Handling Information


  • 14.1 Handle information
    • 14.1a Describe the agreed ways of working and legislation regarding the recording, storing and sharing of information
    • 14.1b Explain why it is important to have secure systems for recording, storing and sharing information
    • 14.1c Demonstrate how to keep records that are up to date, complete, accurate and legible
    • 14.1d Explain how, and to whom, to report if they become aware that agreed ways of working have not been followed


  • 1 Understand the need for secure handling of information in care settings
    • 1.1 Identify the legislation that relates to the recording, storage and sharing of information in care settings
    • 1.2 Explain why it is important to have secure systems for recording and storing information in a care setting
  • 2 Know how to access support for handling information
    • 2.1 Describe how to access guidance, information and advice about handling information
    • 2.2 Explain what actions to take when there are concerns over the recording, storing or sharing of information
  • 3 Be able to handle information in accordance with agreed ways of working
    • 3.1 Keep records that are up to date, complete, accurate and legible
    • 3.1 Follow agreed ways of working for: recording information, storing information, sharing information


  • 1 Understand requirements for handling information in care settings.
    • 1.1 Identify legislation and codes of practice that relate to handling information in care settings.
    • 1.2 Summarise the main points of legal requirements and codes of practice for handling information in care settings.
  • 2 Be able to implement good practice in handling information.
    • 2.1 Describe features of manual and electronic information storage systems that help ensure security.
    • 2.2 Demonstrate practices that ensure security when storing and accessing information.
    • 2.3 Maintain records that are up-to-date, complete, accurate and legible.
    • 2.4 Support audit processes in line with own role and responsibilities.
  • 3 Be able to support others to handle information.
    • 3.1 Support others to understand the need for secure handling of information.
    • 3.2 Support others to understand and contribute to records.


On this page, we will be looking at good practices in handling information in health and social care settings.

We will explore the legislation that underpins data handling and the features of both manual and electronic secure storage systems. We will discuss why good record-keeping and secure storage are essential, how concerns should be reported, and touch upon the use of audit processes.


Legislation underpins the work we carry out and we must always ensure that we are working within the boundaries of the legal system.

Legislation relating to the handling of information in care settings includes:

  • The Data Protection Act 2018, including General Data Protection Regulations (GDPR)
  • The Freedom of Information Act 2000
  • Common-Law Duty of Confidentiality

The Data Protection Act 2018 and GDPR

The Data Protection Act governs how personally identifiable data (e.g. name, address, telephone number) is collected, stored and processed. There are eight guiding principles:

  1. Personal data shall be processed fairly and lawfully
  2. Data must be obtained only for specified and legal purposes
  3. Personal data shall be adequate, relevant and not excessive for the purpose(s) they are being processed for.
  4. Personal data shall be accurate and, where necessary, kept up to date
  5. Personal data shall not be kept for longer than is necessary for the given purpose(s)
  6. Personal data shall be processed in accordance with the rights of the data subjects
  7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data
  8. Personal data shall not be transferred out of the European Economic Area unless that country ensures adequate protection for data subjects’ rights

GDPR is the UK’s implementation of EU data law, which means that data protection is consistent across Europe. GDPR is incorporated in the Data Protection Act 2018.

The Freedom of Information Act 2000

The Freedom of Information Act puts an obligation on government agencies, such as local authorities and the NHS, to provide internal information that is in the public interest when it is requested.

This means that if you work for these agencies, things like records, emails and other communications may be given to the public if they ask for them. Therefore, it is prudent to act professionally at all times.

The Common-Law Duty of Confidentiality

The Common-Law Duty of Confidentiality is a law that is based upon previous legal cases or precedents, rather than an Act of Parliament. Although it can be subjective, a common principle is that when individuals provide personal information to organisations or professionals, they can reasonably expect it to be treated with confidentiality.

Therefore, when we request or have access to personal data, we must respect the privacy and confidentiality of the individual to whom it belongs and not share it with others.

Codes of practice

Professional codes of practice also govern the handling of data.

Code of Conduct

The Code of Conduct for Healthcare Support Workers and Adult Social Care Workers in England states that care workers must “respect a person’s right to confidentiality.” This guidance is further detailed with:

As a Healthcare Support Worker or Adult Social Care Worker in England you must:

1. treat all information about people who use health and care services and their carers as confidential.
2. only discuss or disclose information about people who use health and care services and their carers in accordance with legislation and agreed ways of working.
3. always seek guidance from a senior member of staff regarding any information or issues that you are concerned about.
4. always discuss issues of disclosure with a senior member of staff.

– Code of Conduct for Healthcare Support Workers and Adult Social Care Workers in England

Caldicott Principles

The Caldicott Principles are a set of tenets for guiding confidentiality and the sharing of information in health and social care settings. They are:

Principle 1 — justify the purpose(s) for using confidential information.
Principle 2 — only use confidential information when absolutely necessary.
Principle 3 — use the minimum information that is required.
Principle 4 — access to confidential information should be on a strict need-to-know basis.
Principle 5 — everyone must understand their responsibilities.
Principle 6 — understand and comply with the law.
Principle 7 — the duty to share information for individual care is as important as the duty to protect patient confidentiality
Principle 8 — inform patients and service users about how their confidential information is used

– Caldicott Principles

Policies and Procedures

All health and social care organisations and agencies will also have their own internal policies and procedures governing the handling and sharing of information. All workers must be familiar with these documents.

Importance of secure systems

Secure systems are essential for ensuring that we adhere to the legislation above. Using secure systems is also good professional practice and ensures that we work in line with our organisation’s policies and procedures.

If secure systems are not used, it could result in a data breach in which unauthorised parties access personal data. As well as being unlawful, this could be damaging to the individual and harm the organisation’s reputation.

Principles of secure storage systems

A good storage system must ensure that information can only be accessed by authorised parties. For example, an individual’s care plan should be accessible by care staff, care managers and the individual themselves, but other parties (e.g. other service users) should not be able to read the contents. There may be times when information needs to be shared with others (e.g. a nurse or advocate), but your organisation will have procedures for when and how this should be carried out, and consent must be obtained from the individual.

Secure storage systems may be paper-based or digital. We will look at each of them below.

Paper-based secure storage systems

Paper-based systems are repositories of written or typed records.

This means that anyone with physical access to the records will be able to read them, so it is best practice to ensure that the physical location is secure. Locked filing cabinets in locked rooms can achieve this, with access restricted to those who have a key or code.

It is prudent to ensure that records are returned to the secure storage location immediately after being used. Documents left unattended in public areas may be stolen or read by unauthorised parties. Some organisations have policies which state that records cannot be taken outside the storage room or off-premises.

Digital secure storage systems

Digital systems are records that are stored on computer systems and may be accessed remotely via networks, the Internet or VPNs.

This means that records could be read without physical access to the computer that they are stored on, so additional security measures are required. This is often achieved by password-protecting the information so that only individuals who have an authorised username/password combination can access it. Risks from viruses, malware and hacking can also lead to data breaches, so computer systems must be made robust with antivirus software and firewalls.

Policies and procedures will also contribute to secure systems. For example, it should be explained to employees that they shouldn’t share their password or leave a computer logged in unattended.

Principles of good record-keeping

As care workers, we will create, maintain and update many records as part of our day-to-day practice, so it is important to have an understanding of the principles that underpin good record-keeping.

All records should be kept up-to-date with current information. If data is outdated, it could result in incorrect care being provided. For example, if a doctor reduces the dosage of an individual’s medication, the record should be adjusted immediately to ensure that the individual is not given an overdose.

All records should also be as complete as possible. If information is missing, it can lead to delays in carrying out tasks and activities. For example, if an elderly individual dies and their next-of-kin data is not available in their records, it would create delays in contacting their family about the news.

In addition, if there is not enough detail in a record, it could lead to inconsistent care as information may be subjective or ambiguous.

Accuracy is of the utmost importance in maintaining records. Decisions are informed by the available data and if the data is wrong, it could lead to incorrect decisions being made. It is also important to ensure that recorded information is objective and factual. Personal views or opinions should not be recorded unless there is a requirement for a professional judgment.

Written records should be written legibly so that they can be easily read and understood by others. Messy handwriting can make it difficult to comprehend the information and may result in the wrong conclusions being formed. Although this is less of an issue these days with the introduction of digital systems, we should still ensure that we use correct spelling and grammar to aid comprehension.

Audit processes

Audit processes are used within organisations to ensure that information handling and storage systems are working correctly. This could include checking whether the organisation is complying with GDPR, whether staff are following procedures correctly and whether records are regularly being reviewed and kept up-to-date.

Depending on your role and responsibilities, you may be involved in audit processes.

Reporting concerns

Whenever you have concerns about the handling of information or confidentiality, you should approach your manager or supervisor for guidance. It is also useful to make a written record of your concern to formalise it.

Your manager or supervisor should promptly respond to your concern. However, if you are not satisfied with their answer, you may need to escalate it to more senior management. Larger organisations will have a dedicated data protection officer that you can approach with concerns.

If serious concerns (e.g. large data breaches or the illegal use of personal information) are not being dealt with appropriately by your organisation, you may need to whistleblow to outside agencies. This could be to the Care Quality Commission (CQC) if it risks the safety of individuals who are receiving care, or to the Information Commissioner’s Office (ICO) for a breach of data security.

Obtaining further information

Further information about your role and responsibilities in relation to handling data and confidentiality can be found at the sources below:

  • Your manager or senior colleagues
  • Your organisation’s data protection officer
  • Your organisation’s policies and procedures
  • Formal/informal training
  • Coaching/mentoring
  • The Information Commissioner’s Office
  • The Code of Practice
  • Own research