The aim of speaking up is to improve patient safety and make the workplace better for NHS staff.
This is different to the way patients can raise concerns. Guidance on how to complain to the NHS is on the NHS website.
FTSU guardians
Each NHS organisation has an FTSU guardian. The guardian is someone NHS staff can speak to about any concerns they have. The guardian may be:
- a member of staff in the same NHS organisation, or
- someone from another NHS organisation, or
- someone who is paid to be a guardian but does not work in the NHS
Social care organisations do not have FTSU guardians, but these organisations should make sure there are other ways their staff can raise concerns.
Information shared with FTSU guardians
Members of staff should only share enough information to allow the guardian to look into their concern. This might include information about the way another member of staff is treating you.
In most cases, staff will not need to share personal information about you with the guardian. However, if you are at risk of serious harm, staff may need to share information such as your name or where you are receiving care, so the guardian can make sure the NHS organisation protects you.
FTSU guardians should not look at patient records as part of their role as a guardian. Their role is to pass on any concerns to the right person, or to follow the correct processes to allow them to be explored.
If your personal information needs to be used as part of an inquiry for example the UK COVID-19 inquiry, this is different. You can find out more about this by reading our guidance on inquiries, investigations and court orders.
Guidance for healthcare workers
FTSU guardians
Within NHS organisations there are several ways that staff can choose to ‘speak up’ or raise concerns. One way is through FTSU guardians.
The role of the FTSU guardian was created in response to recommendations made in Sir Robert Francis QC’s report “The Freedom to Speak Up” (2015). In England, all NHS organisations and other organisations who provide NHS healthcare services in primary or secondary care are required to appoint an FTSU guardian. This includes NHS trusts, GP practices, as well as dental surgeries, opticians and pharmacies providing NHS services.
FTSU guardians may be based within your organisation, or they may be appointed to cover a number of organisations, for example, all GPs within a local area may partner to appoint one FTSU guardian to cover them all.
Raising concerns
Your organisation will have their own procedures and processes, so you should familiarise yourself with your local arrangements. You can also find more information on speaking up in the national FTSU policy.
The most important aspect of anyone speaking up is the information they can provide, not their identity. Therefore, if you are speaking up you have the option to do so in any of the following ways:
- openly: the FTSU guardian knows your identity and you are happy that they can share it with anyone else involved in responding
- confidentially: you reveal your identity to the guardian on the condition that they will not share this further without your consent, unless there are exceptional circumstances (see guidance for IG professionals – disclosures without consent section below)
- anonymously: you do not want to reveal your identity to anyone. Organisations should provide methods for individuals to report concerns anonymously, such as through online forms
Patient confidentiality
If your concern involves a patient, you should share the minimum amount of information necessary to allow the guardian to follow up, in order to protect patient confidentiality. In most cases, this will mean providing information about the nature of your concern without sharing information that directly identifies the patient.
If patient information is required by the guardian, you should not rely on the implied consent of the patient. This is because FTSU guardians are not directly involved in the care of patients therefore a patient is unlikely to have a reasonable expectation that their information will be shared with a guardian.
In exceptional circumstances, you may share patient information without breaching confidentiality where the disclosure can be justified in the public interest, for example, to protect individuals from serious harm or crime. In these cases, you should still only provide information which is relevant to the concern.
Guardians will guide you in these conversations and let you know what information they need to take a concern forward. While it is important to keep patient confidentiality in mind, as long as you are acting in good faith and the best interest of the patient, you will not be penalised for sharing information with a guardian.
Information shared by FTSU guardians
Other parts of your organisation
Guardians may need to share information about your concern within your organisation to allow for this to be investigated or resolved.
For example:
- if the concern is about the conduct of another member of staff, the guardian may need to share information about the individual’s conduct with their line manager or HR
- if the concern involves clinical or patient safety aspects, the guardian may need to escalate this and share information about your concern with a medical director, or as part of a patient safety investigation
- guardians may need to report to senior management or boards about the types of cases they are handling
Other guardians
Your organisation may have multiple guardians who share caseloads or cover each other in case of annual leave or sickness. This may include using a joint mailbox. Where information about your case is shared amongst guardians, they should inform you of this.
Sharing cases with FTSU networks
Guardians may wish to share case details among local networks of FTSU guardians for joint learning. They should only use anonymous data. If there is a risk that you can be identified (for example, due to small numbers of staff in the clinical department which the case relates to) or the unique context of the scenario, then your consent must be obtained. This is the case even if a situation is known to others (for example, a high-profile case or where there is media attention).
Where there is a safeguarding concern
In exceptional cases, information may be shared with a guardian which indicates there is an immediate risk of serious harm to another person. In these cases, the guardian may need to share the information they have about the concern with the police or other bodies to safeguard a person at risk.
If the concern has not been reported anonymously, they may need to share information about the person who reported it, in order for the appropriate body (for example, the police) to follow up and gather more information. The guardian should inform the person raising the concern if this is the case.
Where you are the subject of a concern
If someone raises a concern about you to an FTSU guardian, they would typically share information such as your name, your job role and the nature of the concern.
The guardian may share this information further within the organisation to allow the concern to be addressed, for example by sharing details of the concern with your line manager for it to be investigated.
Guardians do not need consent to share information about the subject of a concern, as this would prejudice their ability to appropriately manage concerns (see Legal basis under UK GDPR section below for further information).
Your organisation’s Privacy Notice, or information they provide to staff about the FTSU service, should detail how your information would be used in the event of an FTSU concern being raised about you.
Guidance for IG professionals
Legal basis under UK GDPR
The lawful basis for use of personal information as part of the FTSU process is:
- Article 6 1 (e) - Public task/official authority
It may be necessary for an FTSU guardian to process special category data, for example where a concern is raised about the behaviour towards an ethnic minority colleague. In these circumstances, the lawful basis should be assessed on a case-by-case basis. The most likely to apply are:
- Article 9 2 (b) - Employment
- Article 9 2 (h) - Health and social care; or
- Article 9 2 (i) - Public health
To rely on one of these lawful bases, you must be able to demonstrate that processing the special category data is necessary. Please see ICO guidance for further information.
Confidentiality of those speaking up
The confidentiality of those who speak up should be respected, subject to the need to ensure that people are protected from serious harm (see below).
FTSU guardians should be supported to maintain the confidentiality of those reporting concerns to them, ensuring they do not share details of cases outside of the bounds of their agreements with the individuals they are supporting.
Disclosures without consent
In exceptional circumstances it may be necessary to make a disclosure without consent. For example:
- where there is an immediate risk of serious harm to a patient, worker or member of the public
- where it is required by law, for example:
- there is a court order requiring you to release information
- you have information that would assist police in preventing an act of terrorism or help in apprehending or prosecuting a terrorist (in line with the Terrorism Act 1989 and Terrorism Act 2000)
- you are asked for information that might identify a driver who is alleged to have committed an offence under the Road Traffic Act 1988
- you have information that suggests that a girl under the age of 18 has been subject to genital mutilation (in line with the Female Genital Mutilation Act 2003)
A decision to make a disclosure without consent must be taken on a case-by-case basis. Where possible, this should be discussed with the person who reported the concern and the minimum amount of information needed should be shared.
Guardians may seek support from their Caldicott Guardians, Data Protection Officers (DPO) or more senior FTSU guardians to determine whether sharing information without consent is in the public interest.
You should support guardians to ensure that they fully document any decision to disclose information without consent.
Confidentiality of patients
While it will usually be possible for staff to raise concerns with guardians without sharing information which identifies patients, this may be considered necessary in some exceptional circumstances, such as where a member of staff is putting a patient at risk.
When information about patients is shared beyond those with a legitimate relationship with the patient, explicit consent is usually required in order to satisfy confidentiality. However, staff may be supported to share patient information with guardians without breaching confidentiality where the disclosure can be justified in the public interest, for example, to protect individuals from serious harm or crime.
If a person raising a concern shares patient information with a guardian, and this does not meet the threshold for a disclosure in the public interest, guardians should be advised not to record any patient information and only share information onwards which does not identify the patient, in order to protect their confidentiality.
Transparency
Transparency is key to maintaining confidentiality and trust in the FTSU process.
In order to ensure transparency, organisations should:
- provide information about the FTSU process, including any associated information sharing and confidentiality considerations in your staff and public privacy notice, intranet or service specific material
- ensure that when an individual is sharing a concern, they are advised how their information will be used, including the exceptional circumstances that may apply to disclosing their identity where there is an expectation of privacy
- consider how FTSU guardians can best keep the people they are supporting informed of developments including any changes in plans to share information
- ensure that the use of joint or shared mailboxes is sufficiently clear to employees where it is possible that more than one guardian would access concerns reported to that mailbox
- ensure that in cases of annual leave, sickness or a change of guardian, the person who raised the concern consents to the sharing of their case with another guardian. For further guidance on handing over cases see the National Guardian’s Office guidance on Starting Out and Stepping Down
Records management
IT systems should be set up to ensure that only FTSU guardians can access information relating to cases. Care should be taken when recording the details of the individual who reported the concern, and no patient details should be collected or recorded.
When recording information on FTSU cases, the guardian should only record the minimum amount of information necessary for their purposes.
The National Guardian’s Office requires FTSU guardians to record details about all of the concerns that are raised with them. Organisations must ensure that they provide methods for guardians to do so securely. Consider whether concerns will be recorded on an incident management or risk management system, and what controls should be applied, for example limiting access to only the relevant FTSU guardian.
Records of FTSU cases are considered to be ‘complaint records’. In line with the NHS Records Management Code of Practice, the retention period for records relating to complaints is a minimum of 10 years, at which point the records should be reviewed to see if there is a need to retain them further or not. If an FTSU guardian is leaving, records should be handed over to the new guardian and retained electronically for the appropriate retention period. If these records contain staff information, consent should be sought to share the information with the new guardian, or they should be anonymised before they are passed on.
Guardians should be encouraged to manage their emails in line with the above and not to use email systems to file complaint information, but to instead transfer appropriate information to approved systems for retention.
Reporting
FTSU guardians are required to report to the National Guardian’s Office each quarter. Internal reports will be required (for example, by boards).
It may be helpful for information governance professionals to provide guardians with additional support and guidance during these reporting periods to ensure that information is appropriately anonymised, and confidentiality is maintained.
For further advice on both recording and reporting cases, guardians should refer to the Recording Cases and Reporting Data Guidance from the National Guardian’s Office.
Subject Access Requests
It is common for subjects of a concern/complaint to request copies of information about them under a Subject Access Request (SAR). It should be clear to individuals who make an SAR that only their personal information is disclosed. The identity of the individual who reported the concern will be withheld including any information likely to identify the individual. Where a statement is held but releasing it would disclose personal data, even with redactions, a summary may be provided instead. Please see our SAR guidance for further information on managing and responding to Subject Access Requests.