PROCEDURE (Essex) / Linked SOP (Kent) Information Sharing Agreements. Number: W 1014 Date Published: 23 June 2017

1.0 Summary of Changes

1.1 The following minor changes have been made to this procedure/SOP on 23 June 2017:
Paragraph link created to Privacy Impact Assessment;
Paragraph 3.4 Legal Services replaced with Data Protection Officer;
Paragraph Legal Services replaced with Data Protection Officer.

2.0 What this Procedure/SOP is About

2.1 This procedure/SOP defines Information Sharing and Information Sharing Agreements; it identifies when Information Sharing Agreements are required; and describes the processes that will be followed to produce and manage Information Sharing Agreements. Compliance with this procedure/SOP and any governing policy is mandatory.

3.0 Detail the Procedure/SOP

3.1 Understanding Information Sharing Agreements

For the purposes of this procedure/SOP, Information Sharing is the disclosure of personal information from one organisation to another organisation(s), or organisations (known as partners), on a repeated and on-going basis.

The legal basis for information sharing can arise from one of three sources; a statutory obligation or a statutory power or under common law. Essex Police and Kent Police will establish specific controls, procedures and working practices to manage each of them:

Statutory obligation: applies to information required by, or under statute (for example Criminal Procedure and Investigations Act 1996) or court order. Formal agreements are rarely needed;

Statutory power: applies to the sharing of police information with another party where there is a specific legal power to do so, but not an obligation to share. This includes sharing:
a. Within the police service;
b. With partner agencies that have a statutory power to share or receive information (for example under Crime and Disorder Act 1998); and
c. With the Disclosure & Barring Service (DBS) - disclosures of other information under Part V of the Police Act

Common Law: Applies to the sharing of police information under common law to support the policing purposes. Where common law is used, a risk assessment must be undertaken, taking into account any existing information sharing agreements, statutory requirements, the source of the information and any restrictions on its onward dissemination.

Information Sharing can take the form of:
A reciprocal exchange of information;
One or more organisations providing information to another or others;
Several organisations pooling information and making it available to each other;
Several organisations pooling information and making it available to another or others.

Information Sharing can be through viewing of printed or digital documents, print-outs, , databases, information systems or web pages, or through participation in conversations or meetings.

Officers and staff are advised to record their decision-making rationale in case of possible subsequent review in those cases where their decision to share or not share information was likely to be regarded as contentious. A decision-making model that may be of benefit can be found at Appendix A.

Where a statutory obligation or statutory power is identified as the grounds for information sharing, the obligation or power must be articulated within the application.

Police information that is made available in response to an application should be used only for the purpose for which the disclosure was made.

3.2 Establishing the Need for an Information Sharing Agreement (ISA)

An ISA is a document accepted by partners involved in Information Sharing which prescribes how Information Sharing will take place.

Where Essex Police or Kent Police aims to routinely share information with a partner that is not by way of a statutory obligation, the force will establish ISAs, using the force forms and templates provided.

It may be desirable for ISAs to be established even where a statutory obligation does exist, and in that situation one party may request this.

There is no requirement to create ISAs for information sharing with other UK law enforcement or criminal justice organisations.

3.2.5 The ISA should be supported by standard operating procedures/SOPs that define how the information is to be transferred; how the information is expected to be protected by all parties; and, who is responsible for the sharing within each organisation (the Primary Designated Officer or PDO). The SOPs can form part of the ISA, or they can be a separate document. The forces have created supporting templates and guidance for this purpose.

An ISA should not be confused with a Data Processing Contract (sometimes referred to as a Data Processing Agreement), which is required when personal data is processed on behalf of Essex Police or Kent Police by other organisations or individuals not employed by the forces.

3.3 Creating an ISA

The request to establish information sharing to and/or from Essex Police or Kent Police can either come from individuals in another organisation or from staff or officers within the forces. Those individuals will be known as the proposer.

The proposer must first seek authorisation and sponsorship from an officer of Chief Inspector Level or above who should obtain consent to progress the ISA from the relevant Information Asset Owner(s) (IAO) of the information intended to be shared. Where practical, the relevant IAO will eventually sign the ISA.

If the IAO concludes the information sharing cannot be justified then they will advise the proposer accordingly.

If the IAO concludes that the information sharing should be developed and an ISA is to be implemented, then the proposer will check the Central Library/Register of ISAs to see if one already exists that can be adopted. Within Essex the central library is housed on the Information Management website. Within Kent, this is published in the information sharing area of the force's Intranet.

Where the information sharing could be achieved under an established policy/procedure/SOP, then that procedure/SOP should be followed.
Within Essex agreements relating to Essex Retail against Crime or Behave or Be Banned scheme are dealt with under their respective procedures listed below:
A 0303 Procedure Behave or Be Banned Protocol
A 0606 Procedure Business against Crime initiative

If a relevant force ISA or national ISA already exists, then a local procedure should be established under that ISA. The official list of national ISAs can be found within the Information Sharing Section of the Police On-line Knowledge Area (POLKA).

3.3.7 If a relevant ISA does not already exist, then the proposer will create a new ISA. Within Essex where an ISA is required from new then subject to the views of the other party/parties involved the ISA will be written using the Essex Police template Form A597 or, in the case of sharing with a partner within the Whole Essex Information Sharing Framework (WEISF), the WEISF template may be used. Guidance on the drafting of an ISA may be obtained from Information Management.

In any case a Privacy Impact Assessment or similar should be undertaken to ensure that any privacy issues are identified and mitigated. Where the information sharing involves partners having direct access to the Essex Police IT infrastructure or premises a mandatory information security assessment must take place prior to any sharing occurring.

Within Kent, proposers should complete the Third party working requirements document initially, which will identify any additional resources that are required. This is available from the Information Security area of the force's Intranet.

Where a partner wishes to use their own ISA standard, this must be checked to ensure that it meets the requirements of the relevant force. Refer to the forces' guidance or protocols for more information on the specific requirements. Within Essex where the partner(s) require(s) the use of their own template then that will be acceptable to Essex Police provided that it meets the force's requirements. In such cases a check list Form A597a, derived from Essex Police's requirements must be used to test the acceptability of an ISA based on another organisation's template. Within Kent, further guidance is published on the force's Intranet.

3.4 Review and Approval of the ISA

Within Kent the proposer should seek the approval of the Data Protection Officer at the earliest opportunity, and engage them in the review process. That department must confirm their approval in writing prior to the commencement of any information sharing.
Within Essex the ISA must be approved by a sponsor of Chief Inspector level or above prior to the commencement of any sharing. Information Management no longer approves ISAs but will intervene should it become aware of an ISA that was likely to lead to sharing of information contrary to the Data Protection Act.

Once the proposer has completed the ISA to their own satisfaction, it should be shared with the partners involved in the sharing initiative for a collaborative review.

Once the ISA is deemed acceptable to all parties, it will be signed-off by both the relevant IAO and senior counterparts from the partner organisation(s). Note: In situations where it is impractical for the IAO(s) to sign the ISA, then a sponsor may sign the ISA on behalf of the IAO(s). The IAO(s) should be made aware of this decision.

3.4.4 The ISA and any related SOPs must specify a future review date; this is usually within 12 months. Where access to a partner's ICT is required, the corresponding ICT accounts for these non-police personnel must have an expiry date set that corresponds with the ISA/SOP review date. This process must be compliant with W 1001 Procedure/SOP - ICT Acceptable Use or W 1002 Procedure/SOP - User Account Management.

The sponsor/IAO will send a copy of the signed ISA to the Information Management Department (Essex Police) or Data Protection Officer (Kent Police) who will then ensure that a scanned copy of the signed ISA is added to the force's Central Library/Register of ISAs, which is available on the force intranet.

3.5 Maintenance

It is the responsibility of sponsor/IAO, or their successor(s), to monitor the secure operation of the ISA and ensure that the operating procedures (ISA SOPs) are being followed correctly.

It will be the responsibility of the sponsor/IAO, or their successor, to ensure the ISA is reviewed and revised or cancelled as necessary, by the official review date.

4.0 Equality Impact Assessment

4.1 This procedure/SOP has been assessed with regard to an Equality Impact Assessment. As a result of this assessment it has been graded as having a low potential impact as the proposals in this procedure would have no potential or actual differential impact on grounds of race, ethnicity, nationality, gender, transgender, disability, age, religion or belief or sexual orientation.

5.0 Risk Assessment

5.1 There is an overall risk concerning the use and management of Essex and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures/SOP. The Corporate Risk Register will contain any risks in relation to Information Security.

6.0 Consultation

6.1 The following were included in the consultation during the development of this procedure/SOP:
Unison / Federation
Diversity / H&S
PSD
The Information Management Boards (IMBs) for Essex and Kent.
Business Services

7.0 Monitoring and Review

7.1 The forces' partnership lead departments will be responsible for ensuring that the procedure/SOP will remain current in line with HMG and ACPO policy.

7.2 This procedure/SOP will be reviewed by or on behalf of the forces' SIROs every year.

8.0 Governing force policy. Related force policies or related procedures (Essex) / linked standard operating procedures (Kent)

Joint Essex Police and Kent Police
W 1000 Policy Information Management and Assurance
W 1001 Procedure/SOP - ICT Acceptable Use
W 1002 Procedure/SOP - User Account Management
W 1003 Procedure/SOP - Information Classification & Handling
W 1004 Procedure/SOP - Incident Reporting & Management
W 1005 Procedure/SOP - Information Asset Owners
W 1007 Procedure/SOP - Accreditation of Information Assets
W 1008 Procedure/SOP - Physical Security
W 1009 Procedure/SOP - Protective Monitoring
W 1010 Procedure/SOP - Records Management (Physical and Digital)
W 1011 Procedure/SOP - Data Protection
W 1012 Procedure/SOP - Records Review, Retention and Disposal
W 1017 Procedure/SOP - Sanitisation and Disposal
W 1019 Procedure/SOP - Freedom of Information

Essex Police Only
W 2006 Procedure Cryptographic Security
W 2011 Procedure Transaction Monitoring and Audit
W 2013 Procedure Appropriate Access and Use of Police Information
W 2020 Procedure Data Quality
W 2021 Procedure Applications for the Early Disposal of Information
W 2040 Procedure Records and Evidence Centre
A 0303 Procedure Behave or Be Banned Protocol
A 0606 Procedure Business against Crime initiative

9.0 Other source documents, e.g. Legislation, APP, Force forms, partnership agreements (if applicable)

Form A597 Information Sharing Agreement
Form A597a Information Sharing Agreement Checklist
WEISF template