Allied Health Professions: disclosure guidance

7 Disclosure And Data Protection Legislation

The disclosure of a mental illness, a learning disability or a history of offending to an employer is a sensitive matter, which is regulated by data protection legislation (the UK General Data Protection Regulation (UKGDPR), and the Data Protection Act 2018 (DPA 2018).

Information relating to an individual's health status would be considered 'special category data' under current data protection legislation. A full definition can be found here. Information relating to an individual's criminal activity, including allegations, investigations and criminal proceedings, is defined as 'criminal offence data' in data protection legislation.

Because of the sensitivity and the impact that data can have on individuals, it is subject to more additional rules and safeguards than non-sensitive data. Information should be kept confidential and should not become a matter of general workplace knowledge. Employers should have procedures for how they deal with this information and restrict those who have access to it, and they should ensure that their use of this data is proportionate and lawful.

It is an offence under the Data Protection Act 2018 and section 9 of the Rehabilitation of Offenders Act 1974 for anyone with access to personal data (including criminal records) to disclose spent convictions unless authorised to do so. There are also offences under sections 123 and 124 of The Police Act 1997 and sections 65 to 67 of the Protection of Vulnerable Groups (Scotland) Act 2007 about the handling and use of information provided by Disclosure Scotland, making false statements in connection with disclosure applications, and falsifying disclosure certificates and records.

Key considerations include:

• Is the individual interested in paid work, voluntary work or education?
• How does the type of work/opportunity relate to the individual's functional capacity, mental health condition and/or offence history. Consider referral to an Occupational Therapist for assessment of the issues supporting and hindering ability in a work role and identifying triggers to relapse and/or potential risks?
• Is the individual a Restricted Patient? If yes, consider and discuss with the individual the implications this will have on information sharing, disclosure of offences and the role that you and the multi-disciplinary team will play?
• What type of disclosure should be applied for?
• Are the individual's convictions likely to be spent or unspent and what will this mean in relation to disclosure?
• Does the type of work fall within the scope of the Police Act standard or enhanced disclosure?
• Does the type of work fall under the definition of regulated work i.e. does it require PVG scheme membership. If so, could the matters disclosed raise a concern with the employer or Scottish Ministers about the individual's suitability for regulated work?
• Would the disclosure or sharing of data be proportionate and lawful?

7.1 To Share or Not to Share

Managing sensitive information across complex partnerships or with third parties requires careful consideration. The legal requirements on all organisations that hold personal information on individuals are specific, uncompromising and absolute.

All personal information, whether held in paper or electronic form should be kept securely and accessed solely by persons who are entitled to view it, as defined in legislation. It is not sufficient for people to have authority to access systems; they must have a legitimate reason to see the specific information they view. All data management systems whether paper or electronic must include safeguards that prevent inappropriate access.

Where information is required to be shared with employers or other third parties, careful thought should be given to how that information is handled. To comply with the data protection legislation, all organisations must be able to demonstrate that they are holding information for a useful purpose and also have clear reasons as to why it is shared.

The Information Commissioner's Office has published a Code of Practice on data sharing, which provides further guidance on this topic: Data sharing: a code of practice | ICO. This includes a data sharing checklist, which will be useful to organisations who are unsure whether they can share data in certain circumstances:

• What is the sharing meant to achieve?
• Have you assessed the potential benefits and risks to individuals and/or society of sharing or not sharing?
• Is it fair to share data in this way?
• Is the sharing necessary and proportionate to the issue you are addressing?
• What is the minimum data you can share to achieve the aim - could the objective be achieved without sharing personal data, or by sharing less?
• What safeguards can you put in place to minimise the risks or potential adverse effects of the sharing?
• Is there an applicable exemption in the DPA 2018?

It may be necessary to seek independent legal advice on data sharing.