This guidance has been reviewed by the Health and Care Information Governance Panel, including the ICO and NDG.

The panel exists to simplify information governance guidance. Have we done a good job? Let us know at datapolicyhub@nhsx.nhs.uk.

Use and share information with confidence


This guidance will support you to use and share information with confidence when caring for patients and service users.



Guidance for patients and service users

Your health and care organisations will ensure that people providing care to you have the information they need about you for your individual care. 

When your information is shared with people providing your care, your health and care organisation will ensure that this information is relevant and appropriate, as they have to balance any sharing of your information with their duty to protect your confidentiality.

You can always ask how your information is being shared, and you can object to this. You should discuss any objection with your health and care organisation as there may be times when not sharing your information might impact on providing you with safe care.

Your health and care organisation must be clear about how and where they share your information. This is contained in a privacy notice, which must be clear and easily available. It is usually on your health and care organisation's website. 


Guidance for healthcare workers

Health and care professionals have a legal duty to share information to support individual care. The law and the Caldicott Principles support you to share relevant information in order to provide care and support to a patient or service user. You should therefore feel confident when doing so. You should, however, check whether an individual has objected to the proposed sharing. There are also some very specific exceptions where you would not share information. This includes information relating to the gender history of a person who is transgender (or undergoing transgender care) and who holds a Gender Recognition Certificate.

The duty to share information for individual care is as important as the duty to protect confidentiality. There are a number of points which you should consider so that you share information appropriately.

Legitimate and appropriate reasons

Make sure that the person you are sharing information with has a legitimate and appropriate reason to be involved in the care of the patient or service user.

Patient or service user objections

Check to see if there are any patient or service user objections to sharing information and decide whether to uphold the objection. For example, a record may indicate that a patient or service user is sensitive about a particular piece of information and does not want this shared. When sharing for individual care, there may be times when you have concerns about an objection, for example, if it will impact upon providing safe care. If someone objects but you are concerned, you should talk to your information governance support and/or Caldicott Guardian.

Share only relevant and necessary information

Sometimes there is not a clear answer to what is relevant. The key thing is that you can justify your decision and record this. Often your system will be set up to support you. For example, it will have access controls and audit functions built in, enabled by smart cards.

Transfer information securely

Ensure information is transferred securely when it is shared with others, for example, via NHSmail.

The following illustration will help you remember the key points:

  • Who? - share with those directly involved in the individual's care
  • What? - make a decision about what information is relevant to share 
  • Wishes? - check for patient or service user objections

For help, advice or support, contact your Caldicott Guardian, IG or senior staff (for example, in the case of a small care home where there may not be a Caldicott Guardian available).


Guidance for IG professionals

All health and care organisations must share information about a patient or service user (unless they object) to facilitate their individual care. This is set out in the Health and Social Care Act 2012 and the Health and Social Care (Quality and Safety) Act 2015. The following steps will help you ensure that health and care information is shared lawfully and appropriately for individual care.

What is your lawful basis under Common Law?

In Common Law, there is a duty of confidentiality which means that when a patient or service user shares information in confidence, it must not be disclosed without some form of legal authority or justification. In practice, this usually means that the information cannot be disclosed without that person’s consent. For individual care, this can be implied consent. However, you should not share confidential patient information (even for individual care) if you have reason to believe that a person has objected or would be likely to object to disclosure.

What is your lawful basis under GDPR?

Data protection legislation requires that personal data is processed lawfully, fairly and transparently:

  • Article 6 of the GDPR sets out the lawful bases for processing personal data. For individual care, you can rely on condition 6(1)(e) "…for the performance of a task carried out in the public interest or in the exercise of official authority…" 
  • Health data is classed as a ‘special category’ of personal data which also requires a condition under Article 9 of the GDPR. If you are a health and care professional providing individual care, you can rely on condition 9(2)(h) "…medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems…"

You must record and be transparent about these conditions for processing by including them in your privacy notice. 

GDPR also gives individuals the right to object to the processing of their personal data and have their objection considered. If someone objects to you processing their data, you will need to demonstrate "compelling, legitimate grounds for either the processing which overrides the interests, rights and freedoms of the data subject, or for the establishment, exercise or defence of legal claims". Objections must be considered on a case-by-case basis, allowing IG professionals to work with their health and care colleagues and Caldicott Guardian to make the decision to uphold or reject the request.

Have you checked you are meeting the Caldicott Principles?

The Caldicott Principles help to ensure that health and care information is used and shared appropriately to support care. Please follow the guidance set out in the principles when sharing information for care and other purposes.
