This page is designed to answer the following questions:
- 6.4b List any legislation and agreed ways of working to maintain confidentiality in day-to-day communication (Care Certificate, Standard 6: Communication)
- 14.1a Describe the agreed ways of working and legislation regarding the recording, storing and sharing of information (Care Certificate, Standard 14: Handling information)
- 1.1 Identify the legislation that relates to the recording, storage and sharing of information in care settings (Level 2 Diploma in Care, Handle information in care settings)
- 1.1 Identify legislation and codes of practice that relate to handling information in care settings. (Level 3 Diploma in Adult Care, Promote effective handling of information in care settings)
- 1.2 Summarise the main points of legal requirements and codes of practice for handling information in care settings. (Level 3 Diploma in Adult Care, Promote effective handling of information in care settings)
- 1.2 Explain the legal requirements and agreed ways of working for the security and confidentiality of information (Level 4 Diploma in Adult Care, Develop, Maintain and Use Records and Reports)
- 2.4 Ensure that records and reports comply with legal and organisational requirements (Level 4 Diploma in Adult Care, Develop, Maintain and Use Records and Reports)
NOTE: This page has been quality assured for 2023 as per our Quality Assurance policy.
As a care worker, you will have access to the personal data of others, so you need to be aware of the legislation and best practices for recording, storing and sharing information.
If an organisation does not comply with information handling legislation, then it may be subject to a heavy fine as well as damage to its reputation.
On this page
Legislation
The Data Protection Act and General Data Protection Regulations
The main pieces of legislation relating to the recording, storage and sharing of information are the Data Protection Act (DPA) 2018 and The UK General Data Protection Regulations (UK-GDPR).
The DPA sets out the framework for data protection in the UK. It was originally introduced in 1984 and has been updated regularly as technology has advanced. The latest incarnation came into force in 2018 and was amended in January 2021 when the United Kingdom (UK) left the European Union (EU).
GDPR was initially introduced in 2018 to bring the UK in line with EU data protection laws. UK-GDPR came into effect in January 2021 when the UK left the EU. In essence, GDPR affects the whole of the EU (EU-GDPR), and UK-GDPR is the UK’s implementation of EU-GDPR.
The DPA balances an individual’s right to privacy and an organisation’s right to hold their data by ensuring that personal information is stored securely, can only be used for what it was originally intended for when collected, be accurate and up-to-date and should be removed when no longer needed.
The key principles of the DPA are:
- Fair, lawful, and transparent processing – data may only be processed for the reason that it was originally collected; organisations must be transparent about what they want to use the information for and must obtain the individual’s consent.
- Purpose limitation – supports the previous point that data must only be used for the reason intended.
- Data minimisation – only the minimum amount of personal data should be acquired to be used for the reason intended.
- Accuracy – data must be accurate and up-to-date, and systems must be in place to correct errors.
- Data retention periods – data should be deleted if it is no longer needed for its intended purpose or the individual requests that it is erased (their right to be forgotten).
- Data security – data should not be accessible or erasable by unauthorised persons.
- Accountability – organisations must be able to prove that they are complying with data protection laws and regulations.
The Freedom of Information Act
The Freedom of Information Act 2000 allows individuals to request certain information held by public authorities, including the government, local authorities, the police force, hospitals and GP surgeries.
This does not cover private companies and organisations.
In addition, it gives individuals the right to look at anything written about them, so if you work for a public authority, you must be aware that anything you write about an individual may be viewed by them in the future. Therefore you must ensure that everything you record is accurate and professional.
Common Law Duty of Confidentiality
Common law (in contrast to statutory law, which is passed in acts of parliament), is developed through judicial cases, reports and precedents.
The Common Law Duty of Confidentiality means that when personal information is provided, it should be kept confidential and not be disclosed to others without good reason.
Other legislation
Other legislation that indirectly relates to the handling of information includes:
- The Human Rights Act 1998 – sets out the rights and freedoms of all UK citizens
- The Care Act 2014 – sets out the rights of individuals to access information from local authorities relating to their care and support
- The Health and Social Care Act 2008 (Regulated Activities) Regulations 2014 – established duty of candour and the Care Quality Commission’s fundamental standards
Agreed ways of working
Your employer’s agreed ways of working include their policies and procedures but can also include emails and verbal instructions. These are the ways that your employer requires you to work and should always be followed because they are designed to ensure that your work is within the law and meets best practices.
Some agreed ways of working that your employer may have relating to handling information can include:
- Information handling policy and procedure
- ICT policy, including password policy
- How you record information
- How you store information
- How information should be shared
- Guidelines for ensuring confidentiality
Codes of practice
Although not enshrined in law, codes of practice provide guidance about working in ways that follow best practices.
Caldicott principles
The Caldicott Principles are seven fundamental principles for protecting the private information of NHS patients. They are:
- Justify the purpose(s) of using confidential information
- Only use it when absolutely necessary
- Use the minimum that is required
- Access should be on a strictly need-to-know basis
- Everyone must understand his or her responsibilities
- Understand and comply with the law
- The duty to share information can be as important as the duty to protect patient confidentiality
Code of Conduct
The Code of Conduct for Healthcare Support Workers and Adult Social Care Workers in England contains guidance for information handling relating to confidentiality, particularly in Standard 5: Respect people’s right to confidentiality.
Ensuring records and reports comply with legislation and regulation
For the Level 4 Diploma, you will be required to demonstrate that you can ensure that records and reports comply with legislation and regulation.
How you do this will depend on your particular job role, but some approaches might include:
- Monitoring your team’s records/reports and highlighting any non-compliance issues
- Auditing your organisation’s policies and procedures relating to the recording, storing and sharing of information
- Reporting concerns about processes that may not be compliant with your manager