October 2020: This chapter has been completely revised as a result of local review and should be re-read.
- 1. Introduction
- 2. Responsibilities
- 3. Information Sharing
- 4. Legal Framework
- Appendix 1: Data Protection Act 2018 and UK GDPR overview
- Appendix 2: Flowchart for Managing Concerns and Allegations against People who Work with Adults with Care and Support Needs
- Appendix 3: The PiPOT Process Guidance
- Appendix 4: Letter Template
- Appendix 5: Referral Form to the Local Authority
- Appendix 6: References
- Appendix 7: Glossary
This chapter provides an overarching policy for the Leicester, Leicestershire and Rutland (LLR) which has been ratified by the Leicester and Leicestershire and Rutland Safeguarding Adults Boards.
The Care Act requires that partner agencies and their commissioners of services should have clear recordings and information sharing guidance, set explicit timescales for action and are aware of the need to preserve evidence. This policy builds upon existing relevant statutory provision. The guidance for ‘Managing allegations against people in a position of Trust’ is contained within section 14 of the Care and Support Statutory Guidance of the Care Act 2014. Other relevant legislation includes: Data Protection Act 2018/ UK General Data Protection Regulation [UK GDPR]; Human Rights Act 1998 and employment legislation.
As with all adult safeguarding work the six principles underpinning the Care Act 2014 should inform this area of activity:
- Empowerment – People being supported and encouraged to make their own decisions and informed consent
- Prevention – It is better to take action before harm occurs
- Proportionality – The least intrusive response appropriate to the risk presented
- Protection – Support and representation for those in greatest need
- Partnership – Local solutions through services working with their communities. Communities have a part to play in preventing, detecting and reporting neglect and abuse
- Accountability – Accountability and transparency in safeguarding practice.
This policy gives guidance about the following considerations: information sharing; employer responsibilities; risk assessments; employee rights etc. The Data Protection Act 2018, UK General Data Protection Regulation, Human Rights Act 1998 and Crime and Disorder Act 1998 must be taken into account within this process.
This policy relates to those instances where a relevant agency is alerted to information that may affect the suitability of a professional, or volunteer to work with an adult(s) at risk, where such information has originated from activity outside their professional or volunteer role and place of work. The alleged victim, in such circumstances, does not have to be an adult at risk, for example, it could be their partner or a child. This document refers to when there is an allegation which does not directly involve an adult at risk but may have risk implications in relation to the employment or volunteer work of a person in a position of trust.
Examples of such concerns could include allegations that relate to a person who works with adults with care and support needs who has:
- behaved in a way that has harmed, or may have harmed an adult or child possibly committed a criminal offence against, or related to, an adult or child;
- behaved towards an adult or child in a way that indicates they may pose a risk of harm to adults with care and support needs.
1.1 What is excluded from this Policy?
The following are excluded from this policy.
- If an allegation is made that does concern the actions of a professional, or volunteer which related to alleged abuse or neglect of a person with care and support needs and this amounts to a safeguarding enquiry, then such an allegation should be dealt with by following the local adult safeguarding policies and procedures. Such procedures should include directions about how such allegations are referred and investigated.
- Referrals from the employer themselves- if the employer is aware of concerns about a staff member, it is their responsibility to manage the risks around this (unless this is also a safeguarding concern-see above), and a PiPOT referral to the local authority is not required. This policy however does provide some guidance about employers’ responsibilities. Please refer to Section 2, Responsibilities for further guidance.
- Complaints about a care worker, professional, or volunteer where concerns are raised about the quality of practice provided by the person in a position of trust, but these do not pose a specific risk to adults or children. Other relevant bodies and their procedures should be used to recognise, respond to and resolve these issues, such as complaints or contractual processes.
2.1 Safeguarding Adults Board (SAB)
Safeguarding Adults Boards need to establish and agree a framework and process, for how concerns and allegations against people working with adults with care and support needs (i.e. those in positions of trust) should be notified and responded to. Whilst the focus on safeguarding adults work is to safeguard one or more identified adults with care and support needs, there are occasions when incidents are reported that do not involve an adult at risk, but indicate, nevertheless, that a risk may be posed to adults at risk by a person in a position of trust.
Each partner agency, in their annual assurance statement to the SAB, will be required to provide assurance that arrangements to deal with allegations against a person in a position of trust, within their organisation are adequate and are functioning effectively. The SAB will, in turn, maintain oversight of whether these arrangements are considered to be working effectively between, and across partner agencies in the local authority area. Appropriate cross organisational challenge should be possible as it is an important part of this process.
2.2 Statutory partners
Statutory partners are defined as:
- local authorities;
- NHS agencies, specifically University Hospitals of Leicester (UHL), Leicestershire Partnerships Trust (LPT) and the Clinical Commissioning Group (CCG);
These agencies are expected to use this policy within their own agencies, with accountability to the SAB. This means that as well as being responsible for managing risk around any PiPOT concerns about their own staff, where they become aware of potential PiPOT concerns about individuals working for other agencies, they are responsible for applying this policy and where necessary informing and working with the employer to manage risk. Please refer to Appendix 4 for template for letter to inform an employer and PiPOT process guidance.
2.3 Other partner agencies
Other partner agencies, for example East Midlands Ambulance Services, adult education and universities, voluntary organisation’s and care provider services should ensure their safeguarding leads and managers are aware of this Policy. They should have clear and accessible policy and procedures in place setting out their process for managing risk should they become aware of a PiPOT concern about a member of their staff. These should determine who should undertake an investigation in terms of seniority it is suggested this should be safeguarding lead in the organisation, including setting timescales and how support and advice will be made available to individuals against whom allegations have been made. Any allegations against people who work with adults, should be reported immediately to a senior manager within the organisation. Employers should have their own source of advice (including legal advice) in place for dealing with such concerns.
Where such concerns are raised about someone who works with adults with care and support needs, it will be necessary for the employer to assess any potential risk to adults with care and support needs who use their services and, if necessary, to take action to safeguard those adults. If partner agencies become aware of any potential PiPOT concerns about a person who works for another organisation, they should refer to the local authority which has responsibility for the area where the Person in a Position of Trust works. The referral form at Appendix 5 should be used for referral to the relevant local authority.
2.4 Responsibilities when there are potential risks to children
When a person’s conduct towards an adult may impact on their suitability to work with, or continue to work with children, this must be referred to the Local Authority Designated Officer (LADO). Where concerns have been identified about their practice and they are a parent / carer for children, then consideration by the Data Controller should be given to whether a referral to children’s services is required.
2.5 Responsibilities of the Data Controller
If an organisation is in receipt of information, that gives cause for concern about a person in a position of trust, then that organisation should give careful consideration as to whether they should share the information with either the local authority or if they are a statutory partner agency listed above, with the person’s employers, to enable them to conduct an effective risk assessment.
The receiving organisation becomes the Data Controller as defined by the Data Protection Act 2018 and UK GDPR; Article 4 (please refer to Section 4, Legal Framework, Employer’s responsibilities when they are made aware of PiPOT concerns).
Partner agencies and the service providers they commission, are individually responsible for ensuring that information relating to PiPOT concerns, are shared and escalated outside of their organisation in circumstances where this is required. Such sharing of information must be lawful, proportionate and appropriate. Organisations are responsible for making the judgment that this is the case in every instance when they are the data controller.
If, following an investigation a Person in a Position of Trust is removed, by either dismissal or permanent redeployment, to a non-regulated activity, because they pose a risk of harm to adults with care and support needs, (or would have, had the person not left first), then the employer (or student body or voluntary organisation), has a legal duty to refer the person to the Disclosure and Barring Service (DBS).
It is a criminal offence to fail to make a referral without good reason. This includes situations where if the person in a position of trust resigns, retires or leaves before any investigation is completed, as long as all of the conditions of making a barring referral have been met then this referral should be completed regardless of whether an organisation has accepted or not accepted the person’s resignation.
In addition, where appropriate, employers should report workers to the statutory and other bodies, responsible for professional regulation such as the Health and Care Professions Council, Social Work England, General Medical Council and the Nursing and Midwifery Council where appropriate.
If a person subject to a PiPOT investigation, attempts to leave employment by resigning in an effort to avoid the investigation or disciplinary process, the employer (or student body or voluntary organisation), is entitled not to accept that resignation and conclude whatever process has been utilised with the evidence before them. If the investigation outcome warrants it, the employer can dismiss the employee or volunteer instead and make a referral to the DBS. This would also be the case where the person intends to take up legitimate employment or a course of study.
3. Information Sharing
Decisions on sharing information must be justifiable and proportionate, based on the potential or actual harm to adults or children at risk and the rationale for decision-making should always be recorded.
When sharing information about adults, children and young people at risk between agencies it should only be shared:
- where there is a legal justification for doing so (note: this is not the Data Protection Act, but comes from underlying legislation);
- where relevant and necessary, not simply all the information held with the relevant people who need all or some of the information;
- when there is a specific need for the information to be shared at that time;
- is shared securely.
This policy applies whether the allegation or incident is historical where the information indicates current risk.
4. Legal Framework
Both the Data Protection Act 2018 and the UK GDPR define the following.
Data Subject means an individual who is the subject of personal data. In other words, the data subject is the individual whom particular personal data is about. Personal data is not just about names or addresses, it can be situation or circumstances from which someone can be identified or associated with. The Act does not apply to an individual who has died or who cannot be identified or distinguished from others.
Data Controller means a person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed.
In other words the Data Controller is the organisation or individual who first becomes aware of the allegation or concern. The Data Controller is considered to be the owner of the information and has responsibility for taking appropriate action i.e. risk assess and decide whether disclosure to other bodies should be made.
It is the Data Controller that must exercise control over the processing and carry data protection responsibility for it. The Data Controller must be a “person” recognised in law, that is to say:
- organisations; and
- other corporate and unincorporated bodies of persons.
Data Controllers will usually be organisations, but can be individuals, for example self-employed consultants. An individual given responsibility for data protection in an organisation will be acting on behalf of the organisation, which will be the Data Controller.
In relation to Data Controllers, the term jointly is used where two or more persons (usually organisations), act together to decide the purpose and manner of any data processing. The term in common applies where two or more persons, share a pool of personal data that they process independently of each other. Data Controllers must ensure that any processing of personal data, for which they are responsible complies with the act. Failure to do so risks enforcement action, even prosecution and compensation claims from individuals.
Data Processor – in relation to personal data, means any person (other than an employee of the Data Controller, who processes the data on behalf of the Data Controller, usually providing a technical service, acting on the instruction of the data controller.
Processing – means use of personal or special category data; everything from the collection of personal data to its eventual disposal.
Data Protection legislation (please refer to Appendix 1) requires anyone handling personal information to comply with the principles set out in the Act:
- personal data must be processed fairly, lawfully and in a transparent manner;
- personal data must be processed for specified, explicit and legitimate purposes;
- personal data must only be processed to the extent it is required to do a job; only the minimum must be used;
- personal data must be processed accurately; collected appropriately and kept up-to-date personal data must not be retained for longer than is necessary in an identifiable form; and
- personal data must be kept secure.
The Information Commissioner’s Office (ICO) upholds information rights in the public interest. In addition to complying with the principles, Data Controllers must be accountable for their compliance and be able to support Data Subject Rights. For further information about the law relating to data use/control can be found on their website.
The Crime and Disorder Act 1998 states any person may disclose information to a relevant authority under Section 115 of the Act:
“Where disclosure is necessary or expedient for the purposes of the Act (reduction and prevention of crime and disorder)”
The Human Rights Act 1998 – The principles set out in the Human Rights Act must also be taken into account within this framework in particular the following:
- Article 6 – The right to a fair trial; this applies to both criminal and civil cases against them …… the person is presumed innocent until proven guilty according to the law and has certain guaranteed rights to defend themselves.
- Article 7 – A person who claims that a public authority has acted or proposes to act in a way which is unlawful by section 6(1) may a) bring proceedings against public authorities under this act in the appropriate court or tribunal or b) rely on the convention rights or rights concerned in any legal proceedings.
- Article 8 – The right to respect for private and family life.
Appendix 1: Data Protection Act 2018 and UK GDPR overview
1. What is personal data?
Personal data means data which relate to an identifiable natural person who can be identified from those data, such as name, an identification number, location data, online identifiers or data relating to physical, physiological, genetic, mental, economic, cultural or social identity.
Special category data, in Article 9 of the UK GDPR data means personal data consisting of information as to:
- the racial or ethnic origin of the data subject;
- his / her political opinions;
- his / her religious beliefs or other beliefs of a similar nature;
- whether he / she is a member of a trade union (within the meaning of the Trade Union and Labour Relations (Consolidation) Act 1992);
- genetic / biometric data of the purpose of identifying a natural person;
- his / her physical or mental health condition;
- his / her sexual orientation.
The Act regulates the “processing” of personal data. Processing in relation to information or data, means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including:
- organisation, adaptation or alteration of the information or data;
- retrieval, consultation or use of the information or data;
- disclosure of the information or data by transmission, dissemination or otherwise making available;
- alignment, combination, blocking, erasure or destruction of the information or data.
Article 5 of the UK GDPR lists the data protection principles described above.
To determine whether you are a data controller you need to ascertain which organisation decides:
- to collect the personal data in the first place and the legal basis (contained in underlying legislation and other lawful purposes) for doing so;
- which items of personal data to collect, i.e. the content of the data;
- the purpose or purposes the data are to be used for;
- which individuals to collect data about;
- whether to disclose the data, and if so, who to;
- whether subject access and other individuals’ rights apply i.e. the application of exemptions; and
- how long to retain the data or whether to make non-routine amendments to the data.
These are all decisions that can only be taken by the data controller as part of its overall control of the data processing operation.
Appendix 2: Flowchart for Managing Concerns and Allegations against People who Work with Adults with Care and Support Needs
Appendix 3: The PiPOT Process Guidance
1. Statutory agency decision making process
Sufficient information should be gathered by the Data Controller (that is the statutory partner agency which holds the information LPT, UHL, CCG, local authority, police or other partner agency as described in section 2), in order to make a decision on whether further action is required under the PiPOT process. If the information has been referred to the local authority by another organisation they should use the Referral Form below.
Minimum information to take a referral should include:
- name, address and contact details for the subject of referral;
- confirmation that the subject of the referral is aware of the referral to ASC Where the subject of the referral works or volunteers;
- specific reason why the referrer feels the PiPOT process is required, specifically risks and reason for concern.
In circumstances where sufficient information as detailed above has not been provided by the referrer consideration should be given to whether this enables a decision to be made about whether this meets the criteria for PiPOT. In these circumstances the referrer can be asked to provide further information, as appropriate.
Following discussion with person in the organisation identified as the lead for PiPOT, the case should be allocated to an appropriate person to gather information. Advice and guidance should be provided through usual line management routes; with the option to escalate to one of the lead Safeguarding officers if the situation is particularly complex or contentious, Special consideration should be given to whom the case is allocated if the referral is about a member of staff working for the Data Controller to ensure that there is no conflict of interest. It would not be appropriate for a case to be allocated to someone in the same team or for the direct line manager to be involved in giving advice. The line manager(s) should not be made aware of the referral unless / until it has been agreed that the employer should be advised of the potential risk.
Usual practice should be to involve the referred person in this process. Only where discussion with the referred person may be considered harmful to them or others should this not take place and the decision not to involve the person requires management authorisation. In most cases, the referred person should be made aware from the outset that a referral has been received and their involvement and engagement in the process sought. Reassurance should be given that whilst the Data Controller will gather information, no disclosure will be made to the employer without the referred person being made aware. The exception to this is where the alleged concern indicates that the risk is so high that there is sufficient justification to contact the employer / voluntary organisation without making prior contact with the referred person. In all such instances, there needs to be a discussion with a manager in advance of the contact.
The allegation should be recorded, how and where this is recorded should be agreed locally. The referred person should be made aware that information will be held on the Data Controller’s database.
There will be occasions when the allegation spans across both Adult’s (PiPOT) and Children’s (LADO) processes. In such circumstances, it should be agreed which process will take the lead, with a commitment to appropriate and proportionate information sharing. There is an option to escalate this decision to the LADO / Lead Officer, if required.
2. Managing the allegation
Following the fact finding and information gathering process, a management decision needs to be taken in terms of whether, and what, to disclose to the person’s employer / voluntary organisation. In most cases, the decision will be made by the responsible manager, but with the option to seek advice from one of the safeguarding lead officers if the situation is especially complex. Legal opinion should also be sought, as required, on a case by case basis.
The rationale for decision making needs to be clearly recorded by the Data Controller for assurance and audit purposes.
If it is decided that the employer needs to be informed, an appropriate Manager within the employing organisation should be contacted. Initial contact can be verbal but should be followed up with a written referral using the template at Appendix 4.
The person referred should be kept updated during the process and informed of the outcome. If the decision is taken to inform the employer / voluntary organisation, the information shared should be proportionate and the person should be advised what information will be shared. Wherever possible, the referred person should be encouraged to share the information with their employer / voluntary organisation themselves, although this will need to be followed up by the Data Controller to confirm.
3. Working with the employer
Once the employer or voluntary body has been informed, they are responsible for assessing the risks in the context of their service or organisation. Only the employer has the authority to suspend, redeploy or make other changes to the working arrangements. Each organisation will have policies or procedures in place for investigating concerns about staff, such as disciplinary processes and these should be the employer’s primary source of guidance.
The employer should be advised of their duty to assess and effectively manage the potential risk of harm posed by the staff member to adults with care and support needs, considering the nature and seriousness of the allegation. The Data Controller can advise the employer on the need to undertake a risk assessment and action plan and request a copy of this if the level of concern is sufficiently high, but this is dependent on the cooperation of the employer and is not enforceable.
4. End of the process
The PiPOT process ends either once a decision has been taken not to disclose on the basis that the criteria is not met or following the disclosure to the employer a response has been received as to the outcome of the referral. At this point, the responsible manager will review the interventions and close the case as per standard protocol.
If the original referrer has concerns about how the employer has responded to the referral, and they are not able to resolve these with the employer, the Data Controller should escalate to the Safeguarding Adults Board if they believe adults remain at risk.
Appendix 4: Letter Template
Click here to view the PiPoT Letter Template
Appendix 5: Referral Form to the Local Authority
Click here to view the PiPOT – Referral Form to the Local Authority
Appendix 6: References
Information Commissioner’s Office – Data Controllers and Data Processors: What Difference is and What the Governance Implications are. Data Protection Act.
Information Commissioner’s Officer – Guide to the Data Protection Act.
West Midlands Adult Position of Trust Framework: A Framework and Process for responding to allegations and concerns against people working with adults with care and support needs (2017).
For further information, visit the Information Commissioner’s Office (ICO) webpage outlining the UK GDPR seven key principles.
Appendix 7: Glossary
|ADASS||Association of Directors of Adult Social Services|
|CCG||Clinical Commissioning Groups|
|DBS||Disclosure & Barring Service|
|Data Controller||A person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or are to be, processed|
|Data Subject||An individual who is the subject of personal data|
|Data Processor||In relation to personal data any person (other than an employee of the data controller), who processes the data on behalf of the data controller|
|ICO||Information Commissioner’s Office – The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.|
|LADO||Local Authority Designated Officer|
|LPT||Leicestershire Partnership Trust|
|PiPOT||Person in a position of trust|
|UHL||University Hospitals of Leicester|
|SAB||Safeguarding Adults Board|