This post should have been written far, far earlier as it covers a subject issue that runs through everything I’ve written on this blog. Information sharing is one of the most difficult subjects for many people as there are perceived conflicts left, right and centre: between legal restrictions on information sharing, professional guidelines about information sharing. Do they conflict, what if they do? One reason they may conflict, is because some confidentiality guidelines about the police are just plain wrong. See the links at the bottom of the page.
This post will focus on tactical, or job-specific, information sharing. There is more to be said about more wholesale organisational information sharing to build better joint responses which cross agencies. That will be for another day.
I have written a couple of information sharing protocols in the last ten years and read countless more of them. Broadly, they all say the same things and at the end of writing the main one that I did, I wondered about the point of it all. The document ended of with the following outline structure, just like all the other protocols I’d read:
- Introductory remarks of broad principles and commitments of working together, etc., etc..
- Excerpts from legislation and professional guidelines, including the Data Protection Act 1998 (DPA), the Human Rights Act 1998 (HRA) and the GMC / BMA / NMC guidelines.
- Details on the administrative mechanisms by which the relevant organisations had agreed to share information – the design or agreement of a few forms or (secure) email arrangements.
- Review processes for governance of the protocol’s operation
- A list of contacts in each organisation for getting beyond barriers created by bureaucracy.
Meetings and training about information sharing were always interesting. Professionals are well aware that their positive decision to disclose information must be defendable against the frameworks that govern them and this gets you straight into the medical confidentiality discussion. Of course, the police are also privy to a host of confidential information – no less confidential than medical information. You have as much right to expect police officers to keep your previous convictions secret than your doctor to keep your medical history, but I came away with a perception that none of us understand the legal frameworks appropriately.
Of relevance to the NHS is the Caldicott Report. This report lead to the establishment in every NHS trust of a Caldicott Guardian to oversee issues about the sharing of “patient identifiable information” in the various ways that it flows between NHS organisations and between the NHS and non-NHS organisations. <;;<;; Please remember that “the NHS” is not one organisation.
DATA PROTECTION ACT 1998
Ultimately, this piece of legislation is the Information Sharing Protocol for the nation. Regardless of what your protocol says, you can, ultimately, be criminally prosecuted under the DPA for breaches of your duty around keeping certain information confidential. Interestingly, you can’t be prosecuted for failing to share information that could have been shared and that is perhaps why a senior police officer I know once wondered aloud how different the world would be if we had called this the “Data Sharing Act 1998”. Obviously the emphasis is “you can’t share unless you can justify it” rather than “here’s when and how you should share.”
This is of relevance because in many mental health homicide reviews, under-sharing of information has been criticised. Most notably for my own force following the killing of DC Mick Swindells in 2004, criticism of how quickly the NHS were able to access and then share mental health related risk information on a particular man, was held to have been especially problematic. It was also found that there were other, missed information-sharing opportunities before the critical events of that day. We know from other reviews that under-sharing of information has been the target of recommendations for review. I can’t find the example of where over-sharing of information was criticised. Certainly, if you review the enforcement website of the Information Commissioner, there have been no prosecutions of police or NHS professionals for over-sharing information to manage risks.
So actually, the DPA sets out an agenda where information can be shared. It divides all confidential information, or data, into two types: personal data and sensitive personal data.
- Personal data is defined in s1(1)(e) of the DPA – “data which relate to a living individual who can be identified from those data, or from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller.”
- Sensitive personal data is defined in section 2 – “personal data consisting of information as to:
(a) the racial or ethnic origin of the data subject,
(b) his political opinions,
(c) his religious beliefs or other beliefs of a similar nature,
(d) whether he is a member of a trade union,
(e) his physical or mental health or condition,
(f) his sexual life,
(g) the commission or alleged commission by him of any offence, or
(h) any proceedings for any offence committed or alleged to have been committed by him, the disposal of such proceedings or the sentence of any court in such proceedings.
The Act sets out in various schedules, information which all professionals reading this blog should know:
- Principles which govern data sharing – see Part I of Schedule I.
- Interpretation of those principles – see Part II of Schedule I.
- ‘Conditions’ relevant to the first principle of data sharing for personal information – see Schedule II.
- ‘Conditions’ relevant to the first principle for sensitive personal information – see Schedule III.
NB: When ‘processing’ sensitive personal data, there must a justification from both schedule 2 and from schedule 3.
So organisations may share information where this is necessary to the statutory functions of other agencies. I always like to raise “Risk Assessment” as the example here. The police and the NHS often have to formally or dynamically risk assess situations to determine their responses and risk assessment is a statutory responsibility – under the Health & Safety At Work Act 1974. Information held by the police which is relevant to risk assessment being undertaken by the NHS is able to be shared, so that the NHS can make appropriate decisions about keeping the public and their staff safe. And vice versa: so! –
- If the police detain someone under s136 MHA and we know from police intelligence or from convictions that the person has a particular history of violence in attacking NHS staff, that can be shared because it would be relevant to how NHS staff manage that the person within an NHS place of safety and keep staff safe.
- In this situation I have previously said, “If you would be telling the custody sergeant something which is relevant to keeping that person or custody staff safe, you should be telling the PoS nurse the same thing for the same reasons.”
- If the NHS want the police to enter a premises under a s135(1) warrant to detain someone for Mental Health Act assessment, the police have to decide whether to send a couple of ‘normal’ police officers or whether we will send extra officers and whether any of them may have specialist training or equipment. This could include Tasers, dog handlers, officers in protective equipment.
- The information in each scenario needs to be detailed enough to be meaningful: saying, “He plays up a bit” could mean any number of things. Specifying verbal aggression that has never translated up into physical violence indicates different kinds of risk. Even physical aggression varies: was in ABH or GBH … did it involve weapons or not?
All of this is relevant to the sergeant or inspector who is determine number and nature of resources or the PoS nurse who has to ensure a safe, appropriate environment for a 136 assessment and unless we’ve properly shared relevant information, how are we going to get this right, except by chance? Well, we actually know that this has been wrong in the past and it has been at a cost in terms of lives and injuries.
CRIMINAL INVESTIGATION EXEMPTION
There is also a particular provision of the Data Protection Act which is relevant when the police are undertaking a criminal investigation. Section 29(1) DPA provides an exemption for information which is shared for “the prevention or detection of crime [or] the apprehension or prosecution of offenders”. This is where it can often get interesting!
I have written before about when, where and how to share information which could be relevant to a criminal investigation of someone suffering a mental health problem. Exchange of information to the police can be crucial to statutory decisions which we make around this. By way of example, an MHA assessment recently took place in police custody in my force area where the custody officer quite properly asked for various bits of information from the assessing professionals. They wanted to take a decision to admit the patient to hospital under the MHA, but the custody officer was considering asking the CPS to prosecute the individual regardless. This was because the offence was far from trivial, someone had been seriously hurt and it may well have been in the public interest to prosecute dependent upon the individual’s previous history and an assessment of the risk that this may present for absconding or further offences. It is, ultimately, a decision for the police and CPS about whether offenders are prosecuted or diverted from justice.
There was a total lack of information sharing, despite a DPA ‘notice’ being handed over – signed up by an inspector, as it must be – because of confidentiality. And yet, this confidential information – otherwise known for DPA purposes as ‘sensitive personal data’ – can be shared according to schedule 3 if it “is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings)”.
The final thing to say on information sharing, is that where it occurs in the context of established arrangements to manage risk on a multi-agency basis, the law around Data Protection and confidentiality still apply. this would cover MAPPA arrangements which are statutory provisions for public protection with regard to violent and sexual offenders, and would also extend to MARAC (domestic abuse) and Safer Estates arrangements. Occasionally, professionals have assumed that because of a formalised agenda and structure being implemented to jointly manage certain things, that it can be a free forum to talk openly. This is true only to an extent – the law still applies.
I’ll issue a warning about some of these links, because the content of some of it is just plain wrong! Be aware of this when making decisions.
- GMC confidentiality webpages.
- BMA confidentiality webpages.
- NMC confidentiality webpages.
- Information Commissioner’s Office.
Update on 01st April 2015 – since writing this article, a new Code of Practice has come into effect in England. It doesn’t substantially alter the post but certain reference numbers have changed. My summary post about the new Code of Practice (2015) is here, the new Reference Guide is here and the full document is here. The Code of Practice (Wales) remains unchanged.
Winner of the Mind Digital Media Award.