Derbyshire Constabulary INFORMATION SHARING POLICY POLICY REFERENCE 06/101. This policy is suitable for Public Disclosure

Transcription

1 Derbyshire Constabulary INFORMATION SHARING POLICY POLICY REFERENCE 06/101 This policy is suitable for Public Disclosure Owner of Doc: Head of Information Management Date Approved: April 2005 Review Date: December

2 INDEX Heading Page No 1. Policy Identification Page Legislative Compliance Introduction Policy Statement Procedures Monitoring and Review Appeals Legislative Compliance Pack Part 1 Human Rights Part 2 Equality and Diversity Part 3 Customer Service Part 4 Data Protection Part 5 Health and Safety Part 6 Information Security Part 7 Freedom of Information Part 8 Bureaucracy Impact Part 10 Consultation 2

3 1. Policy Identification Page Policy title: Information Sharing Policy Registry Reference number: 06/101 Policy implementation date: Original version April 2005 Policy review date: December 2016 Department / Division responsible: Policy owner: Corporate Services Head of Information Management Last reviewed by: Jenna Boulter Date last reviewed: February 2014 Impacts on other policies / guidance / documents (list): ACPO (2005) Code of Practice on the Management of Police Information ACPO (2010) Guidance on the Management of Police Information ACPO Data Protection Manual of Guidance 2010 ACPO Community Security Policy 2009 Data Protection Act 1998 Information Management Strategy Information Commissioner s Data Sharing Code of Practice 2011 Security Classification: Disclosable under FOI Act: YES Policy to be published on Intranet YES Policy to be published on Force Website NO Policy disclosable to public via FOI request YES 3

4 2. Legislative Compliance This document has been drafted to comply with the principles of the Human Rights Act. Proportionality has been identified as the key to Human Rights compliance, this means striking a fair balance between the rights of the individual and those of the rest of the community. There must be a reasonable relationship between the aim to be achieved and the means used. Equality and Diversity issues have also been considered to ensure compliance with the Equality Act 2010 and meet our legal obligation in relation to the equality duty. In addition, Data Protection, Freedom of Information and Health and Safety Issues have been considered. Adherence to this policy or procedure will therefore ensure compliance with all relevant legislation and internal policies. 3. Introduction The Derbyshire Constabulary is committed to working in partnership with other agencies involved in providing services to the public. It is recognised that the exchange of relevant information between such bodies is fundamental to achieving an effective quality service. This policy applies to all Derbyshire Constabulary staff whether working on Derbyshire police premises or remotely. The Chief Constable together with other key partners in Derbyshire has signed up to the Derbyshire Partnership Forum Information Sharing Protocol, which sets out a framework for information sharing across the respective organisations. The Protocol commits the partner organisations to draw up information sharing agreements to meet specific business needs in an agreed format. This policy provides a framework for the management of information sharing initiatives within the Force to recognise and align local procedures to national agreements and protocols where appropriate. This policy and guidance should be read in conjunction with the ACPO (2010) Guidance on the Management of Police Information, Second Edition which requires that protocols or Information Sharing Agreements are in place and adhered to between key Crime and Disorder Reduction Partnerships, Youth Offending Teams and other key partnership agencies including Neighbourhood Action Groups and Local Safeguarding Children s Boards and other law enforcement or prosecuting agencies. It should also be read in conjunction with the Information Commissioner s Data Sharing Code of Practice 2011 which aims to provide guidance on the practical measures that should be implemented to ensure compliance with the Data Protection Act This policy further requires that agreed processes are in place for sharing information held by partners and that processes exist for the review and evaluation of information from other agencies and partners into the organisational memory. It also relates to: Data Protection Act 1998; Government Protective Marking Scheme; 4

5 ACPO/ACPOS Information Systems Community Security Policy; ACPO (2005) Guidance on the National Intelligence Model; Common Law Duty of Confidentiality; UK Government Transparency Agenda; Information Commissioner s Office Data Sharing Code of Practice 2011; Other relevant legal gateways for the disclosure of information. Where appropriate, national protocols will be acknowledged and local arrangements will be aligned accordingly. This policy does not preclude the urgent sharing of information to safeguard children and vulnerable adults, nor does it preclude the sharing of information between Police forces for a policing purpose. Aims To facilitate the lawful exchange of information; To ensure that Information Sharing Agreements adhere to common standards; To provide realistic expectations for agencies and partners; To improve public services through an increased capability of all stakeholders to make informed decisions about how best to protect the public; To support operational policing requirements and associated strategic partnership objectives through effective working arrangements; To provide all staff with the appropriate guidance with regard to the sharing of information with other agencies, to ensure that realistic expectations prevail and that common standards are applied across the partner organisations to address compliance with the principles of the Data Protection Act 1998 and other relevant legal obligations; To ensure that any use of data is lawful, properly controlled and the Data Protection rights of individuals are respected. It is important that high quality customer service is provided as part of the Information Sharing Policy and the standards specified in the Customer Service Policy apply through-out this document. 4. Policy Statement Derbyshire Constabulary recognises the emerging importance of partnership working and the consequential demands for greater sharing of information between the Constabulary and its partners. By information sharing the force will secure continuous and sustained improvement in the exchange of information to and from partner agencies to assist in the prevention and detection of crime, the apprehension and prosecution of offenders and to prevent harm. 5

6 Where information sharing requirements are identified to support any business area to work more effectively with partner agencies, an Information Sharing Agreement shall be produced ensuring that public confidence in the Constabulary is not undermined by concerns that it does not manage information appropriately. 5. Procedures Definition of Information Sharing Information Sharing means the disclosure of data from one or more organisations to a third party organisation or organisations, or the sharing of data between different parts of an organisation. Types of Information Sharing There are two types of information sharing: - Systematic: - routine information sharing where the same data sets are shared between the same organisations for an established purpose. Ad hoc or one-off : -organisations may decide or be asked to share data in situations which are not covered by any routine agreement, for example, in an emergency. This policy applies to both systematic and ad hoc information sharing. Information Subject to this Policy The policy encompasses all personal information processed electronically (e.g. computer systems, CCTV, audio etc.) and in paper records; and sensitive police data including any information classified as RESTRICTED or above under the Government Protective Marking Scheme. Business Needs Where a Divisional commander or Head of Department identifies that a business need exists for the exchange of information between the police and partner organisations, the following arrangements will apply. The Divisional Commander or Head of Department shall appoint a Designated Manager to liaise with the partner organisations and oversee the development of an Information Sharing Agreement on behalf of the Force. The Designated Manager shall identify the specific objectives to be achieved, the nature of the information to be shared, what arrangements will be in place to facilitate the partner aims and how the information sharing processes will be managed. The Force Data Protection Officer will provide assistance to Designated Managers in negotiating and producing relevant agreements. A template document and guidance notes will be available. Where it is necessary to make any amendments to any specific agreements, the Force Data Protection Officer will provide necessary support and guidance. 6

7 Where an Information Sharing Agreement is being led or driven by a partner agency, the Force Data Protection Officer will provide such assistance as is required by the Designated Manager to meet the terms of this policy. Governance and Authorisation Any proposed agreement shall be considered by the relevant Business Lead who must be satisfied that the business requirements are met and that the terms of the agreement can be effectively resources and managed. This will include the consideration and adoption of any relevant national agreements at a local level, or Information Sharing Agreements promoted or presented by partner agencies. Any proposed agreement will be submitted to the Force Data Protection Officer for data protection compliance and approval who will authorise documents, as appropriate on behalf of the Chief Constable. The Force Data Protection Officer shall maintain a central registry of all authorised agreements and will make this available to all relevant staff, as required. Original endorsed documents shall be retained as part of a central registry. Where no information sharing agreement is in place reference must be made to the disclosure of information policy. Content of Agreements Information sharing agreements will seek to specifically address the following: Partners Who the partners are and their responsibilities; Purpose The specific business objective for information sharing; The information to be shared What information is required; Fair and lawful processing The specific lawful powers for processing the information; How the information may be used How the information is intended to be used and any restrictions that may apply; Information quality What standards will apply for data quality and how errors will be handled; Information retention, review and disposal How long the information is to be retained and details of specific review and disposal arrangements; Access and security an explanation of the standards and conditions required to protect the information, having regard to the nature of the data to be shared and the harm which might arise from any compromise; General operational guidance Any operational guidance relevant to the purpose; Management of the agreement Handling of complaints, requests for information under the Data Protection Act 1998 or Freedom of Information Act 2000, review of the agreement, signatories, closure, termination and indemnity. Responsibilities The Chief Constable remains statutorily responsible for the Constabulary s use of personal data under the Data Protection Act

8 The Force Data Protection Officer is responsible for managing the Chief Constable s statutory obligations in respect of data protection and for ensuring the annual review of all Information Sharing Agreements. The Business Lead usually the Divisional Commander or Head of Department will determine business priorities; ensure the partnerships and information to be are appropriate and will commit resources where necessary. The Designated Manager for any specific information sharing agreement will retain overall responsibility for its day to day management. The Designated Manager shall ensure that information sharing arrangements are consistent with this policy and that all users are sufficiently trained in the agreement s operation. The Designated Manager will ensure that processes are in place for the review and evaluation of information from other agencies and partners into the organisational memory. Each Information Sharing Agreement will be reviewed at least annually by the Designated Manager to ensure that the agreement is achieving its purpose and the actual process of information sharing is operating effectively. The review will include contact lists being up to date, changes, if required, which are approved and recorded, and a decision either to terminate or extend the agreement. Supervisors are responsible for ensuring that monitoring processes are in place to ensure that a user s decision to share meets the policing purpose and the adherence to risk assessment processes, where necessary. Supervisors will ensure that quality assurance processes are in place in accordance with force policy. Users are responsible for complying with relevant data quality standards and ensuring that information collected and shared is for a policing purpose and any disclosure is lawful, for a statutory purpose and is proportionate and necessary. Legal Responsibilities The legal circumstances relating to the sharing of police information can be summarised into three distinct groups: Those required to under statute ( Express or Statutory obligations); Those permitted to under statute ( Express or Statutory Powers); Those made under common law to support the policing purposes including information sharing and dissemination (Common Law). Express (Statutory) Obligations these apply where there a specific legal obligation to disclose Police information to another party. Where there is a frequent and continuing need for the Force to disclose information, a Memorandum of Understanding (MOU), Service Level Agreement (SLA), or an Information Sharing Agreement (ISA) that clearly sets out the statutory obligations of the organisations involved, together with procedures for managing them, should be used for effective, timely and consistent disclosure. Such statutory obligations include: Disclosures to the Disclosure and Barring Service (formerly Criminal Records Bureau) under Part V of the Police Act Schemes to protect children and vulnerable adults. Court Orders. 8

9 Express (Statutory) Powers this applies when there is a specific legal power, but not an obligation to share Police information. Express powers and statutory obligations are often referred to as legal gateways. An express power is designed to facilitate disclosure of information for certain purposes. When the Force is requested to share information with a partner, that partner must identify a legal power to lawfully request and use such information, for example, Social Services may request information under Section 47 of the Children s Act 1989, which allows local authority social services departments to request information from other agencies as part of child protection enquiries. Common Law When Derbyshire Constabulary is asked to share information with a partner Agency where a statutory obligation or power does not exist, a policing purpose must be established, as any decision to share is risk based and must be balanced against the requirements of the common law duty of confidence and the Data Protection Act Implied powers Where no express statutory power to share or receive data exists, such a power may be implicit in the provisions defining the relevant powers or functions of the requesting agency. Many activities of statutory bodies will necessarily be carried out pursuant to implied statutory powers, given the difficulty of defining expressly all the activities that they may carry out in connection with their day to day functions. When considering whether a body has an implied power to share data, it is firstly necessary to identify the function or activity to which that sharing would be ancillary. If the body does not have the power to perform that function or activity, there can be no implicit power to share data. Account should also be taken of other relevant statutory provisions that might expressly or implicitly prohibit the data sharing that is being proposed. Guidance on implied powers should be sought from the Force Data Protection Officer before relying on such power as a basis for disclosure or sharing. Whatever the source of the power to share information is, it must be checked that the power covers the particular disclosure or information sharing that is proposed. Any Information Sharing Agreement shall contain clear details of the legal basis which is being relied upon. Deciding to share personal data When deciding whether to enter into an agreement to share personal data, the objective of the sharing of the data should be identified. The potential benefits and risks should be considered and the likely results of not sharing the data should be taken into account. The following questions are factors to consider: What is the sharing meant to achieve? There should be a clear purpose and objective or set of objectives; What information needs to be shared? Not all personal data has to be shared, ensure that only the data that is necessary to meet the objective is shared; Who requires access to the shared personal data? Need to know principles should be applied; When should it be shared? Set out whether it should be an on-going, routine process, or if it should only apply in certain circumstances; How should it be shared? Set out protocol for sharing and address security issues; How can we check the sharing is achieving its objectives? Review policy frequently to check it is still appropriate and confirm that safeguards still match the risks; What risk does data sharing pose? Is any individual likely to be damaged by it or to object? Might it undermine any individual s trust? 9

10 Could the objective be achieved without sharing the data or by anonymising it? It is not appropriate to use personal data when the same result could be achieved without using personal data; Will any of the data be transferred outside of the European Economic Area (EEA)? The requirements of Principle 8 of the Data Protection Act 1998 will apply. Guidance on Principle 8 is published by the Information Commissioner. Conditions for processing Principle 1 of the Data Protection Act 1998 states that organisations have to satisfy one or more conditions in order to legitimise their processing of personal data, unless an exemption applies under schedules two and three of the Act. It is good practice to identify the relevant conditions for processing within the Information Sharing Agreement to further demonstrate how the processing is lawful. Fairness and transparency The Government Transparency Agenda has identified that organisations have a duty to act visibly, predictably and understandably to promote participation and accountability. Information Sharing Agreements provide shared understanding, test necessity and proportionality and result in a consistent approach to the sharing of information. Information Sharing Agreements will be published internally in accordance with the Force s Freedom of Information Publication Scheme for the information of all staff and where appropriate, externally on the Constabulary website for the purposes of fairness and transparency. Where agreements contain sensitive procedures these should be appended to the agreement and identified as not suitable for disclosure. Security The Information Sharing Agreement and associated arrangements will identify the relative terms and conditions for the secure sharing of information in accordance with the ACPO Community Security Policy, the relevant national standards and the Data Protection Act Whilst a standard set will commonly apply, it will be necessary to establish what and if any standards are appropriate to protect the integrity of any given partnership agreements. 6. Monitoring and Review Subject to any new legislation or changes in case law, which require immediate amendments, this document will be reviewed annually by the Head of Information Management, Corporate Services. 7. Appeals Process If a member of staff has an issue with the application of this policy they should raise this in the first instance with their Line Manager. Staff may have recourse to the Dispute Resolution Procedure. Members of the public who take issue with the application of this policy have recourse to the police complaints system. 10

11