SEFTON LSCB Safeguarding Policies and Procedures Online Manual

    12.3 Information to be Shared

    Last updated 18/05/2017

    12.3.1 General Principles

    The purpose of sharing information about individuals (data subjects) is to enable the relevant agencies to work more effectively together in assessing risks and considering how to manage them. This points towards sharing all relevant available information so that nothing is overlooked and public protection is not compromised. However, information sharing must be lawful, necessary and proportionate to comply with legislation.

    12.3.2 Information-sharing must be lawful

    This means that information sharing must be in accordance with the law. The statutory basis for sharing information between RA and DtC agencies lies in Section 325(4) of the Act, expressly permits the sharing of information between these agencies for MAPPA purposes.

    From time to time, other agencies may contribute significantly to the Risk Management Plan (RMP). Information-sharing between MAPPA agencies and these third parties does not benefit from section 325(4) of the Act. In general, non-statutory bodies are bound by the common law duty of confidence but can share information provided this does not breach the law. The key principle of the duty of confidence is that information provided should not be used or disclosed further in an identifiable form, except as originally understood by the provider, or with his or her subsequent permission. However, case law has established a defence to breach of confidence where an individual breaches the confidence in the public interest. The prevention, detection, investigation and punishment of serious crime and the prevention of abuse or serious harm will usually be sufficiently strong public interests to override the duty of confidence.

    Any person or organisation processing personal data (data controller) must comply with the eight Data Protection Principles (Principles) set out in the DPA. Among other things this means that the information shared about the data subject must be accurate and up-to-date, stored securely and not be retained any longer than necessary. Each MAPPA agency will act as joint data controllers when exercising their statutory functions under MAPPA and will have joint, as well as individual, responsibility for complying with their legal obligations as data controllers under the DPA. Further information about the DPA is contained in Annex B.

    12.3.3 Information-sharing must be necessary

    Article 8 of the European Convention on Human Rights, given domestic effect by the Human Rights Act 1998 (HRA), provides a right to respect for private and family life, home and correspondence. Any interference with this right by a public authority (such as a criminal justice agency) must be

    “necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.”

    The sharing of information by MAPPA agencies for MAPPA purposes satisfies these conditions in that it is clearly aimed at preventing disorder or crime or administering justice. Provided the information shared is only used for MAPPA purposes the necessity test will be met, as information-sharing by way of MAPPA is not an excessive or unreasonable way of assessing and managing these risks. Further information about the HRA is contained in Annex B.

    12.3.4 Information-sharing must be proportionate

    In human rights law, the concept of proportionality means doing no more than is necessary to achieve a lawful and reasonable result. The third Principle provides that personal data must be relevant, and not excessive in relation to the purpose for which it is being shared.

    MAPPA agencies must ensure that information about the data subject is relevant to assessing and managing risk and that no more information is shared than is needed to manage that risk. For example, if a data subject’s name and address is required, sharing their race and religion as well would probably be disproportionate.

    Each agency should follow its own data protection policies in sharing information with other agencies under MAPPA. Although based on the same legislation, there may be differences on points of detail and co-operation between agencies will be easier if there is a shared understanding of each other’s’ policies. For this reason, the MAPPA Strategic Management Board (SMB) should develop an Information-Sharing Agreement setting out how MAPPA agencies will share information with each other, so that they are following a common set of rules and security standards as far as possible.

    Sections 8 and 14 of the ICO Code of Practice are concerned with the issues that an information-sharing agreement should cover. These include what information is to be shared, with whom, and why; the quality and security of the information; the circumstances governing the length of time for which the information is retained; and what happens if the agreement is breached.

    Although the exchange of information with non-MAPPA agencies has to be considered on a case-by-case basis, formal protocols or agreements should be in place in advance if possible. These agreements should pay particular attention to ensuring the safety and security of the personal information shared.

    12.3.5 NHS

    Health professionals are governed by a range of guidance on information exchange and have a duty to share information in accordance with this guidance:

    • Royal College of Psychiatrists (2010)
    • General Medical Council (GMC; 2009)
    • British Medical Association (BMA; 2009)
    • Department of Health (2003, 2010).

    Decisions as to what is appropriate to share must be made on a case by case basis. Information shared should always be the minimum necessary to assist with risk assessment and management of individual cases.