Confidentiality and Information Sharing

Scope of this chapter

The service (and every individual employee) has a duty to respect and protect personal information. This is a common law duty and a legal responsibility, as set out in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR).

This chapter will explain the steps that should be taken to protect personal information and maintain confidentiality, and when/how such information can/should be shared.  

The principles of confidentiality and information sharing are legal requirements, but also two core values and principles. This means that they apply to everyone and are always relevant when planning for or providing care and support.

Note: This chapter cannot cover every situation where issues around confidentiality and information sharing arise. If the appropriate action is not clear, you should refer to the Information Commissioner's Office website or seek legal advice.

Confidentiality means 'protecting personal information and privacy'. Article 8 of the European Convention on Human Rights says the right to a private and family life is one of the basic human rights and must be upheld by law.

Personal information is 'any information relating specifically to an individual'. It includes information they hold themselves and information that others hold about them.

Examples of personal information include:

  • Personal details (name, date of birth, address);
  • Correspondence (letters and emails/text);
  • Images and video;
  • Records relating to the person (e.g., health and social care records).

Personal information also includes things a person may tell you that they wish to be kept private.

Personal information should only ever be shared if the person has asked for it to be shared, has consented to it being shared or, if they lack capacity to consent, sharing is in their best interests.

For guidance about consent, including what to do if the person lacks capacity to consent, see: Consent

There are a small number of circumstances when confidentiality can be breached lawfully. These are explained in Section 3, When to share information.

The table below provides some examples of everyday steps you can take to protect personal information:

Hard records

  • Don’t leave letters or files lying around.
  • Close filing cabinets and lock them to prevent unauthorised access.

Electronic records

  • Always lock computers and mobile devices to prevent unauthorised access.
  • Never leave confidential information visible on screen.

Images and videos

  • Always seek consent before taking an image or video; there should be a record of this consent.
  • Only ever take an image or video when there is a benefit to doing so.
  • Never post an image or video in a way that means it can be copied (either directly or by taking a screenshot).

Verbal information

  • Only write something down if it is important.
  • Let the person know you have written the information down and check they are OK with it.
  • When written down, file the written record securely.

Other ways to protect information

  • Never talk about personal information in an environment that is not private.
  • Delete or securely dispose of information if it is no longer necessary to keep.

Decisions about information sharing are made every day and it is important that the right information is shared at the right time with the right people.

Sharing information with the person

The person being supported by the service is legally entitled to see any information held about them at any time. This includes hard copies of information and electronically stored information. As such, if they ask to see any such information it should be provided to them.

Requests from the person to share information with others

Information should be shared with others if the person has asked for it to be shared. For example, a person may ask you to tell a family member about the results of a health test.

However, this should always be on an information-by-information basis. This means that you should never assume that a person wants a particular piece of information to be shared because they have requested this in the past. Always check they still want it to be shared. 

Requests from a Lasting Power of Attorney or Deputy

A Lasting Power of Attorney (LPA) or Deputy appointed by the Court of Protection can make a request to see information held about the person if:

  1. The person lacks capacity to make the request; and
  2. The LPA or Deputy has deemed that seeing the information is in the person’s best interests; and
  3. The LPA or Deputy has the legal authority to see the type of information being requested.

If these circumstances apply, the request should be treated as if the person has made it themselves.

Requests from carers, family members and friends

If a carer, family member or friend asks to see information, it should only be shared if the person gives their consent. 

If the person does not have the capacity to provide such consent, the information can only be shared if the service deems it to be in their best interests under the Mental Capacity Act 2005.

For guidance about consent, including what to do if the person lacks capacity to consent, see: Consent

Requests from professionals and organisations

The same rules apply as for carers, family members and friends. This is with one exception: when there is a legal requirement to share information.

Sharing relevant information with the right people at the right time is vital to good safeguarding practice.

With the consent of the person (or persons) at risk (or in their best interests if they lack capacity to consent), a concern should be raised, and relevant information shared.

If the person withholds their consent (or consent cannot be obtained) information must still be shared if neglect or abuse has caused (or may cause) serious harm. 

If consent is withheld (or cannot be obtained) and it is not clear as to the seriousness of the harm that has occurred (or may occur), the service should contact the local authority for advice. This should be available without having to provide personal details.

For guidance about consent, including what to do if the person lacks capacity to consent, see: Consent

Subject to the above rules around consent, if the nature of the abuse or neglect taking place (or at risk of taking place) constitutes a criminal act, the police should also be notified. We all have a moral duty to report any crime or suspected crime to the police. Doing so can reduce the risk of harm to the adult and others and help ensure that perpetrators of crime are brought to justice.

If a safeguarding enquiry or criminal investigation begins, the service must provide relevant information to the local authority or police as requested to support this process.

For further information about sharing safeguarding information see: Disclosure and Raising a Concern.

Requests from courts

If a court requests information for any reason, this must be provided.

Duty of candour

The duty of candour requires the service (and every individual employee) to be open, honest and transparent, including when things go wrong. If the duty of candour applies, information must be shared with the ‘relevant person’ as set out in the duty of candour process.

For further information see: Duty of Candour

The following flowchart can be used in a range of circumstances to help you decide whether information should be shared. It has been adapted from the following government guidance: Information sharing.

When to share information flowchart

All information sharing should have regard for the Caldicott Principles and be carried out in line with any local information sharing protocols agreed with partner organisations, particularly the police, local authority, CCG or NHS Trust.

Important information sharing principles

Necessary and proportionate

When taking decisions about what information to share, you should consider how much information you need to share and what the impact of sharing will be on the person to whom it relates and on any third parties. Any information shared must be proportionate to the need and level of risk.

Relevant

Only information that is relevant to the purposes for which it is intended should be shared, and only with those who need it. This allows others to do their job effectively and make sound decisions.

Adequate

Information should be adequate and fit for purpose. Information should be of good quality to ensure that it can be understood and relied upon.

Accurate

Information should be accurate and up to date and should clearly distinguish between fact and opinion. If the information is historical, then this should be explained.

Timely

Information should be shared in a timely fashion to reduce the risk of harm. Timeliness is key in emergency situations, and it may not be appropriate to seek consent for information sharing if it could cause delays and therefore harm. You should ensure that sufficient information is shared, as well as consider the urgency with which to share it.

Secure

Wherever possible, information should be shared in an appropriate, secure way.

When providing information electronically, use the most secure method possible, for example an encrypted email or a password-protected document.

Make sure any email addresses used belong to the intended recipient. If the email account is a team email and can be accessed by multiple people in an organisation, you should be satisfied that there are arrangements in place to maintain confidentiality before sending the information.

Record

All information sharing decisions should be recorded. This includes decisions made to share information and decisions made to withhold information.

The rationale for decisions should be clear and evidence based.

Records should be made about the information shared, when, how, with whom and why.

Breaches include:

  1. Failing to protect personal information; and/or
  2. Sharing information without consent or good reason.

Breaches of confidentiality without consent or good reason are unlawful and may result in criminal prosecution of the service as a whole or of an individual employee under the Data Protection Act 2018. Depending on the circumstances, it could also be an offence under the Human Rights Act 1998.

Breaches can also affect the quality of the service we are able to provide as people may be less likely to provide us with the information we need to support them.

The service's reputation in the local community, with the regulatory body (Care Quality Commission) and with commissioning organisations (the local authority, the CCG or the NHS Trust) can also be affected.

It is therefore important that breaches (or potential breaches) of confidentiality are highlighted quickly so that appropriate action can be taken to protect personal information and minimise any negative consequences for the person and for the service.

If you break confidentiality or become aware of a breach by another person you must report it.

Examples include:

  • Theft of a mobile device;
  • Loss of a record or document;
  • Information being shared with someone who does not need to know it;
  • An image or video being uploaded to a social media site;
  • Electronic records being left open;
  • Hard copies of information being left lying around.

Breaches can also include suspected virus infections of, or hacking into, computers and mobile devices.

Breaches should be reported to the registered person but can also be managed through the whistleblowing process.

Managers must consider whether the breach is notifiable to the Information Commissioner's Office.

For guidance see: ICO Report a breach 

Last Updated: March 21, 2022