Transformation Directorate

This guidance has been reviewed by the Health and Care Information Governance Panel, including the Information Commissioner’s Office (ICO) and National Data Guardian (NDG).

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at england.igpolicyteam@nhs.net.

Sharing information with the police

Rapid access and reformatting of statistical data for timely discovery and research.

This guidance is about disclosure of information by health and care organisations to the police.



Guidance for patients and service users

The police may ask health and care organisations to provide them with information about patients and service users to support their work. There are times when this information:

  • must be provided to the police because the law requires it, for example, information relating to a road traffic accident. You will usually be told of this type of sharing although this will not always be the case
  • may be provided to the police because a sufficiently important reason has been given by the police. An example is in relation to the prevention or detection of a serious crime such as an assault where the victim has suffered serious harm. You will usually be asked before your information is shared with the police

There are times when it is not appropriate to inform or ask you about the sharing. Examples include where doing so would undermine a police investigation or put you or another person at risk of serious harm. Each request is considered carefully on a case by case basis.

Information:

Example

In the case of an individual admitted to hospital with a knife or gunshot wound, information may be given to the police when it is reasonable to believe that the wound is as a result of criminal activity.

If you are the victim of knife or gun crime, a health and care professional would usually ask you before sharing information with the police and will generally respect your wishes. However, if the health and care professional was informed by the police that the person who injured you posed a risk to other people, the health and care professional may decide to share your information. This may be even if you had previously declined as in their professional judgement, the need to protect others from serious harm outweighs the duty of confidentiality they owe to you. However, they should generally inform you of any disclosures that have been made as soon as possible, unless the person making the disclosure judges that it is not practical or safe to do so.

If you are the suspect of knife or gun crime, it is unlikely that your consent would be sought or that practitioners would inform you that they had decided to share information with the police. Doing so may jeopardise a police investigation.

Where a decision is made to share information with the police, health and care organisations will only share the minimum amount of information they require to investigate or prevent crime. It may be that your address is shared rather than your medical information. If you attended an outpatients appointment at a particular time, confirmation of this could be shared without details of the treatment you received.


Guidance for healthcare workers

The public interest is best served when health and care organisations co-operate with the police. However, any decisions to disclose personal or confidential patient information must be taken on a case-by-case basis. A clear legal basis must be identified and recorded and in line with professional guidance. There are legal constraints on what can and should be provided, but this depends on the circumstances. The following should help in the event that you are asked for information by the police:

Make sure you know how to get support and advice

Read and understand your local policy and procedures which should set out how requests for information from the police should be dealt with.

Be aware of, and abide by, the advice on public interest disclosures provided by your professional regulator (for example, the General Medical Council if you are a doctor).

Know who deals with requests from the police in your organisation, who you can ask for advice and who should authorise the disclosure of information to the police. Requests (whether written or verbal) should be processed by trained or experienced staff. If you work in a large organisation, there may be a team who is responsible for managing requests. In smaller organisations there should be an individual who is trained to manage requests. This should be set out in your local procedure.

Know what to do if these people are unavailable (for example, you are working out of hours). If a decision really cannot wait because someone is at imminent risk of serious harm, use your professional judgement. If in doubt, seek advice from the most senior manager on call before making a disclosure decision. You must record your reasons irrespective of whether or not you share information.

Understand that there may be times when it is appropriate to challenge a request from the police. You should not feel under pressure to provide personal or confidential patient information and never give the police an original health and care record to take away. You should use the support available in your organisation.

Make sure you know what to do if you are responsible for making a decision

If you are responsible for responding to the police or making a decision about sharing information, it is important that you are prepared in advance of any request.

Decisions on providing information to the police may be:

  • in response to a request from the police
  • due to an incident which the police should be alerted to for example, reporting knife crime

When deciding whether to disclose information, there are several things to consider:

  • if there is a legal duty to disclose
  • whether the public interest served by disclosure outweighs the public interest served by protecting the confidentiality of the individual and the public interest served by providing a confidential service to the wider public
  • whether it is necessary to disclose personal or confidential patient information. If so, when. For example, you might report a suspected knife crime to the police without disclosing the details of the victim in the first instance in order to avoid delaying or hampering their treatment
  • the minimum amount of data you need to share to support the police in their work. You don’t need to share any clinical information. An example is if you are requested to provide a patient’s contact details or you might confirm a person attended the Emergency Department without disclosing details of the treatment they received

When you must provide information to the police

Where there is a legal duty to disclose, this means you MUST provide the necessary and relevant information. You should make sure that any disclosure is required by law and, if necessary, ask the police to confirm the statutory or other legal basis they are relying upon. Also, ensure any disclosure you make is consistent with the guidance published by your professional regulator.

Common examples include:

  • prevention of Terrorism Act (1989) and Terrorism Act (2000). You must inform the police if you have information (including personal information or confidential patient information) that may assist them in preventing an act of terrorism or help in apprehending or prosecuting a terrorist
  • the Road Traffic Act (1988). You must inform the police, when asked, for any information that might identify any driver who is alleged to have committed an offence under the Act
  • the Female Genital Mutilation Act (2003). You must report to the police where it appears that a girl under the age of 18 has been subject to genital mutilation

The police sometimes get court orders to obtain information from organisations or individuals and you must comply with court orders. You should always seek advice from your Information Governance manager, senior clinical managers, Caldicott Guardian, Data Protection Officer (DPO) and/or legal advisors/medical defence organisations where a court order has been served. Where a court order is ambiguous or appears to require disclosure of too much data, it may be possible to query it with the court. The decision to query a court order needs to be made at an appropriate level of seniority and be actioned as quickly as possible.

When you need to decide whether to provide information to the police

In some cases, the law provides permission for you to disclose information, but you are not obliged to do so. You therefore have to decide whether the public interest is best served by:

(i) protecting confidentiality;

(ii) disclosing personal or confidential patient information or

(iii) disclosing information that does not identify a patient but may still assist the police in their inquiries (for example, the location of a violent incident).

Generally, a disclosure can be made in the public interest to assist the police in preventing or detecting a serious crime or to prevent serious harm to another person. Your regulator may set out professional standards in relation to public interest disclosures which you will need to abide by.

In circumstances where you have to make a decision whether to disclose information you must take into account patient confidentiality. You should generally seek explicit consent, under common law, from the patient or service user. However, there are circumstances where this would not be appropriate. This includes where it would cause harm to the patient or service user or others. For example, if you are treating a child who may be presented with injuries that suggest potential child abuse. You would not tell the parents that you are informing the police, as this may cause the parents to abscond or flee, potentially placing the child at greater risk of physical or mental harm. (See section for information governance (IG) professionals if further information is required).

General points to consider when responding to any request

You should remember the following in relation to any request for information from the police:

  • Ask the police to provide further information, if required, to assist you in ensuring any disclosure you make is necessary and proportionate. For example, helping you identify the correct person from your organisation’s records or sharing details of the incident they are investigating to help establish whether there is a public interest justification for disclosing personal or confidential patient information.
  • Consider whether it is appropriate to seek explicit consent from the individual before disclosing information to the police. For example, seeking consent would not put the patient or another person at risk of serious harm, or undermine a police investigation by allowing a suspect to abscond.
  • Only provide information that is necessary and relevant for the specific enquiry. For example, if the police want inpatient dates, only provide inpatient dates once you are satisfied with the validity of the request.
  • Document what was requested, by whom, what was given and obtain a signature from the requester. This can be documented in the health and care record or a log or register of disclosures.
  • Where time permits or you are not sure what to do, you should seek advice, for example, from a Caldicott Guardian, IG lead, medical defence organisation or DPO. You should check your organisation’s policy to understand the agreed processes.

Transfer of information to the police

If it is appropriate for you to respond to the police, this should be in writing. In an emergency or urgent situation, a verbal response may be provided but this should be followed up in writing as soon as possible. If you have been asked to provide information either on a CD, DVD, USB or via digital media or email, the files must be encrypted or sent from an NHSmail account or gov.uk account to a pnn.police.uk email account. All transfers, including paper, must be to a named individual and be secure. Guidance on secure transfer of information can be found in your organisation’s policies and procedures and/or the Data Security and Protection Toolkit.


Guidance for IG professionals

It is important your local organisation has a policy in place in relation to disclosures of information to the police and you are able to provide advice to colleagues in the event of a request for information from the police. This includes both situations where there is a legal duty to provide information to the police. For example, information that might identify any driver who is alleged to have committed an offence under The Road Traffic Act and disclosures in the absence of a legal duty (see section for health and care professionals for further information).

Disclosures to the police would still be subject to legal redactions, such as third party information. This is unless there is a justification for disclosing that information (for example, the police need access to the original, unredacted record).

In some cases, the police may want to inspect the record at your premises, rather than have a copy sent. In these cases, you should agree on a time for the visit (which should be as soon as possible). Review the record ahead of the visit to ensure that you will not inadvertently disclose information that is irrelevant to police inquiries. Ideally, you should have a clinician available to help the police understand any medical terms or content that might be unfamiliar to them.

You should respond to police requests in a timely manner (this will vary depending on the amount of information relevant to the enquiry), or within the timeframe stipulated on a court order. If the request is going to take longer than anticipated to respond to, it is advisable to contact the police or court and explain the situation.

The data subject is also free to make a Subject Access Request (SAR) and share their information with the police in that way.

Data Protection Act requirements

The UK GDPR and the Data Protection Act 2018 (DPA) set out exemptions from some of the rights and obligations in some circumstances. This includes the prevention and detection of crime (schedule 2 paragraph 2 of the DPA). This enables the work of the police to be exempt from a number of requirements (though not all) where meeting them would undermine work to investigate and prosecute crime. The Information Commissioner’s Office (ICO) has provided guidance on sharing personal data with law enforcement authorities and sharing personal data with a law enforcement authority, such as the police.

Whilst other Acts provide a duty to disclose information in certain circumstances, data protection law does not itself provide a duty to disclose. It also does not override the requirements of the common law duty of confidentiality which must be met prior to disclosure being lawful unless the disclosure is required by legislation (see below). It does no more than relax the DPA requirements that need to be met.

Common Law Duty of Confidentiality

In the absence of a statutory duty to disclose confidential patient information to the police, any disclosure would need to be supported by either the explicit consent of the individual concerned or be sufficiently in the public interest to warrant the disclosure. A public interest disclosure would mean the public good arising from the disclosure is thought to outweigh both the duty of confidentiality to the individual and the public good served by the provision of confidential care services. Health and care professionals will also need to abide with the professional standards set by their regulators. Guidance is available on public interest disclosures.

Standard forms

Many police forces have standard forms (often referred to as DP7 or DP9 - and previously known as “Section 29 forms”) for requesting personal or confidential patient information. Although the use of these forms is not mandated, they are the recommended way to obtain the information needed to make a decision about disclosure. If, however, organisations are satisfied that they have the information needed to make a disclosure decision without using the forms, they can proceed on that basis. A request should be provided in writing and signed by a senior officer (usually Inspector or above like a Chief Inspector, Superintendent or Chief Superintendent).

The request should provide:

  • a clear indication that the police are confident that they are working within the framework of the DPA. It should satisfy all relevant DPA requirements and be clear that information is required for the prevention and detection of crime. It is important to remember that in order to rely upon a public interest justification for the disclosure of personal or confidential patient information, the police must be investigating or preventing serious crime. For example, crime where a person has or might suffer serious harm
  • clarification on whether informing the individual about the disclosure would prejudice the investigation. Note, that where the request does not set the requirement to inform an individual aside, then this must be done as soon as possible and should not delay any disclosure
  • a clear description of the specific information that is requested. This must match the information you have on your systems
  • an outline of the nature of the offence so that you can make an informed decision about whether to disclose the information and whether the crime is sufficiently serious to justify a disclosure in the public interest
  • a record of the individual’s consent to share information, where this has been obtained

Whilst the forms can provide useful information to support decision making about disclosure, they do not enable confidentiality requirements to be set aside or overridden.

Further information

Rapid access and reformatting of statistical data for timely discovery and research.