Guidance

Prevent and the Channel process in the NHS: information sharing and governance

Published 27 September 2022

Applies to England

© Crown copyright 2022

This publication is licensed under the terms of the Open Government Licence v3.0 except where otherwise stated. To view this licence, visit nationalarchives.gov.uk/doc/open-government-licence/version/3 or write to the Information Policy Team, The National Archives, Kew, London TW9 4DU, or email: psi@nationalarchives.gov.uk.

Where we have identified any third party copyright information you will need to obtain permission from the copyright holders concerned.

This publication is available at https://www.gov.uk/government/publications/prevent-and-the-channel-process-in-the-nhs-information-sharing-and-governance/prevent-and-the-channel-process-in-the-nhs-information-sharing-and-governance

Executive summary

When considering the sharing of personal data, there is a need to decide whether it is necessary, proportionate and lawful to share this information when the risk to both the individual and/or the public is considered.

Any disclosures or discussions on sharing personal data or consent must always be documented in an appropriate location in the patient record.

In line with information sharing policy, there should be clarity as to what legal basis the personal data is being shared with and processed by other third parties, and whether it’s being shared for safeguarding purposes, national security or the prevention of crime.

Confidentiality is an important ethical and legal duty, but it is not an absolute and can be overridden without breaching duties of patient or staff confidentiality if the disclosure is for safeguarding or public interest reasons and where the public interest test can be met.

There are legal exemptions contained in the Data Protection Act 2018 (DPA 2018) which allow for information sharing to take place in this context. The General Data Protection Regulation (GDPR) (Article 6 (e)) allows for the lawful processing of personal data “where it necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller”. See further details from the Information Commissioner’s Office (ICO) about how to judge if the public interest test is met.

The third party (police or local authority) must always define a legitimate purpose or public interest for the receipt and processing of personal data.

All organisational safeguarding policies should reference Prevent.

All data sharing agreements that are signed on behalf of the organisation should have specific reference to Prevent.

Consideration should be given as to how staff, particularly Prevent or safeguarding leads, are made aware of the process for sharing personal data within the prescribed legal frameworks as described in this document.

If you are a Channel panel member and are asked to sign a purpose-specific Channel data sharing agreement, then you should ensure that your senior information risk owner and/or organisational information governance team are sighted on the document and are able to provide appropriate advice.

Every health practitioner has a duty and must take responsibility for sharing the information that they hold regarding Prevent safeguarding concerns and should not assume that someone else will pass on this information, which may be critical in keeping someone at risk safe.

All staff should be aware of who their organisational information governance team or data protection officer and Caldicott guardian are and how to contact them, as they are responsible for providing advice on the legal or ethical justification for sharing personal data.

1. Introduction

This guidance is intended to assist those involved in information sharing and information governance for the purposes of safeguarding individuals from radicalisation under the Prevent programme.

This document provides a brief overview of the key principles that are particularly relevant to Prevent (but which are also common to other safeguarding principles). Prevent is no different to any other safeguarding risk, and the same rigour is applied to information sharing in this context as to any other concern relating to personal harm.

The guidance has been developed in response to concerns raised by healthcare practitioners about information sharing for the purposes of Prevent and Channel particularly when:

  • they are making an initial Prevent referral regarding a vulnerable individual who may be at risk of being radicalised or drawn into terrorism
  • they are requested to share information for Prevent purposes with partner agencies, including the police and local authority, without the data subject’s prior consent

The aim is to support practitioners to be confident in their actions and to understand how they can share information appropriately, proportionately and lawfully.

Effective information sharing is key to the delivery of Prevent, enabling partners to take appropriate, informed action and is central to providing the best support to those who are vulnerable to being drawn into terrorism.

This is particularly the case for the second objective of the UK government’s CONTEST strategy: ‘Safeguarding and supporting those at most risk of radicalisation through early intervention, identifying them and offering support’.

Everyone who works within the NHS or is a healthcare provider in England (including staff, contractors and volunteers) has a duty of confidentiality and a responsibility to safeguard any NHS England personal or patient data that they access.

Timely and effective information sharing is a key element of Prevent, as with all other safeguarding concerns. It is therefore vital that healthcare organisations are familiar with their organisational policies and procedures on information sharing and have arrangements in place so that information can be shared with partners when necessary for Prevent purposes. This should include clear guidance as to how Prevent concerns are noted on patient records and handed over when patients are transferred.

2. Necessary, proportionate and lawful to share information

When considering the sharing of personal data, there is a need to consider whether it is necessary, proportionate and lawful to share the information when the risk to both the individual and/or the public is considered.

When considering sharing personal data with relevant authorities, you will need to consider:

  • why are you sharing personal data? (The purpose and the legal basis for sharing the information)
  • what are you intending to share? (Is it relevant and proportionate and necessary for the purpose of the sharing?)
  • with whom are you sharing it? (Do they really need it? Do they have a lawful basis to request or process this information?)
  • consent: have you gained the consent of the data subject? Or if consent has not been gained, or sought, what other legal basis are you using for disclosing the data?

There are occasions when it may not be appropriate to seek consent from data subjects before sharing any records or documents with the police or other partners, particularly if the disclosure is for a legitimate safeguarding purpose, such as the prevention or detection of crime and for reasons of substantial public interest, and when informing the data subject would prejudice the intended outcome or lead to harm. (See sections on ‘Consent’ and ‘Legal gateways, exemptions and explicit powers’ below).

It may be advisable to seek advice and approval from your organisational information governance team or data protection officer or Caldicott guardian in such matters, particularly if there is any doubt, a record of which must be kept as part of a Caldicott log.

The Prevent programme is designed to help prevent people from being drawn into terrorism and ensure that they are given appropriate advice and support, including through the multi-agency Channel programme. See Diagram 1 below showing Prevent and Channel pathways and the section ‘Channel and other partners’ below.

Diagram 1: Prevent and Channel referral pathway

Text alterative to diagram 1

The first step is to notice, check and share.

The next step is to make a Prevent referral. Has consent been sought? If not, has the case-by-case basis assessment been done? See section 3 (‘Consent’) and section 6 (‘Case-by-case decisions’) for further detail.

The next step is police screening.

The next step is multi-agency information gathering. Information gathering must be done 5 working days from request to pre-panel.

For the above 2 steps (police screening and multi-agency information gathering) has the data requestor provided a legitimate reason for you to share patient, service user or staff member’s personal or sensitive information with them? See section 5 (‘Responding to data requests from other partners’) for more information.

The next step is Channel panel.

The next step is bespoke support plan.

The final step is cases will be subject to review 6 to 12 months from closure.

Any time between the police screening step and the final step, there is an option to exit at any time, either by:

  • signposting to other services
  • an increase in risk, so escalated to police-led space
  • non-consent
  • no vulnerability or a reduction in vulnerability

The health sector needs to ensure that the crucial trust-based relationship between patients and clinicians is balanced with the professional duty of care and their responsibility to safeguard and protect their patients and the wider public.

Although consent to share personal data is always the gold standard and must always be the preferred option for clinical staff and safeguarding leads, there are times when it is essential to share personal information to safeguard individuals or others from harm, and where it is appropriate to do so without patient consent.

The DPA 2018 and GDPR has strengthened the need to demonstrate that consent is given freely to share someone’s personal data or information and data controllers need to define a clarity of purpose for sharing or processing data with third parties (for further information, see ICO guidance on consent). Importantly, the legislation also ensures that criminal justice agencies and other statutory partners can continue to process and share personal data or special category data to:

  • prevent and investigate crime
  • bring offenders to justice
  • safeguard the vulnerable
  • keep communities safe from harm (sometimes referred to as the ‘public interest’)

The primary conditions for disclosing personal or special category data about staff members, patients or service users for the purposes of Prevent should always be based on the principle of informed consent. However, this may not always be appropriate or achievable, particularly within a safeguarding context.

If consent is not appropriate or achievable, then a different lawful basis must be met in order to share personal or special category data (see the section ‘Legal gateways, exemptions and explicit powers’ below). These exemptions exist to facilitate the sharing of personal or special category data without consent for safeguarding and public interest reasons. However, exemptions should not routinely be relied upon or applied in a blanket fashion.

The General Medical Council (GMC) website contains a useful confidentiality decision tool to help with your decision-making regarding consent.

Best interest decisions

In cases where the vulnerable person lacks the capacity to give their informed consent (as described in the Mental Capacity Act 2005, parts 2 to 4) a referral may be made in certain circumstances without consent, in the data subject’s best interests and in accordance with the 5 statutory principles as defined in section 1 of the Mental Capacity Act 2005 (see also the Mental Capacity Act 2005: Code of Practice).

Your decision and rationale should be clearly documented and recorded.

Public interest and best interest decisions are described in greater detail in the GMC guidance document confidentiality: good practice in handling patient information.

Disclosure required or permitted by law

There may in some circumstances be a legal requirement or a court order which compels clinicians or other staff to disclose patient sensitive data.

Care should always be taken to only disclose the information required to comply with and fulfil the purpose of the law. If you have any concerns regarding the disclosure, you should seek appropriate advice.

If in any doubt, or if you have any concerns about sharing personal or sensitive information in these circumstances, consult with your organisational information governance team, data protection officer, legal advisor and/or Caldicott guardian for further advice and guidance.

4. Making a Prevent referral

It is a key NHS safeguarding requirement for staff to know who to contact and where to seek advice if they have concerns about an individual who may be being groomed into terrorist activity and be able to raise concerns and take action when they arise.

Organisations should have formal arrangements in place so that relevant and timely information can be shared with partners, for example local authorities or police, when necessary. It is regarded as good practice to have a data sharing agreement in place for this purpose.

This includes understanding the organisational Prevent referral pathway (see diagram 1 above) and having robust data sharing arrangements and formal referral pathways so that partners can be appropriately advised in a timely manner.

When making a Prevent referral to third party or partner agencies, including the police and local authorities, please consider all the following:

  • you should use the standard national Prevent referral form to make the referral to your relevant police contact and the relevant local authority Prevent coordinator or lead (under the specified regional contact arrangements) using a recognised secure email that is via your secure nhs.net account or equivalent secure nhs.uk emails
  • nhs.uk emails must be accredited to the DCB1596 secure email standard
  • the recipient’s email should also meet a secure email standard – for example, cjsm.net or pnn.police.uk (see diagram 2 below)
  • you should include contact details in the national Prevent referral form detailing where possible the original source or person who made the initial referrals within your organisation – this will ensure that the referral source can be contacted where necessary by police and the relevant partner agencies if any further clarity is required
  • the form should be always be protectively marked at official sensitive according to the Government security classification policy (see the section ‘Other relevant legislation or principles’ below)
  • if it has been decided that seeking consent from the patient or service user or staff member being referred is not appropriate, you should always clearly document your decision and rationale in the patient, service user or staff record (see the section ‘Consent’ below). This should explain which public interest or safeguarding and best interest considerations have been applied to set aside their rights under the Common Law Duty of Confidentiality (CLDC), the DPA 2018 or the Human Rights Act 1998 (HRA 1988) to safeguard and prevent harm

If in doubt, please speak with your organisational information governance lead or IT team.

Diagram 2: secure email standard

Text alterative to diagram 2: NHSmail – sending sensitive information quick quide

These domains are secure (no further action):

  • nhs.net
  • all domains accredited to the secure email standard
  • gov.uk (no longer needs to be gsi.gov.uk)
  • cjsm.net
  • pnn.police.uk
  • mod.uk
  • parliament.uk

Put [secure] in the subject line if sending personal confidential data or sensitive information to:

  • nhs.uk (if not accredited to the secure email standard)
  • any other email address

Always check your local organisation policies and processes on sharing personal confidential data and sensitive information first which will take precedence over this guidance.

See more detailed guidance at NHSmail 2 training and guidance.

The decision and rationale for making a referral without the data subject’s informed consent should be subject to a case-by-case basis assessment which considers whether the informed consent of the individual can be obtained, and if the proposed data sharing is legitimate, necessary, proportionate and lawful (see the section ‘Case-by-case decisions’ below). This assessment should be based on your professional opinion that there is tangible public interest or best interest considerations involved (that is, you believe the individual may be of harm to themselves or others, and patient consent should therefore legitimately be overridden in this instance).

Without the case-by-case assessment, there is a higher risk of unlawful sharing of personal data and there may be no legal basis to share personal data between statutory agencies (even for safeguarding purposes), without the data subject’s informed consent.

5. Responding to data requests from other partners

When externals partners (third parties) request patient or staff information from health providers for Prevent case management purposes, you should always consider the following:

  • has the data requestor used an appropriate official information sharing request proforma sanctioned by their organisation? Different organisations have different forms for sharing personal data or special category data, and they should always be sent by secure protectively marked email
  • has the data requestor provided clarification on whether or not the data subject has consented to share or process their personal data?
  • in the provided absence of the data subject’s consent, has the data requestor provided a legitimate reason for you to share the patient or service user or staff member’s personal or sensitive information with them?
  • what permissible powers and legal exemptions are being relied upon to share or process personal data? These are described in the section ‘Legal gateways, exemptions and explicit powers’ below

It is good practice to have a partnership data sharing agreement (DSA) in place at a local level to support this process. It is important that this agreement is signed by the appropriate senior level member of staff, (usually the senior information risk owner) for each NHS organisation.

Providing a ‘form of words’

Has the data requestor explained in broad terms why informed consent has not been sought from the data subject to share and process their personal data? In other words, has the requestor defined the legal justification clearly? That is, that there are tangible public interest or best interest considerations where the individual is at risk of being drawn into terrorism and by informing the data subject, we may prejudice the intended outcome or lead to further harm.

This baseline information will then enable the health provider to satisfy themselves that:

  • there are tangible public interest or best interest considerations for providing the data or information being requested
  • the relevant public interest or best interest exemptions will therefore override your duty to protect the confidentiality of patient information
  • it is legitimate to provide information specific to the safeguarding concern which has been identified by the data requestor

Being specific

Data requestors should clearly explain to you in writing what specific or relevant information is required from the patient or service user or staff member record to assist with the Prevent case management of the individual in question. It is important to note that if the request is not specific and relevant, the data should not be shared until further clarity has been sought, and the agreed timescales may not be met.

Health providers should only release personal data that is relevant, necessary and proportionate to the public interest described in the request. This will always come down to your own professional judgement and be based on the nature of the inquiry and the information provided by the data requestor.

6. Case-by-case decisions

Each instance where personal or special category data is to be shared for Prevent purposes should be decided through a case-by-case assessment by the health professional.

This should consider:

  • whether the informed consent of the individual can be obtained
  • any legal exemptions which are being relied upon as described in the section ‘Legal gateways, exemptions and explicit powers’ below
  • that the proposed data or information sharing and processing is necessary, proportionate and lawful

If it has been decided that seeking consent from the individual to refer them to Prevent or share their personal data with a third party is not appropriate, you should always clearly document your decision and rationale in the patient record that is to explain which public interest or best interest considerations have been applied to set aside their rights under the CLDC, the DPA 2018 or HRA 1998.

Additionally, health practitioners may often be required to share limited and proportionate data prior to seeking informed consent when this is urgently required to establish whether a case should be managed under Prevent, as a counter terrorism case. This must also be on a case-by-case basis carried out in line with the public interest principles.

Any disclosures or discussions on data sharing or consent must always be documented in the patient record.

7. Channel and other partners

Prevent relies on early and effective information sharing to protect vulnerable individuals from being drawn into radicalisation, and part of this process is being able to build up an accurate picture of the level and extent of a person’s vulnerability and identify any relevant protective factors. This data will help inform any help or support which may be required for the individual, including through the Channel process.

Section 38 of the Counter-Terrorism and Security Act 2015 (CTSA 2015) (amended by the Counter-Terrorism and Border Security Act 2019), requires Channel partners to co-operate with the local authority and the police in providing any relevant information to the panel, so that they can effectively carry out their functions to determine whether an individual is vulnerable to being drawn into terrorism. Information should be provided in a timely manner subject to the requirements as detailed in the section ‘Responding to data requests from other partners’ (above) being fully met by the requestor.

It is also important to note that the support received through Channel remains voluntary and section 36(4)(b) of the CTSA 2015 requires consent to be given by the individual to participate in any interventions. All individuals who receive support through Channel must be made aware of and consent to this as part of a programme. They must fully understand what the aims of the programme are and what to expect, including that their personal data may be shared with specific third parties as part of their support plan.

Vulnerability Support Service

Vulnerability Support Service (VSS) are multi-disciplinary mental health teams that work collaboratively with the police and health providers to safeguard individuals who have mental health vulnerabilities and who are at risk from radicalisation. Mental health practitioners from the VSS may liaise with healthcare providers either to provide information to support safeguarding or to clarify whether a safeguarding issue exists. Staff from the VSS will always state what their role is and what the suspected safeguarding issue is when requesting information.

8. Key general principles of data sharing

The DPA 2018 and GDPR act as a framework on how to process and share personal data with trusted partners. In common with all safeguarding matters, information sharing for Prevent purposes must comply with the relevant legislation – that is, the DPA 2018, HRA 1998 and the CLDC (among others), and meet the same standard required for sharing information in respect of any other safeguarding concern.

Lawfulness of information sharing and data processing

Data Protection Act 2018 (DPA 2018)

The DPA 2018 is the principal legislation governing the use and processing (including collection, storage and disclosure) of data relating to individuals.

The act defines personal data as “information by which an individual can be identified either on its own or with other information” – that is, sensitive personal data (including information about an individual’s health, criminal record and political or religious views). The act also states the circumstances and extent to which this type of data can be processed.

The GDPR, which underpins chapter 2, part 3 of the DPA 2018, is based around 6 key data protection principles and provides a range of rights for individuals which are applicable to the processing or sharing of personal and sensitive data. The principles state that personal data must:

  • be processed lawfully, fairly and in a transparent manner
  • be processed for specified, explicit and legitimate purposes and not in any manner incompatible with those purposes
  • be adequate, relevant and limited to what is necessary in relation to the purposes
  • be accurate and up to date
  • not be kept for longer than is necessary
  • be held securely

Personal data

Personal data is any information which is related to an identified or identifiable natural person – for example, name, address, telephone number, customer number or an online identifier.

Special category data is a sub-category of personal data that needs more protection because it is of a particularly sensitive nature – for example:

  • personal data revealing racial or ethnic origin
  • political opinions
  • religious or philosophical beliefs
  • trade union membership
  • genetic data and biometric data processed for the purpose of uniquely identifying a natural person
  • data concerning health
  • data concerning a natural person’s sex life or sexual orientation

Article 6 of the GDPR requires that organisations have a valid, lawful basis for processing personal data. There are 6 lawful bases for processing:

  • consent
  • contract
  • legal obligation
  • vital interests
  • public task
  • legitimate interests

Article 9 of the GDPR prohibits the processing of special category data. There are 10 exceptions to this prohibition which are referred to as conditions for processing special category data:

  • (a) explicit consent
  • (b) employment, social security and social protection
  • (c) vital interests
  • (d) not-for-profit bodies
  • (e) made public by the data subject
  • (f) legal claims of judicial acts
  • (g) reasons for substantial public interest (with a basis in law)
  • (h) health or social care (with a basis in law)
  • (i) public health (with a basis in law)
  • (j) archiving research and statistics (with a basis in law)

Lawful, transparent and fair

The 6 data protection principles listed in chapter 2 of part 3 to the DPA 2018 must be complied with when sharing personal data, but the first data protection principle is particularly relevant. It states that the processing of personal data for any of the law enforcement purposes must be lawful and fair. This requirement for fair processing will not be met if the data subject is not informed about that processing, without good reason for not doing so.

To disclose data into the Prevent programme the lawfulness of the processing of the personal data must meet one of the conditions found in Article 6 of the GDPR.

If any special category data is to be disclosed, then one of the conditions of Article 9 of the GDPR must also be met (such as “exception g – reasons for substantial public interest (with a basis in law)”).

The primary conditions for disclosing and processing personal data for the purposes of Prevent should always be on the basis of informed consent. However, as with any safeguarding concern, this may not always be appropriate or achievable. If consent is not appropriate or achievable, then a different lawful basis must be met in order to share personal data (see the section ‘Legal gateways, exemptions and explicit powers’ below). If another lawful basis is not met, then personal data cannot be shared.

The exemptions contained in the DPA 2018 will specifically mean that an organisation can relieve some of its obligations contained under the legalisation. This includes:

  • the right to be informed
  • the subject’s right of access to personal data
  • dealing with other individual rights
  • reporting personal data breaches
  • complying with the (data protection) principles

Hence the sharing or disclosure of data can take place without the knowledge or consent of the individual.

Data processing

Part 3 of the DPA 2018 allows for the processing of personal data by a competent authority for the purposes of the detection and/or prevention of crime.

This provides a legitimate basis upon which a competent authority is permitted to share information for the prevention of crime and disorder, because it will be exercising a statutory function for law enforcement purposes. Part 3 (schedule 8) of the DPA 2018 allows for the processing of sensitive data to safeguard children and adults at risk from harm. A competent authority means:

  • a person specified in schedule 7 of the DPA 2018
  • any other person if, and to the extent that, they have statutory functions to exercise public authority or public powers for the law enforcement purposes

Furthermore, if the sharing is to any organisation other than the police, and if the disclosure is for the purposes of the prevention and detection of crime, then that receiving organisation must be a competent authority as defined by the DPA 2018, otherwise the disclosure cannot be made for this purpose.

In the vast majority of cases, information to be shared for Prevent purposes will contain special category personal data and so will need to satisfy one of the conditions in schedule 8 of the DPA 2018:

  • the processing is necessary for the exercise of a function conferred on a person by an enactment or rule of laws and is necessary for reasons of substantial public interest (schedule 8, condition 1: DPA 2018)
  • the processing is necessary to protect the vital interests of the data subject or of another individual (schedule 8, condition 3: DPA 2018)
  • the processing is necessary for the purposes of protecting an individual from neglect or physical, mental or emotional harm, or, protecting the physical, mental or emotional well-being of an individual (schedule 8, condition 4: DPA 2018)

There are also lawful exemptions set out in the DPA 2018 for requesting organisations to receive disclosed data for Prevent or for wider safeguarding purposes, where the consent of the individual or patient is inappropriate or unachievable.

Examples of exemptions which meet the schedule 8 conditions are contained in schedule 2, part 1 of the DPA 2018:

  • paragraph 10 of part 2, schedule 1 DPA 2018 (Preventing or detecting unlawful acts) – this condition is met if the processing:
    • (a) is necessary for the purposes of the prevention or detection of an unlawful act
    • (b) must be carried out without the consent of the data subject so as not to prejudice those purposes
    • (c) is necessary for reasons of substantial public interest
  • paragraph 18 of part 2, schedule 1 of the DPA 2018 (Safeguarding of children and of individuals at risk) – this condition is met if the processing is necessary for the purposes of:
  • (a) the processing is necessary for the purposes of -
    • (i) protecting an individual from neglect or physical, mental or emotional harm
    • (ii) protecting the physical, mental or emotional well-being of an individual
  • (b) the individual is aged:
    • (i) under 18
    • (ii) aged 18 or over and at risk

Part 2, schedule 1 exemptions do not automatically supersede the data subject’s right to be informed of the disclosure. This should always be considered on a case-by-case basis, as while it is likely that informing the data subject might be detrimental to an investigation, there should be no automatic assumption of this.

Section 115 of the Crime and Disorder Act 1998

The sharing of personal or special category data by public sector bodies requires the existence of a power to do so, in addition to satisfying the requirements of the DPA 2018, the HRA 1998 and the CLDC. Section 115 of the Crime and Disorder Act 1998 provides agencies and professionals with a permissive power (but not a legal duty) to disclose personal information for crime prevention purposes.

It provides that any person can lawfully disclose information, where necessary or expedient for any provision of the act, to a chief officer of police, a police authority, local authorities, probation provider or health authority (or to a person acting on behalf of any of these bodies), even if they do not otherwise have a power.

Common law powers to share

Because the range of partners that the police work with has grown, including the public, private and voluntary sectors, there may not be either an implied or explicit statutory power to share information in every circumstance. This does not necessarily mean that police cannot share the information, because it is often possible to use the common law to do so. The decision to share using common law powers will be based on establishing a policing purpose for the activity that the information sharing will support, as well as an assessment of any risk.

10. Other relevant legislation or principles

Human Rights Act 1998 (HRA 1998)

Article 8 protects the right to respect for an individual private life, family life, home and correspondence (letters, telephone calls and emails, for example). There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Article 8 of the European Convention on Human Rights (ECHR)

Article 8 has particular relevance to Prevent. ECHR states that individuals have a right to respect for private and family life. The HRA 1998 further states that:

Everyone has the right to respect for his private and family life, his home and his correspondence

and that public authorities shall not interfere with:

the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

Common Law Duty of Confidentiality (CLDC)

CLDC arises in situations where an individual provides sensitive information about themselves, in the expectation that the person they are disclosing to will keep that information confidential. The CLDC is built up from case law and its basis is that information that has the necessary quality of confidence should not be used or disclosed further, except as originally understood by the discloser, or with their subsequent permission. Some situations and relationships (such as doctor and patient relationship) also add a level of quality to the information imparted, which can help to achieve the necessary threshold for CLDC.

Case law has been established that exceptions can exist “in the public interest”, and confidentiality can also be overridden, or set aside, by legislation (see the section ‘Legal gateways, exemptions and explicit powers’ above).

The Caldicott Principles

Principle 7 of the Caldicott Principles explains that duty to share information can be as important as the duty to protect patient confidentiality. Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Please remember that if in doubt, you should always consult with your Caldicott guardian and or data protection officer for your organisation for further advice and guidance before sharing personal or sensitive information for Prevent purposes.

11. Summary

Every health practitioner has a duty and must take responsibility for sharing the personal information and data that they hold regarding Prevent safeguarding concerns and should not assume that someone else will pass on this information, which may be critical in keeping someone at risk safe.

Confidentiality is an important ethical and legal duty, but it is not an absolute. You may disclose personal data without breaching duties of confidentiality in certain circumstances, particularly for safeguarding or public interest reasons. There are legal exemptions contained in the DPA 2018 and GDPR which allow for information sharing to take place in this context.

Each decision must be made on a case-by-case basis using your professional judgement and the rationale should always be recorded.

Fears about sharing personal data should not, therefore, be allowed to stand in the way of the need to safeguard and promote the welfare of children and adults at risk of abuse or exploitation.

Our partner agencies involved in information sharing are also subject to the same legal frameworks contained in the DPA 2018 or GDPR and the same rigour must be applied when responding to external third-party information sharing with or from these bodies.

If in any doubt, you should always consult with your organisational information governance team or data protection officer, organisational legal advisor or Caldicott guardian for further advice and guidance.

Appendix: further reading

Documents are available in support of this guidance and have been referenced throughout. This guidance should therefore be read in conjunction with the following documents:

Back to top