When considering whether to share concerns, if possible, the individual's consent should be attained prior to sharing information. Although the ICO have said that public authorities should avoid relying on consent as a legal basis for data sharing due to the perceived power imbalance, individuals should still be told that their information is to be shared and for what purpose. Transparency and clarity with the individual is imperative to satisfy ECHR.
Do you need the consent of the adult to make a referral?
No, while adults with capacity have the right to consent or otherwise to the GP making a referral, there may be a lawful basis to share information under the 2007 Act without consent (see paragraph below on public task). It is however important to be open and transparent with the adult.
The multi-agency approach to adult support and protection means that, where it is lawful and ethical to do so, the appropriate information should be shared between relevant agencies to ensure that support and protection that is right for the individual can be provided. A case by case approach should be taken to identify the lawful basis to be relied upon in terms of GDPR. Given the inherent power imbalance, the ICO has advised that it may be difficult to demonstrate that consent was freely given to a public authority. It may therefore be more appropriate to rely on Public Task in respect of the councils functions under 2007. GPs should take a proportionate approach to make balanced decisions about whether to share information without consent. However having decided to refer it is best practice to advise the patient of this unless you feel it will increase the risk of harm to them or others.
In regard to an adult with capacity refusing consent to disclose, in their own guidance, the BMA state that "As part of the consent-seeking process, where an adult at risk is making a decision that is seriously at odds with an objective assessment of his or her interests, health professionals should sensitively explore the reasons behind the decision. This could include exploration of the possibility of confidential referrals to groups or organisations that offer support to adults at risk."
When sharing information to the appropriate authorities seeks to address a perceived risk of harm to that individual, practitioners should consider whether the sharing is necessary for the exercise of their statutory function under the 2007 Act . This would constitute the legal basis of public task. It is vital that GPs are aware of their local contact and protocol for making such a referral and should familiarise themselves with the details.
The ICO state that when considering Public Task as the lawful basis for sharing information this applies to "any organisation who is exercising official authority or carrying out a specific task in the public interest. The focus is on the nature of the function, not the nature of the organisation" An individual "should also ensure that they can demonstrate there is no other reasonable and less intrusive means to achieve their purpose", and thus, the BMA advise that "It is only when the health professional has properly explored the patient's circumstances and the reasons behind the apparent refusal that they should consider some of the options discussed".
A refusal of disclosure by a patient should not result in them being abandoned by services. Care and support should continue to be offered, given the difficulties associated with preventing crime where the victim refuses to co-operate, in this instance, practitioners should consider disclosure under public task. This is likely to be proportionate where there is strong evidence of a clear and imminent risk of a serious crime likely to result in serious harm to the individual, and the disclosure of information is likely to prevent it.
Where data sharing is necessary to ensure safeguarding but is not specifically covered by the 2007 Act, specific legal advice should be sought. Any information received in the course of an investigation is treated with the utmost confidence and will not be disclosed to any third parties other than in accordance with the provisions of the 2007 Act.
Note that nothing in the Act authorises someone who is not a health professional to inspect health records. If the council officer requesting health records under section 10 is not a health professional they must pass the records to a health professional for examination and the GP should be informed of this.
When sharing patient records take account of third party confidentiality and redact appropriately.
Resources: The GMC has detailed further detailed guidance for medical professionals here - Decision Making and Consent. The BMA also have further guidance here - Adults at risk, confidentiality and disclosure of information. MDDUS offer guidance around the safeguarding of adults.
Information can be found online about members and contacts for the UK Caldicott Guardian.
Special category personal data
Where information contains special category personal data, having firstly identified a lawful basis for processing data, additional conditions must also be met in order to share data lawfully. Special Category data includes: Racial or ethnic origin; Political opinions; Religious or philosophical beliefs; Trade Union Membership; Genetic data; Biometric data (when used for ID purposes); Health (physical or mental); and, Sexual life or orientation.
In the context of special category data, practitioners should consider Article 9(2) UK GDPR 2018 together with paragraph 6 of Schedule 1 of the Data Protection Act 2018 . These conditions do not replace or override the usual lawful basis for processing, they act as an additional layer of conditions on top of the usual rules.