Service User Confidentiality Policy
Approval Date: January 2020
Revision Date: January 2022
Within this policy
1. DoulaCare Ireland will be referred to as DCI
2. DoulaCare Ireland Co-Owners will be referred to as Owners
3. Independent Contractors (including Doulas and Administrative support persons) will be referred to as IC’s
4. DoulaCare Ireland Clients will be referred to as Service Users
5. Members working within DoulaCare Ireland agency include Owners, Directors, Admin personnel, Independent Contractors.
6. This policy covers any employees, current or future of DoulaCare Ireland who will be referred to as staff.
1. Policy Statement
1. The confidentiality of service user information is a central and integral part of DCI’s service delivery. DCI is committed to ensuring that all service user information is managed in line with accepted good practice and current relevant legislation.
2. Purpose
2.1. To ensure that the confidentiality of people using the services of the organisation is protected in a consistent and appropriate manner.
2.2. To provide staff, IC’s and service users with the organisation’s understanding of confidentiality and clear guidelines regarding handling of information, including the extension of confidentiality.
2.3. To assign responsibilities for the management of confidential information.
3. Scope
3.1. This policy covers all DCI employees, staff, owners and IC’s.
3.2. This policy applies to service users over 18 years of age.
4. Legislation and relevant documents
4.1. Children First: National Guidance for the Protection and Welfare of Children (2011)
4.2. The Children Act 2001
4.3. Child Care Act 1991
4.4. The Data Protection Act 1988
4.5. The Data Protection (Amendment) Act 2003
4.6. The Freedom of Information Act 1997
4.7. The Freedom of Information (Amendment) Act 2003
4.8. Consent to share form (appendix 1)
4.9. DCI Data Protection policy
5. Glossary of Terms and Definitions
5.1. Personnel: in this document, personnel is used as a collective term to cover all persons to whom this policy applies.
5.2. Service user: in this document, a ‘service user’ is someone who utilises DCI’s client services.
5.3. Confidentiality: All information that is obtained about a service user through the course of organisational business and service provision is to be treated as confidential to the organisation. Personnel shall not at any time, whether during or after their involvement with DCI disclose such information in any form to a third party without the prior written consent of that service user. Exceptions to this are outlined in section 10: Limits to confidentiality.
5.4. Sharing without consent: In certain circumstances information about an individual service user may be passed on to a third party without the consent of that service user. These circumstances are outlined in section 10: Limits to confidentiality.
5.5. Wrongful disclosure: Is disclosure without consent, whether accidental or deliberate, which is not covered by section 10.
6. Roles and Responsibilities
6.1. Mary Tighe, Co-Owner, is responsible for:
6.1.1. Ensuring that a copy of this document is available to all personnel including service users.
6.1.2. Ensuring that all relevant personnel receive training as necessary and sign to confirm they have understood read, understood and agree to be bound by the confidentiality policy.
6.2. All personnel are responsible for working in accordance with this policy. Failure to do so will be considered as an act of misconduct or gross misconduct, as appropriate, and may result in disciplinary or legal action as appropriate.
7. General Guidelines
7.1. Confidentiality can never be absolute and therefore absolute confidentiality can never be guaranteed.
7.2. All service users are to be made aware of DCI’s confidentiality policy as soon as is practicable after they first access DCI’s services
7.3. All personnel and service users will have access to this confidentiality policy.
7.4. Confidentiality is between the service user and DCI. Case specific information will be shared with the organisational personnel as relevant and necessary.
7.5. Confidential information should only be shared with, or accessible to, personnel covered by this policy where needed for the proper care of the person to whom it relates
7.6. All service users have the right to have a copy of any information held regarding them by DCI, with the proviso that, where certain information in the file identifies other people to whom the organisation owes a duty of confidentiality, such information will be redacted. Copy information must be requested in writing by the service user. Staff members should assist with this as appropriate. Mary Tighe will deal with all such requests; the organisation endeavours that all requests will receive a response within ten working days.
7.7. No information about a service user will be passed on to any third party except in the following cases:
7.7.1. Where consent has been obtained under this policy
7.7.2. Where there is a legal obligation to provide information to a third party
7.7.3 Where a decision is taken by management to share information with a third party as outlined in section 10.
7.7.4 Consent to share information with a third party should always be given initially in writing, and thereafter may be given verbally. Service users have the right to withdraw consent for the sharing of information at any time, except where the organisation decides, or is obliged, to share information, as outlined in section 10.
7.8 All service user files are to be kept in a secure place within the organisation. Personnel are expected to exercise care to keeping safe all documentation or other material containing confidential information in line with the organisation’s Data Protection policies.
7.9 Paper files should be kept in a locked filing cabinet or drawer, with the key held only by personnel involved in relevant service provision.
7.10 Computer files should be password protected with the password held only by personnel involved in relevant service provision.
7.11 Information obtained and retained by IC’s in the performance of their duties are subject to the same requirements:
7.12. Paper files should be kept in a locked filing cabinet or drawer, with the key held only by personnel involved in relevant service provision.
7.13. Computer files should be password protected with the password held only by personnel involved in relevant service provision.
7.14 Any exchange of information between separate IC’s providing services to the same Service User must be in approved format and over authorised communication platforms, currently ‘Telegram’
7.15 Any exchange of information over public file sharing platforms, e.g. google documents’ must be approved in advance by the agency owners and can never include information that identifies service user. Generic information such as ‘Dublin 18 client’ may be used with prior approval.
8. Informing Service Users
8.1. All service users should be made aware of the following at the first point of contact with DCI:
1. That they have a right to confidentiality of their personal information
2. That confidentiality is between the service user and DCI; information will be shared by DCI with relevant personnel including IC assigned to service user.
3. That information shared with the Doula as Independent Contractor is also covered by DCI confidentiality policy as same has been shared with and agreed to by each IC.
4. That they have a right to have a copy of all information held by the organisation concerning them, and that if they want a copy of same, they will need to request this in writing.
5. That confidentiality is not absolute, and the circumstances in which information about them may be shared with a third party, as set out section 10.
6. That their consent to share information can be withdrawn by them at any time, except where circumstances in which information about them may be shared with a third party, as set out section 10, apply
9. Obtaining Consent to Share Information
9.1. Information held by the organisation about a service user, and not independently available to a third party, cannot be disclosed without that service user’s prior written consent.
9.2. Consent must be sought initially in writing, using a consent form. Thereafter it should be sought verbally. The service user should be informed each time information regarding them will be shared with a third party.
9.3. Written consent to share information cannot be given for periods longer than 6 months. Once the initial period for which the written consent is valid is expired, fresh written consent must be sought.
9.4. The consent form should stipulate:
1. The third party(s) with whom the information is to be shared
2. The period of time for which consent is given
3. Specific details concerning the information that will be shared including what information can be shared and through what mode of communication (e.g.: in person, fax, telephone, email, in writing)
4. The date and signatures of the service user and DCI representative.
9.5 Each time it is sought to share information under the written consent, the service user should verbally be informed of:
1. The third party with whom the information is to be shared
2. Whether the third party has a confidentiality policy
3. The reason for sharing the information
4. That DCI has no control over the information once it is given to a third party.
5. That they can withdraw their consent to share if they so wish
10. Limits to Confidentiality
10.1. Confidentiality can never be absolute and therefore absolute confidentiality can never be guaranteed. Limits to confidentiality exist to protect personnel from withholding information that may require immediate action in the interest of public or individual safety.
10.2. Decisions to share confidential information where no valid consent exists will, in all cases, be decided by Jen Crawford and Mary Tighe as agency Co-Owners. In the absence of the application of a factor under 10.3, information will only be shared where it is in the interests of the person to whom the information relates to do so.
10.3. Confidential information may be shared with an external third party without service user consent when:
1. The service user discloses information which reveals a substantial risk of harm to self or others.
2. There is a suspicion or risk of harm to children. The service will, in this instance, follow the guidelines and reporting procedure as set out in Children First: National Guidance for the Protection and Welfare of Children (Dept. of Children and Youth Affairs, 2011).
3. There is a court or tribunal order, or as otherwise required by law.
4. In other circumstances as set out by Section 8 of the Data Protection Act, 1988
10.4. If a service user discloses information which may require to be shared, the IC or staff member should inform the service user that they will report the issue to the agency Co-Owner. If it is decided that the information will be shared, the service user’s consent should be obtained if possible. If this is not possible, the service user should still be informed of the decision to share the information, if possible.
11. Sharing Information with External Third Parties
11.1. In all cases, there must be a written consent form, signed by the service user, on file before any information is to be shared with any other external third party. In the event that the consent form does not originate from DCI, the validity of the consent form received must be confirmed verbally with the service user before any information is shared.
11.2. If DCI is requested to write a service report, where possible this will be shown to the service user for comment prior to it being sent.
11.3. Care must be taken in relation to specific modes of communication to ensure confidential information is not unintentionally incorrectly shared. Always ensure that consent covers the type of communication by which it is intended to share information:
11.3.1 Emails should be sent to organisational, not personal email addresses. Be aware that emails are not a secure method of communication unless encrypted. DCI does not operate an encrypted email system to external domains. Thus, if email is to be used as a method of communication, the service user whose information is to be shared must specifically agree to transmission by this method and be advised of the risks of same, which include:
11.3.1.1. The email may be intercepted in transit
11.3.2. The email may be forwarded or otherwise dealt with by the recipient
11.3.3. Phone calls do not allow us to see who we are talking to. There is a risk that the person calling is not who they say they are. Service user attendance or presence in the service must not be confirmed to a caller unless we are sure they are covered by a valid consent form.
11.3.4. Fax numbers should be confirmed as organisational numbers. It is also useful to confirm where in the building a fax machine is located, to ensure that faxed confidential information does not arrive in a public place.
11.4. If a staff member or IC becomes aware of information relating to a service user from sources outside DCI, and where no consent to share information is in place, this information should be taken to Agency Co-Owners in the first instance who will make a decision as to whether, in all the circumstances, further action needs to be taken. Further action could include, but is not limited to:
11.4.1. Telling the service user about the information
11.4.2. If the information comes from another organisation, making a formal complaint to that organisation
11.4.3. Other action as the information warrants
11.5. IC’s or Staff members called to give evidence in court should contact the Agency Co-Owners, who will provide support in this area.
11.6. All requests for service user involvement in research, evaluation or for other data collection purposes need to have ethical approval from a recognised body and must include clear guidelines on confidentiality. Any such research should comply with Data Protection guidance on research, a copy of which is available at [INSERT LOCATION]. All such requests must be approved by the Agency Co-Owners prior to these being facilitated by staff or displayed within the organisation.
12. Wrongful Disclosure
12.1. Wrongful disclosure will be considered as an act of misconduct or gross misconduct, as appropriate, and may result in legal and or disciplinary action.
12.2. Where wrongful disclosure has taken place, the service user will be informed.
12.3. DCI will inform the office of the data commissioner of the wrongful disclosure, as appropriate.
13. Data Protection Responsibilities
13.1. In addition to the duty of care regarding confidentiality outlined above, the Data Protection Acts imposes legal obligations on DCI, its staff and IC’s. DCI takes seriously its responsibilities under the Data Protection Acts. The organisation is aware of and acts in accordance with the following eight Data Protection rules regarding information:
13.1.1. Obtain and process the information fairly
13.1.2. Keep it only for one or more specified and lawful purposes
13.1.3. Process it only in ways compatible with the purposes for which it was given to you initially
13.1.4. Keep it safe and secure
13.1.5. Keep it accurate and up-to-date Ensure that it is adequate, relevant and not excessive
13.1.6. Retain it no longer than is necessary for the specified purpose or purposes
13.1.7. Give a copy of his/her personal data to any individual, on request.
DCI Data Protection Policy outlines our data protection practices and procedures and is available on request from Mary Tighe.
14. Service User Request for Information
14.1. If a service user wishes to have a copy of the information the service holds on them, they should complete a written request.
14.2. The request will be processed by Mary Tighe who will process the request, where possible, within ten working days.
14.3. In this case care will be taken to ensure that any information naming, or which could be used to identify, other individuals that is held within the service user’s file is blanked out.
Date implemented: 20th JANUARY 2020
Review Date: 20th JANUARY 2022
Responsibility for approval of policy: MARY TIGHE & JEN CRAWFORD
Responsibility for implementation: MARY TIGHE
Responsibility for ensuring review: MARY TIGHE