AMENDMENTThis guidance was reviewed and updated in January 2019, following the introduction of the General Data Protection Regulations (GDPR) and Data Protection Act 2018. Managers must ensure staff undertake the mandatory information security training annually and ensure that staff they supervise are fully aware of the contents of this policy and that this is recorded in their supervisory records.
Merton Council recognises its duties to safeguard the confidentiality of all personal information. The disclosure of confidential information will not be made to another person or organisation unless it is ensured this is lawful.
All council staff must be made aware that the General Data Protection Regulations (GDPR) and Data Protection Act 2018 apply to the processing of all personal data, both in paper and electronic records. Where disclosure is proposed, and there is any doubt as to whether the data protection legislation applies or whether the common law of confidentiality applies, advice will always be sought, from the Council's Information Governance Team. The Caldicott Principles govern the use of information about service users to ensure that the minimum amount of person identifiable information is exchanged and only when absolutely necessary (see Caldicott Principles).
There should be a record on file, for the reasons for sharing personal data as this would form part of an audit, in the event that this is challenged or needs to be reviewed or investigated.
E-mail messages sent via the internet can be intercepted, read and changed relatively easily. Consequently, council staff must not use the internet to pass on any personal identifiable information about service users unless this is in a secure or encrypted email.Fax messages are not secure and should not be used for sending personal data.
The council's conditions of employment, issued as part of every employee's contract, clearly detail the obligations placed upon the council staff.
Staff working in the council will come into contact on a day to day basis with confidential information and data relating to the work they carry out within the council, including personal data about its service users and other staff. Staff are bound by their conditions or contract of service to respect the confidentiality of any information that they may come into contact with and under no circumstances should such information be divulged or passed to any person or organisation in any form unless such disclosure is authorised under this policy.
Any unauthorised disclosure of confidential personal information by council staff may result in disciplinary action or dismissal. Staff may also face prosecution under the Data Protection Act 2018.
Where council staff misuse confidential information, for example, staff disclosing information to the press, they could face disciplinary action that could lead to dismissal. They may also be prosecuted under the Computer Misuse Act 1990.
All managers must ensure that confidentiality is discussed with all new employees and contractual workers, as part of their induction and with staff routinely within wider forums, such as Team Meetings. Managers must ensure staff undertake the mandatory information security training annually. Managers must ensure that the staff they supervise acknowledge that they have taken note of the contents of this policy and this is recorded in their supervisory/1:1 records.Any designated volunteers and work experience students must also have their role and responsibilities clearly outlined with regard to maintaining confidentiality. It should be made clear by their supervisory manager that they need to adhere to this policy.
Within their role staff may have access to service level agreements, or other contracts. This information must be treated as confidential and only discussed/disclosed where this forms part of the staff's working remit within the organisation. If there is any doubt this should be consulted with their supervisory manager.
Access to confidential personal information may be sought for research, audit or monitoring purposes, either by other council areas or by outside organisations or public bodies.
Anonymous information and data can be used for research without any checks being completed on the referrer. However, you must ensure that the data is truly anonymous and cannot be linked with other available data to re-identify individuals.
Internal requests for research projects need to be put in writing and agreed by the educational provision the member of staff/researcher attends. A final decision will be made by a Head of Service whether they will be granted to proceed with their research or if it may impact on service delivery, this may be declined.
All media enquiries should be referred to the communications team within Merton.
The Police do not have automatic rights to personal information held by the Council about service users. However, they should be granted access to records when this is necessary for crime prevention and detection purposes and for apprehending and prosecuting offenders. The Police should make their application in writing as described in the following Intranet link. This disclosure should always be approved by your Team Manager and the Information Governance Team.
Requests for personal data which aren't already covered by clear local policies, whether or not from the police, for legal proceedings or another reason, should be referred to the Information Governance Team.Any requests for personal access to confidential information held by the council for the purpose of any legal proceedings must be referred to the Information Governance Team.
The following is a summary of the Practitioners Guide to Information Sharing which has been published by the Department for Education (DfE), the full text of which can be accessed on the Department for Education website.
There is additional guidance in 'Information Sharing: Further Guidance on Legal Issues') and 'Information Sharing: Case Examples' (which can also be found at the Department for Education website).
Personal information held about children and families will often be subject to a duty of confidence. It should not normally be disclosed without the consent of the child concerned or those with parental responsibility.
The legal framework for confidentiality is contained in the common law duty of confidence, the Children Act 2004, the Human Rights Act 1998, the EU General Data Protection Regulations (GDPR) and the Data Protection Act 2018.
Whilst the general principle is that information obtained about children and their families may only be shared with them and not with others, there are exceptions. Safeguarding the welfare of children overrides the duty to maintain confidentiality, as the law permits the disclosure of confidential information where this is necessary to safeguard a child or an adult.
Those working with children must make it clear that confidentiality may not be maintained if the disclosure of information is necessary in the interests of the child. Even in these circumstances, disclosure will be appropriate for the purpose and only to the extent necessary to achieve that purpose.
There may also be situations where third parties have a statutory right of access to the information, for example the police in joint investigatory enquiries or where a court order requires that information is shared on a multi disciplinary basis.The circumstances in which information held in records on children and families can and should be disclosed and shared with others with or without consent are set out in the following sections:
If a Section 47 Investigation is required under the Children Act 1989 a child will not necessarily be informed, as this could place a child at risk of Significant Harm. The police may also as a joint agency withhold information from a child while they make decisions based on their findings.
Sharing information in a timely way with others working with the same child, or who may need to know, is instrumental to safeguarding a child's interests.
For safeguarding purposes relevant information about children must be shared with colleagues, other professionals or agencies that may have a role to play in their care. This should also be documented on the child's records on the social care information system.
There are also situations where council employees have a legal duty to share information. As outlined at 2.3 if any safeguarding concerns emerge then the relevant enquires will be made to make informed decisions with partner agencies, such as the police.
In such circumstances the person to whom the information relates should be informed that records have been requested unless to do so would prejudice the Investigation /enquiry and place a child or adult at risk of harm.
If someone provides consent and then withdraws their consent, this needs to be fully recorded and respected and any information obtained needs to reflect this. If information is shared between partner agencies a case note on the social care information system should be made as a reference.
Case information may also be disclosed to other persons who have a statutory right of access to the information, for example:
The DPA / GDPR gives everyone the right to a copy of the personal data which the council holds about them – see Access to Records Procedure. These Subject Access Requests (previously called Access to Files Requests) should be referred on receipt to the Information Governance Team who will log and assign to the relevant officer. Personal data is not supplied under the Freedom of Information Act 2000, as it is normally exempt.
These above policies are helpful tools for reference and should be used in addition to this policy document, as a working guidance.
Only valid for 48hrs