Introduction and principle of the Code
1.1. This Code of Practice (“the Code”) is to inform staff on the use and disclosure of confidential person-identifiable information.
1.2. The main principle behind this Code is that no employee shall breach or allow others to breach their legal duty of confidentiality with regard to confidential information. Neither shall they attempt to breach any of the Authority’s security systems or controls in order to do so.
1.3. Devon County Council (DCC) has a separate policy, guidance and information on the Data Protection Act 1998.
1.4. This Code has been written to meet the requirements of:
1.5. Devon County Council is committed to the delivery of a first class confidential service. This means ensuring that all service users/customer information is processed fairly, lawfully and as transparently as possible so that the public:
- understand the reasons for processing personal information
- give their consent for the disclosure and use of their personal information
- gain trust in the way the Authority handles personal information and
- understand their rights to access information held about them.
2.1. What is a duty of confidence?
2.1.1 Information that can identify individuals must not be used or disclosed for purposes other than the reason it was obtained, without the individual’s explicit consent, some other legal basis, or where there is a robust public interest or legal justification to do so.
2.1.2. A duty of confidence therefore arises when one person discloses information to another (e.g. a doctor and patient or a service user and practitioner) in circumstances (see 2.1.3) where it is reasonable to expect that their privacy will be respected and the information will be held in confidence, because:
- there is a legal obligation that is derived from case law
- there is a requirement established within professional codes of conduct and
- it is included within DCC employment contracts as a specific requirement linked to disciplinary procedures.
2.1.3. Personal information that individuals entrust to professionals, or allow professionals to gather, can be sensitive information relating to their health and other matters as part of their seeking help and advice.
2.2. Confidential information is:
2.2.1. Information, including personal sensitive information, that relates to service users/patients, staff (including non-contract, volunteers, bank and agency staff, and student placements), their family or friends, in whatever format it is stored (paper, DVD, CD, computer file or printout, video, photograph or even spoken by word of mouth).
2.2.2. Examples include social care assessments and employee records, including occupational health.
2.3. Consent to the disclosure of confidential information
2.3.1. Individuals generally have the right to object to the use and disclosure of confidential information that identifies them, and they should be made aware of this right.
2.3.2. Where individuals have been informed of:
- the use and disclosure of their information associated
- the choices that they have and the implications of choosing to limit how information may be used or shared,
then explicit consent is not usually required for information disclosures needed to provide that care or service. Even so, opportunities to check that individuals understand what may happen and are content should be taken.
2.3.3. Consent cannot be implied where the disclosure is for purposes other than the original purpose it was obtained. If this is the case, additional efforts to gain consent are required or alternative approaches that do not rely on identifiable information will need to be developed.
2.3.4. Individuals have the right to withhold or withdraw consent to the use or disclosure of their information at any time, and they need to be made aware of this right.
2.3.5. Where consent cannot be obtained for the use or disclosure of person-identifiable information or it is refused, there are circumstances where the public good of this use outweighs issues of privacy (see number 4 below).
2.3.6. If individuals choose to prohibit information being disclosed to other providers or partner agencies involved in providing a service, it might mean that the service that can be provided is limited and, in certain circumstances, that it is not possible to offer certain options.
2.3.7. Individuals must be informed if their decisions about disclosure have implications for the provision of care or a service.
2.4. Recording of consent
2.4.1. Any consent obtained must be recorded with details of:
- who gave consent (either the person themselves or someone acting on their behalf)
- when it was given (date)
- what purposes (it will be used for)
- any limitations to the consent (restrictions on use or sharing of some or all of their information).
2.5. Disclosing and using confidential information
2.5.1. In order to provide a service, the collection of personal data is necessary for correspondence purposes and/or detailed service provision.
2.5.2. At times personal data may need to be passed on to service providers who are contracted to Devon County Council to provide services on the County’s behalf. These providers are obliged to keep service user details securely, and use them only to fulfill the service needs. Once this service need has been satisfied or the case has been closed, the data will either be retained or disposed of in line with Statutory and/or Council policy and procedures on retention.
2.5.3. If there is a need to pass an individual’s sensitive personal data on to a third party, such as a service provider or a partner organisation such as a health provider, it will only be done with the individual’s consent, unless there is a legal reason to do so.
3.1. The Data Protection Act 1998 requires that individuals be informed, prior to their information being processed (used, accessed or disclosed), in general terms:
- why the information is required
- how it is intended to be used
- who will have access to it
- the organisations it may be disclosed to
- who/which organisation is responsible for their personal information.
Individuals should be given this information at first contact with the organisation or as soon as possible afterwards and consent to the processing recorded at this time. If first contact is by telephone then verbal consent should be recorded.
3.2. Where individuals are to be offered choice about how information that relates to them might be used, they must also be made aware of their right to impose restrictions. It will generally be appropriate for people to be told about their rights at the same time as they are provided with information on proposed uses.
4.1. Under common law, staff are permitted to disclose person-identifiable information in order to prevent and support detection, investigation, and punishment of serious crime and/or to prevent abuse or serious harm to others. The Data Protection Act also provides for exemptions which may enable onward disclosure of personal data (e.g. the prevention or detection of crime or prosecution of offenders, Section 29 of the Act) and staff may use these.
- This must be judged on a case-by-case basis, where the member of staff believes that the disclosure of the confidential information for the public good outweighs that of both the obligation of confidentiality to the individual service user concerned and the broader public interest in the provision of a confidential service.
- The person who makes the decision to disclose the information must record that decision to evidence the reasoning and circumstances of the disclosure.
- Where possible the decision to disclose should be discussed with the individual concerned (although this will not be possible in all circumstances, e.g. where the individual may be violent or aggressive or discussion may interfere with a crime investigation).
4.2. Examples of disclosure to protect the public may include serious crime, national security, or risk of harm to another individual.
4.3. Where a disclosure is required on the grounds of public interest/protection of the public the Directorate Data Protection Liaison Officer must be informed so that all disclosures can be documented and monitored.
4.4. Within the Social Care Directorates the Caldicott Guardian (or in his absence the authority’s Data Protection Officer) must be informed prior to any disclosures. If this is not possible and the disclosure is urgent, the Caldicott Guardian and the Data Protection Officer must be informed on the next working day or as soon as possible afterwards.
5.1. Devon County Council operates an open and transparent organisation and will comply with the law in respect of individuals’ rights.
5.2. Access to personal information
5.2.1. The Data Protection Act 1998 provides living individuals with the right to access personal information held about them (“right of subject access”). Personal information will only be disclosed where an individual has been identified as the “data subject” or consent has been obtained to disclose information to a third party.
5.2.2. Devon County Council has specific guidance on subject access requests which are dealt with by the Information Governance team.
5.2.3. The duty of confidentiality extends after death and this must be considered if access to the records of deceased individuals is requested. Requests must be dealt with on a case-by-case basis.
5.3. Access to other information
5.3.1. The Freedom of Information Act 2000 gives individuals the right to access information held by Devon County Council.
A Publication Scheme is produced under the Act which describes the classes of information held by the Council.
5.3.2. Devon County Council provides guidance on the rights of individuals to access information under the Freedom of Information Act.
6.1. The Council processes (i.e. collects, stores and uses) the information provided in a manner that is compatible with the Data Protection Act. It will be kept accurate and up to date and not kept for longer than is necessary. In some instances the law sets the length of time information has to be kept, but in most cases the Council will use its discretion to ensure that records are not kept outside of the normal business requirements (i.e. for providing a service to the individual). See Record Retention Policy.
6.2. Records containing person-identifiable information should be stored securely to minimise the risk of unauthorised access or disclosure.
7.1. The Authority has a responsibility to monitor all incidents that occur that might breach security and/or confidentiality of information. An information security incident should be reported as soon as it becomes apparent.
Any actual or suspected attempts to breach security should immediately be reported to the line manager and the Directorate Information Governance Officer. Deliberate breaches of security are illegal and will result in disciplinary action.
The procedure for reporting incidents is outlined in the Security Incident Reporting Policy.