{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Sharing Information with Third-Party Organisations Policy
1. Purpose
The purpose of this policy is to ensure that {{org_field_name}} shares information with third-party organisations in a manner that is lawful, ethical, secure, and in compliance with CQC regulations. The sharing of information is essential for effective care coordination, safeguarding, regulatory compliance, and operational efficiency, but it must be done with strict data protection measures in place.
This policy ensures that:
- Information is shared lawfully, fairly, and transparently in compliance with GDPR and the Data Protection Act 2018.
- Only necessary and relevant information is shared, minimising risks to data security.
- People we support, their representatives, and staff understand their rights regarding data sharing.
- CQC compliance is maintained by ensuring proper governance and record-keeping.
- Information is shared efficiently, securely, and only with authorised organisations.
2. Scope
This policy applies to:
- All employees, including full-time, part-time, agency, and voluntary staff who handle or share information.
- Management teams, responsible for ensuring compliance with data-sharing regulations.
- Third-party organisations, including healthcare providers, regulatory bodies, safeguarding teams, local authorities, legal representatives, law enforcement, and external service providers.
- People we support and their families, ensuring their data is handled securely and transparently.
3. Legal and Regulatory Compliance
This policy aligns with:
CQC Regulations (Health and Social Care Act 2008, Regulated Activities Regulations 2014)
- Regulation 17 (Good Governance) – Requires providers to maintain accurate records and ensure secure information management.
- Regulation 9 (Person-Centred Care) – Ensures that information is shared appropriately to deliver coordinated care.
- Regulation 10 (Dignity and Respect) – Protects individuals’ privacy and dignity when sharing personal information.
- Regulation 13 (Safeguarding Service Users from Abuse and Improper Treatment) – Ensures information is shared appropriately with safeguarding authorities to protect vulnerable individuals.
Other Relevant Laws and Guidelines
- General Data Protection Regulation (GDPR) & Data Protection Act 2018 – Govern lawful information processing and individual rights.
- The Freedom of Information Act 2000 – Outlines public rights to access non-confidential information from public authorities.
- The Care Act 2014 – Requires care providers to share safeguarding information appropriately.
- The Mental Capacity Act 2005 – Ensures individuals who lack capacity have their data shared in their best interests.
- The NHS Data Security and Protection Toolkit – Provides guidelines for secure data handling in health and social care settings.
4. Principles of Information Sharing
All information sharing must adhere to the six GDPR principles:
- Lawfulness, Fairness, and Transparency – Information must be shared legally and transparently.
- Purpose Limitation – Data must be shared only for specified, legitimate purposes.
- Data Minimisation – Only necessary information should be shared.
- Accuracy – Information must be correct and up to date.
- Storage Limitation – Information should not be kept longer than necessary.
- Integrity and Confidentiality – Data must be protected from unauthorised access or loss.
5. Approved Third-Party Organisations for Information Sharing
{{org_field_name}} may share information with the following approved organisations:
5.1. Health and Social Care Providers
- GPs, hospitals, NHS trusts, district nurses, mental health teams – To coordinate treatment and care.
- Pharmacists and medication management services – To ensure safe prescribing and administration of medication.
- Tissue viability nurses, physiotherapists, and dietitians – For specialist health interventions.
5.2. Regulatory and Safeguarding Bodies
- Care Quality Commission (CQC) – For compliance monitoring and incident reporting.
- Local Authority Safeguarding Teams – For protecting vulnerable adults from harm.
- Integrated Care Boards (ICBs) and Social Services – For funding, assessments, and care planning.
- The Office of the Public Guardian (OPG) – Where legal representatives or power of attorney are involved.
5.3. Law Enforcement and Legal Bodies
- Police and emergency services – If a crime is suspected or there is an urgent safeguarding concern.
- Legal representatives and courts – If required by law or in the individual’s best interests.
- Coroners and forensic services – If an investigation is required into an individual’s death.
5.4. External Service Providers
- IT and software providers – If using electronic care planning or data storage systems.
- Payroll and HR service providers – For staff employment records and pension administration.
- Insurance companies – For claims related to health, safety, or care provision.
6. Lawful Bases for Information Sharing
Information will only be shared when a lawful basis under GDPR is met:
- Consent – The individual has given explicit permission for their data to be shared.
- Legal Obligation – The information must be shared by law (e.g., safeguarding cases).
- Vital Interests – The sharing of data is necessary to protect life (e.g., emergency medical situations).
- Public Task – The information is required for a public duty (e.g., CQC reporting).
- Legitimate Interests – The sharing of data is necessary for business operations and does not infringe on individuals’ rights.
7. Obtaining and Documenting Consent
- Informed consent should be obtained before sharing information unless there is a legal or safeguarding requirement.
- Consent should be documented in the person’s care plan or records.
- Where an individual lacks capacity, decisions must be made in their best interests following the Mental Capacity Act 2005.
- If consent is refused but sharing is legally required, the decision must be documented and legal advice sought if necessary.
8. Data Security and Confidentiality in Information Sharing
8.1. Secure Methods for Sharing Information
All information sharing must be done using secure and approved communication channels, including:
- NHS Mail or encrypted email for electronic correspondence.
- Secure cloud-based care management systems.
- Recorded telephone calls where necessary for legal documentation.
- Face-to-face meetings, ensuring confidentiality is maintained.
- Post or courier for confidential legal documents, using tracked delivery.
8.2. Restrictions on Informal or Unauthorised Information Sharing
Staff must not:
- Share information via personal email, phone, or social media.
- Discuss personal data in public or unauthorised areas.
- Print or copy records unless required for legal purposes.
9. Staff Training and Responsibilities
All employees must:
- Complete GDPR and data protection training annually.
- Understand who information can be shared with and when.
- Seek guidance from the Data Protection Officer if unsure about information sharing.
- Report any data breaches immediately to management.
10. Monitoring, Audits, and Compliance
To ensure compliance with this policy:
- Regular audits will check that information is being shared correctly.
- Incidents of unauthorised data sharing will be investigated and reported.
- CQC inspections will review information governance procedures.
- Staff feedback will be gathered to ensure understanding and compliance.
11. Related Policies
This policy should be read alongside:
- CH34 – Confidentiality and Data Protection (GDPR) Policy.
- CH13 – Safeguarding Adults from Abuse and Improper Treatment Policy.
- CH17 – Information Security and Record-Keeping Policy.
12. Policy Review
This policy will be reviewed annually or sooner if:
- Legislation changes.
- CQC guidance updates occur.
- A data breach or compliance concern arises.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.