Information Sharing - presenting a Business Case:

Introduction

This document is a tool for practitioners and sets out the principles that will be applied to sharing information (such as aggregate data) across organisations, both internal and external. It sets out the commitment to information sharing, explains what information is generally shared, grounds for sharing information and the controls and assurances which are agreed. Most importantly it provides a clear way of demonstrating compliance with the various legislation, such as the Data Protection Act.

When to use this document?

This document is a guide designed for use when sharing aggregate data or personal/ sensitive data between different organisations on a regular basis and/or seeking permission for staff to access specific databases outside of their own service area. You should use it as part of the early stages of considering to share information.

What it includes and how used?

The key principles of good practice in sharing information and compliance with various legislation (e.g. the Data Protection Act) are set out. This document can be used for a wide range of information sharing purposes, for example, to facilitate information sharing under the Crime and Disorder Act 1998.

This document does not intend to set out all legal issues; instead it is designed for use by practitioners focussing on the practicalities of information sharing and requires them to detail how compliance will be achieved.

Using this document does not invalidate any existing information sharing agreements.

The proforma

Attached to this principles document (Appendix 1) is the proforma to set up individual information sharing arrangements. The proforma requires practitioners to describe what, where and how information will be shared by answering a series of questions.

The proforma is designed to be completed by practitioners responsible for the day to day management of the information which is proposed to be shared. To ensure proper compliance checks, the proforma must be sent to the Caldicott Guardian /Data Controller for each participating organisation who will arrange for the information sharing arrangement to be checked and verified by the Integrated Information Governance Board.

Aggregated data - is statistical information (i.e. non-personal). Sometimes, even though data is statistical and aggregated, individuals may be identifiable (e.g. data by postcode – where there is one property in a postcode an individual could be identifiable). Therefore care must be taken to check whether data is statistical or personal or where information together can reveal a person (e.g. Age, Postcode and Gender).

Personal data* - is information which identifies a living individual – Data Protection Legislation and related legislation must be complied with. For example, a name of an individual and home address.

Special category data - The conditions are listed in Article 9(2) of the GDPR:

• a) the data subject has given explicit consent to the processing of those personal data for one or more specified purposes, except where Union or Member State law provide that the prohibition referred to in paragraph 1 may not be lifted by the data subject;
• b) processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject;
• c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• d) processing is carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim and on condition that the processing relates solely to the members or to former members of the body or to persons who have regular contact with it in connection with its purposes and that the personal data are not disclosed outside that body without the consent of the data subjects;
• e) processing relates to personal data which are manifestly made public by the data subject;
• f) processing is necessary for the establishment, exercise or defence of legal claims or whenever courts are acting in their judicial capacity;
• g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
• h) processing is necessary for the purposes of preventive or occupational medicine, for the assessment of the working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3;
• i) processing is necessary for reasons of public interest in the area of public health, such as protecting against serious cross-border threats to health or ensuring high standards of quality and safety of health care and of medicinal products or medical devices, on the basis of Union or Member State law which provides for suitable and specific measures to safeguard the rights and freedoms of the data subject, in particular professional secrecy;
• j) processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1) based on Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.

Controls, whether legislative or otherwise, need to be commensurate with the risk and proportionate to the objective which is sought to be achieved.

Legislative controls include:

• Data Protection Act 2018 and GDPR
  • The first principle requires that you process all information lawfully, fairly and in a transparent manner. Sharing information is only lawful if you have a lawful basis under Article 6. And to comply with the accountability principle in Article 5(2), you must be able to demonstrate that a lawful basis applies.
  • The DPA and GDPR places duties on organisations on how to process personal data (‘process’ includes obtaining, holding, use of or disclosure of information). It also gives rights to individuals e.g. to access information about themselves. There are 7 GDPR key principles which form the backbone of the data protection legislation.
  • Where personal data is shared, the GDPR sets out seven key principles which lie at the heart of the general data protection regime.
    • 1. processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
    • 2. collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
    • 3. adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’);
    • 4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
    • 5. kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
    • 6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures (‘integrity and confidentiality’).
    • 7. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).
• Human Rights Act 1998: Under Article 8 of the European Convention of Human Rights (brought into force by the Human Rights Act 1998) individuals have the ‘right to respect for private and family life, home and correspondence’. As a general rule information sharing should not interfere with this right. Provided that the interference had a clear legal basis, was necessary, and was proportionate to the aim, then the interference could be justified on the following grounds: national security, protection of economy, public safety, protection of health and morals, prevention of crime and disorder, and the protection of the rights and freedoms of others.
• Law of confidentiality: Even though there may be legal powers to share, the law of confidence still applies (even after death of the individual, who the information is about). This means that anyone proposing to disclose information not publicly available and obtained in circumstances giving rise to a duty of confidence will need to establish whether there is an overriding justification for doing so. If not, then consent would need to be obtained.

See https://ico.org.uk for further detail and information on the above legislative controls.

Accuracy of information – the accuracy of information is likely to be relied upon by partner organisations and therefore, the accuracy of information must be communicated to all parties (subject to legal obligations).

Updating of information – the information providing and receiving organisations should put arrangements in place to inform each other (and any other parties to the arrangement) of any relevant changes or updates to the information shared (after the information has been shared). The responsibility of onward correction must be considered and assigned.

Information use – Whether aggregated or personal data, information must only be used for the purposes it has been shared. If the organisation receiving the information wishes to use it for purposes not clearly described in the proforma separate permission must be sought from the organisation that has provided the information.

Disclosure –information should only be disclosed to any other partner organisations/ third parties with the permission of the partner organisation providing the information or, where appropriate, the permission of the individual who the information is about.

Security measures should be commensurate with the type of information shared and the risk (e.g. of loss, inappropriate disclosure etc).  Any special security controls that need to be taken in regard to transfer, collection, holding and use of the information should be communicated to all organisations involved in the handling of the shared information.

The partner organisation receiving the information should set out what security controls they plan to have in place; they are responsible for the security of that information.  In some cases a signed undertaking may be appropriate, but generally the information sharing arrangements (such as the proforma, Appendix 1) will be sufficient. 

Where the information is protectively marked then further advice should be sought on the specific handling and care arrangements that need to be in place when dealing with that information. 

The final record of the completed proforma should be kept on record in a central register (a copy held by all parties to the arrangement).

As a matter of good practice, in setting up arrangements for accountable and auditable information sharing, key information about arrangements in place should be recorded in a central system. Following should be recorded as a minimum: -

• Data to be shared (e.g. data set, or data user)
• Partners to the information sharing agreement
• Start date of agreement (and end date where appropriate)
• Frequency of sharing information
• Review date for arrangement

Partner organisations will ensure that all relevant staff are aware of and comply with their responsibilities in relation to:

• the information sharing arrangements
• the confidentiality of information about any service users; and
• the commitment to share information in accordance with the agreement (principles and proforma which is agreed) and appropriate legislation.

As appropriate, the public will be informed of information sharing arrangements (in particular, where this involves sharing of personal data).

As far as possible, the individual information sharing arrangements should be published on websites/ publication schemes or in some other way to ensure openness and transparency.

Complaints procedures

Partners are committed to having procedures in place to address complaints relating to the sharing of information and or about how information about individual service users has been shared. Complaints procedures will be provided to members of the public/ service users, ideally on the website.

A DPIA is a way for you to systematically and comprehensively analyse your processing and help you identify and minimise data protection risks.

DPIAs should consider compliance risks, but also broader risks to the rights and freedoms of individuals, including the potential for any significant social or economic disadvantage. The focus is on the potential for harm - to individuals or to society at large, whether it is physical, material or non-material.

To assess the level of risk, a DPIA must consider both the likelihood and the severity of any impact on individuals.

A DPIA does not have to eradicate the risks altogether, but should help to minimise risks and assess whether or not remaining risks are justified.

DPIAs are a legal requirement for processing that is likely to be high risk. But an effective DPIA can also bring broader compliance, financial and reputational benefits, helping you demonstrate accountability and building trust and engagement with individuals.

A DPIA may cover a single processing operation or a group of similar processing operations. A group of controllers can do a joint DPIA.

It’s important to embed DPIAs into your organisational processes and ensure the outcome can influence your plans. A DPIA is not a one-off exercise and you should see it as an ongoing process, and regularly review it.

Who completes what?

It is suggested the partner organisation (lead organisation if more than one partner) receiving the information completes sections 1 – 5 and the partner organisation providing the information completes section 6 and sections 7 and 8 completed at the end by all parties. Once agreed and completed, all parties should sign section 9.