For Support Contact kim.raggett@hse.ie
It is recognised that maintaining confidentiality is crucial to the building of a trusting and respectful working relationship with the Service User. It is equally important that all parties recognise that confidentiality is never absolute and Service Users should be given a clear understanding of the limitations to confidentiality at the outset.
All agencies should have appropriate policies and procedures in place in line with General Data Protection Regulation (GDPR) to legally allow them to collect, retain and share information appropriately. This protocol seeks to ensure that the confidentiality of Service Users involved in the services are protected in a consistent and appropriate manner.
Also, it provides staff and Service Users with information on confidentiality, guidelines regarding handling of information, the extension of confidentiality and responsibilities for the management of confidentiality.
It is crucial that the Service User understands issues relating to confidentiality, including their right to privacy, as well as the limits to confidentiality. This conversation must happen prior to seeking written consent for assessment. The initial assessor must discuss all points 1 to 9 on page 2 of the assessment document and ensure that the Service User understands the agreement they are entering into. The assessor should give a hard copy of the information on page 3 of the assessment document to the Service User.
The Service User must be clear about the processes by which they can consent to agreed personal information being shared amongst different parties involved in the Interagency Care Plan, as well as how to review and withdraw consent.
This agreement covers all employees and Service Users participating in case management across the region where services agree on information considered appropriate and necessary based on the role and responsibility of staff attending and engaged in the interagency care planning process and the role and function of their agencies.
Confidentiality is not absolute and therefore cannot be guaranteed. The designated lead agency which employs the appointed Case Manager is responsible for collecting consent and storing/coordinating information. Individual agencies are responsible for the data collected by them, as each agency would be considered a separate data controller under the Data Protection Acts (www.dataprotection.ie).
All Service Users are to be made aware of the region’s confidentiality agreement.
All Service Users have the right to have a copy of the relevant information held by services involved in case management in line with the consent provided. Requests for a copy of this information should be made in writing by the Service User to the agency from which they wish to obtain their information.
Information about a Service User will not be passed on to any third party except in the following cases:
(a) Where written consent has been obtained from the Service User.
(b)Where there is a legal obligation to extend confidentiality such as a court order, i.e. an order signed by a judge to release information.
(c) or
All Service Users have the right to withdraw consent for the sharing of information at any time, except where there is a professional obligation for confidentiality to be extended as outlined above.
All Service User information is to be kept in a secure place within the organisation. Workers are expected to exercise care to keeping safe all documents or other material containing confidential information.
All Service User files should be kept in a locked filing cabinet, with the key held only by staff members involved in relevant service provision.
Agencies utilising electronic management of information operate as per their existing confidentiality guidelines.
(The 3rd party may not be signed up to the interagency protocols. It should be explained that the Case Manager/agency does not have as much control over the data once given to a third party however the 3rd party should be bound by the data protection act)
Confidentiality is not absolute and cannot be guaranteed. Limits to confidentiality exist to protect workers from withholding information that may require immediate action in the interest of public or individual safety.
In the event of a disclosure of any of the above, the worker should inform the Service User that they may need to report the issue to their manager. If it is necessary to pass on the information the Service Users consent should be obtained if possible. If this is not possible, the Service Users should still be informed of the decision to share information.
Please consult General Data Protection Regulation (GDPR) guidelines
Data protection breaches will be dealt with in organisations through their internal policies and procedures.
In addition to the duty of care regarding confidentiality outlined above, the Data Protection Acts imposes legal obligations on the services. The following eight Data Protection principles apply.
Care should be taken not to unintentionally disclose information when communicating by phone. Confirmation that an individual is attending the service to a person, who has not been covered through consent to share information, could be considered a breach of confidentiality.
Faxed messages containing sensitive case information should only be sent to specified individuals at confirmed numbers. All faxes should contain cover sheets stating the person whom the fax is intended for. Receipt of fax should be confirmed by phone. Using pre-programmed numbers on the fax machine is preferable to dialling the number every time.
Any information from which a Service User could possibly be identified should not be sent via email. This applies to services contacting other services.
Staff and Service Users should not form relationships through social media (e.g. accepting friend requests on Facebook) as this can lead to inappropriate information sharing.
If a Service User wishes to have access to their file, they need to complete a written request. Requests for a copy of this information should be made in writing by the Service User to the agency from which they wish to obtain their information. If necessary, the Service User should be supported in making this request. The request will be processed by the Project Manager with that agency who will respond to the request within ten working days. In such cases care will be taken to ensure that any information relating to other individuals that is held within the Service Users file (i.e. in letter from an external agency that relates also to other family members) is not released. It is essential that legal advice (consider Freedom of Information and GDPR) is sought in relation to requests of this nature.