Protecting adults at risk in London: Good practice resource
Information sharing: A summary of the legal framework
The main legal framework relating to the protection of personal information is set out in:
- the Human Rights Act 1998, which incorporates Article 8 of the European Convention on Human Rights (ECHR), including the right to a private and family life
- the common law duty of confidentiality
- the Data Protection Act 1998, covering protection of personal information.
Here we summarise these pieces of legislation and others; however, legal advice needs to be sought for a more detailed interpretation of the main requirements of each.
There is no general statutory power to share information, just as there is no general power to obtain, hold or process data. Some Acts of Parliament give public bodies express statutory powers to share information. These are often referred to as ‘statutory gateways’ and provide for the sharing of information for particular purposes. These gateways may be permissive or mandatory.
- An example of a ‘permissive statutory gateway’ is Section 115 of the Crime and Disorder Act 1998, which permits people to share information to help prevent or detect crime.
- An example of a ‘mandatory statutory gateway’ is Section 8 of the National Audit Act 1983, which imposes a legal obligation on public bodies to provide relevant information to the National Audit Office.
Where there is no express statutory power to share information it may still be possible to imply such a power from the other duties and powers public bodies have. Many activities of statutory bodies will be carried out as a result of implied statutory powers, particularly as it may be difficult to expressly define all the numerous activities that a public body may carry out in the process of delivering its main duties and exercising its powers.
Having express or implied statutory powers in any particular case does not mean that the Human Rights Act 1998, the common law duty of confidentiality and the Data Protection Act 1998 can be disregarded. Where a statutory gateway explicitly removes the need to consider confidentiality, then confidential information can be shared; however, this will be rare and will apply in limited circumstances. Where there are implied powers you need to consider the language of the gateway and the surrounding circumstances.
The Human Rights Act 1998
The ECHR confers a positive obligation on public authorities to take reasonable steps within their powers to safeguard the rights of individuals. Article 8 of the ECHR was incorporated into UK law by the Human Rights Act 1998 and recognises a right to respect for private and family life.
- Article 8.1: everyone has the right to respect for his private and family life, his home and his correspondence.
- Article 8.2: there shall be no interference by a public authority with exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of crime or disorder, protection of health and morals or for the protection of rights and freedoms of others.
Sharing confidential information may be a breach of an individual’s Article 8 right; the question is whether sharing information would be justified under Article 8.2, and whether it would be proportionate. You need to consider the pressing social need, whether sharing the information is a proportionate response to this need, and whether these considerations can override the individual’s right to privacy. If an adult is at risk of serious harm, or sharing information is necessary to prevent crime or disorder, interference with the individual’s right may be justified under Article 8.
The common law duty of confidentiality
The common law duty of confidentiality provides that where there is a confidential relationship, the person receiving the confidential information is under a duty not to pass on that information to a third party. However, this duty is not absolute and information can be shared without breaching the common law duty if:
- the information is not confidential in nature
- the person to whom the duty is owed has given explicit consent
- there is an overriding public interest in disclosure
- sharing is required by a court order or other legal obligation.
The Data Protection Act 1998
The Data Protection Act 1998 deals with the processing of personal data (both sensitive and non-sensitive). Personal data is data which relates to a living person, including the expression of any opinion or indication of intentions in respect of the individual concerned. Sensitive personal data is that relating to racial or ethnic origin, religious or other similar beliefs, physical or mental health condition, sexual life, political opinions, membership of a trade union, the commission or alleged commission of any offence, any proceedings for an offence committed or alleged to have been committed, the disposal of proceedings or the sentence of any court in proceedings.
Information about an individual will often contain data from several sources – for example, from care agencies, doctors or the police – and may contain their name and address. Such information may also include data about other people – for example, the individual’s family members. These people are usually referred to in the Data Protection Act as ‘third parties’. Information about third parties is personal information and should be treated accordingly.
If an individual is no longer alive their personal information is not covered by the Data Protection Act, although a duty of confidence may require some or all of their personal information to be kept confidential.
Organisations which process personal data must comply with the data protection principles set out in Schedule 1 of the Data Protection Act. These require data to be:
- fairly and lawfully processed: in particular, data shall not be processed unless a Schedule 2 condition is met, and if sensitive personal data, a Schedule 3 condition
- processed for limited specified purposes
- adequate, relevant and not excessive for those purposes
- accurate and up to date
- kept for no longer than necessary
- processed in accordance with the data subject’s rights under the Data Protection Act
- kept secure
- not transferred to non-European economic areas (EEAs) without adequate protection
Personal data must not be processed unless at least one of the conditions in Schedule 2 of the Data Protection Act (‘the conditions for processing’) is met and, in the case of processing sensitive personal data, at least one of the conditions in Schedule 3 (‘the conditions for processing sensitive data’). However, meeting a Schedule 2 and a Schedule 3 condition will not, on its own, guarantee that processing is fair and lawful. The general requirement that data be processed fairly and lawfully must be satisfied in addition to meeting the conditions.
Schedule 2 conditions include:
- the data subject has given consent to the data processing
- the processing is necessary for the performance of a contract to which the data subject is party, or for the taking of steps at the request of the data subject with a view to entering into a contract
- the processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract
- the processing is necessary to protect the data subject’s vital interests
- the processing is necessary for the administration of justice; for the exercise of any functions of either House of Parliament; for the exercise of any functions conferred on any person by or under any enactment; or for the exercise of any functions of the Crown, a minister or a government department; or for the exercise of any other public functions in the public interest by any person
- the processing is necessary for the purposes of the legitimate interests of the data controller, or of the third party or parties to whom the data is disclosed, except where the processing is unwarranted by reason of the rights, freedoms or interests of the data subject.
When information is sensitive then a Schedule 3 condition must also be met. These are:
- the data subject has given explicit consent to the processing
- the processing is necessary for the purposes of exercising any legal right or obligation on the data controller in connection with employment
- the processing is necessary to protect the vital interests of the data subject or someone else, in a case where the data subject cannot give consent or consent cannot reasonably be obtained, or, in order to protect another person’s vital interests, the data subject is unreasonably withholding consent
- the processing is carried out by a not-for-profit body in the course of its legitimate activities and does not involve disclosure of the personal data to a third party without consent
- the information has been made public as a result of steps taken by the data subject
- the processing is necessary for the purposes of, or in connection with, any legal proceedings, obtaining legal advice or to establish, exercise or defend legal rights
- the processing is necessary for the administration of justice; for the exercise of any functions of either House of Parliament; for the exercise of any functions conferred on any person by or under any enactment; or for the exercise of any functions of the Crown, a minister or a government department
- the processing is necessary for medical purposes and is undertaken by a health professional
- the processing is of sensitive personal data consisting of information as to racial or ethnic origin, is necessary for the purpose of promoting racial or ethnic equality and is carried out with appropriate safeguards.
There is other ‘gateway’ legislation where cooperation between statutory bodies includes the sharing of information. Below are the Acts most relevant to safeguarding adults at risk.
The Criminal Justice Act 2003
The Criminal Justice Act sets out the arrangements for assessing the risk posed by different offenders. These include relevant sexual and violent offenders and other persons who are considered by the responsible body to be a serious risk to the public. The responsible bodies in this case are the police, probation and prison services. There is a duty on social services to cooperate with these arrangements and that cooperation may include the exchange of information. The arrangements will be familiar to people as multi-agency public protection arrangements (MAPPA).
The Crime and Disorder Act 1998
The Crime and Disorder Act recognises that key authorities, such as councils and the police, have a responsibility for the delivery of a wide range of services within the community. Section 17 places a duty on them to do all they reasonably can to prevent crime and disorder in their area. Local partnerships will exist to address crime reduction. Section 115 provides any person with the power, but not an obligation, to disclose information to responsible public bodies (e.g. the police, health or local authorities) and their cooperating bodies in pursuing a local crime and disorder strategy. Therefore, this can cover circumstances of criminal activity, but also civil law proceedings and local initiatives of crime prevention and reduction.
The Immigration and Asylum Act 1999
Section 20 of the Immigration and Asylum Act provides for a range of information sharing to undertake the administration of immigration controls to detect or prevent criminal acts under this legislation.
The Mental Capacity Act 2005
There will be circumstances where an individual adult appears not to be able to make a decision about whether to consent to information being shared with others.
The Mental Capacity Act and the associated code of practice contain guidance about the consideration of a person’s capacity, or lack of capacity, to give consent to sharing information. The starting assumption must be that the person has capacity unless it is established that they do not, and only then after all practical steps to help the person make the relevant decision have been taken but have been unsuccessful. An unwise decision taken by the relevant person does not mean they lack capacity. Where a decision is made on behalf of the person who lacks capacity to share personal information it must still comply with the requirements of the Data Protection Act and be in their best interests.
Sharing health information can be a contentious area. There is guidance from professional health bodies, which NHS staff refer to, as well as local health trust policies. Local practice agreements need to be in place to ensure consistency across health and social care agencies and it is advisable to find out what these arrangements are when seeking the cooperation of health care staff. The most relevant piece of legislation is outlined briefly below.
The National Health Service Act 2006
Section 82 of the National Health Service Act 2006 places a duty on the NHS and local authorities to cooperate with one another in order to secure and advance the health and welfare of people, which would indicate the requirement to share information.