The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Our data sharing code provides real-world examples and case studies of different approaches to data sharing, including where organisations found innovative ways to share data while protecting people’s information.

Here are some case studies additional to those in the code.

Data sharing to improve outcomes for disadvantaged children and families

Social workers frequently need access to information about children and their families when deciding whether there is a safeguarding risk and what support is most appropriate.

Two councils in different areas of the UK partnered with a not-for-profit organisation to find a data sharing solution where social workers would have all the information they need from the start.

After extensive user research and workshops with stakeholders and families, they found that social workers needed access to the contact details of the lead practitioner of a case from other services (police, housing, schools and adult social care), and basic information about when the service was last involved with the family. The research found that sharing such data would:

  • reduce the amount of time social workers spend looking for information;
  • enable more joint working among services (eg children’s social care working more closely with adult social care);
  • ensure social workers have access to all the information they need when assessing safeguarding risk and making support decisions for children and their families; and
  • allow children and families to access better, more timely services.

At the same time, the two councils and the not-for-profit organisation explored the information governance and ethical implications of accessing and using sensitive personal data within social care. They ran ethics workshops with the project team and conducted user research with those most likely to be affected by the data sharing (residents who have had contact with social care and social workers).

The research enabled the two councils to design, build and embed a digital data sharing solution that empowers social workers, enables professional judgement, protects privacy, and ultimately enables children and their families to access the right support and reach their potential.


Sharing with partners in the voluntary or private sector

A group of voluntary sector organisations worked with health and social care partners (both private and public sectors) on a project to deliver improved outcomes for older people in the community and in hospital.

The project team recognised that it needed to establish a culture of shared information, along with a phased, proactive approach to seeking individuals’ consent. It also recognised that the involvement of volunteers could have implications for the sharing of data within the project team, as they have a different legal status to the agencies’ employees and might not have received the same level of training as employees in the work of the organisation.

The project was set up as follows:

  • The volunteers signed contracts setting out their roles, responsibilities and standards - including those for information security - equivalent to those of the agencies’ employees. The contracts were intended to formalise and support the volunteers’ responsibilities for gathering and sharing information. Training and ongoing support were provided to the volunteers.
  • GPs asked their elderly patients whether they would like to take part in the project. They were asked specifically whether they agreed to relevant information from their health record being shared with a multi-disciplinary project team consisting of health, social care and voluntary sector practitioners.
  • At the initial home visit, the volunteer explained the information-sharing aspects of the service and asked for written consent.
  • All of the organisations and GP practices involved in the project entered into a single data sharing agreement. This built accountability and trust between the agencies involved.

Note it was important to consider whether the necessary legal power or ability to share personal data was in place. The legal power is separate from the lawful basis for data processing.


Landlord and tenant data sharing

A housing association occasionally received requests from organisations such as utility companies, debt collectors and councils for information about current and former tenants. However it was considered not to be appropriate to enter into a data sharing agreement as the sharing was not on a regular basis.

On one occasion, a utility company contacted the housing association and asked for the forwarding address of a former tenant who was in arrears on his gas and electricity account. The housing association disclosed the information because they had advised tenants at the start of their tenancy that they would make such disclosures because of the contractual relationship between tenants and the utility company. All tenants had agreed to this.

On another occasion, a debt collection company acting for a third party contacted the housing association for the forwarding address of a former tenant. The housing association decided that it could not disclose the information because it had no lawful basis for the disclosure. It withheld the tenant’s new address from the debt collection company.

The housing association dealt with requests for information effectively because it had put a system in place which required a senior person or group of people, trained in data protection, to decide whether or not to release personal information on a case-by-case basis.

This involved verifying the identity of the requester, insisting that all requests were in writing and ensuring that the requester provided enough information to make a proper decision. If the housing association decided to share the information, they only provided relevant, necessary information and, in every case, they made a record of the disclosure decision.


Sharing medical records of care home residents

Staff in a privately-owned care home did not have access to the recent medical history of residents. Instead, the home used to phone the GP practice or call out a GP every time they needed more information. This could be a risk, as the staff might need to check quickly what medicines residents were taking and at what dosages.

To make the process more efficient, the care home and the local GP practice signed up to a formal data sharing agreement, so the care home staff would have access to their residents’ electronic medical records when necessary.

The GP practice and local Clinical Commissioning Group made potential residents aware that if they were admitted to the care home there was a possibility that their medical record would be accessed. In addition, when patients were admitted to the care home, their explicit consent - or that of their representatives – was sought before their electronic medical record was accessed. Where consent was not provided, the former system of contacting a GP would continue to be used.

Other key features of the data sharing agreement were:

  • access to residents’ records could only take place while they were under the care of the home;
  • access was restricted to the clinical and professional nursing staff at the care home;
  • access was only allowed where this was necessary to provide treatment and for residents’ safety;
  • access was restricted to information relevant to the provision of care to residents;
  • access to the information was by secure means; and
  • the information obtained was held securely and in accordance with good information management practice.

A formal data sharing agreement can put in place effective safeguards for residents and can ensure the various parties involved in data sharing are working to a common set of rules. An agreement can also help to deal with the ethical and confidentiality issues that can arise in health and social care.

Even if there is a data sharing agreement in place, organisations still need to make sure that individuals whose data may be shared are aware of what is taking place. This can be done through the privacy information they provide, using various methods. In the circumstances outlined here, it might be more effective to talk to individuals to explain the situation and to find out whether they agree to their information being shared. Their decision needs to be documented.