Skip to main content


View LCP Procedures View LCP Procedures

1.1.4 Confidentiality and Loss of Sensitive Data


This chapter was significantly amended in August 2013 in respect of practices in communication and processes and should be read in it’s entirety.


  1. Taking or Sending Personal Information about Service Users Out of the Office
  2. Any Breach of Confidentiality

1. Taking or Sending Personal Information about Service Users Out of the Office

There are times when it is necessary to take service users’ records out of the office. On such occasions it is essential that the utmost care is taken to keeping the personal data safe. Please be reminded of the following:

The Data Protection Act and the Human Rights Act require that we give priority to maintaining confidentiality in relation to personal records that we hold about individuals and families. For social care professionals this is also a requirement of the Code of Ethics and professional registration.

Each person who has access to confidential data about individuals in any format (paper, electronic, photographic) must take the personal and professional responsibility to keep such data secure at all times. This includes maintaining security where agreement has been given to working on records from home or other bases by remote electronic access.

Paper records (print outs or original documents) should not be removed from the office, unless it is for agreed professional tasks relating to court, professional meetings (i.e. child protection or children looked after functions) and meetings with service users.

Removal of papers for any other reason must be with line manager’s agreement and a record should be kept of that agreement (on Mosaic/careworks running records), indicating which papers have been removed and when they will be returned/destroyed.

Staff should not take confidential data on USB memory sticks. Where Laptops are taken outside of office premises for use in writing reports, the Laptop must be password protected. Laptops and any paper documents taken outside of office premises must be carried in lockable bags.

Notebooks must be kept secure and identity of children and families or their addresses kept secure.

Any confidential documents being sent by secure email ( items to be password protected ) or posted using special delivery post should be sent securely. Care must always be taken with emails and post that the data is being sent to the correct address and addressee and that the intended recipient has a right to the information.

2. Any Breach of Confidentiality

The Council has an Information Security Policy a revised version is being finalised (April 2013). Please refer to this document for action to be undertaken within the Council services.

Any breach of confidentiality arising from loss or theft must be reported to the Police immediately and details passed to the relevant line-manager.

For all breaches, a detailed report of the information unlawfully disclosed, lost or stolen must be made to the appropriate Director within Children’s and Adults Services with a risk assessment of the likely outcomes of the breach/loss and the actions being taken to minimise impact on service user/s & redress the loss. The loss should also be reported to the Business Improvement Manager, the Caldecott Guardian and the Information & Records Manager. The Council’s Governance Team will need to be informed of all data breaches or ‘near misses’. The Information & Records manager will prepare a report on that data breach.

The Council’s Insurers should be informed through the Insurance Section based at Tooley Street.

Consideration should be given to whether the Council’s media office should be advised of the loss if there is a risk to the Council’s reputation.

The service user should be informed in a face to face meeting what data has been disclosed, lost or stolen and also in writing after a face to face discussion.

On receiving a report of the breach of confidentiality the Assistant Director will make a decision with the Caldicott Guardian, and possibly with legal advice, what further action may need to be taken. This will include the need to consider a disciplinary investigation, referral of the breach to the Information Commissioner’s Office, (see Council policy and procedure for this element), and/or the Health and Care Professionals Council.