
Identify the legislation that relates to the recording, storage and sharing of information in care settings


NOTE: This page has been quality assured for 2021 as per our Quality Assurance policy.

As a care worker, you will have access to the personal data of others, so you need to have an awareness of the legislation and best practices for recording, storing and sharing information.

If an organisation does not comply with information handling legislation then they may be subject to a heavy fine as well as damage to their reputation.

Legislation

The Data Protection Act and General Data Protection Regulation

The main pieces of legislation relating to the recording, storage and sharing of information are the Data Protection Act (DPA) 2018 and the UK General Data Protection Regulation (UK-GDPR).

The DPA sets out the framework for data protection in the UK. It was originally introduced in 1984 and has been updated regularly as technology has advanced. The latest incarnation came into force in 2018 and was then amended in January 2021 when the United Kingdom (UK) left the European Union (EU).

GDPR was first introduced in 2018 to bring the UK in line with EU data protection laws. UK-GDPR came into effect in January 2021 when the UK left the EU. In essence, GDPR applies across the whole of the EU (EU-GDPR), and UK-GDPR is the UK’s own implementation of EU-GDPR.

The DPA balances an individual’s right to privacy against an organisation’s right to hold their data by requiring that personal information is kept securely, used only for the purpose for which it was originally collected, kept accurate and up to date, and removed when it is no longer needed.

The key principles of the DPA are:

  • Fair, lawful, and transparent processing – data may only be processed for the reason for which it was originally collected; organisations must be transparent about what they want to use the information for and must obtain the individual’s consent.
  • Purpose limitation – supports the previous point that data must only be used for the purpose intended.
  • Data minimisation – only the minimum amount of personal data needed for the intended purpose should be collected.
  • Accuracy – data must be accurate and up to date, and systems must be in place to correct errors.
  • Data retention periods – data should be deleted if it is no longer needed for its intended purpose or if the individual requests that it is erased (their right to be forgotten).
  • Data security – data should not be accessible to, or erasable by, unauthorised persons.
  • Accountability – organisations must be able to demonstrate that they are complying with data protection laws and regulations.

The Freedom of Information Act

The Freedom of Information Act 2000 allows individuals to request certain information held by public authorities, including the government, local authorities, the police force, hospitals and GP surgeries.

This does not cover private companies and organisations.

In addition, it gives individuals the right to look at anything written about them, so if you work for a public authority you must be aware that anything you write about an individual may be viewed by them in the future. Therefore, you must ensure that everything you record is accurate and professional.

Common Law Duty of Confidentiality

Common law (in contrast to statutory law, which is passed in Acts of Parliament) is developed through judicial cases, reports and precedents.

The Common Law Duty of Confidentiality means that when personal information is provided, it should be kept confidential and not be disclosed to others without good reason.

Other legislation

Other legislation that indirectly relates to the handling of information includes:

  • The Human Rights Act 1998 – sets out the rights and freedoms of all UK citizens
  • The Care Act 2014 – sets out the rights of individuals for accessing information from local authorities relating to their care and support
  • The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 – established the duty of candour and the Care Quality Commission’s fundamental standards

Agreed ways of working

Your employer’s agreed ways of working include their policies and procedures, but can also include emails and verbal instructions. These are the ways in which your employer requires you to work, and they should always be followed because they are designed to ensure that your work is within the law and meets best practice.

Some agreed ways of working that your employer may have relating to handling information can include:

  • Information handling policy and procedure
  • ICT policy including password policy
  • How you record information
  • How you store information
  • How information should be shared
  • Guidelines for ensuring confidentiality

Codes of practice

Although not enshrined in law, codes of practice provide guidance on working in ways that follow best practice.

Caldicott principles

The Caldicott Principles are seven fundamental principles for protecting the private information of NHS patients. They are:

  1. Justify the purpose(s) of using confidential information
  2. Only use it when absolutely necessary
  3. Use the minimum that is required
  4. Access should be on a strictly need-to-know basis
  5. Everyone must understand his or her responsibilities
  6. Understand and comply with the law
  7. The duty to share information can be as important as the duty to protect patient confidentiality

Code of Conduct

The Code of Conduct for Healthcare Support Workers and Adult Social Care Workers in England contains guidance for information handling relating to confidentiality, particularly in Standard 5: Respect people’s right to confidentiality.