Information sharing in the NHS under the Prevent and the Channel programmes

Guidance for healthcare practitioners on information sharing with the Prevent and Channel programmes was published by the Government on 27 September 2022. Intended to steer vulnerable individuals away from radicalisation and criminal behaviours, the programmes rely upon rapid disclosure by programme partners of both initial concerns and information specifically requested.

When deciding whether to make a disclosure, a healthcare practitioner must take into account a multitude of considerations including GDPR expectations, the common law duty of confidence owed to patients, and the Caldicott principles. The new guidance sets out for practitioners the process they are expected to follow.

In the first instance, a practitioner should always consider whether the informed consent of the individual being referred can be sought. Given that participation on Prevent and Channel is consent-based, it should ordinarily be the case that consent can be obtained. There may be instances however, where the individual is mentally incapable of providing consent, or seeking consent poses a risk of harm to the individual or others.

In such cases, healthcare professionals should document the reasons consent is not an option. Then they should assess whether there are legal grounds under GDPR for making the disclosure. If yes, they must consider whether the proposed disclosure would be lawful, necessary, and proportionate. The full assessment must occur before any information is provided – despite the often short timescales. An organisation’s data governance and function and Caldicott guardian are likely to need to be involved.

From a GDPR perspective, the guidance points out that the data involved will usually be ‘special category’ data, so legal grounds for disclosure under both Articles 6 and 9 of the GDPR are needed. The other GDPR principles, including minimisation of data, are also relevant. For example, disclosures must consist only of data necessary to respond to a request. Requests that are insufficiently clear in scope should be clarified before disclosure is made. In addition, to breach the duty of confidence, a practitioner will need to identify public interest or best interests justifications for overriding that duty.

To minimise the burden on healthcare practitioners, the guidance suggests ensuring that practitioners understand the Prevent and Channel processes. Expectations surrounding such disclosures should be highlighted within organisational policies and procedures, including how concerns are to be noted on patient records and handed on when patients are transferred. Data sharing agreements should also be in place at a local level, to support and protect the necessary data flows.

Our content explained

Every piece of content we create is correct on the date it’s published but please don’t rely on it as legal advice. If you’d like to speak to us about your own legal requirements, please contact one of our expert lawyers.


Mills & Reeve Sites navigation
A tabbed collection of Mills & Reeve sites.
My Mills & Reeve navigation
Subscribe to, or manage your My Mills & Reeve account.
My M&R


Register for My M&R to stay up-to-date with legal news and events, create brochures and bookmark pages.

Existing clients

Log in to your client extranet for free matter information, know-how and documents.


Mills & Reeve system for employees.