RCGP Safeguarding toolkit
The aim of this toolkit is to enhance the safeguarding knowledge and skills that GPs already have to enable them to continue to effectively safeguard children and young people, as well as adults at risk of harm.
Part 5: Information Sharing and multiagency working
Legal considerations for sharing personal information
Legal considerations for sharing personal information
In general practice (and in healthcare in general) there are two main legal considerations when sharing personal information for the purposes of safeguarding: the common law and data protection law.
Both are equally important and necessary, but need to be considered separately; by doing so you can confidently share personal information that is necessary, proportionate, and relevant, for the purposes of safeguarding.
You can also be assured in the knowledge that you are complying with the common law and data protection law.
Both are equally important and necessary, but need to be considered separately; by doing so you can confidently share personal information that is necessary, proportionate, and relevant, for the purposes of safeguarding.
You can also be assured in the knowledge that you are complying with the common law and data protection law.
1) Common Law.
Information acquired by doctors in their professional capacity will generally be confidential under the common law. It is generally accepted that the common law allows disclosure of confidential information if:
Information acquired by doctors in their professional capacity will generally be confidential under the common law. It is generally accepted that the common law allows disclosure of confidential information if:
- the patient consents
- it is required by law, or in response to a court order
- it is justified in the public interest.
In their guidance ‘Confidentiality: good practice in handling patient information’ (paragraph 9), the GMC states:
“Confidentiality is an important ethical and legal duty, but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies:
“Confidentiality is an important ethical and legal duty, but it is not absolute. You may disclose personal information without breaching duties of confidentiality when any of the following circumstances applies:
- The patient consents, whether implicitly or explicitly for the sake of their own care or for local clinical audit, or explicitly for other purposes.
- The patient has given their explicit consent to disclosure for other purposes.
- The disclosure is of overall benefit to a patient who lacks the capacity to consent.
- The disclosure is required by law, or the disclosure is permitted or has been approved under a statutory process that sets aside the common law duty of confidentiality.
- The disclosure can be justified in the public interest.”
Disclosing information in the public interest can be justified in circumstances where it is necessary to prevent serious crime, death, or serious harm.
GMC guidance ‘Confidentiality: good practice in handling patient information’ (paragraphs 63 – 70) sets out guidance on disclosing information in the public interest and the principles to follow.
GMC guidance ‘Confidentiality: good practice in handling patient information’ (paragraphs 63 – 70) sets out guidance on disclosing information in the public interest and the principles to follow.
The common law cannot be considered in isolation. Even if a disclosure of personal information is permitted under the common law, the disclosure must still satisfy the requirements of data protection law.
2) Data protection law (UK GDPR).
Under UK GDPR, there are six lawful bases for sharing personal information. The most appropriate ones for safeguarding purposes are likely to be public task, legitimate interests, legal obligation, and vital interests.
Under UK GDPR, there are six lawful bases for sharing personal information. The most appropriate ones for safeguarding purposes are likely to be public task, legitimate interests, legal obligation, and vital interests.
In addition to identifying a lawful basis under the UK GDPR to share information, you are very likely to have to satisfy additional safeguards for sharing information from a patient’s health record since it is very likely to be sensitive or ‘special category data’. These additional safeguards are called ‘conditions’ and include health or social care, public health, substantial public interest and vital interests. See the ICO guidance on special category data for further information.