Chapter 10 – Anthony Corcoran (D1SOP10)

This chapter will discuss: what personal information is; what confidentiality is; confidentiality between staff; when confidentiality might be broken or breached; how information relating to a service user is used only for the purposes for which it was gathered; and the legislation impacting confidentiality in social care work. It aims to explore from a theoretical perspective the role social care workers play in maintaining confidentiality while also giving guidance on how to demonstrate confidentiality in practice. It will explore the knowledge that underpins confidentiality and also how confidentiality applies to social care settings including homecare, residential care, day services, homeless services and hospital settings (HIQA 2012).

What is Personal Information?

Personal information is data about an individual that can be used, directly or indirectly, to identify them, from a combination of data such as their name, address, race, health status, allergies, physical/ mental disability history, political opinions, religious beliefs, age, sexual orientation, fingerprints (to mention a few examples). This information can be held on computers, mobile phones, external hard drives, tablets or in physical files. Privacy is the individual’s right to control when, where and with whom their information can be shared, as outlined in the Data Protection Acts 1988 and 2003.

The Data Protection Act, implemented in Ireland in 2018 (DPC 2018a), was designed to protect the personal data of individuals in the European Union (EU). In Ireland, since 25 May 2018, this is implemented through the General Data Protection Regulations (GDPR). The legislation applies to the processing of personal data in the EU. It sets obligations on data controllers and processors to protect the data of the individual/s it relates to and gives the individual the right to the privacy of their own personal data. Where a breach or potential breach of GDPR occurs, you should notify the manager or supervisor in the service (DPC 2018b). Under the Freedom of Information Act 2014, a service user or member of staff can gain access to the personal information held by a service provider about them.

In practice

In social care, information about service users is contained within the service and may be provided to the key worker and staff who work with the service user as well as the manager or supervisor. Personal data about service users could include, for example, their age, family details, mental health status and case history. This data can be stored in a variety of formats such as service user files, daily records and computers. The data on service users and staff within the service are to be protected by the service provider and the staff who process the data. Staff members have access to personal data on service users in work when writing daily reports and adding to service users’ care plan. This includes what is said about service users in team meetings, supervisions and in work – this should also be kept confidential.

Confidential information is private information. Confidentiality is the protection of personal information that relates to service users and staff within the service. Confidentiality applies to all information that service users or staff give to other individual(s), either orally or in writing, and it applies to information gained through observation. Social care workers must comply with confidentiality as an aspect of their duty of care to their service users (‘always follow employer guidelines and relevant legislation when handling service user information’ (SCWRB 2019)). Service providers may redact service users’ and staff names and use codes or pseudonyms to protect their data should it become lost or accessed outside its intended use.

A social care worker in the position of having access to or being given data on service users works in an area where their career is based on the ability to maintain confidentiality. The protection of confidential information is vital across all professions, but especially in the caring professions as the information tends to be of a sensitive nature and relates to vulnerable individuals. Confidentiality between service users and professionals in the caring roles is highly important and forms the basis for the therapeutic framework of appropriate boundaries. This creates a safe space for the development of a meaningful and positive working relationship to begin. By breaking confidentiality, the professional loses the trust of the service user, puts their work contract at risk; and they could be at risk of legal action (HSE 2018).

If a service user no longer trusts the staff who work with them, it limits their ability to fully avail of the service and achieve their goals. At the initial stage of relationship development with a new service user, the social care worker should discuss, at the service user’s level of understanding, the boundaries in place, such as: the limitations of confidentiality; not being able to add the service user on social media; and other relevant boundaries in the service.

Confidentiality between Staff

Confidentiality applies not only to service users’ information but also to information held on staff members, including information about staff members shared by other staff. When working in social care, information staff share with each other should be considered private and confidential unless there is a risk to the individual or other people. Due to the sensitive nature of the work, social care workers can at times have demanding challenges to overcome. One study by Keogh and Byrne (2016) found that 90% of social care workers have experienced violence in the workplace. As a form of self-care, staff may discuss their concerns or worries with colleagues, which may include personal information about their home life. When a staff member shares personal information, this should be viewed as confidential information and treated as such. If a staff member’s performance is being impacted by personal life issues (which they have made you aware of), the best course of action is to discuss this with the staff member in question. If the impact is significant, encourage the staff member to share the issues with their manager to ensure that it does not affect their work. If the staff member is unwilling to discuss the issue with their manager and it is impacting their work with service users and putting others at risk, you should bring the issue to your line manager or supervisor.

The laws relating to confidentiality come from the common law duty of confidentiality, the Irish Constitution and the European Convention. Healthcare professionals are legally obligated under these laws to protect the service user’s confidentiality. There are legal sanctions for breaches in service user confidentiality.

Certain offences and provisions, such as various forms of abuse, override confidentiality. For example, if a child is hit by their parent this is a criminal offence which must be reported to the appropriate authorities such as the Gardaí and/or Tusla (the Child and Family Agency). Safeguarding concerns must also be reported when someone is at risk. Where a staff member is a mandated person there is a legal obligation under the Children First Act 2015 to report child protection concerns to Tusla (Tusla 2015).

Below is a list of the laws that impact confidentiality and that social care workers are obligated to follow in their work:

• Human Rights Act 1998
• Data Protection Acts 1988 and 2003
• Freedom of Information Acts 1997, 2003 and 2014
• Care Act 2014
• Health and Social care (Safety and Quality) Act 2015
• Data Protection Act 2018 and GDPR

Breaches of Confidentiality

A breach of confidentiality is a disclosure of information to an individual without the consent of the individual who owns the information. A breach of confidentiality breaks respect for the individual’s privacy and the confidence in which the information or data was given. In the case of a personal data breach, the controller shall without undue delay and, where feasible, not later than 72 hours after having become aware of it, notify the personal data breach to the supervisory authority in accordance with Article 55 of the GDPR.

Confidentiality in social care is not absolute. If an individual discloses that they are a significant risk to themselves or there is a risk to someone else, the social care worker must break confidentiality and report the risk to their manager or supervisor and the relevant authorities. This is especially important where a child or a vulnerable person is involved. Where a service user has broken the law, you must report it or place yourself at risk of appearing to be complicit by association. In social care work, as the service users are typically vulnerable members of society, where confidentiality must be broken it should be done appropriately to protect the service user, staff and members of the public.

Where multidisciplinary teams are involved, information about the service user may be passed between the social care workers, social worker, doctor, psychologist and other relevant professionals working with the service user.

Examples of breaches of confidentiality:

• Sharing confidential information about a service user with your family or friends.
• Talking to another member of the staff about a service user who the other member of staff does not work directly with as part of the service user’s team.
• Talking in a public place where other individuals can hear you discussing a service user’s confidential information.
• Losing technology (laptop, computer, USB stick, handheld device, phone, etc.) which contains confidential information on service users, staff and the service, whether encrypted and secure or not.
• Sharing a service user’s information outside the confines of confidentiality and consent. This situation creates confusion and constitutes a potential breach as it is unclear whether this information can be shared with staff or other professionals working with the service user.
• Losing a service user’s file or emailing private information to the wrong recipient.

What to do when a Breach Occurs

Where a possible breach of confidentiality occurs, staff should report their concerns to their manager or supervisor in the service. After being notified, the manger or supervisor should investigate the breach of confidentiality and follow the service’s policy on breaches of confidentiality (DPC 2018b).

• Where the breach occurred due to something of concern expressed by the service user around harming themselves or someone else, a risk assessment must be completed by the service provider. Relevant professionals and authorities should be notified where a risk is present.
• Where the breach has occurred from staff disclosing information inappropriately to other people, the service manager or supervisor should take the staff member through the appropriate disciplinary procedure.

Where a breach happens, the first step is to discuss it with the manager or supervisor immediately, giving clear information based on the situation. More social care workers in recent years have become mandated reporters after completing the Children First e-learning programme offered by Tusla, which has been implemented from the Children First Act 2015 (Tusla 2017). Mandated reporting (reporting child protection concerns) may involve breaking confidentiality where child protection concerns are at or above the threshold set by Tusla, such as abuse or neglect of the child. In this situation the staff member must contact their manager, supervisor or company child protection officer immediately and if the incident breaches the Tusla threshold a Tusla report must be completed.

With the best intentions in the world, at times breaches in confidentiality can occur. A breach of GDPR must be reported to the Data Protection Commissioner within 72 hours of becoming aware of the breach. Examples of breaches in GDPR can be losing records containing service user or staff details, uploading data onto the wrong computer or network, emailing data to the wrong individual, etc.

Confidentiality in Practice

As a social care worker, respecting the service users is a critical aspect of the work which was discussed in Domain 1 Proficiency 5. In social care, the service user may lack capacity to consent to confidentiality or know when confidentiality has been broken. As a social care worker, therefore, it is essential that you understand confidentiality and the limitations it has in practice. When you need to share information about a service user, the first step is to seek advice from the manager or supervisor in the service. Using the scenario below as a case study, consider if confidentiality was breached.

In the above scenario a breach of confidentiality is required to protect the safety of the service user due to the risks involved. As the social care worker covering the shift, you should inform the service user that you will have to discuss this information with your manager and, while it is great that the service user was able to go to the shop unsupported, it should be discussed as part of the care plan in place. Then this information must be passed on to the manager or supervisor in the best interest of the service user.

Service User Information and Consent

The right of service users to control their private information is an aspect of self-determination. The result of not respecting the confidentiality of the service user can be that the service user no longer trusts the staff and service provider, and the service user might refuse to give vital information, such as their health status, to the service provider.

• Only relevant information about the service user is collected and this information is stored appropriately, with a written contract explaining why the information is being collected.
• The service provider may only give ‘relevant information’ about the service user to staff.
• Personal data is only stored as long as is necessary in a secure location such as a locked room or encrypted laptop.

In Practice

At times information on a service user may only be partially passed on to staff. This can be to protect the service user from further trauma, which can have both positive and negative implications. The positive benefits of not disclosing all the service user information to staff is that it reduces potential breaches of confidentiality, respects the privacy of the service user and encourages professional boundaries (‘need to know’ basis). The negative implications of not disclosing all the information about a service user is that staff may ask the service user questions about their life, which may be triggers that the staff is unaware of. Staff may unwittingly make the service user feel vulnerable if they ask questions about events in their past that they do not wish to share. For example, a service user who was abused by a family member being asked by staff, ‘Do you see your relations often?’ This could easily cause a situation to escalate, leading to an outburst triggered by the topic being discussed.

Typically, the manager in the service would decide what information should be disclosed to staff. Where staff show that they are able to maintain confidentiality over time it gives the manager assurance that staff are professional and that there is a reduced risk of breaches in confidentiality. This will lead to staff being given full disclosure of service user information more often.