In this article
After reading the Care Certificate Standard 14 – Handling Information, you should be able to:
- Describe the agreed ways of working and legislation regarding the recording, storing and sharing of information.
- Explain why it is important to have secure systems for recording, storing and sharing information.
- Demonstrate how to keep records that are up to date, complete, accurate and legible.
- Explain how, and to whom, to report if you become aware that agreed ways of working have not been followed.
The Care Certificate Standards detail what you must achieve and be assessed against to meet these learning outcomes.
If you have any concerns or queries, you should discuss these with your employer and/or assessor.
All about confidentiality in health and social care
Confidentiality is a crucial right of all individuals who are receiving care and support, and it must be respected.
Respecting confidentiality is:
- A legal requirement.
- Essential to protect the individual.
- Helpful in building relationships that are based on trust.
Information relating to an individual’s care and support may be classed as personal and sensitive. This type of information must be treated confidentially and should only be shared on a need-to-know basis.
Information about an individual should only be shared with:
- Health and social care workers involved in their care and support.
- Other workers in different roles involved in the provision of care and support.
Information must only be shared on a need-to-know basis, which does not include the following:
- The individual’s family or friends.
- The individual’s neighbour.
- Your family or friends.
- A health and social care worker not involved in providing care and support to the individual.
Information must not be shared with the above people without the individual’s permission. For example, you may have a situation where an individual does not want to share information about their health or happiness with their family or friends. Therefore, it is always vital to respect their wishes regarding the passing on of their information.
As well as only sharing an individual’s information on a need-to-know basis, it is also crucial to safeguard (protect) their personal information from being accidentally viewed or heard.
To achieve this, be mindful of the following:
- When discussing your work with another worker, consider who can overhear the information being shared verbally.
- Be careful when storing information to avoid unauthorised people accessing personal or sensitive information, e.g. do not leave a personal letter to an individual in a public place where others could read it.
- Paper records should be stored in locked cupboards or filing cabinets, and electronic information should always be password protected.
- Always gain consent from the individual before sharing their information with others.
If you have a situation where an individual may harm themselves or others, you must share this information with your manager, even when the individual has not given their consent.
Social media and confidentiality
The technology we have today means that people can keep in touch and share information instantly with one another, e.g. via internet social media platforms, such as Facebook, Twitter and Instagram.
If you use any type of social media, you must be mindful of all individuals’ confidentiality rights, including others you work with. As a health and social care worker, always be careful when using social media and use these platforms responsibly.
The majority of workers have mobile internet technology, such as smartphones, with them whilst they are at work. This increases the risks of confidentiality breaches, as it is easy to accidentally share information about their day or individuals without thinking about the consequences.
Sharing an individual’s information on social media is as much of a breach of confidentiality as:
- Leaving a record out of the locked filing system.
- Leaving a computer unsupervised whilst you are still logged in.
- Discussing an individual’s care and support where you can be overheard.
It is important to realise that any breach of confidentiality when using social media, including taking or sharing videos or photos, can be:
- A disciplinary offence.
- A criminal offence, depending on what is shared.
If you have to take photos or videos for work purposes, you must never share them with anyone unless it is on a need-to-know basis. Also, you should not take photos or videos for any other purpose whilst you are at work, i.e. selfies, as you may inadvertently breach confidentiality.
Agreed ways of working
Your organisation’s policies and procedures are also known as agreed ways of working. It includes those less formally documented by individual employers and the self-employed, as well as more formal policies.
As a health and social care worker, you:
- Have an overall responsibility to safeguard individuals’ personal information.
- Must safeguard other workers’ personal information where you have access to it.
- Must always follow your employer’s agreed ways of working. They will have systems in place to comply with the legal requirements regarding storing information.
- Should ask your employer to explain the systems they have in place to protect individuals’ information.
The Caldicott Principles
In 1997, a committee chaired by Dame Fiona Caldicott produced a report about confidentiality. The aim was to review the transfer of patient identifiable information within the health service. The outcome of the review was a set of standards known as the Caldicott Principles.
The Caldicott Principles apply to:
- All data collected for the provision of health and social care services, where patients and service users can be identified and would expect that it will be kept private, e.g. details about symptoms, diagnosis, treatment, names and addresses.
- The use of confidential information in health and social care organisations.
- When confidential information is shared with other organisations and between individuals; both for individual care and other purposes.
- The processing of staff information, in certain circumstances.
The principles are primarily intended to guide organisations and their staff. However, patients, service users and/or their representatives should be included as active partners in the use of their confidential information.
The eight Caldicott Principles
There were initially six Caldicott Principles, and a seventh was added after a review in 2013. The most recent review was in December 2020, and an eighth principle was added.
The principles are as follows:
- Principle 1: Justify the purpose(s) for using confidential information.
- Principle 2: Use confidential information only when it is necessary.
- Principle 3: Use the minimum necessary confidential information.
- Principle 4: Access to confidential information should be on a strict need-to-know basis.
- Principle 5: Everyone with access to confidential information should be aware of their responsibilities.
- Principle 6: Comply with the law.
- Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality.
- Principle 8: Inform patients and service users about how their confidential information is used.
The Caldicott Principles 1 & 2
Principle 1: Justify the purpose(s) for using confidential information
Every proposed use or transfer of confidential information should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed by an appropriate guardian.
A Caldicott Guardian is a senior person responsible for protecting the confidentiality of people’s health and care information and ensuring it is used properly.
Principle 2: Use confidential information only when it is necessary
Confidential information should not be included unless it is necessary for the specified purpose(s) for which the information is used or accessed. The need to identify individuals should be considered at each stage of satisfying the purpose(s) and alternatives used where possible.
The Caldicott Principles 3 & 4
Principle 3: Use the minimum necessary confidential information
Where the use of confidential information is considered to be necessary, each item of information must be justified so that only the minimum amount of confidential information is included as necessary for a given function.
Principle 4: Access to confidential information should be on a strict need-to-know basis
Only those who need access to confidential information should have access to it, and then only to the items that they need to see. This may mean introducing access controls or splitting information flows where one flow is used for several purposes.
The Caldicott Principles 5 & 6
Principle 5: Everyone with access to confidential information should be aware of their responsibilities
Action should be taken to ensure that all those handling confidential information understand their responsibilities and obligations to respect the confidentiality of patient and service users.
Principle 6: Comply with the law
Every use of confidential information must be lawful. All those handling confidential information are responsible for ensuring that their use of and access to that information complies with legal requirements set out in statute and under the common law.
The Caldicott Principles 7 & 8
Principle 7: The duty to share information for individual care is as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share confidential information in the best interests of patients and service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.
Principle 8: Inform patients and service users about how their confidential information is used
A range of steps should be taken to ensure there are no surprises for patients and service users, so they can have clear expectations about how and why their confidential information is used, and what choices they have about this. These steps will vary depending on the use: as a minimum, this should include providing accessible, relevant and appropriate information – in some cases, greater engagement will be required.
Protection of information legislation
When it comes to the confidentiality and safeguarding of individuals’ personal and sensitive information, the following legislation will apply:
- The Data Protection Act (DPA) 2018.
- The UK General Data Protection Regulation (UK GDPR).
- The Freedom of Information (FOI) Act 2000, and the Environmental Information Regulations 2004 (EIR).
Legislation is the laws and government guidance on the legal rules that affect people in society.
You must be aware of this legislation. As a health and social worker, you will have responsibilities when handling the personal and sensitive information of the individuals you are caring for and supporting.
The Data Protection Act and GDPR
The Data Protection Act (DPA) 2018 is a UK Act of Parliament, which relates to data protection laws in the UK. It is a national law, which replaced the Data Protection Act 1998 when the EU General Data Protection Regulation (GDPR) 2016 came into force.
The GDPR 2016 is an EU regulation on data protection and privacy in the European Union (EU) and the European Economic Area (EEA). As the UK was a previous member state, the EU GDPR was directly applicable.
Since the UK’s departure from the EU, the GDPR has been retained in domestic law and has become the UK General Data Protection Regulation (UK GDPR). The UK GDPR sits alongside an amended version of the Data Protection Act 2018. Both apply to the protection of people’s data, and they both complement each other.
The Data Protection Act and GDPR
The UK GDPR is supplemented by the Data Protection Act (DPA) 2018. Data protection legislation controls how people’s personal information is used by organisations, businesses or the government. It also introduces ‘digital rights’ for individual citizens, as personal information is increasingly stored in computer databases.
According to the Information Commissioner’s Office (ICO), data protection is:
The ICO is the regulator for data protection in the UK.
The Data Protection Act (DPA) 2018 and the UK GDPR stipulates the actions that must be taken when processing personal data.
Processing can mean anything done with data, such as (this list is not exhaustive):
Personal data is information that relates to an identified or identifiable person (a data subject) who could be identified, directly or indirectly, based on the information.
It includes an individual’s:
- Identification number, e.g. National Insurance or passport number.
- Location data, e.g. home address or mobile phone GPS data.
- Online identification, e.g. IP address or email address.
There are special categories of personal data, which cover individuals’ sensitive information, for example:
- Ethnic background.
- Political opinions.
- Religious beliefs.
- Trade union membership.
- Biometrics (where used for identification).
- Sex life or orientation.
Sensitive information has stronger legal protection. There have to be lawful grounds for the processing of these types of data, and additional safeguards must be in place. There are separate safeguards for personal data relating to criminal convictions and offences.
The DPA and UK GDPR applies to electronic files and paper filing systems that include personally identifiable information. Spoken information is not included but confidentiality can be breached if personal or sensitive information is discussed where others can overhear.
Under data protection legislation, individuals have the right to find out what information the government and other organisations store about them.
These include the right to:
- Be informed about how their data is being used.
- Access their personal data.
- Have incorrect data updated.
- Have data erased.
- Stop or restrict the processing of their data.
- Data portability (allowing others to get and reuse their data for different services).
- Object to how their data is processed in certain circumstances.
Individuals also have rights when an organisation is using their personal data for:
- Automated decision-making processes (without human involvement).
- Profiling, for example, to predict their behaviour or interests.
Data protection principles
Article 5 of the UK GDPR sets out seven key principles, which lie at the heart of the general data protection regime.
These principles are:
- Lawfulness, fairness and transparency – personal data must be processed lawfully, fairly and in a transparent manner.
- Purpose limitation – personal data can only be collected for specified, explicit and legitimate purposes. It can only be used for a specific purpose and no other. Individual’s details must not be passed on to third parties unless they have already consented.
- Data minimisation – no more than the minimum amount of data should be kept for specific processing.
- Accuracy – data must be accurate and where necessary kept up to date. If the data held is wrong or out of date, individuals have the right to have it corrected or deleted.
- Storage limitation – data that is no longer required should be removed.
- Integrity and confidentiality (security) – data must be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage.
- Accountability – the controller has responsibility for demonstrating compliance with the other principles.
These principles are a vital part of ensuring an organisation remains compliant with data protection laws.
Who is responsible for data protection?
A controller is responsible for ensuring that any data processing complies with data protection legislation. They decide how, and for what purpose, the data will be collected and used. Your employer is likely to be the controller but it can also be an individual, such as a sole trader.
A processor processes the data on behalf of the controller, as per their instructions. A processor is not an employee, it is a separate organisation or person.
As an employee, your employer must make you aware of the agreed ways of working and your specific role when it comes to data protection and confidentiality. Everyone in the organisation will have some responsibilities regarding data protection. Your employer must also make you aware of your rights concerning your own personal data.
Data protection legislation is a lengthy and complex topic, and far too detailed to cover in this certificate. For further information, the ICO website has a detailed guide to data protection, which can be found here.
The Freedom of Information Act 2000
The Freedom of Information (FOI) Act 2000 and the Environmental Information Regulations 2004 (EIR) give members of the public the right to request and access recorded information that is held by public authorities in England, Northern Ireland and Wales. In Scotland, it is the Freedom of Information (Scotland) Act 2002 (FOISA).
Examples of recorded information include:
- Meeting minutes.
The main principle behind freedom of information legislation is that people have a right to know about the activities of public authorities unless there is a good reason for them not to.
Under the Act, a public authority includes:
- Central government and government departments.
- Local authorities.
- Hospitals, doctors’ surgeries, dentists, pharmacists and opticians.
- State schools, colleges and universities.
- Police forces.
- Prison services.
Rights to information
If you work for an organisation that is classed as a public authority, under the FOI Act and EIR, then individuals have the right to see anything that has been written about them.
They may ask to see documents, reports and even emails that have been sent. Therefore, whatever you record in writing must be precise and appropriate to be seen by individuals who want access.
There may be instances where the information requested is covered by a qualified exemption or exception. If a public authority believes that this is the case, it must apply the ‘public interest test’. It means that there has to be a valid reason why they deem the sharing of such information is not in the public interest, i.e. there has to be a good reason for the information to be made public.
Further information on the FOI Act can be found on the government’s website, which can be accessed here.
Everything you need to know about handling information
Your organisation will have agreed ways of working that protect individuals’ personal and sensitive information, and you must always follow them.
Some examples of the policies and procedures that may be in place to protect information include:
- Computer firewalls and password protection.
- Only sharing passwords with those who have the authorisation to access the information.
- Not sharing personal passwords with anyone else or allowing them to be found by others.
Paper-based systems and procedures:
- Locked filing cabinets and cupboards.
- Secure storage of keys.
- Office security codes.
- Security fobs or cards to access secure areas.
If you provide care and support to individuals in their own homes, it is vital to know what records are available and where they are stored.
If you have any questions about your organisation’s agreed ways of working regarding the handling of information, speak to your manager and ask them to explain.
We now live in a digital world where most, if not all, workplaces use some form of technology; whether it is computers, smartphones or tablets.
There is also assistive technology that can be used to improve the functional independence of individuals with disabilities.
In everyday practice, in health and social care, digital working, digital learning and digital information sharing are being used.
There are known benefits associated with the use of technology in the workplace, such as:
- Improved communication.
- Access to a wide range of knowledge.
All health and social care workers should have the confidence to work digitally and have opportunities to develop these skills.
Care plans are essential records that detail an individual’s needs and choices, along with an assessment of the risks. They are a vital tool in ensuring good communication between the individual and those involved in providing care and support.
To ensure the quality and consistency of individuals’ care, care plans must always be:
- Kept up to date.
- Factual (not based on opinion).
- Free from jargon.
Care plans may be used as legal documents of evidence if there is ever any concern or an enquiry regarding the individual’s care and support. Therefore, as well as the above, you must include all information about the individual’s agreed care in their care plan.
Remember that care is one of the 6Cs, and it is central to work within the social care and health sectors. It must always take account of the individual’s wellbeing needs.
Completing and checking care plans
To help you develop your knowledge and skills regarding individuals’ care plans, you can ask your manager to:
- Share some examples of care plans with you.
- Explain how the care plans should be completed.
- Show you the information and level of detail that should be included.
Care plans must be checked frequently to ensure they are fit for purpose. There will be someone in your workplace who will have this responsibility.
All about reporting concerns
There may be instances where you have concerns regarding the recording, storing or sharing of information.
These concerns could include poor practices relating to confidentiality, for example:
- Confidential files containing sensitive information left around.
- A missing key to a cabinet or office that contains confidential files.
- Passwords shared with unauthorised people.
- Personally identifiable information shared on social media.
- Workers discussing an individual in a pub or cafe.
Concerns can also include how to handle information regarding risks to an individual’s wellbeing. If you have any concerns, you should first report them to your manager.
Reporting concerns internally
If your concerns are about breaches of confidentiality, you must inform your manager immediately, so that action can be taken.
The table below shows some examples of breaches and the actions your manager may take.
|Files containing sensitive information have been left around for any unauthorised individual to look at.||Your manager must:
|A key has gone missing.||Your manager must:
Reporting concerns externally
If you are faced with a situation where your concerns are not taken seriously within your organisation, you have a duty to report any unsafe or incompetent practice to the relevant regulatory body, e.g. the Care Quality Commission (CQC). You are also responsible for making a report under your organisation’s whistleblowing procedure.
If you have concerns about:
- An individual’s information – you must have their permission before making a complaint.
- The recording, storing or sharing of information – you should make a written record that includes:
– Your concerns.
– Who you have reported these concerns to.
– A signature and date.
Ensure that you report your concerns properly, as they may be used as evidence during an investigation.
Courage is one of the 6Cs, which gives you the confidence to do the right thing in difficult or challenging situations. It is vital to remember this when reporting your concerns.