Privacy Policy

Version 1.0
Date 1 August 2019
Managing Director Colin Nicholson
Director of Operations Abbie Nicholson
Director Governance and Compliance Neil Powell
Policy Owner Neil Powell
Review Date 1 August 2020
Distribution All Staff


Records Management including Access and Confidentiality Policy


This document aims to set out the policy to be adhered to in relation to Records Management within the Company taking into consideration:

    • Access, storage and Retrieval
    • Writing and recording
    • Retention and destruction schedules
    • Confidentiality

The Company must comply with the Data Protection Bill and the GDPR, which specify measures which must be taken by users of information to ensure that it is acquired, held, used and transferred/disposed of in accordance with best practice. They also ensure that the rights of those who are the subject of the information in question are protected.

Definition and Explanation of Terms

Medical Record

A record relating directly to the physical or mental health of an identifiable individual and which has been made by, or on the advice of, a health professional in connection with the care and treatment of that Person, or in connection with the organisation of that care.


Anything which contains information (in any media) which has been created or gathered as a result of any aspect of the work of the Company’s “employees”.

Policy Statement

The Data Protection Bill and the GDPR regulate how personal information is used and protect people from misuse of personal details. They provide principles which prohibit the misuse of personal information without stopping it being used for legitimate or beneficial purposes.

Every member of staff completing and keeping personal information is known as a “data controller” and must comply with the principles to ensure that personal information is:

    • Fairly and lawfully processed
    • Processed for limited purposes
    • Adequate, relevant and not excessive
    • Accurate
    • Not kept longer than necessary
    • Processed in accordance with the Person’s rights
    • Kept secure
    • Not transferred abroad without adequate protection.

The Bill and the GDPR provide stronger protection for sensitive information about ethnic origins, political opinions, religious beliefs, trade union membership, health, sexual life and criminal history.

A health record can be recorded in a computerised form or in a manual form or a combination of the two. They may include such things as hand-written clinical notes, letters to and from other health professionals, laboratory reports, radiographs and other imaging records, printouts from monitoring equipment, photographs, videos and tape recordings of telephone conversations.


All manual and electronic files generated within the service must be managed within this policy. All practitioners must ensure that they are aware of the current rules on such issues as data protection and access to information. They should also be aware of the vital role that records play in delivering quality, evidence-based healthcare.

What Constitutes a Care Record?

Care records include any material that holds information regarding an individual, collected as part of their care provision whilst at the Service. Such material can be written, electronic or other media format and include cards, minutes of meetings, research and audit data, audio or visual recordings, letters, notes, diaries, emails and duplicate copies.

Purpose and Completion of Care Records

Records are a valuable resource because of the information they contain about the care we provide to a person receiving care. High quality information underpins the delivery of high quality, safe, evidence-based healthcare. Information is of greatest value when it is accurate, up to date and accessible when it is needed.

An effective records management service ensures that information is properly managed and is available when needed:

  • To support an individual’s care and continuity of care
  • To support day to day business within the Company and underpin delivery of care
  • To support safe and evidence-based clinical practice
  • To support sound administrative and managerial decision making as part of the knowledge base for Integrated Governance and Clinical practices
  • To meet legal requirements including requests from persons receiving care under subject legislation
  • To assist clinical audit and other audit
  • To support improvements in clinical effectiveness through research and also support archival functions by taking account of the historical importance of material and the needs of future research or investigations
  • Whenever and wherever there is a justified need for information and in whatever media it is required

Standards for Completion of Records

Both written and electronic care records must be clear in content and must be completed as soon as is possible after the consultation or event, providing current information on the care and condition of the person receiving care.

All entries in health records must be dated, timed and signed. Amendments or alterations must be written in such a way that the original entry can still be clearly read. Alterations or errors must be scored through with a single line, initialled and dated. Eraser or white out liquid is not permitted and no part of an original entry in a Person’s record should be permanently removed.

All entries in health records must be written legibly, accurately and in black ink.

Care records should identify problems that have arisen, and subsequent actions taken to rectify them.

Health records should record other persons present during any appointment. In the event of this being a student or any other member of staff observing the appointment, there should also be a record of the person's consent.

Abbreviations in care records should only be used where this is first explained in the notes to identify what the abbreviation is.

Access to Records

Any Person may apply for access to records written about him/herself. Requests may come from the Person receiving Care; however, there are other occasions when requests will come from other people:

  • A person receiving care may authorise in writing any other person to apply for access on his or her behalf.
  • A person appointed by the Courts may apply on behalf of a person receiving care who is incapable of managing his/her own affairs.
  • The representative of a person who has died or any person having a claim arising from the person’s death may apply for access under the provisions of the Access to Health Records Act 1990.
  • Parents or a person exercising parental responsibility have this right where the Person or carer is a child under the age of 18; but access may be refused:
    1. in any case to the extent in which granting access would be likely to cause serious harm to the physical or mental health or condition of the child
    2. Where to allow access would disclose information provided by the child in the expectation that it would not be disclosed to his/her parent, as a result of any examination or investigation to which the child consented in the expectation that the information would not be disclosed or which the child has expressly indicated should not be disclosed.

The provisions introduce the difficult issue of the duty of confidentiality owed to a Gillick / Fraser competent child or a competent child aged between 16 and 18 years where he/she prohibits disclosure to the parent/person exercising parental authority. Whilst the DPA provides an exemption preventing the parent’s rights of access, where there is doubt about the child’s capacity or other difficulties, legal advice from the company’s solicitors should be obtained.

Informal Access to Health Records

The Data Protection Bill and the GDPR entitle a Person receiving Care to access his/her own records. Some Persons receiving Care may ask to see their records. With this approach, no written applications have been needed and nothing has been documented. This is described as INFORMAL access.

The Act stresses that informal access should be allowed to continue as it did under the previous Access to Health Records Act 1990. Therefore, where informal methods have succeeded in the past, they should be allowed to continue and should be encouraged as an easier alternative to the formal procedure.

Informal access has the major advantages of being quick and relatively simple. Even when using this method, however, staff should still check all records thoroughly and remove information which should not be disclosed before making them available to a Person receiving Care.

In the case of informal access:

A person receiving care, or their appointed advocate, may ask to see their care records, and a specific time should be set aside with the person or their appointed advocate so that any nursing/care terminology can be explained as they read the care records.

Any inaccuracies that the person or their appointed advocate point out must be documented.

If staff believe an entry to be medically and professionally inaccurate it must not be changed; instead a comment may be added about the person’s or appointed advocate’s objection.

A person receiving Care or their appointed advocate wishing to have access to their medical records must apply to the General Practitioner or Consultant; this includes any entries made by the GP or Consultant in the multidisciplinary records.

Formal Access to Health Records

For Persons or their appointed advocate requesting access to their records, who are no longer in the care home:

Complete Access to Care Records letter to send/give to Applicant. Enclose the Access to Care Records application form.

Enclose with the letter this policy to be read in conjunction with the Access to Care Records application form.

  • Make an appointment to see the applicant in person if they wish. Inform the data controller / registered manager. This meeting will be to review the Care Records in person and for the Service Manager to explain terminology that may have been used

Information that should not be Disclosed/ Exemptions

Before any healthcare records are released to the Person or their appointed representative/ advocate, under the Data Protection Bill and GDPR, the HealthCare Professional must thoroughly check them to ensure that their release would not cause the following:

  • Where the information released may cause serious harm to the physical or mental health or condition of the Person receiving Care, or any other person. The decision is made by the Director of Operations.
  • Where access would disclose information relating to or provided by a third person. Refer to appropriate section below.

Exemption from both the subject information provisions and the disclosure provisions of the DPB may be available in the following circumstances.

Prevention or detection of a crime: The Company need not inform the Person that it is holding personal data about him/her:

  • for the purposes of the prevention or detection of crime, or to apprehend or prosecute offenders;
  • that information about him/her has been disclosed to another organisation which required it for any of these purposes (e.g. the Police);
  • that it has received information from an organisation which has such information in its possession for any of these purposes.

Third Party Disclosure

Where records contain information that relates to an identifiable third party, the information may not be released unless:

  • The third party is a health professional who has compiled or contributed to the health records or who has been involved in the care of the Person receiving Care.
  • The third party, who is not a health professional, gives their consent to the disclosure of the information.
  • It is reasonable to dispense with that third party’s consent (taking into account duty of confidentiality owed to the other individual, any steps to seek his or her consent, whether he or she is capable of giving consent and whether consent has been expressly refused).

Examples of where a third party may be involved

  • A parent may apply for access to their fourteen-year-old child’s health records. The child may have made some reference to his/her parents (the third party), contained within their health record, which the child did not want disclosed. The doctor may withhold this information from the child’s parents.

Disagreements over Records

If a Person examines a record and believes that it contains inaccuracies, he/she can ask the company to amend the record. The company may then agree to the change or may state that it believes the record to be correct. In the latter case, the company is not obliged to amend the records, but it must make a note of the Person’s disagreement with the record. The Company must also send to the Person a copy of the amendment or the note.

Dealing with Complaints

A Person may be unhappy with the outcome of an access request, for example because information has been withheld from them or because they feel their information has been recorded incorrectly within their health record. To help rectify the complaint, the Person should be encouraged to go through the following channels:

  • The health professional may wish to have an informal meeting with the individual in the hope of resolving the complaint locally.
  • If the health professional feels that they cannot do anything for the individual locally, the person or their appointed advocate/representative should be advised to make a complaint through the Company complaints procedure.
  • Ultimately, the Person/Appointed representative may not wish to complain locally and may prefer to make a complaint direct to the Information Commissioner’s Office.
  • Alternatively, if the Person/Appointed representative wishes to do so they may seek independent legal advice to pursue their complaint.

Police Requests for Access

Police requests for information can come in through a number of avenues and are often urgent and complex in nature.

It is important to emphasise that the Police do not have automatic rights of access to personal information and there are four main routes by which information requests should be considered:

  • The request is accompanied by the explicit signed consent of the data subject concerned.
  • An order of the Court mandating release of the personal information.
  • A Section 29(3) request where personal information is requested by the Police to support their investigations where the seriousness of the offence/matter in hand must be balanced against the duty of confidentiality of the person concerned and also the interests of the wider public.
  • The Police have been called at our request and are assisting us with Police matters.

It is also desirable to inform the Director of Operations, should they be unaware of the access request, to determine their opinion on the content of the notes for release and whether it would be appropriate for them to discuss the individual’s record with the police. All police requests for access to information should be directed to:

Operations Director

  1. Liaise with the lead Clinician and, where appropriate, the care coordinator to seek their views on whether it would be appropriate for the record to be disclosed or discussed with the police.
  2. Liaise with the police to determine:
    ▪ Who from the police is requesting records (rank, station etc)
    ▪ Why the records are being requested
    ▪ Which individual records are being requested
    ▪ Whether we hold records on that individual/ where they are
  3. Keep the Caldicott Guardian informed of access requests from the Police to ensure that confidentiality of Persons’ information is handled in accordance with the requirements of the Data Protection Bill and GDPR 1998.

Should the above criteria be fulfilled the police will then normally need to provide:

  • A signed request form by someone of Inspector level or above
  • Consent from the person whose records they are wishing to access
  • Court order

Where consent is not given/ not appropriate to obtain, the Service Manager will liaise with the Commissioning authority to determine information needed to make a decision whether to proceed on the grounds that:

  • it is in the public interest to allow the police to have access to the information
  • there is the potential for harm to occur to an individual(s) should the police be denied access
  • Whether to seek legal advice

This information will then be shared with the Operations Director in their capacity as Caldicott Guardian to make the final decision.

The Service Manager will then arrange with the police on behalf of the Caldicott Guardian for either:

  • a suitable time and date at which the records can be viewed or copies sent
  • an explanation for why disclosure is being denied

Where there is a dispute with the police over an access request then the Director of Operations will consult with the Caldicott Guardian and a decision will be made over whether or not to involve the company’s solicitors.

All requests for access to health and social care information are governed by the Data Protection Bill 2017 and GDPR 2018 from that the company’s internal policies and procedures and any multi agency information sharing protocols the company is a party to.

  • CQC, HIW, HIS and the RQIA have access to all Persons Receiving Care records
  • Photocopies of a Person’s records can be taken off the premises
  • Originals can only be removed when there is a very important reason, for example the

Time Allowed for Response

The company has 40 days to respond to a request for access from the date that it is satisfied that the request is genuine. Hence, within that time, the company must either make the information available to the Person or state that it does not hold any information that it has to disclose under the terms of the Data Protection Act and GDPR.

However, when a request refers to records made within the last 40 days, the period for response is reduced to 21 days. In such circumstances the regulations assume that the records will be more easily available, so the time is reduced.

Failure to meet the deadlines can result in the Person/s complaining to the Information Commissioner’s Office.

Chargeable Fees

The company is entitled under the provisions of the Bill and the GDPR to charge a fee for providing access to healthcare records. The company does not make a charge for “informal” access requests.

The maximum fee chargeable for granting access to information held totally on computer is £10.00.

The maximum fee chargeable for information held either manually or a combination of manual records and computerised records is £50.00. This charge includes the costs of photocopying, packaging and postage.

In exceptional circumstances, this fee may be waived by the Data Controller.


Information about people using services is covered by the Human Rights Act 1998 (and specifically Article 8 of the Human Rights Convention), the common law duty of confidence and, when held in paper form or on computer, by the Data Protection Act 1998.

The basic principle in terms of respecting confidentiality is that a Person’s consent should always be sought, save in exceptional circumstances, prior to information about them being disclosed to another party.

In principle, information given for one purpose may not be disclosed to a third party, or used for different purposes, without the consent of the Person receiving Care.

Disclosing information without the consent of the Person receiving Care can be done only in exceptional circumstances. These circumstances are outlined in Appendix 3.

The protection and use of information about the Person receiving Care should be further governed by the principles underpinning Caldicott guidance:

  • Principle 1 – Justify the purpose(s).
  • Principle 2 – Don’t use person-identifiable information unless it is absolutely necessary.
  • Principle 3 – Use the minimum necessary person-identifiable information.
  • Principle 4 – Access to person-identifiable information should be on a strict need-to-know basis.
  • Principle 5 – Everyone with access to person identifiable information should be aware of their responsibilities.
  • Principle 6 – Understand and comply with the law.
    Under the Data Protection Bill 2017 and the GDPR 2018 the Company has to ensure that the appropriate security measures are in place to safeguard the information of a Person receiving care.

Wherever possible anonymised information should be used by removing as many of the Person’s identifiers as possible, and address. The use of NHS number is encouraged as a means of all organisations in the NHS being sure that the same Person is being discussed, and as a means of effective anonymisation in transit.



Staff must guard against breaches of confidentiality by protecting information from improper disclosure at all times.

A Person receiving Care may sue the Company for unlimited damages if they can prove that they have suffered significant harm or distress as a result of an unlawful disclosure of their information. This may be by any means, e.g. by electronic or paper means, by telephone, fax or face to face conversation.

Arrangements for the storage and disposal of all Person’s information (both manually and computer based) must protect confidentiality. Care should be taken to ensure that unintentional breaches of confidentiality do not occur. Many improper disclosures are unintentional.

Staff should not discuss a Person receiving Care where the conversation can be overheard or leave a Person’s records where they can be seen by other Persons receiving Care or members of the public. Whenever possible, consultations with Persons receiving Care should be private. The Company seeks to ensure that any contractors and their staff coming onto any of the Company’s sites in the course of their work are also aware of their responsibilities regarding confidential Person and staff information.

Access to rooms and offices where terminals are present or data relating to individuals are stored should be controlled. Wherever possible, doors should be locked with keys or keypads when data and terminals are unattended.

Health care records and all other information about Persons receiving Care should be stored securely in lockable desk drawers or filing cabinets, within rooms which should be locked when left unattended.

Unwanted printouts containing confidential information should be either shredded or put into a confidential waste bag. Discs, tapes, printouts and fax messages should not be left lying around but be filed and locked away when not in use.

Health care records

Staff must not leave health care records in boxes on corridors awaiting portering staff. If expected pick-ups of boxes of notes by porters are delayed, the boxes should be secured and not left in areas accessible by the public.

Smaller batches and individual health care records may be sent through the internal post (where applicable) but must be placed in adequately sealed envelopes, not transit envelopes, and must be clearly addressed to an individual recipient (name or title) not to a department or building. Clinical records should be concealed in envelopes, or other suitable cover when carried in public areas.

Individual health care records transported by porters should also be placed in envelopes, which should be addressed as stated above.


Person’s information must only be stored on Company equipment and not on personally owned laptops, palm-pilots, or home desktop computers.

All files containing individual Person receiving Care identifiable information, held on Company owned computer equipment should be “encrypted/password” protected, and preferably not held by the individual Person’s name, substituting case note number, NHS number or other suitable identifier other than name. Particular care should be taken with portable devices. The ideal is that portable devices should only act as terminals to the main networked system, since the data is then protected in the hospital network.

Individual Person named data should not be kept on the hard drives of PCs unless formally justified by the Caldicott Guardian, due to the risk of theft and breach of confidentiality. Such files should be stored on the network, where they will be backed up centrally by the IT Department.

Files containing individual Person-identifiable information on portable computers should be password protected (or, better still, not stored on a portable).

Files stored on network drives do not require password protecting, as a password is needed to log on to the network, and access to folders is restricted.

Users should not leave terminals logged in and unattended, unless a screen saver is applied for short term absences from the terminal. When terminals are left unattended, they are automatically locked after a period of inactivity, (15 min).

Computers should not be transferred between users or disposed of other than through the IT department, as they have the means of transferring or removing all data from the hard drive.


All possible steps must be taken to ensure that information regarding a Person receiving Care is not divulged over the telephone to anyone without authority.

Where relatives telephone on the Person’s behalf to enquire about appointment dates etc, all efforts should be made to speak to the Person him/herself. Asking for key details about the Person receiving Care, e.g. date of birth, may not be sufficient to ensure that the caller is genuinely a relative and has a need to know.

Where there is any doubt regarding the identity of the person requesting the information, guidance should be sought from the line manager. If advice is not immediately available, then the information should not be disclosed. If the caller is claiming to be from an organisation e.g. social services then the switchboard telephone number should be obtained (rather than direct line), checked and then used to ensure that the caller is from the agency stated.

Where relatives are asking for clinical information about a Person receiving Care, this would not usually be given over the telephone. If, however, this is felt to be appropriate, due to the geographical location of the relative, the Person must be consulted and give consent for information to be divulged, and a password arrangement made with the relative.

The use of mobile telephones to discuss named individual Person’s data is discouraged.


E-mails containing details of a Person receiving Care that are sent externally and are not password protected/encrypted are automatically blocked.


A completed Company fax header should always be used. Faxes should be sent to a named individual recipient.

Reporting Breaches of Confidentiality

Any potential or actual breaches of confidentiality must be reported to the registered manager, who will manage them depending on the seriousness of the breach of confidentiality. The conduct and disciplinary procedure explains the procedure to be followed.

Disclosure of Information

Consent should normally be sought to share personal information save in exceptional circumstances. Circumstances in which consent to share information may not be sought, or may be deferred include those in which:

  • The Person receiving Care is under 16 years old, and consent is provided by a person with parental responsibility;
  • The Person receiving Care lacks capacity and a decision is made to share the information in that Person’s best interests.

There are a number of circumstances in which disclosure must take place with or without the consent of the Person. These circumstances include those that are necessary for:

  • legal proceedings or taking legal advice; or
  • the administration of justice; or
  • the exercise of any function by or under an enactment; or
  • the exercise of any function of the Crown or a government department; or
  • in order to protect the vital interests of the Person receiving Care (i.e. in matters of life or death), and consent cannot be given or cannot reasonably be expected to be obtained; or
  • to protect the vital interests of another person, and consent has been unreasonably withheld; or
  • the exercise of a Social Services statutory function; or
  • if it is in the substantial public interest, and
  • it is necessary for the prevention or detection of any unlawful act and seeking explicit consent would prejudice these protective aims (for example, where there are concerns that a child has suffered significant harm or might be at risk of significant harm);
  • This includes sharing information about risk issues to self, others or staff members.

In a case involving unfitness or competence of any person, specific legal advice may need to be sought as to whether or not information can be disclosed without the consent of the individual. This would prevent an automatic disclosure, which may breach Article 8 of the Human Rights Convention.

Personal information for a Person receiving Care will not be used or disclosed for purposes other than healthcare without one of the following:

  • The individual’s explicit consent
  • Some other legal basis
  • A robust public interest or legal justification

A Person receiving Care should be made aware that personal information about them will be shared within the health care team, unless they object, and of the reasons for this. A “need to know” justification applies to the sharing of information necessary to provide care or treatment for an individual Person.

A Person receiving Care needs to be fully informed of other planned uses of information but it is neither practicable nor necessary to seek specific consent each time information needs to be passed on for the care or treatment of the Person; consent to sharing information for NHS purposes can be implied if a Person has been informed and does not object.

Health professionals must make sure that anyone to whom personal information is disclosed understands that it is given to them in confidence, which they must respect. Anyone receiving personal information in order to provide care is bound by a legal duty of confidence, whether or not they have contractual or professional obligations to respect confidentiality.

Full consideration should always be given as to whether unidentifiable data will serve the purpose, and thus personal information regarding a Person receiving Care will be anonymised wherever possible.

All disclosures, of identifiable information or anonymised information should be the minimum necessary to fulfil the purpose of the disclosure.

The Company remains responsible for decisions to disclose information and will take particular care to respect a Person’s wishes unless there are overriding considerations. Justification of decisions to disclose information should be documented in the Person’s records.

Advice can be sought from the Consultant/Medical Practitioner responsible for the Person receiving Care and information in question, or the Caldicott Guardian.

Direct Care

It is particularly important to check that a Person receiving Care understands what will be disclosed if it is necessary to share personal information with anyone employed by another organisation or agency providing health or social care. It should not be assumed that the Person already knows what information will be shared and with whom.

The Person’s wishes must be respected if he/she objects to particular information being shared with others providing care, except where this would put themselves or others at risk of death or serious harm. The Person should be informed of how not sharing information might affect the quality of overall care delivered. Where information is shared in spite of objections by the Person, this should be clearly documented in the Health care records, and the reasons for doing so explained.

Where it is evident that there is a risk to a Person receiving Care, other Persons, staff, or members of the public, staff have a duty to breach Person confidentiality and share their concerns with the Person’s Clinical Team and Manager of the Service. The Director of Operations will take appropriate action to ensure that any potential risk is managed accordingly, and that where required external agencies and other professionals will be made aware of any risk assessment/management plan that has been put in place.

It is not permitted to release any stored information, such as notes, records, computer stored literature, unless it is appropriate and necessary for ongoing care. Information about a Person’s health and treatment will only be disclosed to those persons who need to be aware of that information in order to treat the Person effectively, or to minimise the risk of the Person harming himself, or another person, or for the proper administration of the service. Any employee who receives a request to provide such information must seek further advice from the registered manager.

When communicating a Person’s information to external agencies such as CQC and commissioners, staff are required to use the agreed unique Person identifiers, such as the Person’s NHS number, in addition to the Person’s initials and date of birth. Any other exchange of confidential clinical information between internal and external clinicians should be carried out in such a manner as to protect the Person’s confidentiality at all times; for example, information sent electronically must be encrypted and password protected.

Staff dealing with a Person with a diagnosis of HIV/AIDS, termination of pregnancy or fertility treatment should seek express consent for sharing information. The Person must be given enough information on which to base their decision, the reasons for the disclosure and the likely consequences of the disclosure. It should also be explained how much information will be disclosed and to whom it will be given.

It is good practice to give a Person receiving Care information about how anonymised information about them may be used to protect public health, to undertake research and audit, to teach or train staff and students and to plan and organise health care services.

Information use other than for Direct Care

A Person’s information is also needed for a range of services other than direct Person care, including quality assurance and management. The Person’s information used for these purposes by Company professional and administrative staff should be aggregated and anonymised wherever practicable, in preference to identifiable information. Disclosure of such information should still only be for justifiable purposes.

Express consent must be obtained where a Person may be personally affected by the disclosure, for example when disclosing personal information to a Person’s employer, insurer or legal representative, unless a copy of the Person’s signed valid consent has been supplied with the request for disclosure.

When seeking express consent, the Person must be given enough information on which to base their decision, the reasons for the disclosure and the likely consequences of the disclosure. It should also be explained how much information will be disclosed and to whom it will be given.

There are certain legal requirements imposed on the Company to pass on information. In these circumstances, consent is unnecessary. Equally, there are certain statutory restrictions on passing on information. In other cases, the Company has a power to disclose, depending on the circumstances. Many of these are dealt with in the rest of this policy, but the legal considerations are described, with further references in Appendix 3.

Disclosure to the Police

The police have no general right of access to health records containing personal/sensitive information, without the Person’s consent, except where covered in Appendix 1. These regulations have the effect of making disclosure a legitimate function in the circumstances they cover.

Even if the disclosure is legitimate, information on a Person using the Service should never be released to the police by Medical Records or Administration staff without the authorisation of the clinician in charge of the Person’s care, and without the disclosure being documented in the Person’s records. This includes both demographic information and clinical information.

Staff should always check the identity of the police officer requesting information. The police officer should provide his warrant card, and make all requests in writing, with the number of his warrant card included. In the case of urgent telephone requests for information, the identity of the police officer should be checked by calling the police switchboard for verification.

Requests for disclosures to the Person or their legal representative should be forwarded to Medical Records or Regional Manager.

The Police may seek personal information under an exemption of the Data Protection Act 1998. A Section 29(3) exemption form signed by a Police Inspector who has decided to serve the exemption is used when making enquiries which are concerned with:

  • the prevention and detection of crime, or
  • the apprehension or prosecution of offenders.

The view of the Police is that seeking consent or even informing the individual(s) about the transfer of data will prejudice the enquiry as they may destroy evidence or abscond. A section 29 exemption allows information to be provided by organisations without gaining consent; however, it does not force them to do so.

The Company does not have to supply information, and may still decide to seek consent /inform the Person, even though the Police will have taken a considered judgement about the

Unless the section 29(3) form is produced, staff should inform any police officer requesting information that consent may need to be obtained and check whether they still wish to continue.

Care should be taken to ensure that the Person receiving Care understands exactly what information has been requested, and what they are consenting to release, i.e. whether it includes clinical information as well as demographic/event information.

Judgement will often need to be exercised, including consideration of whether disclosing information will cause fewer problems than withholding it. The reasoning and any decisions made should be recorded in the Health care records; these should clearly state whether a Person’s consent has been sought/obtained. Where disclosure is justified it should be limited to the minimum necessary to meet the need.

Under section 47 of the Children Act (1989) a Local Authority must make enquiries (which might be through the Police) necessary to decide whether they should take any action to safeguard or promote the child’s welfare. In such a situation, staff should firstly confirm it is a section 47 enquiry and then release relevant information, unless to do so would be “unreasonable in the circumstances of the case”. Staff do not have to gain the consent of the parent or child, or inform them; however, they may choose to if appropriate.

Where individuals cannot give consent due to incapacity, the decision to release information should be made on the individual’s behalf by those responsible for providing care, taking into account the known views of the individual or carer.

The individual’s best interests are paramount in these decisions. Where decisions are made without the individual/carer’s consent, this must be clearly recorded in the Healthcare record along with the rationale.

Where the police ask for confirmation of details of a Person receiving care present in the hospital, the police officer needs to give sufficient details to satisfy staff that they are referring to the Person in question, and not just ‘fishing’ for information, e.g. their version of the Person’s name, where/when the incident occurred etc. Non-clinical information can be given, without consent if necessary, if the offence (whether the Person is the victim or the perpetrator) is a serious one.

If the police enquire as to whether a Person fitting a description or injury has attended the Service, the provision of information will to some extent depend on the nature of the offence, and whether the Person is the victim or perpetrator. If there is more than one person fitting the description or sustaining the injury, on no account should any details be given to the police, without further information being provided by them to narrow down the search, and/or detailed review of the cases by the senior clinician. If there is only one person matching the request, then their consent should be sought, unless to do so would prejudice the enquiry.

If the police have issued an alert about a person, perhaps because they are missing from home, and a person fitting that description arrives at the Service, staff may notify the police only with the Person’s consent, unless they consider a serious arrestable offence to have occurred, in which case consent is not required.

Where the police are requesting information about a deceased person, the guidance elsewhere in this policy applies, unless the enquiry is within the definition of a serious crime, when that guidance will take priority.

There should be a local arrangement, in the form of a protocol, for the sharing of Persons’ confidential information under MAPPA.

A log of all requests from and disclosures to the police, except for child safeguarding or protection purposes, should be maintained by the Registered Manager/Hospital Director.

Disclosure to Relatives of a Person Receiving Care

Information should only be disclosed if:

  • the Person consents to the release of the information
  • where the Person cannot give consent, a member of the medical staff or the manager is satisfied, from the information given by the enquirer about the person (e.g. name, address, age) and their own name and relationship, that their interest is legitimate.
  • if the Person has died, information will not be disclosed until the next of kin has been informed and given consent.

Where relatives are asking for clinical information about a Person receiving Care, this would not usually be given over the telephone. If, however, this is felt to be appropriate, due to the geographical location of the relative, the Person must be consulted and give consent for information to be divulged, and a password arrangement made with the relative.

Disclosure to Press and Other Media

All enquiries should be referred to the person in charge of the unit and the Service Manager. Neither confirmation of facts nor personal information should be supplied unless one of the following applies:

  • It refers generally to an incident i.e. no individuals could be identified from the disclosure.
  • The Person (or for children and incapacitated adults, their next of kin) gives consent to information being released.
  • In the case of a deceased Person, information will only be supplied after their next of kin has been informed and given consent.

The Hospital Director/Registered Manager should seek the advice of the Director of Operations


Young people aged 16 or 17 are regarded as adults for purposes of consent to treatment and are therefore entitled to the same duty of confidence as adults.

Children under 16 who have the capacity and understanding to take decisions about their own treatment are entitled also to decide whether personal information may be passed on and generally to have their confidence respected (e.g. they may be receiving treatment or counselling about which they do not wish their parents to know). In other instances, decisions to pass on personal information may be taken by a person with parental responsibility in consultation with the health professionals involved.

Concerns about possible abuse need to be shared with other agencies such as Social Services following Local Safeguarding Children Committee guidelines.

In the case of an anonymous referral or concern about a child with respect to possible child abuse, the Health Professional should establish from the Social Worker if the parent has been informed of the request before disclosing any information to Social Services. If the information requested is for any other reason than possible child abuse, parental consent is needed.

Where the child is on the child protection register, careful consideration will need to be given as to whether giving access to that child’s health records to those with parental responsibility would be in the child’s best interests. In each case this issue must be considered on an individual basis in consultation with the Social Services department if necessary.

In all cases, the welfare of the child is paramount.

Disclosure without Consent

Disclosure without consent should only reveal the minimum information required to deal with the request, and careful thought must be given to the question of to whom the information should be released, and whether the disclosure is justifiable. This will vary according to the circumstances of the case, provided that the Company has a power to disclose (i.e. a choice) rather than a duty to disclose (see Appendix 3).

The circumstances in which a competent refusal to permit disclosure or in which the need to obtain consent can be overridden are:

  • When the information is required by statute or court order
  • Where there is a serious public health risk
  • Where there is a risk of harm to other individuals
  • For the prevention, detection or prosecution of serious crime
  • Knowledge or belief of abuse or neglect, particularly of children (the needs of the children are paramount under the Children Act 1988)

The decision to release information in these circumstances, where judgement is required, should be made by a senior consultant/ Director of Operations consulting the Caldicott Guardian, and it may be necessary to take legal and specialist advice.

In these cases, the Person receiving Care should be informed of the disclosure, unless to do so would be harmful to the Person or others, or would prejudice the outcome of a police investigation.

If health professionals or other staff have any doubts about whether the disclosure requested by police, lawyers or others is a statutory obligation, they should ask the person or body applying for the information to specify under which legislation it is sought, and this should be in writing, countersigned by a senior person within that organisation.

Requests for information from these bodies should be referred to the Director of Operations, who will involve the relevant clinician(s) and the Caldicott Guardian in deciding what, if anything, is appropriate to disclose.

If the health professionals responsible for the Person’s care are not those requested to pass on the information, the former should usually be consulted as to whether the clinical facts do indeed mean that disclosure is necessary. If in doubt, legal advice should be sought. The Person’s consent to disclosure is not necessary, and the Person has no right to refuse, but he or she should be told of the fact and purpose of the notification and reassured that disclosure will only be to a secure authority.

Deceased Persons

There is still an ethical obligation to keep personal information confidential after a Person dies, and the extent to which such information may be disclosed after a Person’s death will depend on the circumstances. These include:

  • the nature of the information
  • whether that information is already public knowledge or can be anonymised
  • the intended use to which the information will be put
  • whether the disclosure of information may cause distress to, or be of benefit to, the Person’s partner or family
  • the identity of the requestor, since there are special provisions for personal representatives of the deceased and the police (see above)

Other cases should be referred to the Caldicott Guardian for further advice.

Disclosure in the public interest

Decisions to disclose information in the public interest should be taken by the Caldicott Guardian, and the health professionals involved, particularly the clinician with overall responsibility for care. It is important not to equate “the public interest” with what may be “of interest” to the public.

When considering disclosing information to protect the public interest, health professionals must:

  • Consider how the benefits of making the disclosure balance against the harms associated with breaching a Person’s confidentiality
  • Assess the urgency of the need for disclosure
  • Consider whether the subject might be persuaded to disclose voluntarily
  • Inform the Person before making the disclosure and seek his or her consent, unless to do so would enhance the risk of harm or inhibit its effective investigation
  • Reveal only the minimum information necessary to achieve the objective
  • Seek assurances that the information will be used only for the purpose for which it was disclosed.
  • Be able to justify the decision

Refusal to Allow Disclosure

A Person does have the right to object to information they provide in confidence being disclosed to a third party.

A Person’s refusal to allow information sharing with other health professionals may compromise the Person’s safety. Every effort should be made to explain to the individual the consequences for care and planning but the final decision rests with the individual. The clinician treating the Person may in these circumstances decide not to carry on with treatment.

Careful documentation of the decision-making process and the choices made by the Person receiving Care must be included within the Healthcare record.

When a Person has refused that information be shared, staff should consider whether they have an over-riding duty to breach confidentiality where there is a potential risk to the Person, staff or members of the public.

Consent Issues

Seeking consent may be difficult, either because a Person’s capacity, learning disability or circumstances have prevented them from becoming informed about the likely uses of their information, or because they have a difficulty communicating their decision (be it to consent or object).

In the case of learning disabilities extra care must be taken to ensure that information is provided in a suitable format or language that is accessible and to check that it has been understood.

In the latter case, it will be important to check for a clear and unambiguous signal of what is desired by the Person, and to confirm that the interpretation of that signal is correct by repeating back the apparent choice.

Failure to support those with disabilities could be an offence under the Equality Act 2010 and may prevent consent from being gained.

If a Person is unable to give consent due to their mental condition, the health professional concerned must take a decision about the use of information. This needs to take into account the Person’s best interests as defined by the Mental Capacity Act 2005 and any previously expressed wishes, and be informed by the views of relatives or carers as to the likely wishes of the Person. If a Person has made his or her preferences about information disclosure known in advance, this should be respected.

Sometimes it may not be practical to locate or contact an individual to gain consent. If this is well evidenced and documented and anonymised data is not suitable, the threshold for disclosure in the public interest may be lessened where the likelihood of detriment to the individual concerned is minimal. Where explicit consent cannot be gained and the public interest does not justify breaching confidentiality, then support would be needed under Section 60 of the Health & Social Care Act 2001 (paragraph 29-34). (In Wales the Care Standards Act 2000)

Where a Person lacks capacity and is unable to consent, information should only be disclosed in the Person’s best interests, and then only as much information as is needed to support their care. The decision to disclose and the justification for disclosing should be noted in the Person’s records.

Informing a Person Receiving Care

The Data Protection Bill 2017 and the GDPR 2018 require that a Person receiving Care be informed, in general terms, how their information may be used, who will have access to it and the organisation it may be disclosed to. A Person must be informed as to who is responsible for their personal information – “the Data Controller” – and how to contact them. This should take place prior to the information being used, accessed or disclosed. The requirement falls upon both those who provide information and those who receive it. The obligations of the recipient can be discharged by the provider informing the Person of the possible chain of disclosures and uses.

Safeguarding of Vulnerable Adults (SOVA)

Disclosure of abuse may be made by a vulnerable adult who may ask for that information to remain confidential and for no action to be taken. Staff should explain to the vulnerable adult or their relatives, or anyone else seeking to disclose concerns about abuse, that they may not be able to keep all information confidential.

Staff have a duty of care to alert their line manager, or a more senior manager if they are made aware of any actual or potential abuse of any Person receiving Care. Failure to do so will lead to disciplinary action. This is important for the protection of the person reporting the abuse and for the safety and protection of other potential victims of the abuser’s behaviour.

Staff must not disclose information to any third party, as a decision about who needs to be informed will be made by the senior manager.

All agencies receiving information in the course of the investigation must treat it as confidential, although priority must at all times be given to the protection of the vulnerable person. The person at risk must be advised when information is passed to other professionals or key individuals.

Statutory Requirements

There are some instances where there is a statutory responsibility to pass on confidential information and prior consultation is not required but may be judged appropriate. If there are any doubts, legal advice should be sought. The Person receiving Care and relevant health professional should be informed and a note made in the Person’s record. Statutory notifications are required for:

  • Mental Capacity Act 2005
  • Health and Social Care Act 2008
  • Care Standards Act (Wales) 2000
  • Care Act 2014
  • Social Services and Wellbeing Act (Wales) 2014
  • Mental Health Act 2007
  • Health and Safety Executive - Reporting of Injuries, Diseases, and Dangerous Occurrences Regulations (RIDDOR) 2013

It is the responsibility of the Service Manager within services to pass on this information to the relevant body. The Registered Manager is accountable for all statutory reporting.

Confidential Waste

All confidential waste is to be disposed of appropriately, either via a shredding machine or through the Confidential Waste Collection Service. Guidance on the appropriate methods is available from Unit Administrative Officer/Office Managers.

Handling and Storing Records

  • No-one should eat, drink or smoke near the records.
  • Clinical records being carried on-site e.g. from the archive storage to the department, should be enclosed in an envelope.
  • Records should be handled carefully when being loaded, transported or unloaded.
  • Records should never be thrown.
  • Records should be packed carefully into vehicles to ensure that they will not be damaged by the movement of the vehicle.
  • Vehicles must be fully covered so that records are protected from exposure to weather, excessive light and other risks such as theft.
  • No other materials that could cause risks to records (such as chemicals or water) should be transported with records.
  • Vehicles containing records should ensure that records are out of sight and the vehicle is locked when stationary.

Storage and Movement of Clinical Records

All care records at work bases should be filed in lockable, fire-resistant cabinets by the end of the working day.

All staff should ensure the confidentiality of care records is protected at all times.

Records should only ever be taken off site in the event of a clinician visiting the Person on another site or if the records are required at another site for continuity of care in respect of the individual.

Records should never be left unattended e.g. in the car. Care must be taken in order that others cannot gain access to the records.

If the health records cannot be returned to the appropriate site on the same day following a visit then the Clinician must ensure that they are kept securely and confidentially, not left in a car or lying around for any unauthorised persons to gain access.

Records should be carried in a secured envelope or locked briefcase and not carried “loosely”, as this increases the risk of dropping the records and loss of the contents. The responsibility for maintaining health records in a secure place rests with the person who has use of the documents at any one time.

Record Retention / Archiving

  • Person’s records are sometimes called into evidence in order to investigate a complaint at local level or for criminal proceedings.
  • The approach to record keeping that courts of law adopt tends to be that “if it is not recorded, it has not been done”.
  • Records should be kept for a minimum period of eight years in the event of a death and twenty years when a Person is discharged from a Service. (See Appendix 4)
  • Diaries containing clinical information are considered part of a Person’s clinical records and should be kept also for a minimum period of eight years.
  • Supervisors are required to retain the supervisory files of their supervisees for seven years.
  • Documents of historical importance must not be destroyed and should be marked clearly to that effect.
  • If in doubt about the classification of the record, refer to the Hospital Director or Registered Manager.
  • Where records are being retained, the Registered Manager must ensure that they are boxed and clearly labelled showing the type of material stored, the date of

Updating and Safe Keeping of Records

This policy details the effective management requirements of all records. The Registered Manager is the “data controller” under The Data Protection Bill 2018 and GDPR 2018 and has overall responsibility for the effective management of records.

The role of Caldicott Guardian will be the responsibility of the nominated person within the Company, with advice and support to services.

Additional Considerations

Effective and efficient management of records must be considered during the following:

  • Closure of a service
  • Relocation of facilities
  • Demolition/Unexpected loss of Buildings
  • Fire & Flood

Retention and Disposal of Records

The destruction of any record is an irreversible act and must comply with all legislative minimum retention period requirements. Recommended minimum retention periods should be calculated from the end of the calendar or accounting year following the last entry on the document. Retention periods outlined are “minimum recommendations” only and discretion should always be applied before destruction of any document. (See Appendix 4)

All documentation for destruction containing the Person’s identifiable information, or confidential or sensitive information whose uncontrolled disclosure may pose a risk to the business of CP, must be placed in confidential waste bags and destroyed in accordance with local procedures.
