Sharing information to safeguard an adult at risk

The general principle is that the person’s explicit consent should be sought to share information about them. If a person is reluctant for information to be shared, it is important to try and understand the person’s reasons for this, so that their concerns can be addressed. 

It is often helpful to: 

• Explore the reasons for the person’s objections – what are they worried about? Seek to understand any personal or cultural barriers to seeking support.
• Explain the concern and the risks and why you think it is important to share the information
• Tell the person who you would like to share the information with and why
• Explain the benefits, to them or others, of sharing information – could they access better help and support? • Discuss the consequences of not sharing the information – could someone come to harm?
• Reassure them that the information will not be shared with anyone who does not need to know
• Reassure them that they are not alone and that support is available to them. Do not assume that people know and understand what support is available, how it is provided, or how to access it.

 Key features of giving consent include: 

• The consent to share information must be for a specific reason and purpose
• Consent must provide individuals with real choice and control. It must be freely given, specific and informed. 

It can sometimes be difficult for an organisation to show that consent is freely given because of the imbalance of power between it and the individual. This is  because those who depend on the organisation’s services might feel they have no choice but to agree, so consent is not considered freely given. 

Example: Consent not freely given 

'A patient attending hospital discloses that they are being abused by a care home worker, but they do not want the hospital to do anything. The hospital worker explains that because the concerns involve a care home worker, they need to raise a safeguarding concern with the local authority even if the patient does not wish for this to happen. The individual therefore consents, but does so knowing that the actions will be taken even if they do not consent. In effect they had no real choice but to agree'. 

For these reasons, it will not always be possible to rely on consent as a lawful basis for sharing information. In the example above, the hospital would need to consider if their lawful basis for sharing the information actually results from a ‘substantial public interest’ as set out in 5.1.3. 

However, organisations may be able to rely on consent as a basis for sharing where they are convinced they can demonstrate that it is freely given. Consent must be given by a clear affirmative act. Clear records must be kept to demonstrate, and evidence, consent. Individuals should also be told about their right to withdraw consent at any time. 

It is very important to remember that difficulties relying on consent as a legal basis for sharing information does not mean that consent should not be sought. The question of consent as a lawful basis for sharing information is distinct from the obligations practitioners hold to adults to seek their consent to share information. 

The obligation to seek consent arises out of good safeguarding practice and the Caldicott principles. Where consent has been given, in certain circumstances, as explained above, you will be able to rely on it as a lawful basis for sharing information under the GDPR and Data Protection Act 2018.

The Mental Capacity Act 2005 states that mental capacity to consent must be assumed unless it is assessed as otherwise. An adult who is either assumed to have mental capacity or assessed to have capacity is therefore able to consent to sharing information about the risk they experience. 

Mental capacity assessments are decision-specific. Furthermore, a person who lacks capacity at a certain time may be able to make that decision at a later date. Where it is assessed that an individual lacks capacity to consent to sharing data at a particular time, consideration should be given to whether the data needs to be shared now, or could wait until a time when the person is able to consent. 

If the individual does not have the mental capacity to consent there should be consideration as to whether it is in the best interests of the person at risk, as determined in accordance with the Mental Capacity Act 2005, for this information to be shared. Staff or volunteers should record such decisions in-line with the policies and procedures of their organisation.

As set out above, the general principle is that consent should be sought from someone about the sharing of information about them. There are however, circumstances in which obtaining consent may not be possible, or it may not be relied upon. If this is the case, the following guidance should be followed to decide whether it is appropriate to share the information without the person’s consent. 

Firstly, sharing of the information should be in the substantial public interest, and necessary for the purposes of either: 

• Protecting an individual from neglect or physical, mental or emotional harm; or
• Protecting the physical, mental or emotional wellbeing of an individual 

As the nature of safeguarding is to protect a person, or a group of people, from harm or the risk of harm it is likely that this criteria will be satisfied when information is being shared for the purposes of taking actions to safeguard someone. 

For this clause to apply however, there must be reasonable cause to suspect that the individual (or a group of individuals or a ‘type of individual’: 

• has needs for care and support,
• is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
• as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it. 

Such information can only be shared without consent if one of the following criteria is met: 

• Consent cannot be given, For example, the person is unable to consent due to intimidation or duress.
• Consent cannot reasonably be expected to be obtained, 

For example, the risks are such that action is needed urgently; it is not practicable in the circumstances; seeking consent may place someone at greater risk; or the nature of your relationship makes this inappropriate. 

• Obtaining consent would prejudice the purposes of safeguarding, 

For example, the information needs to be shared to protect an individual from abuse or neglect; to protect others from harm; or to fulfil public interest duties such as will occur when there are safeguarding concerns involving a service, employee or volunteer. 

Practitioners should refer to their own internal policies, their safeguarding and information sharing leads as required, for advice in relation to how this applies to individual cases. The Leeds Multi-Agency Safeguarding Adults Policy and Procedures also provides further practice guidance on raising a concern with the local authority, with and without consent. 

Guidance from the Information Commissioners Office confirms that the General Data Protection Regulations only apply to information which relates to an identifiable living individual. 

Information relating to a deceased person does not constitute personal data and is therefore not subject to General Data Protection Regulations. 

Whilst the provisions of GDPR/DPA 2018 do not apply to data in relation to deceased persons, consideration should still be given to whether the sharing of information is justified and necessary, accurate and up-to-date and can be shared securely as set out below.