Information Sharing Guidance for Children, Families and Community Health

AMENDMENT

This chapter was updated in March 2023.

1. Background and Overview

Organisations must ensure that staff are trained to understand that they have a duty of confidentiality and a personal responsibility to safeguard any official information that they are entrusted with. This includes ensuring that they comply with the legal and regulatory requirements and standards, for example the encryption of personal data on removable media.

Incident management policies and procedures should be readily accessible and supported by common sense local business processes and guidance that make it easier for staff to follow the rules (e.g. clear desk policies, guidance on the transmission of personal data, proper disposal, etc).

The potential sanctions (criminal, disciplinary and corporate) for inappropriate behaviour should be clearly explained to staff and where inappropriate behaviours or security breaches occur they should be dealt with. HR policies and procedures should align with security policies and any disciplinary sanctions should be applied in a measured and proportionate way.

2. Information Sharing

2.1 Basic Principles

Swindon's Children, Families and Community Health service recognises its common law duties to safeguard the confidentiality of all personal information. Wherever disclosure of confidential information to another person or organisation is being considered, a check will always be made to ensure that such disclosure is lawful. The link below provides guidance for safeguarding practitioners in relation to information sharing.

All Council staff must be made aware and undertake annual mandatory training regarding the Data Protection Act (DPA) which applies to the processing of all personal data, both in paper and electronic records. Where disclosure is proposed, and there is any doubt as to whether the DPA applies or whether only the common law of confidentiality applies, advice will always be sought from the Council's Data Protection Officer and Caldicott Guardian. The Council will always record its reasons for deciding not to observe any duty of confidence it owes to a person who is the subject of information disclosed.

In order for agencies to plan for and provide services in a coordinated way, they are frequently required to share personal information about children and young people across professional and geographical boundaries. Anything that applies to an individual, and by which they can be identified, is personal information.

The approach to information sharing with others is the same whether practitioners are part of the same organisation or not. For instance, it is in the interests of a child with an Education, Health and Care (EHC) Plan, that teachers working closely with the child should have full knowledge of the plan. However, it may not always be necessary to share all information: for example, it is probably not necessary to share details of a parent's criminal convictions when looking to support their child's educational progress. Practitioners must build good relationships with colleagues, based on professional respect and trust to help break down organisational and cultural obstacles towards an open and positive approach to information sharing. At the same time there is a requirement to protect the privacy of children/young people and their families and maintain the highest standards of security and good data management.

Practitioners who wish to share information must be clear about their responsibilities under current legislation so that families can be confident that their personal data is being handled appropriately. In practice, there is likely to be implied consent for sharing between practitioners in the same organisation.  A concern for confidentiality must never be used as a justification for withholding information when it would be in the child's best interest to share it. A practitioner must balance the risk of sharing information with the risk of not sharing it.

2.2 Secure information exchange - good practice guidance

It is our duty to ensure that personal information is kept safe and secure, and only shared with those who have a legitimate reason to receive it. When information is in transit between individuals or information systems, it is at risk of loss, damage, theft and inappropriate or accidental disclosure.

This section sets out guidance on what to do when transferring information about identifiable individuals.

Agencies should consult their own local procedures, guided by their own professional code of conduct. Swindon Borough Council's Information Management policy can be found within the ICT and Information Governance Policy Library on the SBC intranet.

All practitioners providing services to children, young people, adults and/or families, whether working in the public, private or voluntary sectors as employee, contractor or volunteer, must follow HM Government's guidance on information sharing: advice for practitioners providing safeguarding services to children, young people, parents and carers (which is available on the GOV.UK website) when considering whether to share information on a case by case basis. This guidance, (and further associated materials available on the GOV.UK website), informed by training and experience, aims to support professional judgment and good practice by offering clarity on when and how information about a child's safety and well-being can be shared legally, ethically and professionally, in order to achieve improved outcomes.

Whether integrated working is through specific multi-agency structures or existing services, success for those at risk of poor outcomes depends upon effective partnership working and appropriate information sharing between services.

A practitioner must seek advice from their manager, supervisor, child protection advisor or Caldicott Guardian if they are not sure what to do at any stage, and they must ensure that the outcome of the discussion is recorded. Further, if planning bulk sharing of personal information between IT systems or organisations, advice must be sought through their agency Information Governance lead or Caldicott Guardian.

2.3 The Seven Rules of Information Sharing

Although information sharing can appear complex and rule bound, the principles are clear and encompassed in the Seven Golden Rules for Information Sharing as defined in HM Government's guidance on information sharing: advice for practitioners providing safeguarding services to children, young people, parents and carers.

The Seven Rules are:

  1. Remember that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately.
  2. Be open and honest with the person (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
  3. Seek advice if you are in any doubt, without disclosing the identity of the person where possible.
  4. Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgement on the facts of the case.
  5. Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the person and others who may be affected by their actions.
  6. Necessary, proportionate, relevant, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those people who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.
  7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

3. Arrangements for Consent

Consent is the key to successful information sharing. It is important that:

  • Consent is obtained where it is sensible, in the child's best interest, and practical;
  • To give informed consent, a child/young person and/or their parent/carer must be entirely clear about the purpose of the information; how it will be used; who it may be shared with and how it will be shared; how long it will be held and in what form. This must include making them aware of circumstances where information may be shared without consent and where confidentiality cannot be maintained;
  • Consent can be withdrawn at any time: giving of consent is not a one-off event.  It is a continuous and ongoing issue which needs to be revisited at regular and reasonable intervals. The child/young person and/or their parent/carer should be informed that they can withdraw consent at any time;
  • Consent is not required in instances where there are safeguarding concerns for a child, or where there is a statutory requirement for service provision.

4. Methods of Sharing Information

4.1 Sharing information by TELEPHONE

  • Always ask the caller to confirm their name, address and other identifying information. Be sure you know who you are talking to;
  • If you don't know the caller, be careful about disclosing information. If they are calling from another organisation you should call them back through their organisation's published switchboard number. Do not disclose information when a return telephone number cannot be supplied;
  • Only provide the information to the person who has requested it. If they are not there you should leave a message for them to call you back;
  • If the fact that someone has contacted your service is confidential, do not leave a message with someone else or on a voicemail unless you have their permission to do so;
  • Be aware of who might overhear your call;
  • Keep a record of any confidential information disclosed during the call.

4.2 Sharing information by POST

  • Posting documents is sometimes the only way to securely exchange documentation. Different levels of security can be used depending on the information being sent;
  • Consider sending the package as registered or 'signed for' delivery or by courier if confidential;
  • Reliable transport couriers should be used at all times. Consult with your Post Room;
  • Packaging must be adequate to protect the contents from damage during transit;
  • Ensure that you have the correct name and address. Sending material that is only addressed to an organisation is no guarantee that it will reach the intended recipient;
  • Where appropriate, mark the envelope 'Addressee Only';
  • This envelope may now be placed inside a larger envelope with only the correct name and address on it. This adds an additional level of security as the package is not easily identifiable as 'valuable' and administrative staff should only open the outer envelope;
  • Ask the recipient to confirm receipt;
  • Record the disclosure.

4.3 Sharing information IN PERSON

  • Confidential information may be delivered personally by members of staff. Such information may be held in paper or electronic form. Where laptops, PDAs or other electronic devices are used, precautions must be taken to ensure the security of your IT systems as well as any data held on the device itself;
  • Personal information should only be taken off site where necessary, either in accordance with local policy or with the agreement of your line manager;
  • Log any confidential information you are taking off site and the reason why;
  • Paper based information must be transported in a sealed file or envelope;
  • Electronic information must be protected by appropriate electronic security measures: password protection or encryption;
  • If transferring information by car, put the information in the boot and lock it;
  • Ensure the information is returned back on site as soon as possible;
  • Record that the information has been returned.

4.4 Sharing information by REGULAR EMAIL

Whilst internal messages within the Council are secure, those sent to addresses externally are not considered secure enough for confidential information exchange. Confidential information must be sent by other methods - several options follow below:

  • Ensure all recipients need to receive the information. Think twice before responding to a group email or copying others in;
  • When replying to emails or group emails always ensure the correct use of reply, reply to all, cc and bcc;
  • If you have to send a document containing personal information to an external recipient, ensure the email is secured by typing "Encrypt" in the message heading of the email. This will activate a secure email and When a respondent opens the email and replies the email chain for the email trail will be secure.

There are some domain addresses that are automatically secure. These are:

  • nhs.net;
  • mod.net;
  • cjsm.net;
  • pnn.gov.uk;
  • pnn.police.uk;
  • scn.gov.uk.

You can send sensitive data to these email addresses and they will be automatically encrypted.

For more information please see the ICT and Information Governance Policy Library on the swintranet.

4.5 Using Removable Media and Mobile Devices to share information

Removable media must not be used to share information. If you have issues with sharing information please contact and you will receive advice on alternative ways to share information securely.

Only council owned devices can be used by staff. Work data should not be saved on any other device that you own.

Staff should always ensure appropriate care and protection to prevent damage, loss or theft of laptops, tablets and phones. Full details of actions required can be found in Policy 6 of the Communication, Mobile Devices and Laptop Policy available on the SBC intranet.

4.6 Use of public Wi-Fi

The Council's laptops may use any public Wi-Fi to connect to the Council's network via Microsoft Direct Access, which is enabled by default. Direct Access ensures that all work is fully secure and encrypted between the laptop and our network. Some public Wi-Fi will be set up in such a way as to not work with our Direct Access system, but if you can connect, it will always be secure.

You will need to read the Terms and Conditions of Use when intending to use public Wi-Fi, as in many cases its use is only intended/reserved for private users and prohibited for commercial, or work purposes.

When working in a public place, please be aware of the need to maintain privacy. Always ensure that your screen can't be overlooked and also ensure that telephone conversations can't be overheard.

5. Dealing with personal information losses or breaches

Appropriate measures should be taken in order to prevent the occurrence of data losses or breaches. If a situation does arise then measures should be taken to ensure that the loss or breach is limited as much as possible, e.g. if a letter is sent mistakenly to the wrong person, then attempts should be made to retrieve the letter. All losses or breaches should be reported to the worker's line manager, the IT Service Desk and Data Protection Officer who will inform the officers who need to be advised.

In the event of a data breach please contact as soon as you become aware of a breach occurring. We have 72 hours in order to identify and report to the Information Commissioners Office where appropriate.

6. Further information

Any further information regarding information sharing can be obtained from the Information Governance page of the SBC intranet.

See also the Children's Services Confidentiality Policy.