SEFTON LSCB Safeguarding Policies and Procedures Online Manual

    12.5 Other Arrangements

    Last updated 18/05/2017

    12.5.1 Business Continuity
     

    Each partner will keep this agreement in a central location accessible to all members of staff who need to be aware of it. Each partner will appoint a nominated person and a deputy to be its main point of contact for all matters relating to this agreement. Deputies will ensure business continuity if the original point of contact is absent.

    12.5.2 Publication of Agreement
     

    To help to comply with the fair and lawful processing principle of the DPA, the Guidance issued by the ICO and the principles of the FOIA, the RA will publish this Information Sharing Agreement in their FOIA Publication Schemes so that members of the public can see how their information will be used and with whom it may be shared.

    12.5.3 ViSOR
     

    ViSOR is a National Policing Improvement Agency (NPIA) resource designed specifically for the management of MAPPA offenders. RA agencies should use the ViSOR system to share information under this Agreement. Instructions on the use of ViSOR are available from Merseyside Police and NPS CPCs, and ViSOR Standards will also be available on the National MAPPA Website www.mappa.justice.gov.uk and must be adhered to. All parties to this Agreement accept responsibility for ensuring that all agreed security arrangements are complied with. Each party reserves the right to audit were an information security breach has occurred. Any unauthorised access or disclosure of information or breach of this Agreement will be dealt with through the internal discipline procedures of the individual parties. The annual review of this agreement will include a review of any issues around compliance with the agreed security measures.

    12.5.4 Transfer of Information
     

    All hard copies of information about MAPPA offenders should be sent by trackable post or trusted courier service using double envelopes, both fully addressed, but with the protective marking and descriptor shown on the inner envelope only.

    Electronic information must be sent via secure email only. Secure email addresses are identified by extensions such as pnn, gsi, gsx, nhs.net etc. The inclusion of gov.uk alone does not indicate a secure email address. If the agency does not have a secure email address then arrangements must be made for them to set up a secure email via the CJSM (Criminal Justice Secure email) service.

    Information sent by fax must be by secure fax only.

    Computers must employ unique user accounts, whose use is auditable to the extent that transactions may be identified to specific individuals, machines, times and dates.

    When leaving computers for short periods, users must activate secure screen-locks or log off from the password protected application or account that contains personal or sensitive information. When leaving their computers for longer periods or when leaving the premises, users must close down their computer accounts. Access to the information must be restricted to users who have the authority to see such information and for the agreed purpose.

    Ensure when printing MAPPA information that printers are located within sight of the computers to which they are attached. They must not be left unattended when printing out personal or other sensitive information. Printouts must be removed from printers immediately after printing and must be stored securely when not in use.

    No hard copies of MAPPA minutes are to be taken from an office by any individual / agency when attending meetings. The host of the meeting must provide numbered hard copies counted out at beginning and in at the end so no hard copies are ever in ‘transit’.

    Retention of confidential information on MAPPA eligible offenders, information on offenders subject to determinate sentences must only be retained for 6 years after the end of their statutory supervision or preparation of the report. In respect of offenders subject to indeterminate sentences the data should be destroyed on their death or 99 years after his or her date of birth.

    12.5.5 Disposal of Papers
     

    When papers are no longer needed they will be destroyed in line with relevant agency retention and destruction policies using a cross cut shredder, or returned to the originating partner for destruction.

    Retention of confidential information on MAPPA eligible offenders, information on offenders subject to determinate sentences must only be retained for 6 years after the end of their statutory supervision or preparation of the report. In respect of offenders subject to indeterminate sentences the data should be destroyed on their death or 99 years after his or her date of birth.

    12.5.6 Disposal of Electronic Information
     

    Once information contained within emails is transferred to a partner’s electronic systems, they will be responsible for its storage, management and disposal.

    Information will be held in electronic systems until the information is no longer required. Information provided as part of this agreement will be the subject of review by the partner agencies. When information is no longer required, it will be destroyed. Information will be destroyed in accordance with each agency’s code of practice in handling information and their retention and destruction policies, with due regard to their responsibilities under the DPA.

    12.5.7 Freedom of Information and Subject Access Requests (SAR)
     

    It is recognised that any of the parties to this agreement may receive FOI or Subject Access Requests (SAR) for information that relate to the operation of this agreement. All agencies will follow the instructions in the MAPPA Guidance in relation to requests for MAPPA minutes. All other requests should be dealt with in line with the receiving agency’s procedures. In addition, all agencies will consult with others who are likely to be affected by the disclosure (or non-disclosure) of the information requested.

    12.5.8 Breaches
     

    If any party to this Agreement becomes aware of a security breach, or breach of confidence in relation to the data covered by this Agreement, or any breach of the terms of this Agreement, the party with responsibility for the area of activity in which the breach occurred, shall:

    • immediately inform other parties to this agreement that a breach has occurred
    • immediately investigate the cause, effect and extent of the breach
    • report the results of the investigation to the other parties, without delay
    • use all reasonable efforts to rectify the cause of such breach.

    Each party will ensure that all staff with responsibility for implementing this Agreement are made aware that the disclosure of personal information without consent of the data subject must only occur where allowed under the DPA and as specified in this Agreement.

    12.5.9 Complaints
      Complaints about the disclosure or use of information under the terms of this Agreement should be dealt with in accordance with the relevant party's internal arrangements or in line with the MAPPA Guidance.