Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and National Data Guardian (NDG).

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at

Sharing information with the voluntary sector


Voluntary and Community Sector (VCS) organisations make an invaluable contribution to the care of patients and service users. This guidance provides information to health and care organisations on how information can be shared safely with the voluntary sector.

Guidance for patients and service users

Some health and care services are provided by charities. Examples include hospices or services where your GP has provided you with a “social prescription”, for example to access exercise classes or a debt counselling service. 

In order to provide the best support possible, the health or care organisation that refers you to the VCS organisation may need to share personal or confidential patient information with them. They will only share the information needed for them to deliver their services. For example, a debt counselling service may need your name and telephone number to arrange a meeting.  

You can find more information about which organisations your health and care provider shares information with in their privacy notice. You can object to your information being shared or accessed in this way and you should contact your health and care provider if you would like to object.  

This guide will support health and care professionals to share this information correctly and safely. 

Guidance for healthcare workers

You should feel confident to share relevant information with the voluntary sector where they are providing health and care services. Where these organisations are providing care, such as a hospice, you can share information with implied consent. For services that are broader than health and care, such as housing advice or cookery classes, you will need explicit consent. See the IG professionals section below for more details.

Patients or service users can object to their information being shared or accessed by the voluntary sector. If an individual objects to any proposed sharing or access to information about them, their wishes should be respected unless there are exceptional circumstances such as safeguarding. The consequences of not sharing for care should be carefully explained but if an individual has the capacity to make this decision then it is their choice.

Guidance for IG professionals

Health and care organisations must provide assurance that they are practising good data security and that personal or confidential patient information is handled correctly. They can do this by completing the online Data Security and Protection Toolkit (DSPT). The DSPT includes a view for voluntary sector organisations to complete. The requirements that need to be in place within a VCS organisation can be found under category 3 of the DSPT. The DSPT rating will support health and care organisations when assuring voluntary sector organisations.  

Some of the key things that VCS organisations should have in place in order to practise good IG are:

  • People should be told what organisations are doing with their information, who it will be shared with and what their rights are, for example to object and to have access to what information is held. (As a minimum this should be privacy notices and on the website, however in some circumstances, explicit patient consent is required, see below)
  • Responsibility for IG should be assigned to an appropriate member of staff, such as a Caldicott Guardian or Senior Information Risk Owner (SIRO).
  • All contracts (staff, contractor and third party) must contain clauses that clearly identify IG responsibilities.
  • All staff members must be provided with appropriate training on IG requirements, both at induction and on a regular basis.
  • There should be staff guidance on confidentiality including the disclosure of information. This should also be part of staff contracts.
  • Unauthorised access to the premises, equipment, records and other assets must be prevented.
  • Personal data must be stored securely. All portable devices used to store personal or confidential patient information, such as memory sticks and laptops, should be encrypted.
  • There are documented retention periods for information and people’s information is only held for as long as necessary.

Staff and volunteers should be supported in following good IG practice. VCS organisations may need support to evidence that their organisation, including their staff, understands what is required. An IG lead from a larger health or care organisation may provide small partner VCS organisations with support in order to ensure that data is managed securely and confidentially. Further information on how the NHS should support smaller partner organisations can be found in the Social prescribing and community-based support guide in section 6. 

It is essential that both those sharing information with a VCS and those receiving it understand IG requirements so that sharing with VCS organisations is lawful and not excessive but is not restricted when it is appropriate to share. When sharing personal or confidential information it should be via a secure email system such as NHS mail or one that meets the secure email standard.  

Information requirements must be fully understood by all parties and these may vary widely between different services. The information that a particular VCS partner organisation needs in order to contribute effectively must be determined locally. Information sharing agreements, if kept simple and focussed, can be an invaluable mechanism for setting out information requirements, the legal basis for sharing or providing access to information and the required IG standards that must be met. 

Consent under common law

Within health and care settings consent under common law is implied as a consequence of people presenting for care.

When planning to share or enable access to information more broadly than health and care settings, such as with a VCS organisation that provides services not traditionally viewed as health or care, you should ensure that the patient or service user understands what is proposed and has indicated that they are happy for it to happen. Such services might include cookery classes, gardening and arts activities or housing advice. This explicit consent, under common law, should be captured in the health and care record by the organisation that is planning to share information. A signed consent form countersigned by the member of staff who sought the explicit consent would be a good way of achieving this or verbal consent which is then recorded within the health or care record. You should ensure that no more than the minimum information is needed from organisations providing non-clinical services.

If an individual objects to any proposed sharing of information about them, whether for their individual care or other purposes, their wishes should be respected unless there are exceptional circumstances such as safeguarding (please see The NHS Confidentiality Code of Practice - annex B). The consequences of not sharing for care should be carefully explained but if an individual has the capacity to make this decision then it is their choice. 


You should make information available which explains the circumstances in which your organisation shares information with other organisations including VCS organisations. This should be readily available to patients and service users (such as in your privacy notice and on your website), so that no one is surprised or upset by information sharing that they did not anticipate and were not informed about.