Confidentiality Policy

1. Children's Services Confidentiality Policy

1.1 Introduction

Derbyshire County Council Children's Services recognises its legal duties to safeguard the confidentiality of all personal information. Wherever disclosure of confidential information to another person or organisation is being considered, a check will always be made to ensure that such disclosure is lawful.

All Council staff must be made aware that the UK General Data Protection Regulations (UK GDPR) and Data Protection Act 2018 apply to the processing of all personal data, both in paper and electronic records, unless an exemption applies under the legislation. Where disclosure is proposed, and there is any doubt as to whether the Data Protection Act / UK GDPR apply or whether only the common law of confidentiality applies, advice will always be sought, from the Council's Data Protection Officer and/or Legal Services at access2info@derbyshire.gov.uk.

The Council will always record its reasons for deciding not to observe any duty of confidence it owes to a person who is the subject of information disclosed.

E-mail messages sent via the internet can be intercepted, read and changed relatively easily. Consequently, Council staff will not use the internet to pass on personal identifiable information about service users unless a secure or encrypted connection is in place.

1.2 Staff Obligations

The Council's conditions of employment, issued as part of every employee's contract, detail the obligations placed upon the Council staff.

Staff employed with the Council will come into contact with confidential information/data relating to the work of the Council, its service users and other staff. Staff are bound by their conditions of service to respect the confidentiality of any information that they may come into contact with and under no circumstances should such information be divulged or passed to any persons or organisation in any form unless such disclosure is authorised under this policy.

Any unauthorised disclosure of confidential information by Council staff may result in disciplinary action. Staff may also face prosecution under the Data Protection Act 2018.

Where Council staff misuse confidential information, e.g. disclose their password to someone else or use someone else's password to gain access to systems, they could face disciplinary action that could lead to dismissal. They may also be prosecuted under the Computer Misuse Act 1990.

Managers must ensure that confidentiality is discussed with all new employees, as part of their induction. It is recommended that staff acknowledge that they have taken note of the contents of this policy.

Volunteers and work experience students must also have their role in maintaining confidentiality made clear by the member of staff responsible for them and must be aware of and adhere to this policy.

1.3 Commercial Confidentiality

Some Council staff may have access to commercial information, agreements or contracts. This information must be treated as confidential, and only discussed/disclosed where this forms part of the employee's remit within the organisation. Staff should consult their manager if they are in any doubt.

1.4 Research, Audit and Monitoring

Access to confidential information or anonymous data may be sought for research, audit or monitoring purposes, either by other council areas or by outside organisations or public bodies.

Internal requests related to research projects must be approved and a formal submission will be required.

All external requests or enquiries may need to be directed to the Data Protection Officer for clarification or Legal Services for their approval at access2info@derbyshire.gov.uk.

1.5 Press Interest, Police and Legal Enquiries

All media enquiries are dealt with in the first instance by the news desk within the Council Communications team. Where necessary, for example with more complex, serious reputational or corporate matters, the team may decide it is necessary to alert the Communications Manager.

Contact details newsdesk tel: 01629 538205 or e-mail: news@derbyshire.gov.uk.

In some cases and only where necessary, more serious matters may be passed on for information to the Executive Director of Organisation, Development and Policy and, if required, to the Executive Director for Commissioning, Communities and Policy who would liaise with the appropriate Cabinet Member and, on corporate matters, the Council Leader.

The Police do not have automatic rights to personal information held by the Council about service users. The matter should always be referred to the Children's Services Head of Starting Point Service and/or relevant Children's Services Head of Service, who will consult with the Council's DPO/Legal services at access2info@derbyshire.gov.uk for advice on an appropriate response, unless imminent safeguarding concerns require an immediate decision as to whether to release information without delay or when following a process in a written data sharing agreement containing the lawful basis. In this case, the identity of the recipient should be verified before sharing information appropriately and proportionately; a record of the decision to share should also be kept on the data subject's record.

Any requests for access to confidential information held by the Council for the purpose of any legal proceedings must be referred to the Council's Legal Services at access2info@derbyshire.gov.uk. A Court Order is required in order to release such information for legal proceedings. Verbal or written requests from lawyers are not sufficient. Staff should also seek advice from their manager and, where advised, the Data Protection Officer to ensure that correct action is taken.

2. Confidentiality Values and Principles

Information in this section should be read alongside Information Sharing - Advice for Practitioners Providing Safeguarding Services to Children, Young People, Parents and Carers (DfE 2018).

2.1 Personal information is subject to a legal duty of confidence

Personal information held about children is subject to a legal duty of confidence and should not normally be disclosed without the consent of the subject unless there is a legal basis to do so under the UK GDPR. Further guidance on this is set out in paragraph 2.2 below.

Information on legal bases used by the department to process personal data can be found by visiting Derbyshire County Council, General Data Protection Regulation (UK GDPR) and accessing Council’s Record of Data Processing Activity, Information Audit Register.

The legal framework for confidentiality is contained in the common law duty of confidence, the Children Act 1989, the Human Rights Act 1998, the UK General Data Protection Regulations (UK GDPR) and the Data Protection Act 2018.

2.2 Disclosure of confidential information without consent is permitted in circumstances where there is an appropriate legal basis

Whilst the general principle is that information obtained about children and their families must be shared with them and not with others without consent, there are exceptions. The public interest in safeguarding the welfare of children overrides the public interest in maintaining confidentiality, and the law permits the disclosure of confidential information where this is necessary to safeguard a child or children. Effective information-sharing underpins integrated working and is a vital element of both early intervention and safeguarding.

Disclosure of confidential information should be justifiable in each case, for example to provide information to professionals from other agencies working with the child, and where possible and appropriate, the agreement of the person concerned should be obtained.

Those working with children and families must make it clear to them that confidentiality may not be maintained if the disclosure of information is necessary in the interests of the child. Even in these circumstances, disclosure will be appropriate for the purpose and only to the extent necessary to achieve that purpose.

There may also be situations where third parties have a statutory right of access to the information or where a court order requires that access be given.

The circumstances in which information held in records on children and families can and should be disclosed and shared with others with or without consent are set out in the following sections.

In all other cases, where third parties such as advocates, solicitors or external researchers request access to personal information, this should only be given if written consent is given by the person concerned or if a Court Order requires it.

2.3 Situations where disclosure is permitted should be explained to children and families involved

Children and families should be informed of the circumstances in which information about them will be shared with others, and their consent to this sharing obtained if no legal basis is in place which enables sharing to take place without consent. They should also be helped to understand that, in some situations, sharing information without consent could be justified – for example to safeguard a child or adult at risk. It should be made clear that in each case the information passed on will only be what is relevant and on a 'need to know' basis. Children and families should be made aware of department’s Privacy Notice, which contains details of these circumstances, which can be found at Derbyshire County Council, Privacy Notices.

2.4 Information should be disclosed to colleagues and other professionals/agencies on a need to know basis

Sharing information promptly with others working with the same child, or who may need to know, is invariably the key to safeguarding the child's interests.

Therefore, relevant information about children must be shared with colleagues, other professionals or agencies that may have a role to play in their care.

There are also situations where council employees have a legal duty to share information.

For example:

• Where professionals are undertaking a Section 47 Enquiry in relation to a child;
• Where the Police are investigating a criminal offence or require information to help them find an absent, missing or absconded child;
• Where information is requested in the furtherance of an inquiry or tribunal, or for the purposes of a Child Safeguarding Practice Review.

In such circumstances the person to whom the information relates should be informed that records have been requested unless to do so would prejudice the purpose of the request.

Any objections they have should be considered before responding to the person making the request.

Where information or records are passed to others it should be noted and confirmed in writing.

Information may also be disclosed to persons who have a statutory right of access to the information, for example:

• Where the Court directs that records be produced or a Children's Guardian is appointed;
• Where information is requested by Inspectors of the Regulatory Authority (who have specific statutory powers that permit access to records).

Where information is requested by telephone or electronically, great care must be taken to ensure that the recipient is entitled to receive the information requested. Where there is any doubt the information may not be provided without the approval of a manager.

Information sharing protocols and agreements with external agencies can be found on the Derby and Derbyshire Safeguarding Children Partnership Manual and on the Derbyshire Partnership Forum.

3. Freedom of Information Act 2000

Under the Freedom of Information Act 2000.

Anybody may request to see non personal information held by a public authority (which includes all local authorities), in writing or via e-mail and must receive a response within 20 working days. The Act confers two statutory rights on applicants:

• To be informed in writing whether or not the public authority holds the information requested; and if so
• To have that information communicated to them.

The Act applies to all information whether recent or old.

The Act sets out 23 exemptions from rights of access to information. If the information is exempt, there is no right of access under the Act.

One exemption relates to personal information. This means that an application for personal information (either of the requester or a third party) under the Act is exempt and will not therefore be dealt with under the Act. See Access to Records / Subject Access Requests Procedure.

Another category relates to information provided in confidence where disclosure would involve an actionable breach of confidence. This would include information provided by a member of the public about a child protection issue where the provider has provided the information on the basis that anonymity will be maintained.

The Act therefore does not change the legal position into the principles of confidentiality set out in paragraphs 2.1 to 2.4 above.

Freedom of Information requests should be referred to Legal Services at access2info@derbyshire.gov.uk as soon as they are received as there are strict timescales for response.