Confidentiality is an important principle that enables people to feel safe in sharing their concerns and to ask for help. However, the right to confidentiality is not absolute. Sharing relevant information with the right people at the right time is vital to good safeguarding practice.

All staff and volunteers should be familiar with their internal safeguarding procedures for raising concerns. They can also contact either the police or the local authority safeguarding lead for advice, without necessarily giving an individual’s personal details, if they are unsure whether a safeguarding referral would be appropriate.

Some basic principles:

  • Don’t give assurances about absolute confidentiality.

  • Try to gain consent to share information as necessary.

  • Consider the person’s mental capacity to consent to information being shared and seek assistance if you are uncertain.

  • Make sure that others are not put at risk by information being kept confidential:

    • Does the public interest served by disclosure of personal information outweigh the public interest served by protecting confidentiality?

    • Could your action prevent a serious crime?

  • Don’t put management or organisational interests before safety.

  • Share information on a ‘need-to-know’ basis and do not share more information than necessary.

  • Record decisions and reasoning about information that is shared.

  • Carefully consider the risks of sharing information in relation to domestic violence or hate crime.


The revised Caldicott principles

The sharing of information in health and social care is guided by the revised Caldicott principles. These principles are reflected in the General Data Protection Regulation (GDPR) and are useful to other sectors.

They are:

1. Justify the purpose(s)

Every proposed use or transfer of personal confidential data within or from an organisation should be clearly defined, scrutinised and documented, with continuing uses regularly reviewed, by an appropriate guardian.

2. Don’t use personal confidential data unless it is absolutely necessary

Personal confidential data should not be included unless it is essential for the specified purpose(s) of that flow. The need for patients / service users to be identified should be considered at each stage of satisfying the purpose(s).

3. Use the minimum necessary personal confidential data

Where use of personal confidential data is considered to be essential, the inclusion of each individual item of data should be considered and justified so that the minimum amount of personal confidential data is transferred or accessible as is necessary for a given function to be carried out.

4. Access to personal confidential data should be on a strict need-to-know basis

Only those individuals who need access to personal confidential data should have access to it, and they should only have access to the data items that they need to see. This may mean introducing access controls or splitting data flows where one data flow is used for several purposes.

5. Everyone with access to personal confidential data should be aware of their responsibilities

Action should be taken to ensure that those handling personal confidential data – both clinical and non-clinical staff – are made fully aware of their responsibilities and obligations to respect patient / service user confidentiality.

6. Comply with the law

Every use of personal confidential data must be lawful. Someone in each organisation handling personal confidential data should be responsible for ensuring that the organisation complies with legal requirements.

7. The duty to share information can be as important as the duty to protect patient / service user confidentiality

Health / social care professionals (and key personnel in other organisations) should have the confidence to share information in the best interests of their patients / service users within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Adapted from ‘Safeguarding Adults: sharing information’ – SCIE.