Confidentiality & Information Sharing

Forms Needed

  • Service User Information Sheet on Case Management
  • Service User Information and Consent Form
  • Care Plan Case Manager Transfer Form
  • Additional Consent Given
  • Additional Consent Withdrawn
  • Consent Specific to Homeless Services PASS Database System
  • Consent Specific to Mental Health Services
  • HSE National Waiting List for Opiate Addiction Treatment Client Consent Form
Go To Forms

Why and when to use

It is recognised that maintaining confidentiality is crucial to the building of a trusting and respectful working relationship with the Service User. It is equally important that all parties recognise that confidentiality is never absolute and Service Users should be given a clear understanding of the limitations to confidentiality at the outset.

All agencies should have appropriate policies and procedures in place in line with General Data Protection Regulation (GDPR) to legally allow them to collect, retain and share information appropriately. This protocol seeks to ensure that the confidentiality of Service Users involved in the services are protected in a consistent and appropriate manner.

Also, it provides staff and Service Users with information on confidentiality, guidelines regarding handling of information, the extension of confidentiality and responsibilities for the management of confidentiality.

It is crucial that the Service User understands issues relating to confidentiality, including their right to privacy, as well as the limits to confidentiality. This conversation must happen prior to seeking written consent for assessment. The initial assessor must discuss all points 1 to 9 on page 2 of the assessment document and ensure that the Service User understands the agreement they are entering into. The assessor should give a hard copy of the information on page 3 of the assessment document to the Service User.

The Service User must be clear about the processes by which they can consent to agreed personal information being shared amongst different parties involved in the Interagency Care Plan, as well as how to review and withdraw consent.


This agreement covers all employees and Service Users participating in case management across the region where services agree on information considered appropriate and necessary based on the role and responsibility of staff attending and engaged in the interagency care planning process and the role and function of their agencies.


  • Confidentiality – All information that is obtained through the course of organisational business and service provision is confidential. In general, an employee shall not at any time, during or following working with a Service User disclose such information in any form to any person without the written consent of the Service User.
  • Extension of confidentiality – In certain circumstances information can be passed on to a third party without the consent of the individual whose information it is.
  • Wrongful disclosure – When confidential information is passed on to a third party without permission either by accident, negligence or design.


Confidentiality is not absolute and therefore cannot be guaranteed. The designated lead agency which employs the appointed Case Manager is responsible for collecting consent and storing/coordinating information. Individual agencies are responsible for the data collected by them, as each agency would be considered a separate data controller under the Data Protection Acts (

All Service Users are to be made aware of the region’s confidentiality agreement.

All Service Users have the right to have a copy of the relevant information held by services involved in case management in line with the consent provided. Requests for a copy of this information should be made in writing by the Service User to the agency from which they wish to obtain their information.

Information about a Service User will not be passed on to any third party except in the following cases:

(a) Where written consent has been obtained from the Service User.

(b)Where there is a legal obligation to extend confidentiality such as a court order, i.e. an order signed by a judge to release information.

(c) or

  • There is a perceived risk of serious harm to self or others. In this circumstance information may need to be shared with Social Work, An Garda Síochána or a mental health practitioner as appropriate.
  • Where there is a concern of risk of harm to children. The agency should follow the national guidelines (Children First) in relation to reporting the suspected child abuse to social work or An Garda Síochána as appropriate

All Service Users have the right to withdraw consent for the sharing of information at any time, except where there is a professional obligation for confidentiality to be extended as outlined above.

All Service User information is to be kept in a secure place within the organisation. Workers are expected to exercise care to keeping safe all documents or other material containing confidential information.

All Service User files should be kept in a locked filing cabinet, with the key held only by staff members involved in relevant service provision.

Agencies utilising electronic management of information operate as per their existing confidentiality guidelines.

Roles and Responsibilities

Responsibility of Rehabilitation Co-ordinator

  • Ensure that all core team members are briefed on their responsibilities when dealing with confidential information.

Service/Project Manager Responsibility

  • Ensuring that a copy of this agreement is available to all his/her staff who are working/involved with a case management approach in the region.
  • Ensuring that a copy of this agreement is available to users of the service.
  • Ensure that all staff confirm they have understood this confidentiality agreement and how it may differ from their projects normal confidentiality policy.
  • Ensuring that staff receive any training that may be necessary – Training needs specific to the region should be raised with the Rehab Co-ordinator.

Individual Worker Responsibility

  • To act in accordance with this agreement.
  • To keep Service Users informed of their rights regarding confidentiality.

Informing Service Users All Service

  • Users should be made aware of the following:
  • Individual agencies are responsible for the information collected by them. Certain and relevant information will be shared between agencies in line with the consent provided.
  • Service Users have the right to a copy of all personal data that is held by each agency in relation to them where requested.
  • Circumstances in which confidentiality may be extended.
  • Their consent to share information can be withdrawn at any time.
  • This information should be given to Service Users by their keyworker

Obtaining Consent to Share Information

  • Information held by the Case Manager and all other agencies which is not independently available to a third party, cannot be disclosed without the individual’s written consent.
  • Consent must be sought in writing using a standardised consent form and amendments should be recorded. The Service User should be informed each time information regarding them will be shared with a third party.

The consent form should stipulate:

  • The third party with whom the information is to be shared.
  • The timeframe that the consent form applies to.
  • The organisations covered by the consent form.
  • The date and signature

The Service User should also be verbally informed of:

  • The third party with whom the information is to be shared.
  • Whether the third party has a confidentiality policy.
  • The reason for sharing the information

(The 3rd party may not be signed up to the interagency protocols. It should be explained that the Case Manager/agency does not have as much control over the data once given to a third party however the 3rd party should be bound by the data protection act)

Limits to Confidentiality

Confidentiality is not absolute and cannot be guaranteed. Limits to confidentiality exist to protect workers from withholding information that may require immediate action in the interest of public or individual safety.

Confidentiality may be extended when a Service User discloses that:

  • There is a risk of serious harm to self or others. In this circumstance information may need to be shared with Social Work, An Garda Síochána or a mental health practitioner as appropriate.
  • Where there is a suspicion/risk of harm to children. The agency should follow the national guidelines (Children First) in relation to reporting the suspected child abuse to social work or An Garda Síochána as appropriate.
  • Confidentiality may also be extended as required by certain legal obligations (e.g. court order).

In the event of a disclosure of any of the above, the worker should inform the Service User that they may need to report the issue to their manager. If it is necessary to pass on the information the Service Users consent should be obtained if possible. If this is not possible, the Service Users should still be informed of the decision to share information.

Sharing Information with agencies that are not Drug and Alcohol, Homeless or Mental Health specific such as Social Work, Probation, Hospital and others

  • Typically requests for information from organisations must be accompanied by a signed consent from the Service User to share information. The Manager should be made aware of all requests for information from outside agencies. However, the exception applies to court orders, i.e. signed by a judge.
  • If a service is requested to write a report on a Service User, this report would only be written further to a court order or where the Service User consents.
  • Care must be taken with phone calls in relation to queries around Service Users to ensure that information is not unintentionally passed on to a third party. Service User attendance or presence in the service should not be confirmed without the Service User consent.
  • Staff members called to give evidence in court should contact their Manager, and follow the organisation’s legal policy.

Data Protection Breach

Please consult General Data Protection Regulation (GDPR) guidelines

Data protection breaches will be dealt with in organisations through their internal policies and procedures.

Data Protection Responsibilities

In addition to the duty of care regarding confidentiality outlined above, the Data Protection Acts imposes legal obligations on the services. The following eight Data Protection principles apply.

  • Obtain and process information fairly.
  • Keep it only for one or more specified, explicit and lawful purposes.
  • Use and disclose information only in ways compatible with these purposes.
  • Keep it safe and secure.
  • Keep it accurate, complete and up-to-date.
  • Ensure it is adequate, relevant and not excessive.
  • Retain for no longer than is necessary.
  • Allow individual’s access to their personal data, on request.

Email, Fax, Social Media and Phone Usage in Relation to Confidentiality

Phone usage

Care should be taken not to unintentionally disclose information when communicating by phone. Confirmation that an individual is attending the service to a person, who has not been covered through consent to share information, could be considered a breach of confidentiality.

Fax usage

Faxed messages containing sensitive case information should only be sent to specified individuals at confirmed numbers. All faxes should contain cover sheets stating the person whom the fax is intended for. Receipt of fax should be confirmed by phone. Using pre-programmed numbers on the fax machine is preferable to dialling the number every time.

Email usage

Any information from which a Service User could possibly be identified should not be sent via email. This applies to services contacting other services.

Social media

Staff and Service Users should not form relationships through social media (e.g. accepting friend requests on Facebook) as this can lead to inappropriate information sharing.

Service User Request for Information

If a Service User wishes to have access to their file, they need to complete a written request. Requests for a copy of this information should be made in writing by the Service User to the agency from which they wish to obtain their information. If necessary, the Service User should be supported in making this request. The request will be processed by the Project Manager with that agency who will respond to the request within ten working days. In such cases care will be taken to ensure that any information relating to other individuals that is held within the Service Users file (i.e. in letter from an external agency that relates also to other family members) is not released. It is essential that legal advice (consider Freedom of Information and GDPR) is sought in relation to requests of this nature.