Managing Concerns around People in Positions of Trust Policy
This policy document builds upon existing relevant statutory provisions for sharing information and responding to concerns about a Person in a Position of Trust. This policy document gives guidance in relation to information sharing; employer responsibilities; risk assessments and employee rights.
1.1 The Care Act 2014 and supporting Care and Support Statutory Guidance, 2021 requires local authorities to have in place a framework and process for the management of allegations against “people in a position of trust.”
1.2 Other relevant legislation includes Data Protection Act 2018, European General Data Protection Regulation 2018 (GDPR) and Human Rights Act 1998, which must be considered, within these procedures.
1.3 Care and Support Statutory Guidance states that safeguarding is not a substitute for providers’ responsibilities to provide safe and high-quality care and support commissioners regularly assuring themselves of the safety and effectiveness of commissioned services:
· the Care Quality Commission (CQC) ensuring that regulated providers comply with the fundamental standards of care or by
taking enforcement action
· the core duties of the police to prevent and detect crime and protect life and property.
1.4 This policy document should be read in conjunction with the Joint Multi-Agency Safeguarding Adults Policy and Procedures.
1.5 Raising a safeguarding concern about an adult at risk.
1.5.1 If an allegation is made that concerns the actions of a professional, student or volunteer, which relates to alleged abuse or neglect of an adult with care and support needs, then a safeguarding concern should be raised in accordance with the Joint Multi-Agency Safeguarding Adults Policy and Procedures. Please note a PiPoT concern does not need to be raised. For details on how to report a safeguarding concern to North Yorkshire Council click on this link.
1.6 If a person has been arrested
1.6.1 If a person has been arrested and are employed and/or undertake voluntary work the person will receive a Common Law Disclosure Notice (CLPD) when they are given their Rights and Entitlements. This is information regarding the possibility that the police may disclose information about the individual to an employer, regulator, or voluntary organisation.
1.6.2 The CLPD provisions relate to the circumstances in which the police use common law powers to disclose police information regarding an individual to enable a third party to consider risk mitigation measures in respect of an employment or voluntary role believed to be undertaken by that individual
2.1 Where a partner organisation is made aware of information that may affect the suitability of a professional, student, or volunteer to work with adult(s) with care and support needs; where such information has originated from activity outside their professional or volunteering role and place of work and meets the criteria below in 2.2, and notify the Designated Safeguarding Lead for their organisation.
2.2 A PiPoT concern relates to a person who works with adults with care and support needs who has:
· behaved in a way that has harmed, or may have harmed an adult or child or,
· possibly committed a criminal offence against, or related to, an adult or child, or
· behaved towards an adult or child in a way that indicates they may pose a risk of harm to adults with care and support needs.
This applies whether the alleged incident is current or historical.
2.3 Partner organisations and service providers, are responsible for ensuring that information relating to a PiPoT concern, is shared, and escalated outside of their organisation in circumstances where this is required. Such sharing of information must be lawful, proportionate, and appropriate. As a Data Controller, it is the recipient organisation’s responsibility to consider whether the concern meets, the criteria for referral under these procedures see section 2.2 above.
2.4 Responsibilities of partner organisations managing concerns within employment Employers, student bodies and voluntary organisations should have clear procedures for managing concerns about a PiPoT in place, setting out a process, that states who should undertake an investigation, and what sources of support and advice will be available to individuals against whom allegations have been made, in accordance with UK Employment Law:
· Employers, student bodies and voluntary organisations should have their own Human Resources (HR) policy and source of HR advice and legal advice, for dealing with concerns about an employee who is a PiPoT.
· Any allegation against an employee, student or volunteer who works with adults should be reported immediately following internal policies and procedures to a Safeguarding Concerns Manager or Safeguarding Lead, within the organisation.
· If the employer, student body or volunteer organisation, is already aware of the concern(s) and if the PiPoT is not working anywhere else with adults with care and support needs, there is no need to make a PiPoT referral.
· It is the responsibility of the employer, student body or volunteer organisation to follow their own procedures to assess and manage risk to adults with care and support needs who use their services, and to take action required to safeguard those adults.
· It is also the responsibility of the employer to notify the Professional Bodies.
2.5 Referrals to Local Authority Designated Officer (LADO) and Children and Families.
When there is an allegation that a person who works with children has:
· Behaved in a way that has harmed a child or may have harmed a child.
· Possibly committed a criminal offence against or related to a child.
· Behaved towards a child or children in a way that indicates they may pose a risk of harm to children
· Behaved or may have behaved in a way that indicates they may not be suitable to work with children.
2.6 It is the responsibility of the partner organisation to refer to the Local Authority Designated Officer (LADO) within one working day, using the LADO Referral Form, see Managing allegations against staff giving as much detail as possible.
2.6.1 Completed LADO Referral Forms should be emailed using secure mail to lado@northyorks.gov.uk alternatively contact 01609 533080 within office hours (Monday – Friday 8:00 am to 17:30, Saturday 9:00 to 17:00). If outside these times, please contact 0300 131 2 131.
2.7 Where a concern has been identified about a PiPoT and they are a parent or carer for a child or children, then consideration should be given to whether a referral to Children and Families Service is required. If you are concerned about a child or a young person under 18 years of age, please refer to the children and families’ service.
2.7.1 Contact 0300 131 2 131 to speak to an advisor at the Customer Service Centre. If you are worried about a child, click on this link here for further guidance: worried-about-a-child
2.8 How to make a PiPoT referral.
2.8.1 Where a relevant partner organisation wishes to raise a PiPoT concern, notify the Designated Safeguarding Lead for their organisation and make a PiPoT referral to the local authority in whose area the PiPoT works, and follow the local guidance.
2.9 If the PiPoT works in North Yorkshire
2.9.1 If the PiPoT works in North Yorkshire a referral should be made to the HAS Safeguarding Team using the PiPoT referral form which is available from North Yorkshire Safeguarding Adults Board Website at: https://nysab.webc-dev.co.uk/working-with-adults/nysab-procedures/
2.9.2 Send the completed form by secure email to: PiPots@northyorks.gov.uk. Alternatively, the form can be posted to North Yorkshire Council, County Hall, Northallerton, North Yorkshire, DL7 8AD
2.10 PiPoT Enquiry. If you require advice, contact the Customer Service Centre 01609 780780. The Emergency Duty Team can be contacted out of hours on 01609 780780.
2.11 Screening the PiPoT referral and identify the lead agency. The HAS Safeguarding Team will receive and screen referral to check that the PiPoT criteria is met.
2.12 When the criteria are not met, they will feedback to the referrer and advice will be given on what action they need to take, if any. Please see Appendix 2 for PiPoT process.
2.13 If the criteria are met, then a decision is made as to which agency will lead and then this will be forwarded to either the Designated Professionals Safeguarding Adults (Health Commissioners) or the Police or remain with HAS Safeguarding Team.
2.14 The relevant lead agency will undertake an enquiry and follow their own procedures.
2.15 When a decision has been made to share information with the PiPoT’s employer, student body or volunteer organisation, the PiPoT should be:
· informed that the allegation against them will be shared with their employer or student body or voluntary organisation, unless it puts a child or any other person in danger, or the PiPoT themselves.
· offered a right to reply to the allegation or concern raised about them,
· given the opportunity to tell their employer, student body or voluntary organisation themselves, unless the immediacy and nature of the risk do not allow for this. The lead Safeguarding Team will need to be assured that appropriate information has been shared by following up with the employer, student body, or voluntary organisation.
· advised what information will be shared about them, how the information will be shared and with whom.
2.16 The lead agency undertaking the PiPoT enquiry may convene a Managing Concerns discussion or meeting, to assess and determine what actions are required to manage the risk(s) posed by a PiPoT. The following may be invited, the Police, Care Quality Commission (CQC), Local Authority Designated Officer (LADO), Health or Social Care commissioners, and any other relevant parties. Please note the PiPoT would not attend the Managing Concerns Meeting. When the relevant Integrated Care Board (ICB) or the Police have completed their enquiry, they will notify the HAS Safeguarding Team of the outcome.
2.17 Sharing Information with the PiPoT’s Employer, student body or voluntary organisation. Careful consideration is required as to whether the Lead Agency should share this information with the person’s employer, student body or voluntary organisation, to enable them to undertake a risk assessment. N.B. any organisation that receives this data will be a Data Controller as defined by the Data Protection Act 2018 and GDPR Article 4. The Lead Agency may wish to seek their own legal advice.
2.18 When a decision has been made to share information with the PiPoT’s employer, student body or voluntary organisation, the lead Safeguarding Team will need to:
· contact the employer, student body or voluntary organisation to share information and any relevant parties.
· ensure that sharing of information is justifiable and proportionate.
· request details of any actions taken and seek assurance that they have carried out a risk assessment.
· record the rationale for all decision-making, and ensure it is timely.
· make it clear whether the information relates to a criminal or civil enquiry.
3.1 Disclosure and Barring Service (DBS). If someone is removed from their role providing regulated activity following a safeguarding incident the Regulated Activity Provider (or if the person has been provided by an agency or personnel supplier) has a legal duty to refer them to the DBS.
3.2 Their legal duty to refer to the DBS also applies where a person leaves their role before a disciplinary hearing has taken place following a safeguarding incident and the employer/volunteer organisation feels they would or might have dismissed the person based upon the information they hold. Refer to the DBS Guidance on how to make a referral: https://www.gov.uk/guidance/making-barring-referrals-to-the-dbs#must-i-make-a-referral
3.3 Professional Bodies – Where appropriate, the employer should report the PiPoT to the Statutory Regulator and other bodies responsible for professional regulation.
4.1 Where appropriate, if the PiPoT is a Registered Manager, then the CQC should be notified, if there is an identified risk. CQC can take action as deemed appropriate to ensure the service has appropriate standards of practice to prevent and respond to any future risk of harm. This includes the employer’s ‘fitness’ to operate and responsibility to safeguard adults at risk.
Decisions made about sharing information must be justifiable and proportionate, based on the risk of harm to adults or children. The rationale for sharing information should always be recorded.
When sharing information about adults or children, between agencies it should only be shared:
· Where there is a legal justification for doing so
· Where relevant and necessary, not simply all the information held
· With the relevant people who need all or some of the information
· When there is a specific need for the information to be shared at that time.
5.1 Personal Data
5.1.1 Both the Data Protection Act 2018 and the GDPR define the following:
· Data Subject means an individual who is the subject of personal data.
· i.e., The data subject is the individual whom the personal data is about. The Act does not count, as a data subject, an
individual who has died or who cannot be identified or distinguished from others.
· Data Controller means a person who (either alone or jointly with other persons) determines the purposes for which and the
way any personal data are, or are to be, processed.
5.2 Data Controller
5.2.1 Data Controller is considered the owner of the information and has responsibility for taking appropriate action i.e., risk assess and decide whether disclosure to other bodies should be made. The Data Controller must exercise control over the processing and carry data protection responsibility for it. The Data Controller must be a “person” recognised in law, that is to say:
· Individuals
· Organisations; and
· Other corporate and unincorporated bodies of persons.
5.2.2 Data Controllers will usually be organisations, but can be individuals, for example, self-employed consultants. An individual given responsibility for data protection in an organisation will be acting on behalf of the organisation, which will be the Data Controller.
5.2.3 The term Data Controllers can be used where two or more persons (usually organisations), act together to decide the purpose and manner of any data processing. Data Controllers must ensure that any processing of personal data, for which they are responsible, complies with the Act. Failure to do so risks enforcement action, even prosecution and compensation claims from individuals.
5.3 Data Processor
5.3.1 In relation to personal data, this means any person, other than an employee of the Data Controller, who processes the data on behalf of the Data Controller.
5.4 The Data Protection Act 2018 and the GDPR (refer to Appendix 1) requires anyone handling personal information to comply with the principles set out in the Act:
· The information processed must be fair and lawful
· Personal data must be kept in a secure and confidential place
5.5 The Information Commissioners Office (ICO) upholds information rights in the public interest. For further information about the law, relating to data use/control can be found on their website, Home | ICO
6. The Crime and Disorder Act 1998 states any person may disclose information to a relevant authority under Section 115 of the Act:
“Where disclosure is necessary or expedient for the purposes of the Act (reduction and prevention of crime and disorder).”
The Human Rights Act 1998 , The principles set out in the Human Rights Act must also be considered within this framework in particular the following:
· Article 6 – The right to a fair trial
This applies to both criminal and civil proceedings with regard to the former, the person is presumed innocent until proven guilty according to the law and has certain guaranteed rights to defend themselves.
· Article 7 – No Punishment without law
Article 7 provides protection against arbitrary prosecution, conviction and punishment. A person who claims that a public authority has acted or proposes to act in a way, which is unlawful by section 6(1) may,
a) bring proceedings against the local authority under this act in the appropriate court or tribunal or,
b) rely on the convention rights or rights concerned in any legal proceedings.
· Article 8 – The right to respect for private and family life
Article 8 gives everyone the right to respect for his private and family life and his correspondence.
Both regulate the use of “personal data”. To understand what personal data means, we need look at how the Act defines the word “data”.
Data means information which:
a) is being processed by means of equipment operating automatically in response to instructions given for that purpose
b) is recorded with the intention that it should be processed by means of such equipment
c) is recorded as part of a relevant filing system or with the intention that it should form part of a relevant filing system
d) does not fall within a, b, or c above but forms part of an accessible record as defined by Section 68, or
e) is recorded information held by a public authority and does not fall within any points a to d above.
What is personal data?
Personal data means data, which relates to a living individual who can be identified:
a) from those data, or
b) from those data and other information, which is in the possession of, or is likely to come into the possession of, the Data Controller and involves any expression of opinion about the individual and any indication of the intentions of the Data Controller, or any other person in respect of the individual.
Sensitive personal data, also known as special category data, in Article 9 of the GDPR data, means personal data consisting of information that is:
a) racial or ethnic origin
b) political opinions
c) religious beliefs, philosophical beliefs or other beliefs of a similar nature.
d) Trade Union Membership
e) genetic data
f) biometric data for uniquely identifying an individual
g) data concerning physical or mental health
h) data concerning sex life or sexual orientation.
The Data Protection Act (2018) states that data relating to the criminal activity, whether that is in relation to an offence committed or alleged to have been committed, should be treated as special category data.
The Data Protection Act (2018) regulates the “processing” of personal data. Processing in relation to information or data, means obtaining, recording, or holding the information or data or carrying out any operation or set of operations on the information or data, including:
a) adaptation or alteration of the information or data.
b) retrieval, consultation or use of the information or data.
c) disclosure of the information or data by transmission, dissemination or otherwise making available.
d) alignment combination, blocking, erasure or destruction of the information or data.
Article 5 of the GDPR lists the data protection principles:
1. Personal data shall be processed fairly and lawfully and shall not be processed unless:
a. at least one of the conditions in Article 6 is met, and
b. in the case of special category data, at least one of the conditions in Article 9 is also met
2. Personal data will be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.
3. Personal data shall be adequate, relevant, and not excessive in relation to the purpose or purposes for which they are processed.
4. Personal data shall be accurate and where necessary, kept up to date. Every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased, or rectified without delay.
5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
6. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.