Next Event: DSPT 2024-2025 for NHS Trusts, Integrated care boards, Commissioning support units and Arm’s length bodies

View Event

Search Digital Care Hub

Sharing stories safely: how to protect privacy in social care communications

Sharing stories safely: how to protect privacy in social care communications

April 9th 2025

In adult social care, stories matter. Whether it’s a photo of a birthday celebration, a staff shout-out on social media, or a heartfelt success story in a newsletter, these moments help us build trust, show the human side of care, and attract new staff. But behind every post or picture is a real person — with a right to privacy and dignity.

That’s why Caldicott Guardians, managers, and communications leads all have a vital role in making sure we get this right. With the right processes, we can share stories ethically and lawfully — and avoid causing upset or breaking the rules.

We explored this issue at one of our recent Caldicott Guardian Network Meetings.

Why data protection matters in public storytelling

When you publish a story, photo or video about someone — even if it’s just a first name and a health detail — you’re using personal data. That means data protection laws, including the UK General Data Protection Regulation (GDPR) and the Data Protection Act, apply. More importantly, people’s dignity is at stake.

Getting this wrong can lead to complaints, distress, and reputational damage. But when it’s done right, communications can build pride and show the positive impact of care.

Start with the Caldicott Principles

Caldicott Guardians were created to help health and care organisations use people’s information safely and responsibly. Several of the Caldicott Principles are especially relevant when it comes to public communications:

  • Justify the purpose – Have a clear reason for sharing a story or image. Is it necessary?
  • Don’t use personal data unless needed – Can you tell the story without naming someone or showing their face?
  • Use the minimum necessary – Avoid over-sharing. First names or anonymised case studies often work just as well.
  • Be aware of responsibilities – Make sure staff involved in storytelling or social media understand their role.
  • Comply with the law – Always follow data protection rules.
  • Inform people – Be clear about where and how their information will be used.

Understanding consent — and who can give it

For any personal story or image, consent must be:

  • Informed – The person knows exactly what’s being shared and where.
  • Voluntary – They are not under pressure.
  • Specific – General consent isn’t enough; it needs to cover the exact use.

If someone lacks capacity to give consent (for example, due to dementia), the Mental Capacity Act 2005 applies. Decisions should be made in their best interests — considering what the person would have wanted, involving family or advocates, and exploring less intrusive options. SCIE’s guidance reminds us to avoid assumptions and to record our decision-making process carefully.

If the person has a Lasting Power of Attorney (LPA) for health and welfare, and it is active, their attorney may be able to make this decision — but only if the LPA covers that area. It’s important to seek advice and involve your Caldicott Guardian in these situations.

What about after someone dies?

Once someone has died, GDPR no longer applies. But ethical responsibilities and public trust remain. Sharing personal stories or images after death should still be handled sensitively.

You should:

  • Only continue to use the information if the person gave clear consent while they were alive or
  • If there is a Lasting Power of Attorney in place, get agreement from them
  • If in doubt, remove or review content that may no longer feel appropriate

Ask yourself: would this feel respectful if it were about someone I loved

Common scenarios — and how to handle them

Here are some typical examples:

Birthday photo shared online
A care home shares a post of Jean’s 90th birthday. Her family complains — Jean had dementia and couldn’t give consent.

What to do: Remove the post. Always check capacity and get written, informed consent. If capacity is lacking, follow best interests guidance and involve family or advocates. LPAs may be involved where appropriate.

Client success story in a newsletter
A provider shares that John is now managing his own medication after a stroke.

What to do: Consider whether health details or names are necessary. Make sure John understands where the story will appear — and that he has given informed consent and is happy with it.

Photo from a minibus outing
A staff member posts a group photo of residents on a beach trip.

What to do: Only trained staff should take photos, using work devices. All posts should be approved before being shared. Always check consent has been given.

Congratulating staff online
A care provider posts about Mary’s promotion on LinkedIn — but she wasn’t asked and is upset.

What to do: Always ask before using someone’s name or photo. Give staff the option to opt out.

Reusing a case study after death
A provider wants to keep using a client’s story in marketing materials after they’ve passed away.

What to do: You can do this if the person gave consent while alive, or someone has LPA and agrees that it can still be used. It is challenging to rely on a family member or next of kin as it is very likely that family members maty disagree. If unsure, take the material down. And update your consent forms so that they consider use after death.

Personal social media sharing by staff
A care worker posts a “day in the life” video with clips of clients and their homes.

What to do: Enforce your social media policy. Personal accounts should never be used to share client information. Provide regular training and deal with breaches quickly.

What managers and Caldicott Guardians should do

  • Be involved early in any campaigns or public-facing materials
  • Promote robust consent processes and check capacity where needed
  • Support staff training — especially on the Mental Capacity Act and best interests decisions
  • Make sure policies are clear on:
    • Social media
    • Photography and video
    • Consent and capacity
  • Encourage a culture of “check before you share”

Helpful tools and reminders

  • Keep your consent forms up to date (e.g. options for internal, website, social media use)
  • Use a communications checklist:
    • Is consent recorded?
    • Does the person have capacity?
    • Is it respectful and necessary?
    • Would I be happy with this being shared about me?
  • Offer regular refresher sessions for staff on consent, capacity, and social media boundaries

Final reminder

Communicating well helps people feel seen and valued — and can raise awareness of the care sector. But it must always be grounded in respect, dignity, and the law.

If you’re unsure, remember:
“If in doubt, leave it out — or check with your Caldicott Guardian first.”

Find out more

The purpose of the Caldicott Guardian Network is to provide support to all those across the care sector who have the Caldicott Guardian role as part of their jobs, offer a networking, sharing and learning space and promote the role as best practice . We aspire to encourage and explore innovation in relation to the role and influence future ways of working.

Find out more about the Caldicott Guardian Network – and join our next session on 12 June 2025

 

View all News

Next Event

View all Events
April

15

April

15

View all Events