Part of Objective E - Using and sharing information appropriately
Principle: E3 Using and sharing information
E3.a Using and sharing information for direct care
“You lawfully and appropriately use and share information for direct care.”
Overview
This contributing outcome relates to your organisation facilitating the lawful and appropriate use and sharing of information for direct care.
If you have assessed all your organisation’s uses of information and determined that none of the uses are relevant to direct care, you should mark this outcome as ‘Achieved’. In your supporting statement, you should explain the process you have gone through to reach your determination.
Using and sharing information for direct care
Your organisation has a duty to share information about a patient or service user for direct care purposes unless a specific exception applies. This is set out in the Health and Social Care Act 2012.
Your organisation’s policies and procedures for using and sharing information for direct care should reflect that an appropriate legal basis is considered under both Common Law and UK General Data Protection Regulation (GDPR), and also be informed by the National Data Guardian's Caldicott Principles.
Practical ways to gain assurance that clinical staff within your organisation are appropriately using and sharing information for direct care include:
- policies and procedures - clearly signposting policies and procedures for staff members on your organisation’s intranet pages that establish how information should be used and shared
- training - ensuring that training is delivered to staff members covering their day-to-day information sharing responsibilities under UK GDPR, Common Law and the Caldicott Principles (such as the Data Security Awareness training and Information Sharing training provided by NHS England)
- engagement - using internal communications channels to promote the importance of robust information sharing practices and highlight improvements made as a result of things that have gone wrong as opportunities for continuous learning and improvement
Reasonable expectations and objections
Staff members should use and share information in line with patients’ reasonable expectations. This means that before using or sharing information, staff members should:
- ensure that it is reasonable to believe that the patient concerned understands the reason for, and expects, the use or sharing of their information
- check the patient record for any objections, and if relevant, decide whether to uphold them
Both of these concepts are covered in the Data Security Awareness training and Information Sharing training provided by NHS England.
Specific legislation about confidential information
Specific legislation exists which applies some limitations on information being shared for direct care. This includes:
- the Health and Social Care Act 2012 which sets out restrictions on sharing where a service is an anonymous access provider, such as a dedicated human immunodeficiency virus (HIV) and sexually transmitted infection (STI) service
- the Gender Recognition Act 2004 and Gender Recognition Order 2005 which limit the circumstances in which certain information can be disclosed without explicit consent
- the Human Fertilisation and Embryology Act 1990 which prevents information from being disclosed relating to certain treatments defined under the Act
Your organisation must be aware of these legal restrictions on using and sharing information, where relevant.
Non-routine ad hoc data sharing for direct care purposes
Most information sharing for direct care will occur within your own organisation, or with other health and care providers within your local network.
However, you may receive information requests from health or care organisations for direct care who are not part of your usual sharing networks, for example organisations situated abroad. These requests should be considered on a case-by-case basis, with controls to ensure that data protection principles and best practices for information sharing are adhered to.
In practice, when staff members receive information sharing requests for direct care which they consider to be unusual, they should know to contact your IG teams and Caldicott Guardian for advice. In turn, your IG teams and Caldicott Guardian should be ready to advise on an appropriate course of action. You should have an internal process which ensures this happens where necessary, and that the disclosures are appropriately recorded.
Arrangements for information sharing for direct care
If you're routinely sharing data with another controller organisation, it's good practice to have arrangements in place such as:
- data sharing agreements (see NHS England’s Data Sharing and Processing Agreement template for more information)
- policies, processes and procedures (information sharing frameworks, data protection impact assessments (DPIAs))
There are different forms your arrangements for information sharing can take. What's important is that you can demonstrate that you have considered:
- the nature of the information being shared
- measures to ensure the sharing adheres to legal and professional requirements
- roles and responsibilities of those involved in the sharing
Supporting evidence
To support your response, you can review and upload (or link to) evidence which best demonstrates your achievement of the contributing outcome. Examples include:
- evidence of policies and procedures for direct care information sharing
- training needs analysis and materials used for staff awareness
- documents related to data sharing arrangements for direct care
This is not an exhaustive list. You're welcome to provide other types of evidence if you feel they are relevant to the contributing outcome.
Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers where appropriate.
Interpreting indicators of good practice
| Indicator(s) of good practice | Term | Interpretation |
|---|---|---|
| A#1 Relevant staff understand what direct care is, the activities it covers, and when they should use or share information to facilitate it. | 'relevant staff' | These should include anyone who has access to confidential patient information. Examples include, but should not be limited to: |
| A#1 Relevant staff understand what direct care is, the activities it covers, and when they should use or share information to facilitate it. | 'direct care' | For the purposes of the DSPT assessment, 'direct care' should be interpreted as per the definition given in the National Data Guardian’s 2013 Information Governance Review. |
| A#3 Information which is used or shared for direct care is relevant and proportionate. | 'relevant and proportionate' | Assessing the relevance and proportionality of information before using or sharing it forms part of your legal obligations under UK GDPR and professional obligations under the Caldicott Principles. Decisions made in situations where there is a question over relevance or proportionality should be justified and recorded. |
Additional guidance
For additional guidance, see:
NHS England | Use and share information with confidence
NHS England | Information sharing in multidisciplinary teams
NHS England | Sharing information with the voluntary sector
NHS England | HIV and sexually transmitted infections (STIs)
Information Commissioner’s Office | Data sharing: a code of practice
E3.b Using and sharing information for other purposes
“You lawfully and appropriately use and share information for purposes outside of direct care.”
Overview
This contributing outcome relates to your organisation facilitating the lawful and appropriate use and sharing of information for other purposes outside of direct care.
Using information for other purposes outside of direct care
When using confidential patient information for purposes other than individual care, such as planning or research, you must have an appropriate UK General Data Protection Regulation (GDPR) legal basis and ensure you have satisfied the common law duty of confidentiality.
You must always consider whether confidential patient information is actually needed for the purpose. If confidential patient information is essential, then explicit consent is normally required for purposes beyond individual care.
If it's not practicable to seek consent for purposes beyond individual care, approval for sharing for medical research or health service planning can be sought from the Health Research Authority or the Secretary of State for Health and Social Care under the Health Service (Control of Patient Information) Regulations 2002. This is often known as 'section 251 support'. Section 251 enables the common law duty of confidentiality to be lifted for a period of time, subject to review, so that confidential patient information can be used without breaching the duty of confidentiality. Refer to HRA guidance for further information.
Sharing information for other purposes outside of direct care
Your organisation should have procedures in place to deal with requests for information from third parties for purposes outside of direct care, such as:
Your procedures for dealing with these requests should involve an appropriate legal basis being used under both common law and UK GDPR.
Under common law, this may include consideration of:
- whether it's appropriate to seek explicit consent from the data subject
- whether there is a legal duty or permission to disclose
- whether the public interest served by the disclosure outweighs the public interest served by protecting the confidentiality of the individual concerned, as well as the public interest in maintaining a confidential health and care service
- whether section 251 support is required to set aside the legal obligation of confidentiality
For UK GDPR considerations, see the ICO’s data sharing code of practice.
Your procedures should also be informed by The Caldicott Principles.
Documenting decisions and disclosures
Appropriate members of staff such as your Caldicott Guardian and information governance (IG) steering group should be involved in decisions and procedures associated with using and sharing information for secondary purposes.
For any decisions taken, details should be recorded with a clear UK GDPR legal basis and common law basis identified in line with professional guidance.
There is no mandated format for recording disclosures. However, your disclosure log should include:
- nature and quantity of information requested
- details of the requester
- nature and quantity of information given
- names and roles of decision makers
- justifications for any decisions taken
- risk assessments carried out
Arrangements for information sharing for other purposes outside of direct care
If you're routinely sharing data with another controller organisation, it's good practice to have arrangements in place such as:
- data sharing agreements (see NHS England’s Data Sharing and Processing Agreement template for more information)
- agreed policies, processes and procedures, such as information sharing frameworks, and data protection impact assessments (DPIAs)
There are different forms your arrangements for information sharing can take. What's important is that you can demonstrate that you have considered:
- the nature of the information being shared
- measures to ensure the sharing adheres to legal and professional requirements
- roles and responsibilities of those involved in the sharing
Supporting evidence
To support your response, you can review and upload (or link to) evidence which best demonstrates your achievement of the contributing outcome. Examples include:
- evidence of policies and procedures for non-direct care information sharing
- training needs analysis and materials used for staff awareness
- privacy information or equivalent
- documents related to data sharing arrangements for other purposes outside of direct care
- disclosure log
This is not an exhaustive list. You're welcome to provide other types of evidence if you feel they are relevant to the contributing outcome.
Your supporting statement should cross-reference how each piece of evidence provides justification for your achievement of the contributing outcome, including relevant page numbers where appropriate.
Interpreting indicators of good practice
| Indicator(s) of good practice | Term | Interpretation |
|---|---|---|
| PA#1 Relevant staff members understand which of your organisation’s information sharing activities fall outside of direct care. | 'relevant staff' | Requests to share information (whether written or verbal) should be processed by trained or experienced staff. If you work in a large organisation, there may be a team who is responsible for managing requests. In smaller organisations there should be an individual who is trained to manage requests. |
| PA#1 Relevant staff members understand which of your organisation’s information sharing activities fall outside of direct care. | 'direct care' | For the purposes of the DSPT assessment, 'direct care' should be interpreted as per the definition given in the National Data Guardian’s 2013 Information Governance Review. |
Additional guidance
For additional guidance, see:
NHS England | Use and share information with confidence
NHS England | Sharing information with the voluntary sector
NHS England | Sharing information with the police
NHS England | Access to the health and care records of deceased people
NHS England | Inquiries, reviews, investigations and court orders in health and social care services
Information Commissioner’s Office | Data sharing: a code of practice
Information Commissioner’s Office | Sharing personal data with law enforcement authorities
Last edited: 26 August 2025 3:32 pm