Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and National Data Guardian (NDG).

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at england.igpolicyteam@nhs.net.

Information sharing in social care

Consent Social care
Involving patient carer and citizen networks

Social care professionals have a legal duty to share information to support individual care.

The duty to share information for individual care is as important as the duty to protect confidentiality. Sharing relevant information at the right time helps colleagues to make informed decisions and ensures that people receive safe care across different care settings.

This guidance refers to adult social care only. Responsibility for information governance and information sharing policy in children's social care resides with the Department of Education. See the statutory guidance Working Together to Safeguard Children and the non-statutory guidance Information Sharing: Advice for Practitioners Providing Safeguarding Services which apply to all safeguarding practitioners.

Key issues to consider before sharing information

There are several key principles to consider when deciding whether to share information.

Consider the purpose

When deciding whether to share social care information, you need to consider the purpose the information will be used for. The purpose will determine which rules you apply. This is because the rules for sharing for individual care are different to those for sharing for other purposes, such as research or planning.

Sharing for individual care

Relevant information should be shared with health and care professionals working in a care team, when needed to support care.

All staff who are directly involved in providing care to an individual have a legitimate relationship with that person. Examples of legitimate relationships would be:

  • a social worker supporting an individual
  • a mental health support worker working with a resident in a mental health facility
  • an occupational therapist supporting an individual to ensure their house is equipped with rails to prevent them falling
  • a care home manager at an individual’s care home

All of these people have a legitimate relationship with the individual, and can share information about that individual across organisational boundaries on that basis.

On the other hand, staff without a legitimate relationship with a particular individual are not entitled to access information about them. For example, a social worker in a local area which has a shared care record would not have a legitimate relationship with all the individuals in that shared care record area. They would only have a legitimate relationship with the individuals they are directly supporting.

Implied consent

Health and care information about a person cannot generally be disclosed without that person’s consent. However, you can rely on implied consent when sharing relevant information for the purpose of providing care, with health and care staff who have a legitimate relationship with the person.

Sharing for other purposes

When using confidential information for important purposes like social care research or service planning, you must always consider whether information that identifies people is needed. Where possible, information that does not identify a person should be used. Data protection laws do not apply to anonymised data. An example of anonymised data would be the number of residents and their age range in a supported living facility. If information that identifies an individual is requested, then you should check with your senior manager before sharing.

Explicit consent

If confidential information is needed for purposes beyond individual care, then explicit consent is normally required.

When a person lacks capacity to give consent

If the person lacks capacity to give consent for their data to be shared, consent should be sought from the person who holds a health and welfare lasting power of attorney (LPA) on their behalf. Alternatively, consent can be sought from the welfare deputy registered with the Court of Protection if the person has someone acting in that capacity.

If no one holds an LPA or role of welfare deputy for the individual, you will need to speak with the person in your care setting who has senior care or clinical responsibility to decide what is in the best interests of the person without capacity. This person could be a nurse, Caldicott Guardian or another competent senior person. Deciding best interests should include a case by case assessment of whether an individual’s confidential patient information should be shared.

Capacity can fluctuate, so any decision must be reviewed on a regular basis and reflected in the Personalised Care & Support Plans (PCSP). The assessment should focus on the specific decision that needs to be made at the time when the decision is required. See the Public Guardian’s Mental Capacity Act Code of Practice for further guidance.

Check for a person’s concerns

If a person objects to their information being shared, you should discuss this with them. You may have concerns about an objection, for example, if it will impact upon being able to provide safe care. In such a case, you should explain the implications of the decision to the person or their representative. You should respect their wishes unless there is a reason not to, such as concerns that not sharing the information may put other people at risk of harm. Any concerns or objections about information sharing should be noted in the individual’s record. Further discussion with the person, their representatives, and senior colleagues, may be required.

Where an individual does not want to share confidential information for research and planning, you should check the guidance from Digital Social Care on national data opt outs.

Share only relevant and necessary information

You should only share relevant and necessary information. Sometimes it is difficult to be clear about what is relevant. The key points are that you:

  • use your professional judgement – information sharing may vary from a single piece of information to the person’s whole record
  • can justify and evidence your decision
  • record your decision
  • inform the person and their representatives of any decision, where appropriate

Relevant information can also be shared with those involved in providing support to individuals. For example, where a person has asked for support with housing, staff can share relevant information needed with the council’s housing department so that they can understand the person’s needs. Only the information needed to provide appropriate support, such as a person’s mobility issues in this example, should be shared, not the entire care record.

Transfer information securely

This is one of the key principles to consider when using information.

Ensure information is transferred using an email system that meets the secure email standard, such as the NHSmail service which is free to social care; a verified Office 365 account; or a secure accredited domain.

Insecure email accounts should not be used. Alternatives include transferring information via a phone call or using an alternative work account such as a secure team email address.

Double check that the email has been addressed accurately.

When you are emailing confidential information, the contents should be password protected unless you are using NHSmail or other email account that meets the secure email standard. If a password is needed, you should send it using a different method like a text message.

Staff using Office 365 or NHSmail email accounts should add [secure] into the email subject line or body text to encrypt the email contents. Then they will not need to encrypt or password protect the message by another method.

Mobile messaging may be permitted where there is no practical alternative and the benefits outweigh the risk but the use of confidential information must be minimised, for example by using the person’s initials rather than their name.

When transferring paper records and information between health and care settings, use secure trackable and traceable methods, such as a courier, Royal Mail’s Registered Delivery or Special Delivery service.

Be transparent about information sharing

Transparency materials about how people's information will be used and shared must be made available, for example, on privacy notices, notice boards and websites. Ideally, transparency information should also be provided in the welcome pack received when people register for a new service or setting.

Check your organisation policy

You should check your organisation’s agreed policy and process for sharing information. For example, some care providers only accept requests to share information through email; some require the care manager or duty nurse to approve; and some junior staff are not allowed to share information at all.

Where to seek support

If you are not sure about how to deal with a request to share information, you should check with your senior staff; or your information governance lead or Caldicott Guardian if you have one.

A Caldicott Guardian is a senior person responsible for upholding the Caldicott Principles. Over the coming months, organisations that provide publicly funded adult social care services and process confidential information will be required to appoint a Caldicott Guardian or make alternative arrangements.

Until that time, a senior member of staff at your organisation should take responsibility for information management. See the National Data Guardian guidance for further details.

You can also check the guidance on the IG portal; the Information Commissioner’s Office’s data sharing information hub, the Data Security and Protection Toolkit, and the Better Security, Better Care guidance from Digital Social Care.

Involving patient carer and citizen networks