In human rights law, the concept of proportionality means doing no more than is necessary to achieve a lawful and reasonable result. The third Principle provides that personal data must be relevant, and not excessive in relation to the purpose for which it is being shared.
MAPPA agencies must ensure that information about the data subject is relevant to assessing and managing risk and that no more information is shared than is needed to manage that risk. For example, if a data subject’s name and address are required, sharing their race and religion as well would probably be disproportionate.
Each agency should follow its own data protection policies in sharing information with other agencies under MAPPA. Although these policies are based on the same legislation, there may be differences on points of detail, and co-operation between agencies will be easier if there is a shared understanding of each other’s policies. For this reason, the MAPPA Strategic Management Board (SMB) should develop an Information-Sharing Agreement setting out how MAPPA agencies will share information with each other, so that they are following a common set of rules and security standards as far as possible.
Sections 8 and 14 of the ICO Code of Practice are concerned with the issues that an information-sharing agreement should cover. These include what information is to be shared, with whom, and why; the quality and security of the information; the circumstances governing the length of time for which the information is retained; and what happens if the agreement is breached.
Although the exchange of information with non-MAPPA agencies has to be considered on a case-by-case basis, formal protocols or agreements should be in place in advance if possible. These agreements should pay particular attention to ensuring the safety and security of the personal information shared.