Sharing sensitive information

Last reviewed on 20/11/2012 14:03

Many commonly confuse data protection legislation and its associated rights of privacy for the aggressor to supersede those of the worker believing personal information cannot be shared.

Balancing rights

Organisations are often faced with the need to balance client’s rights with the responsibility to protect staff from the potential of violent or aggressive behaviour from service users. In these circumstances staff need information to be able to make informed judgments about how to safely approach differing situations.

It is often believed that data protection legislation protects the rights of the aggressor and takes priority over the rights of the worker, and that personal information cannot and must not be shared. Yet, the sharing of personal information is often essential to provide a level of awareness to staff within an organisation, and sometimes in other organisations, to enable them to make an adequate risk assessment for their own safety.

The Data Protection Act 1998 (DPA) is not a barrier to sharing information. It is intended to form the basis of data management. Further information about the DPA is available from the Information Commissioner’s Office website

Where there is concern about the behaviour of service users or customers and to protect staff organisations can share information with other organisations as long as these comply with legislation and this is done in a fair and lawful manner.

Any information collected must be used fairly and transparently and must:

  • state the identity of the organisation that’s collecting the information
  • say what the information being collected will be used for
  • provide any further information necessary to make the processing of the information fair in the circumstances.

Making sure people understand

It is crucial that the process is simple, clear and genuinely informative, telling people:

  • if you intend to pass on any personal information to other organisations, and, if so, the reason(s) for the disclosure; the identity of other organisations and details of what they will do with the information
  • how long your organisation will keep the information
  • whether replies to questions are compulsory or voluntary
  • the consequences of not replying - for example, non-receipt of a benefit
  • what measures are in place to ensure the security of personal information
  • people’s rights and how they can exercise them - for example, the fact that a person can obtain a copy of their personal information (subject to certain exemptions)
  • how to complain or find out more about how information will be used
  • the right to complain to the Information Commissioner if there is an issue.

Transparency and consent

There is a fundamental difference between telling a person how you’re going to use their personal information and getting their consent to this. In many cases involving service users positive agreement will be needed.

In such cases, choice is not an issue, because the individual cannot expect to receive what he or she has asked for unless any necessary processing of personal information takes place.

Even if individuals have no real choice, the collection of information about them still has to be fair and transparent. A privacy notice can be used to make sure that this is the case.

An organisation’s decision to share information doesn’t negate its duty to treat people fairly. This means that prior to sharing information, the organisation holding it must consider carefully what any recipient organisation is going to do with the information, and what the effect on people is likely to be. It is good practice to obtain an written assurance about this. Once information is shared with another organisation the disclosing organisation cannot restrict its use unless the disclosure is subject to a legally binding agreement.

Keeping the situation under review

It is unfair and misleading to keep or share information that isn’t accurate or up to date. It is good practice therefore to keep this under regular review to check for accuracy and rectify any mistakes.

The benefits of a good policy which staff understand will improve trust and relationships with staff who know the process and the reasons behind it and reduce the risk of queries, complaints and disputes about the use of personal information.