{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Sharing Information with 3rd Party Organisations Policy
1. Purpose
The purpose of this policy is to provide clear guidance on how {{org_field_name}} shares information with third-party organisations while ensuring compliance with the UK General Data Protection Regulation (UK GDPR), Data Protection Act 2018, and Care Inspectorate Wales (CIW) regulations.
Information sharing is essential for effective service delivery, safeguarding, and multi-agency collaboration, but it must be managed in a way that protects service user confidentiality, ensures legal compliance, and maintains trust. This policy outlines when, how, and why information may be shared and how we ensure safe, lawful, and efficient handling of data.
2. Scope
This policy applies to:
- All employees, including care workers, managers, and administrative staff.
- Third-party organisations, including local authorities, NHS teams, regulatory bodies, law enforcement, advocacy groups, and other health and social care providers.
- Any personal data, including service user records, staff information, and business-sensitive data.
This policy applies to all formats of data, including written, verbal, electronic, and digital communications.
3. Legal and Regulatory Framework
Information sharing at {{org_field_name}} must comply with the following legislation and regulations:
- UK GDPR & Data Protection Act 2018 – Defines how personal data must be processed, stored, and shared.
- The Regulation and Inspection of Social Care (Wales) Act 2016 (RISCA) – Establishes requirements for information-sharing in regulated services.
- The Social Services and Well-being (Wales) Act 2014 – Mandates collaborative working and data sharing to support vulnerable individuals.
- The Freedom of Information Act 2000 – Governs the release of non-personal organisational information.
- The Common Law Duty of Confidentiality – Ensures information is shared only when legally justified.
Failure to comply with these laws could result in regulatory action, fines, and reputational damage to {{org_field_name}}.
4. Principles of Information Sharing
When sharing information with third-party organisations, {{org_field_name}} adheres to the following principles:
- Lawfulness, Fairness, and Transparency – We only share data where there is a legal basis and inform individuals where appropriate.
- Purpose Limitation – Data is shared only for legitimate and specified reasons.
- Data Minimisation – We only share the minimum necessary information required for the purpose.
- Accuracy – We ensure data is accurate and up to date before sharing.
- Confidentiality and Security – Data is shared securely and only with authorised recipients.
- Accountability – We keep records of all data-sharing activities to demonstrate compliance with GDPR.
5. When Information May Be Shared with Third Parties
Information may be shared with external organisations under the following circumstances:
5.1 Safeguarding and Protection of Individuals
We are legally required to share information when:
- There are concerns about abuse, neglect, or exploitation.
- There is a risk of significant harm to a service user or others.
- We are making a safeguarding referral to the Local Authority.
In these cases, consent may not be required, but only relevant information will be shared with authorised professionals.
5.2 Multi-Agency Care Planning and Service Coordination
To provide safe and effective care, we may need to share service user information with:
- General Practitioners (GPs) and healthcare professionals.
- Social workers, local authorities, and case managers.
- Specialist services (e.g., physiotherapists, occupational therapists, mental health teams).
Before sharing, we obtain explicit consent from the service user unless it is required for urgent care or safeguarding.
5.3 Regulatory and Legal Compliance
We must share information when:
- CIW, the Information Commissioner’s Office (ICO), or other regulatory bodies request information as part of an inspection or investigation.
- We receive a lawful request from law enforcement or a court order.
- We submit statutory notifications to CIW regarding serious incidents.
Only necessary data is shared, and we ensure appropriate safeguards are in place.
5.4 Emergency Situations
In emergencies, we may share essential medical or personal information to prevent:
- Serious harm to the individual or others.
- A medical emergency requiring immediate intervention.
If the service user is unable to give consent, decisions will be made in their best interests, following Mental Capacity Act 2005 principles.
5.5 Sharing for Research and Training Purposes
Any non-identifiable data may be shared for training, auditing, and research to improve services. If identifiable information is required, we will obtain informed consent from the individual before sharing.
6. Gaining and Recording Consent
Where required, informed consent will be obtained from service users or their legal representatives before sharing information. This includes:
- Explaining what data will be shared, with whom, and why.
- Providing an opportunity to object (unless we are legally required to share).
- Recording consent in care records.
If consent is refused and there is no legal obligation to share data, we will respect the individual’s wishes.
7. Secure Methods of Sharing Information
To ensure data security and prevent unauthorised access, we follow strict protocols:
- Email Encryption: All emails containing personal data are encrypted using secure NHS or Local Authority-approved platforms.
- Secure File Transfers: Large data files are sent via approved secure transfer platforms.
- Telephone Communication: When sharing information over the phone, we verify the recipient’s identity and authorisation before disclosure.
- Paper Records: Physical documents are shared only via recorded delivery or by hand delivery to authorised persons.
Any data breach or unauthorised disclosure must be reported immediately to the Data Protection Officer.
8. Managing Information Requests from Third Parties
Requests for information must be:
- Assessed for legality before processing.
- Documented, including details of the request, what was shared, and why.
- Approved by senior management if they involve sensitive data.
Service users have the right to request access to their information under the Data Subject Access Request (DSAR) process.
9. Employee Responsibilities and Training
All employees handling personal data must:
- Follow GDPR and Data Protection Act guidelines.
- Attend annual data protection training.
- Report any data breaches immediately.
Failure to follow this policy may result in disciplinary action and potential legal consequences.
10. Related Policies
This policy should be read alongside:
- Confidentiality and Data Protection Policy (DCW34)
- Safeguarding Adults from Abuse and Improper Treatment Policy (DCW13)
- Staff Conduct and Code of Ethics Policy (DCW28)
- Disciplinary and Grievance Policy (DCW31)
11. Policy Review
This policy will be reviewed annually or sooner if legislation, CIW regulations, or business needs change. Updates will be communicated to all employees and relevant stakeholders.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.