Bristol Information-sharing protocol (DVA/SV)
Information Sharing Protocol
For
Assessing and Protecting Victims
Of
Domestic and Sexual Violence and Abuse
April 2011
Contents
1. The Purpose & Legitimate Aim
2. Application
3. Definitions
4. Notification
5. Consent
6. Requesting/Disclosing Personal Data
7. Third Parties
8. Nomination of Staff
9. Accuracy of Data
10. Retention of Data
11. Security of Data
12. Data Subject Requests
13. Freedom of Information
14. Complaints
15. Training
16. Confidentiality
17. Compliance and Good Practice
18. Indemnity
19. Publication
20. Non Discrimination Clause
21. Agencies/Organisations signed up to the Information Sharing Protocol
22. Protocol Signatures
Appendix 1 –Contact Information
Appendix 2 - Section 115 Crime and Disorder Act 1998
Appendix 3 – Individuals' Rights of Access - Procedures for Handling Requests for Access to Information - (Subject Access
Appendix 4 - The Indemity
Appendix 5 - Multi Agency Risk Assessment Conferences (MARAC)
2
Bristol Information-sharing protocol (DVA/SV)
1. The Purpose and Legitimate Aim
The purpose of this Protocol is to facilitate the exchange of information between the partner agencies, that will enable the partnership to fulfill its statutory duty and work together (sect 17 of the Act 1998) to ensure public safety and for the prevention of disorder and crime, furthering the aims of the Crime and Disorder Act 1998. (See Appendix 2).
This Protocol is mainly concerned with the exchange of personal data where no other form of data will satisfy the requirement of ensuring public safety and preventing disorder and crime. When completely de-personalised information is requested, the assumption is that this information will be shared, e.g. statistical information. This protocol replaces all other previous protocols that refer to information sharing in relation to domesticand sexual violence and abuse in Bristol.
2. Application
1. The partnership subscribes to the following for this Protocol and any sub- Protocols:
i) The agreed standards must provide safeguards and an appropriate framework for the controlled exchange of information ensuring such information is proportionate, relevant and the minimum necessary to achieve the lawful aim
ii) The principles of the Data Protection Act 1998 must be upheld. (See The Data Protection Act 1998 Principles 1-8).
iii) All partner agencies must be compliant with the Human Rights Act 1998.
iv) The Bristol Domestic Violence and Abuse Strategy Group will review this Protocol annually. However intermediate and subsequent reviews may be initiated by any changes in legislation, case stated or ruling by the Commissioner for information.
v) Partners may request changes to this Protocol at any time by submitting a suggested revision to the Protocol holder in writing.
Any suggested alterations to this will be discussed at the Domestic Violence and Abuse Strategy Group meeting who in turn will consult all signatory agencies and a legal advisor before alterations are made. All decisions must be formally minuted and their actions recorded and retained by the protocol holder.
2. The nominated holder of this Protocol is the Chair of the Domestic Violence and Abuse Strategy Group , who shall, on behalf of the Bristol Domestic Violence and Abuse Strategy Group:
i) Ensure that a review is carried out on an annual basis.
ii) Circulate all requests for change, co-ordinate responses, obtains agreement for the changes.
3. Definitions
1. 'Crime' is defined as any act, default or conduct prejudicial to the community, the commission of which, by law, renders the person responsible liable to punishment by a fine, imprisonment or other penalty.
2. 'Anti-social behaviour' means acting in a manner which causes or is likely to cause harassment, alarm or distress to one or more persons who is/are not of the same household as the identified person.
3. 'Disorder' is an expression that refers to a level or pattern of anti-social behaviour within a particular area.
4. 'Prevention of Offending' is activity which reduces the likelihood of offending/re-offending e.g. by promoting young peoples' best interests through provision of community programmes, that reduce the risk factors associated with offending and promotes protective factors.
5. 'Personal data' is information that relates to a living individual, that can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of the data controller. It includes any expression of opinion or intention in respect of the individual.
6. 'De-personalised'- where an individual cannot be identified – e.g. by part of a postcode, NP4 etc.
7. 'Data Controller' is the organisation or the nominated person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or to be processed.
8. 'Data Processor' in relation to personal data, means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. 'Any person' includes Computer Bureaux or Third Party Agencies or Organisations that process the data on behalf of the Data Controller.
4. Notification
1. Each partner will ensure that they are appropriately registered under the Data Protection Act for the purpose of this Protocol.
2. As data exchanged will include some sensitive information, it will be necessary, at the registration stage, to select the appropriate criteria for processing from Schedules 2 and 3 of the Data Protection Act 1998.
5 .Consent
1. Many (but not all) of the data protection issues surrounding a disclosure can be avoided if the consent of the individual has been sought and obtained. The first consideration should be whether the individual has consented to the disclosure. Details of victims, witnesses and complainants should not be disclosed ordinarily without their written consent.
2. Subject to paragraph 3 below, personal information will not be shared without explicit written consent of the subject of that information
3. Information may be shared without consent strictly on a case by case basis for the purposes of prevention or detection of crime, apprehension or prosecution of offenders or if it is required by law. The legal ability for sharing this information without consent can be found under the provisions of
· Section 115 Crime and Disorder Act 1998
· Section 29 Data Protection Act
· Article 8 Human Rights Act 1998
· Children’s Act 2004 as referred to under 'Working Together to Safeguard Children'
· Management of Police Information (MoPI) Code of Practice (Section 6)
· Over-riding Public Interest
6. Requesting/Disclosing Personal Data
1. It is essential that adequate control of the flow of data be maintained. The Data Protection Act 1998 permits the exchange of data, provided the data has been fairly obtained and processed (the individual has been clearly informed how their data will be used and disclosed) and it is appropriately registered under the Act.
2. Disclosures can also take place under the Act's non-disclosure exception provisions. Reliance on these must be assessed on a case by case basis. The provisions are:
i) For the prevention or detection of crime, the apprehension or prosecution of offenders, and taxation purposes. Request for information must be on a case by case basis. If in any case it is felt that to follow Data Protection Act principles to either: inform the subject, check the accuracy of data or to destroy data that may be of benefit would prejudice any matters, then these principles can be disregarded. All requests and responses must be appropriately authorised and documented. (Section 29(3) Data Protection Act 1998).
ii) Where information is made available to the public by or under enactment. (Section 34 Data Protection Act 1998).
iii) Where the disclosure is required by law or by the order of a court. (Section 35 Data Protection Act 1998).
iv) Where a disclosure is made in connection with legal proceedings, for the purpose of obtaining legal advice, and establishing, exercising or defending legal rights. (Section 35 Data Protection Act 1998).
v) For the purpose of safeguarding national security. (Section 28 Data Protection Act 1998).
vi) By order of the Secretary of State. (Section 38 Data Protection Act 1998).
7. Third Parties
1. The Act permits Third Parties to process data on behalf of a Data Controller (see Data Protection Act 1998). It is imperative that should a partner be party to such an arrangement, that the processing is carried out with appropriate safeguards in place (see sec 11, 12 & 13). Partners should therefore ensure that:
i) Contracts/agreements between themselves and external suppliers include adequate and concise requirements for the processing, security and exchange of personal data. The contracts/agreements must include the requirement for service providers to act only on instructions given by the partner.
ii) Guarantees are provided by the service provider in respect of security measures they intend to take, and partners should take reasonable steps to ensure the service provider complies with those measures.
iii) Flows of information are limited to those between the partner and their service provider only.
iv). Partners have sufficient access to confirm the adequacy of standards also to satisfy data subject requests.
v) Partners carry out all relevant checks with prospective suppliers prior to awarding any use the contractor to process or store shared data
9
Bristol Information-sharing protocol (DVA/SV)
8. Nomination of Staff
1. To ensure compliance with the principle of security and the common law duty of confidentiality, this Protocol contains contact details for each organisation (Appendix 1).
§ with whom contact should be made in relation to this Protocol.
§ to whom requests for information should be sent (see Appendix 3), and who are responsible for resolving issues arising from non-disclosure.
§ to whom disclosures should be made (see Appendix 3).
2. Requests from unauthorised organisations/staff will be declined.
3. In the event of a serious investigation or large scale information exchange between partner agencies, a pre-meeting should be arranged between all relevant agencies and interested parties to discuss what information is to be requested and by whom. All subsequent requests should then be made in writing.
9. Accuracy of Data
1. Each partner has a responsibility to maintain the accuracy of data supplied under this Protocol. There is a duty in the Data Protection Act 1998 on a partner supplying personal data to advise the recipients if the data supplied is subsequently found to be inaccurate.
2. Where an inaccuracy is discovered after a disclosure has been made, it will be the responsibility of the party discovering the inaccuracy, to bring this to the notice of the data owner who should notify all recipients of the correction.
3. To meet this responsibility, partners will maintain records that indicate a disclosure has been made and to inform recipients if they become aware of any inaccuracies, which may either prejudice or detrimentally affect the rights and freedoms of the data subject or individual.
4. Material amendments ONLY (i.e. significant to the nature of the request) require notification on a cross-referenced disclosure document.
5. The responsibility on the discloser will continue for a period of two months after the date of the original disclosure. If the requester is still using that data after the two-month period, he/she shall obtain confirmation of the accuracy of the data, if required.
10. Retention of Data
The data should be retained for as long as necessary with regard to the purpose for which it was collected and shared, with regard to any recognised retention periods for such data.
11. Security of Data
1. Each partner must ensure they have appropriate security arrangements in place and take all reasonable steps to adequately protect the data from both a technological and physical point of view. This must include security of computer data, manual files and all forms of transfers of data between partners. Each partner must state:
i) Who can access what information
ii) Who makes disclosure decisions
iii) How data is transmitted
iv) Where data/information is stored
v) How requests for data disclosure are recorded
12. Data Subject Requests
Partners will follow their own organisational procedures for handling requests for individual access to information. If that information is identified as shared, or belonging to another partner organisation, it will be your responsibility to contact the data owner. The data owner should be contacted via the nominated contact person to determine whether they wish to claim an exemption to withhold the information under the provisions of the Data Protection Act
13. Freedom of Information
Requests for personal information under the Freedom of Information Act will be dealt with under the amended ‘subject access’ provisions of the Data Protection Act. Any other requests made under the Freedom of Information Act should be dealt with in accordance to each partner’s organisational procedures. See also Section 21 regarding the publication of this protocol and Appendix 3.
14. Complaints
1. Any complaints will be brought to the attention of the nominated officer of the relevant partner(s) and will be dealt with in accordance with their organisation’s internal complaint procedures.
2. Partners will keep each other informed of developments following receipt of a complaint, where relevant.
15. Training
Each partner is responsible for ensuring that appropriate members of staff are adequately trained in respect of all matters covered in this protocol.
16. Confidentiality
1. Each partner organisation shall at all times keep confidential, all personal data supplied pursuant to this Protocol. This clause shall survive termination of the agreement or the withdrawal of or removal of any partner.
2. Any publication of data supplied pursuant to this agreement will not identify any individual.
17. Compliance and Good Practice
Any further guidance or codes of practice should be distributed via the Protocol holder for consideration and possible attachment to this Protocol.
18. Indemnity
See Appendix 4
19. Publication
This Protocol is published by Bristol Domestic Violence and Abuse Strategy Group and is available on the Bristol Domestic Abuse Forum website www.bdaf.org.uk.
20. Non Discriminatory Clause
Whilst ensuring its compliance with Article 14 of the European Convention on Human Rights (ECHR) 1998, there will be no discrimination to any person irrespective of their gender, sexual orientation, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth or other status.