RELEVANT CHAPTER

Data Protection Act 2018

January 2019: This chapter has been updated as a result of local review and should be reread.

1. Overview

1.1 Introduction

South Tyneside Safeguarding Adults Board (STSAB) is the strategic body for helping and protecting adults at risk, that is any adult who:

  1. has needs for care and support (whether or not the authority is meeting any of those needs);
  2. is experiencing, or is at risk of, abuse or neglect;
  3. and is a result of those needs is unable to protect himself or herself against the abuse or neglect or the risk of it. (Care Act, 2014).

The Care and Support Act Statutory Guidance states that: “agencies should draw up a common agreement relating to confidentiality and setting out the principles governing the sharing of information based on the welfare of the adult or other potentially affected adults.”

Effective multi-agency safeguarding adult’s procedures require personal information to be appropriately shared across agencies in order that all relevant information is available to those making judgements about  concerns of abuse or neglect.

This agreement has been approved by the agencies represented on the South Tyneside Safeguarding Adults Board, listed in Section 1.2. Partners to the agreement below Organisations that are contracted by statutory agencies or receive grant aid funding will be expected to be a party to this agreement.

The purpose of this information sharing agreement is to support lawful information sharing between agencies to protect adults at risk from abuse by setting out an agreed framework.

The agreement should be used as good practice standards that all staff from partner agencies need to meet in order to fulfil their duty of care in relation to the sharing of information for the purposes of responding to or preventing abuse or neglect of adults at risk.

1.2 Partners to the agreement

The information sharing agreement is between the following partners:

  • South Tyneside Council – Adult Social Care; Community Safety; Public Health;
  • South Tyneside NHS Foundation Trust;
  • South Tyneside Clinical Commissioning Group;
  • Northumberland Tyne and Wear NHS Foundation Trust;
  • Northumbria Police;
  • National Probation Service;
  • Northumbria Community Rehabilitation Company;
  • South Tyneside Homes;
  • Tyne Coast College;
  • Health Watch;
  • Tyne and Wear Fire and Rescue Service.

Any successor body (or bodies) of an organisation listed above, will be asked to sign the agreement as required.

It is the responsibility of all partners to:

  • understand their duty of confidentiality but also their duty to share information where there is a concern that an adult, a child, or member of the public is at risk or suffering harm;
  • ensure that the agreement is shared within their organisation and any other organisation with which it contracts to provide a service to adults with care and support needs;
  • ensure that all relevant members of staff should have access to, understand, and adhere to the information sharing agreement;
  • ensure that any organisation it contracts with has access to, understands and adheres to the agreement;
  • implement the agreement within their own organisation; make copies of the agreement available to users, carers and members of the public;
  • monitor and review the implementation of the agreement within their own organisation and any organisation it contracts with.

1.3 Purpose of information sharing

See also Data Protection Act 2018

The overall objective of sharing information within safeguarding adults work is to ensure that adults at risk are effectively safeguarded, by providing all relevant parties with the information they need in order to address concerns, reduce risks  or prevent abuse happening in the future.

Specific purposes for information sharing within safeguarding adults work may be to:

  1. seek advice about a specific safeguarding adult’s situation or to establish grounds for progressing with safeguarding adults procedures;
  2. make a safeguarding adults referral;
  3. seek immediate protection for a person/s through referral to another service/s;
  4. notify agencies who may need to take action against alleged or known perpetrators (includes risks posed by a member of the public, worker, volunteer or a service user;
  5. make a referral to agencies for purposes of requesting or amending services to people at risk of abuse or to those suspected of perpetrating  abuse;
  6. complete a criminal, employment, regulatory or any other investigation, review or assessment as part of a safeguarding adults enquiry (see Safeguarding Adults Procedures);
  7. conduct a Safeguarding Adults Review or any other case review that the STSAB deems appropriate;
  8. contribute to other review processes where safeguarding adults information is relevant for example Domestic Homicide Reviews, a Child Serious Case Review, multi-agency learning reviews;
  9. monitor and audit safeguarding adults work for example alerts, quality of outcomes, adherence to procedures;
  10. review and develop multi-agency policies and procedures to safeguard adults at risk;
  11. deal with complaints, grievances and professional or administrative malpractice.

The review of this Information Sharing Agreement (see Section 3.6, Management of the Information Sharing Agreement) will identify: other reasons for sharing information not included above and that the above are still necessary to effectively safeguard adults at risk.

1.4 Information to be shared

This agreement primarily applies to the sharing of information about an adult/s at risk where there is a concern they have been a victim of abuse or neglect, however this may involve the sharing of information about others in order to safeguard other adults, children or the general public.

Reference is made within this agreement to children; this is because information may need to be shared about children as part of the safeguarding adult’s enquiry and / or decisions to share information may be based on risks to children.

The agreement concerns the following personal and / or sensitive information which needs to be shared for the purposes outlined in Section 1.3, Purpose of information sharing above:

  1. ‘personal data’ which identifies the alleged victim/s or alleged perpetrator/s of abuse or neglect for example name, date of birth, address;
  2. ‘sensitive data’ about the alleged victim/s or alleged perpetrator/s of abuse or neglect for example gender, religion, ethnicity;
  3. reasons for concerns and details of the alleged concerns for example type of abuse, location of abuse, levels of risk or urgency;
  4. information about the physical and or mental health of the alleged victim/s or  alleged perpetrator/s for example mental capacity, communication needs.
  5. reports of any medical or social care assessments or examinations undertaken as part of the safeguarding adults procedures for example eligibility for community care, psychiatric assessment;
  6. personal data which identifies professionals involved with the alleged victim/s or alleged perpetrator/s;
  7. personal data which identifies other people who may be at risk for example via employment, family, service;
  8. historical information held in records about the alleged victim/s or alleged  perpetrator/s that may be relevant to the current safeguarding concern or a case review process. for example a previous safeguarding adult’s enquiry;
  9. name and contact details of the alerter and referrer (unless they have stated they wish to remain anonymous and this anonymity would not have a detrimental impact upon the safeguarding adults process);
  10. name of employer or organisation if the concern relates to a paid worker or volunteer of a service provider.

The agreement also concerns aggregated data (for example statistics) which may be  shared. In these situations, anonymised information should be used.

1.5 Legal basis for information sharing

The information shared under this agreement is regulated by:

Article 6 of the General Data Protection Regulation outlines six lawful basis’ for sharing information. One of these must apply whenever personal data is processed:

  1. consent: the individual has given clear consent for you to process their personal data for a specific purpose;
  2. contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract;
  3. legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations);
  4. vital interests: the processing is necessary to protect someone’s life;
  5. public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law;
  6. legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

In relation to safeguarding adults, the most likely lawful basis’ to be used are:

Section 2.1, Privacy and confidentiality and Section 2.2, Service user consent provide more information.

Where sensitive personal (special category) data is going to be shared, one of the above lawful basis’ must apply in addition to one of the following conditions under Article 9(2) of the GDPR:

  1. the data subject has given explicit consent to the processing of those personal data for one or more specified purposes;
  2. processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment, social security and social protection law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
  3. processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
  4. processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
  5. processing relates to personal data which are manifestly made public by the data subject;
  6. processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
  7. processing is necessary for reasons of substantial public interest, which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
  8. processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems;
  9. processing is necessary for reasons of public interest in the area of public health;
  10. processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes.

Section 45 of the Care Act (2014) provides for specific duties in relation to the supply of information to Safeguarding Adults Boards:

(1) If an SAB requests a person to supply information to it, or to some other person specified in the request, the person to whom the request is made must comply with the request if:

a) conditions 1 and 2 are met; and

b) condition 3 or 4 is met.

(2) Condition 1 is that the request is made for the purpose of enabling or assisting the SAB to exercise its functions.

(3) Condition 2 is that the request is made to a person whose functions or activities the SAB considers to be such that the person is likely to have information relevant to the exercise of a function by the SAB.

(4) Condition 3 is that the information relates to:

a) the person to whom the request is made;

b) a function or activity of that person;

c) a person in respect of whom that person exercises a function or engages in an activity.

(5) Condition 4 is that the information:

a) is information requested by the SAB from a person to whom information was supplied in compliance with another request under this section; and

b) is the same as, or is derived from, information so supplied.

(6) Information may be used by the SAB, or other person to whom it is supplied under subsection (1), only for the purpose of enabling or assisting the SAB to exercise its functions.

Your choice of lawful basis under Article 6 does not dictate which special category condition you must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose must apply, and vice versa. For example, if you use consent as your lawful basis, you are not restricted to using explicit consent for special category processing under Article 9. You should choose whichever special category condition is the most appropriate in the circumstances – although in many cases there may well be an obvious link between the two. For example, if your lawful basis is vital interests, it is highly likely that the Article 9 condition for vital interests will also be appropriate

Sometimes information (described in paragraphs 4.2.1-4.2.10) gathered for safeguarding adults purposes may need to be shared at a later date for other purposes for example criminal investigation; child serious case review; Domestic Homicide Review. The relevant legislation and / or information sharing agreements and / or guidance for those processes should be referred to on these occasions.

The information sharing will be carried out in accordance with the GDPR / DPA 2018. This will including ensuring:

  1. that there is a clear and legitimate purpose for the sharing of information;
  2. that the person sharing the information deems it to be necessary for the purpose identified;
  3. information will only be shared on a ‘need to know’ basis when it is in the best interests of the adult;
  4. confidentiality will not be confused with secrecy;
  5. that personal and sensitive information is anonymised where possible and appropriate to avoid a person being identified;
  6. where possible informed consent is sought from a person when information is going to be shared about them (there are circumstances where it is appropriate to not seek consent or override consent);
  7. that agencies do not give assurances of absolute confidentiality in cases where there are concerns about abuse, particularly in those situations when others may be at risk;
  8. best interest decisions are made when a person lacks the capacity to consent to information being shared;
  9. specialist advice is sought from managers, legal advisors or data protection officers if there is uncertainty about the sharing of information;
  10. information is shared appropriately and securely;
  11. records are made when information is shared or requested.

2. Service User Considerations

2.1 Privacy and confidentiality

Where it is necessary to share information this will be done in accordance the GDPR / DPA 2018 where this applies, and any other relevant legislation.

In order that information is shared fairly and adults are safeguarded, the following principles should be adhered to:

  1. information sharing decisions will be based on considerations of the safety and wellbeing of the person and others;
  2. the GDPR / DPA 2018 should not be used as a barrier to sharing information, but as a framework to ensure that personal information is shared appropriately. Confidentiality  should never be confused with secrecy; in some circumstances it will be necessary to  share personal information with or without the person’s consent;
  3. a person has a right to know why, what, how and with whom information will, or could be shared with as part of the safeguarding adult’s process;
  4. whenever information is shared for a purpose other than the protection of people under safeguarding adults procedures (e.g. review of  procedures, training) then personal information will be anonymised wherever possible;
  5. where the information subject is deceased, their confidentiality endures beyond death.

2.2 Service user consent

Information will be shared with the informed consent of a person unless there is clear justification for proceeding without consent. This includes sharing information with family members, close relatives and friends. This means that the person giving consent understands why information needs to be shared, what will be shared, who will see their information, the purpose it  will be put and the implications of sharing that information. Consent can be expressed verbally, in writing, or another form of communication.

Where there is a concern that a person lacks capacity to consent to information being shared, a capacity assessment will be completed as per the Mental Capacity Act 2005 (MCA). If the assessment follows that the person lacks the capacity to consent, then a best interest decision should be made, following the principles outlined in the MCA. This includes considering the person’s own views (where possible) and the views of those close to a person (close relatives, partners, carers, welfare attorneys)

Where a person makes a decision or a best interest decision is made not to share information then this decision should be respected where possible.

There will be some circumstances when consent will not be sought because it is unsafe, or where consent will be overridden:

  1. if by seeking consent it would place a person (the individual, a family member, or a third party) at increased risk of harm;.
  2. where seeking consent would prejudice the prevention detection or  prosecution of a serious crime;
  3. where it would lead to the unnecessary delay into making enquiries about concerns of significant harm to an adult at risk or child;
  4. where it is justified in the public interest. This may include: to protect adults from serious harm; to protect children from significant harm; to prevent crime and disorder; in the interests of public safety. The question of whether there is sufficient public interest should be judged on the facts of each case.  Where there  is uncertainty whether the public interest justifies disclosing without consent, advice should be sought from a manager, data protection officer or legal advisor – where possible the identity of the person will not be disclosed;
  5. where it is a legal obligation imposed by the court or statute.

Information will be shared about an alleged perpetrator without their consent where there is a reasonable belief that the sharing of information is necessary to protect an adult at risk or the wider public. A decision will be made as part of the safeguarding adult’s enquiry about what, how and when information will be shared with an alleged perpetrator.

2.3 Service user awareness and rights

All partners to this agreement will ensure that it is available to service users, carers and members of the general public.

Partners to this agreement have a responsibility to make service users aware of the purpose and content of this Information Sharing Agreement, its impact upon them, their rights and how these may be exercised.

Information that is shared about a person will be kept on their records and will normally be made available to that person and/or an appropriate  representative. The right of access to information is made under the GDPR / DPA 2018. Requests should be made via a Subject Access Request. Subject Access Requests can be made to any of the partner agencies listed.

When information is shared about a person, they have the right to know the nature of the concerns, have a right of reply and an opportunity to correct any information about them that is not accurate. This includes alleged perpetrators. Exemptions to this right of access may be made if:

  • information identifies other people, then there is the right to remove that information;
  • there is concern that serious harm to the person or others would likely to be caused by disclosing the information;
  • a third party is requesting the information on would hinder the prevention or detection of crime.

Where a person feels that their confidentiality has been breached they can  make a complaint to any of the partner agencies listed.

3. Information Sharing Procedures and Processes

3.1 Access

Partner organisations (to this Agreement), their contracted services and their respective staff or volunteers have access to information for those purposes outlined in Section 1.4, Information to be shared.

It is the responsibility of those partner organisations to ensure there are procedures in place to ensure appropriate access to information by appropriate staff or volunteers.

Information will be stored and shared using secure methods which protect privacy and prevent risk of unauthorised access.

In addition to Subject Access Requests (see section 8 above) any requests for information under the Freedom of Information Act are handled on a case by case basis. Information can only be withheld if one of the exemptions listed in the Freedom of Information Act apply.

3.2 Methods of requesting and transferring information

This agreement applies to information that is shared in the following ways:

  • internal post;
  • external post;
  • safeguarding adults meeting;
  • fax or text phone;
  • databases / electronic records.

The safe and secure handling and transfer of information will depend upon the level of sensitivity of the information.

Recipients of information will understand the purpose for which the information was shared and the limits of any consent that has been given (for example, whether they are able to share the information further). Where there is uncertainty the originating person / organisation should be contacted.

All decisions relating to information sharing, and the reason why the decision was made, will be recorded. This includes if a decision was made not to share  For example, consent (or decision to override / not seek consent) to safeguarding adults referrals should be clearly recorded on the examples for recording requests and responses to requests for information sharing are in Appendices.

3.3 Information standards

Only information that is necessary for the purpose it is being shared will be shared.

Facts will clearly be distinguished from opinions in any information shared.

Information will only be shared with the person or people that need to know.

Information that is shared will be accurate and up to date.

3.4 Security

The GDPR / DPA 2018 require data to be processed in a manner that ensures its security. This includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical and organisational measures are used.

Partners to this Agreement must implement and maintain appropriate security measures to protect confidentiality, integrity and availability of personal information.

Adopted security measures should be communicated across all partner organisations, their contracted services and their respected staff and volunteers.

3.5 Data retention, review and disposal

Information will be retained in line with the relevant organisation’s retention schedules.

Staff should review individual case files on a case by case basis, taking into account any outstanding Subject Access Requests.

When the retention period has expired, the information must be disposed of in a  secure and safe way for example by using secure, locked disposal bins or by using a cross-cutting shredder.

3.6 Management of the Information Sharing Agreement

This Information Sharing Agreement is owned by the South Tyneside Safeguarding Adults Board (STSAB).

The Information Sharing Agreement will be agreed by STSAB members on behalf of their organisations.

The Information Sharing Agreement is effective from July 2018. The Agreement will be reviewed in two years (July 2020) by the STSAB to ensure that it is supporting the safe sharing of information and this is also having the desired effect of safeguarding adults at risk in South Tyneside.

Non-compliance with this Agreement will be referred to the Chair of the STSAB.

Appendices

Please note the following appendices are best practice tools. They are intended to support organisations and their staff in the lawful sharing of information for the purpose of safeguarding adults. It is recognised that individual organisations may have their own tools and guidance in place regarding: Where there are existing or alternative systems in organisations these can be used.

Appendix 1: Information Sharing Request Form

Click here to view Information Sharing Request Form

Appendix 2: Information Sharing Request Record

Click here to view Information Sharing Record Form