Skip to main content


Caption: floating buttons
View Working Together View Working Together
  View Hertfordshire Safeguarding Children Partnership website

1.4 Information Sharing and Confidentiality


  1. Introduction
  2. Working Together to Safeguard Children
  3. Key Points for Workers when Sharing Information
  4. When and How to Share Information
  5. Flowchart - When and How to Share Information
  6. Legal Framework
  7. Resources and Links

1. Introduction

In order to deliver the best safeguarding decisions that ensure timely, necessary and proportionate interventions, decision makers need the full information picture concerning an individual and their circumstances to be available to them. Information viewed alone or in silos is unlikely to give the full picture or identify the true risk.

Therefore all the relevant information from various agencies needs to be available. By ensuring all statutory partners have the ability to share information, it will help to identify those who are subject to, or likely to be subject to, harm, in a timely manner which will keep children and young people safe from harm.

A public authority must have some legal power entitling it to share the information. There is an obligation to consider on all occasions and on a case by case basis whether information will be shared with or without consent. The determination must always be based on what is reasonable, necessary and proportionate.

HM Government advice on Information Sharing (March 2015) states: "Sharing information is an intrinsic part of any front-line practitioners’ job when working with children and young people. The decisions about how much information to share, with whom and when, can have a profound impact on individuals’ lives. It could ensure that an individual receives the right services at the right time and prevent a need from becoming more acute and difficult to meet. At the other end of the spectrum it could be the difference between life and death".

The decision whether or not to share information must be recorded by the partner agency which makes that decision.

2. Working Together to Safeguard Children

Working Together to Safeguard Children states that:

Effective sharing of information between professionals and local agencies is essential for effective identification, assessment and service provision.

Early sharing of information is the key to providing effective early help where there are emerging problems. At the other end of the continuum, sharing information can be essential to put in place effective child protection services. Serious Case Reviews (SCRs) have shown how poor information - sharing has contributed to the deaths or serious injuries of children.

Fears about sharing information cannot be allowed to stand in the way of the need to promote the welfare and protect the safety of children.” (Working Together to Safeguard Children)

Working Together to Safeguard Children states that:

… all organisations should have arrangements in place which set out clearly the processes and the principles for sharing information between each other, with other professionals and with the LSCP; and no professional should assume that someone else will pass on information which they think may be critical to keeping a child safe. If a professional has concerns about a child’s welfare and believes they are suffering, or likely to suffer, harm, then they should share the information with local authority children’s social care.

Information Sharing: Advice for practitioners providing safeguarding services to children, young people, parents and carers (2015) supports frontline practitioners working in child or adult service who have to make decisions about sharing personal information on a case- by-case basis. The guidance can be used to supplement local guidance and encourage good practice in information sharing.” (Working Together to Safeguard Children).

3. Key Points for Workers when Sharing Information

The general principle is that information will only be shared with the consent of the subject of the information. Sharing confidential information without consent will normally be justified in the public interest in limited circumstances described below.

The Seven Golden Rules for Information Sharing

  • Remember that the Data Protection Act 1998 and human rights laws are not barriers to justified information sharing but provide a framework to ensure that personal information about living individuals is shared appropriately;
  • Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so;
  • Seek advice from other practitioners if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible;
  • Share with informed consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, there is good reason to do so, such as where safety may be at risk. You will need to base your judgment on the facts of the case. When you are sharing or requesting personal information from someone, be certain of the basis upon which you are doing so. Where you have consent, be mindful that an individual might not expect information to be shared;
  • Consider safety and well-being: Base your information sharing decisions on considerations of the safety and wellbeing of the individual and others who may be affected by their actions;
  • Necessary, proportionate, relevant, accurate, timely and secure. Ensure that the information you share is:
    • Necessary for the purpose for which you are sharing it;
    • Is shared only with those people who need to have it;
    • Is accurate and up-to-date;
    • Is shared in a timely fashion; and
    • Is shared securely (Practitioners must always follow their organisation’s policy on security for handling personal information).
  • Keep a record of your decision and the reasons for it - whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.

Each situation should be considered on a case-by-case basis. Professionals should always seek advice from senior colleagues, including those in legal services, where clarity is required; in the first instance practitioners should contact the data protection lead in their agency.

The Information sharing guidance for Practitioners makes a point which should be borne in mind. Information can be held in many different ways, in case records or electronically in a variety of IT systems with access for different professionals. The use of emails in professional communications also raises another mechanism for sharing information other than in direct person to person contact. However the information is shared, it should always be recorded in the individual’s record.

Information sharing: advice for practitioners providing safeguarding services (March 2015) states that:

Wherever possible, you should seek consent or be open and honest with the individual (and/or their family, where appropriate) from the outset as to why, what, how and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on and they have a genuine choice about this.

Consent in relation to personal information does not need to be explicit – it can be implied where to do so would be reasonable, i.e. a referral to a provider or another service. More stringent rules apply to sensitive personal information, when, if consent is necessary then it should be explicit. But even without consent, or explicit consent, it is still possible to share personal information if it is necessary in order to carry out your role, or to protect the vital interests of the individual where, for example, consent cannot be given. Also, if it is unsafe or inappropriate to do so, i.e. where there are concerns that a child is suffering, or is likely to suffer significant harm, you would not need to seek consent. A record of what has been shared should be kept.

It is also possible that an overriding public interest would justify disclosure of the information (or that sharing is required by a court order, other legal obligation or statutory exemption). To overcome the common law duty of confidence, the public interest threshold is not necessarily difficult to meet – particularly in emergency situations. Confidential health information carries a higher threshold, but it should still be possible to proceed where the circumstances are serious enough. As is the case for all personal information processing, initial thought needs to be given as to whether the objective can be achieved by limiting the amount of information shared – does all of the personal information need to be shared to achieve the objective?

Where there is a clear risk of significant harm to a child, or serious harm to adults, the public interest test will almost certainly be satisfied. However, there will be other cases where practitioners will be justified in sharing some confidential information in order to make decisions on sharing further information or taking action. The information shared should be proportionate. Decisions in this area need to be made by, or with the advice of, people with suitable competence in Child Protection work such as named or designated professionals or senior managers.

4. When and How to Share Information

Information Sharing Principles

The principles set out below are intended to help practitioners working with children, young people, parents and carers share information between organisations. Practitioners should use their judgement when making decisions on what information to share and when and should follow organisation procedures or consult with their manager if in doubt. The most important consideration is whether sharing information is likely to safeguard and protect a child.

  • Necessary and proportionate
    When taking decisions about what information to share, you should consider how much information you need to release. The Data Protection Act 1998 requires you to consider the impact of disclosing information on the information subject and any third parties. Any information shared must be proportionate to the need and level of risk;
  • Relevant
    Only information that is relevant to the purposes should be shared with those who need it. This allows others to do their job effectively and make sound decisions;
  • Adequate
    Information should be adequate for its purpose. Information should be of the right quality to ensure that it can be understood and relied upon;
  • Accurate
    Information should be accurate and up to date and should clearly distinguish between fact and opinion. If the information is historical then this should be explained;
  • Timely
    Information should be shared in a timely fashion to reduce the risk of harm. Timeliness is key in emergency situations and it may not be appropriate to seek consent for information sharing if it could cause delays and therefore harm to a child. Practitioners should ensure that sufficient information is shared, as well as consider the urgency with which to share it;
  • Secure
    Wherever possible, information should be shared in an appropriate, secure way. Practitioners must always follow their organisation’s policy on security for handling personal information;
  • Record
    Information sharing decisions should be recorded whether or not the decision is taken to share. If the decision is to share, reasons should be cited including what information has been shared and with whom, in line with organisational procedures. If the decision is not to share, it is good practice to record the reasons for this decision and discuss them with the requester. In line with each organisation’s own retention policy, the information should not be kept any longer than is necessary. In some circumstances this may be indefinitely, but if this is the case there should be a review process.

When and How to Share Information

When asked to share information, you should consider the following questions to help you decide if and when to share. If the decision is taken to share, you should consider how best to effectively share the information. A flowchart follows the text.

What do we want to achieve from sharing this information. Is there a clear and legitimate purpose for sharing information?

  • Yes – see next question;
  • No – do not share.

Does the information enable an individual to be identified?

  • Yes – see next question;
  • No – you can share but should consider how.

Is the information confidential?

  • Yes – see next question;
  • No – you can share but should consider how.

Do you have consent?

  • Yes – you can share but should consider how;
  • No – see next question.

Is there another reason to share information such as to fulfil a public function or to protect the vital interests of the information subject?

  • Yes – you can share but should consider how;
  • No – do not share.


  • Who needs to be involved in the sharing? – identify relevant agencies;
  • Whose information do we need to make the decision – child, parent, carer, others? Is it sensitive personal data? Do we have their consent?


  • Share the information which is necessary for your purpose. It may not be necessary to give all agencies access to all the information you hold;
  • Make sure what you provide is up to date, accurate and relevant.


  • Identify how much information to share;
  • Distinguish fact from opinion;
  • Ensure you are giving the right information to the right person;
  • Ensure the information is shared securely;
  • Inform the individual that information has been shared if they were not aware of this, as long as this would not create or increase risk of harm.

All information sharing decisions and reasons must be recorded in line with your organisation or local procedures. If at any stage you are unsure about how or when to share information, you should seek advice and ensure that the outcome of the discussion is recorded. If there are concerns that a child is suffering or likely to suffer harm, then follow the relevant procedures without delay.

Consent to Share

Obtaining consent is one of the conditions for processing which can be used to satisfy Principle 1 of the Data Protection Act. In circumstances where it is appropriate and possible, explicit and informed consent must be sought from and freely given by the data subject.

Partners must ensure that consent is appropriately and clearly documented. Consent only allows the disclosure of data subject information, further consent should be sought from other third parties unless the overriding principles apply and that information shared is relevant and proportionate.

The rule of proportionality should be applied to ensure that a fair balance is achieved between the public interest and the rights of the data subject.

It is possible to disclose personal information without consent if this is in the defined category of Public Interest. The principles of the DPA would still apply in such cases.

The Public Interest Criteria include the:

  • Administration of justice;
  • Maintaining of public safety;
  • Apprehension of offenders;
  • Prevention of crime and disorder;
  • Detection of crime;
  • Protection of vulnerable members of the community.

When judging the public interest, it is necessary to consider the following:

  • Is the intended disclosure proportionate to the intended aim?
  • What is the vulnerability of those who are at risk?
  • What is the impact of disclosure likely to be on the individual to whom the shared information pertains?
  • Is there another equally effective means of achieving the same aim?
  • Is the disclosure necessary to prevent or detect crime and uphold the rights and freedoms of the public?
  • Is it necessary to disclose the information, to protect others?

Sharing Without Consent

There must be a proportionate reason for not seeking consent and the person making this decision must try to weigh up the important legal duty to seek consent and the damage that might be caused by the proposed information sharing on the one hand and balance that against whether any, and if so what type and amount of harm might be caused (or not prevented) by seeking consent.

There is an obligation to consider on all occasions and on a case by case basis whether information will be shared with or without consent. This determination by a practitioner should always be reasonable, necessary and proportionate. It should always be recorded together with the rationale for the decision.

If the need to share is urgent and seeking consent will lead to unjustified delay in making enquiries about allegations of significant harm to a child then if safeguarding is paramount take immediate action and share the information without consent but again remember to record the reason for the decision.

There may be times when consent is sought and refused. This does not mean that information cannot be shared. The refusal of consent should be considered in conjunction with other concerns and if it is considered justifiable then information can and MUST be shared. If professionals consider it justifiable to override the refusal in the interests of the welfare of the child then they can do so. This decision must be proportionate to the harm that may be caused by proceeding without consent.

Duty of Confidence

Information held by agencies is likely to have been gathered where a Duty of Confidence is owed. Duty of Confidence is not an absolute bar to disclosure, as information can be shared where there is a strong enough public interest to do so. It is the responsibility of the disclosing agency to ensure that the protection of children or other vulnerable persons would fulfil a public interest test before passing the information to a Partner.

When overriding the Duty of Confidence in the absence of consent the practitioners must seek the views of the person representing the organisation that holds the Duty of Confidence and take these into account in relation to breaching the confidence. The originating Partner will be the final arbiter as to whether information is disclosed or not. The Partner may wish to seek specialist or legal advice if there is lack of clarity around justifiable disclosure of information. All disclosures must be relevant and proportionate to the intended aim of the disclosure and must be fully documented as an unjustified disclosure could lead to a claim for damages against the disclosing party.

Practitioners must be particularly mindful of their professional and ethical obligations and the public interest of confidence in the confidentiality of their services.

It may be necessary to seek advice on professional conduct as well as legal advice before sharing information without consent, especially for information related to the treatment of mental illness.

Practitioners should ensure the need to protect children takes into account the children’s rights as well as those of the adults concerned.

All information sharing decisions and the reason for that decision must be recorded at the time of the decision.

5. Flowchart - When and How to Share Information

Click here to view Flowchart - When and How to Share Information.

6. Legal Framework

The main legal framework relating to the protection of personal information and how it is exchanged is set out in:

  • The Human Rights Act 1998, which incorporates Article 8 of the European Convention on Human Rights (ECHR), including the right to a private and family life;
  • The common law duty of confidentiality;
  • The Data Protection Act 1998, covering protection of personal information.

There is no general power to obtain, hold or process data and there is no statutory power to share information. Where data is held it should be processed in accordance with the Data Protection Act principles.

However, some Acts of Parliament do give statutory public bodies express or implied statutory powers to share information. There are a number of pieces of legislation. Some of these are relevant to all members of the HSCP. Others relate to specific organisations.

Data Protection Act 1998

The Principles of the Data Protection Act 1998 [DPA] have been used to provide a framework within which to consider the lawful basis for sharing information.

Each HSCP partner agency may have a different basis for holding and processing the information it needs to fulfil its legal duties. Some common considerations have been included here, but it is impractical for guidance to be fully comprehensive and universally applicable. Partner agencies must obtain their own assurance and be satisfied that it has a lawful basis for sharing the information it holds.

The Data Protection Act 1998 requires that Personal information is obtained and processed fairly and lawfully; only disclosed in appropriate circumstances; is accurate, relevant and not held longer than necessary; and is kept securely.

The Act balances the rights of the information subject (the individual whom the information is about) and the need to share information about them. Never assume sharing is prohibited – it is essential to consider this balance in every case. The Information Commissioner has published a statutory code of practice on information sharing to help organisations adopt good practice.

The relevant issues for social workers are usually around sharing information where consent has been withheld. There is a public interest defence if sharing information is for the purposes of safeguarding a child or vulnerable person.

Data Protection Act 1998 Section 29

Provides certain exemptions when personal information is used for the prevention and detection of crime and/or for the apprehension and prosecution of offenders if complying with fair processing conditions, i.e. telling individuals how their data will be processed or shared, would prejudice the purpose. Information processed for this purpose is exempted from disclosure in response to a Subject Access Request.

If not disclosing information would prejudice the situations listed above, organisations are then exempt from the usual non-disclosure provisions and may provide the information requested / they wish to share proactively.

All decisions to share or not share information must be decided on a case-by-case basis and recorded.

Children Act 2004

Sections 10 and 11 of the Children Act 2004 place obligations upon specified agencies including local authorities, Police, clinical commission groups and the NHS Commissioning Board to co-operate with other relevant partners in promoting the welfare of children and also ensuring that their functions are discharged having regard to the need to safeguard and promote the welfare of children. The Act sets out the specific agencies for s10 and s11 – if in doubt check.

Section 10 and 11 of the Children Act 2004 create a ‘permissive gateway’ for information to be shared in a lawful manner. Such information sharing must take place in accordance with statutory requirements pertaining to the disclosure of information namely the Data Protection Act 1998, the Human Rights Act 1998 and the Common Law duty of confidentiality.

The Act, although amended by the Health and Social Care Act 2012, does not provide a basis for processing by non-Public Sector bodies, i.e. healthcare providers that are not NHS Trusts or NHS Foundation Trusts, charities, or private providers.

The Act emphasises the importance of safeguarding the welfare of children by stating that relevant partner agencies, must ensure that functions are discharged having regard to the need to safeguard and promote the welfare of children.

The Act also states that they must make arrangements to promote co-operation between relevant partner agencies to improve the well-being of children in their area. Well-being is defined by the Act as relating to a child’s:

  • Physical and mental health and emotional wellbeing;
  • Protection from harm and neglect;
  • Education, training and recreation;
  • The contribution made by them to society;
  • Social and economic wellbeing.

Although most commonly used to refer to young people aged sixteen or under, ‘children’ in terms of the scope of this Act means those up to the age of eighteen.

Children Act 1989

For children and young people, the nature of the information that will be shared under this agreement may fall below a statutory threshold of s.47 (children in need of protection) or even s.17 (children in need of services).

If the information to be shared does fall within these sections of the 1989 Act, then these will be the main legal gateway.

Crime and Disorder Act 1998

Section 115, provides a legal basis for sharing information with a relevant authority where the disclosure is necessary or expedient for the purposes of any provision of the Crime and Disorder Act 1998. Relevant authorities include: Police, Probation, Local Authorities, ICBs and certain NHS statutory bodies.

Human Rights Act 1998

Gives force to the European Convention on Human Rights and, amongst other things, places an obligation on public authorities to protect people’s Article 2 right to life and Article 3 right to be free from torture or degrading treatment.

There needs to be a balance between the desire to share, with a person’s right to privacy under the Article 8: The right to respect for private and family life, home and correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in the interests of national security, public safety or for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

The Mental Capacity Act 2005

Under the Mental capacity Act 2005 staff are required to apply 5 principles in their assessments to decide whether to share information without consent in a persons’ best interests.

Paragraph 2.4 of the MCA Code of Practice, it is important to balance people's right to make a decision with their right to safety and protection when they can't make decisions to protect themselves. The starting assumption must always be that an individual has the capacity, until there is proof that they do not.

Under the Mental Capacity Act 2005 there would have to be good reasons for not undertaking an assessment of mental capacity regarding the decision to share information without consent, and these would need to be documented carefully.

Caldicott Guardian Principles

A Caldicott Guardian is a senior person responsible for protecting the confidentiality of patient and service-user information and enabling appropriate information-sharing. The Guardian plays a key role in ensuring that the NHS, Local Authority Social Services Departments and partner organisations satisfy the highest practicable standards for handling patient identifiable information. Since Caldicott Guardians were established, key legislation including: the Data Protection Act 1998, Human Rights Act 1998, Public Interest Disclosure Act 1998, Audit Commission Act 1998, Terrorism Act 2000, section 60 of the Health and Social Care Act 2001 and Regulation of Investigatory Powers Act 2000, and The Freedom of Information Act 2000 have become law which has extended the role and responsibility of the Caldicott Guardian.

The Seven Caldicott Principles

  • Justify the purpose(s) for using confidential information;
  • Don't use personal confidential data unless it is absolutely necessary;
  • Use the minimum necessary personal confidential data;
  • Access to personal confidential data should be on a strict need-to-know basis;
  • Everyone with access to personal confidential data should be aware of their responsibilities;
  • Comply with the law;
  • The duty to share information can be as important as the duty to protect patient confidentiality.

These are applicable to Children Services and Health Trusts. They have more recently been extended into councils with social care responsibilities, in order to provide a framework for working within the Data Protection Act 1998 and to promote appropriate information sharing.

Every local Health Service and Children Services has its own Caldicott Guardian, to provide advice and guidance on appropriate information sharing.

Staff working for an organisation which has a Caldicott Guardian may want to discuss sharing with them if their line-manager is unavailable.

7. Resources and Links

Useful resources and external organisations

  • ICO Data Sharing Code of Practice and checklists;
  • Centre of Excellence on Information Sharing;
  • Practice guidance on sharing adult safeguarding information.

Other relevant departmental advice and statutory guidance