||The Meaning of 'Lawfully'
All MAPPA Agencies must have some legal power entitling them to share information.
Section 325 of the Act places statutory obligations on RA and DtC agencies to co-operate in order to carry out their MAPPA functions. Section 325(4) expressly permits the sharing of information between these agencies for MAPPA purposes and is the primary power to share information under MAPPA.
Section 115 of the Crime and Disorder Act 1998 (as amended by the Police and Justice Act 2006) (CDA) empowers any person to disclose information to certain specified authorities (which includes the MAPPA RA and most of the DtC agencies) for the purposes of preventing crime and disorder and re-offending.
Section 14 of the Offender Management Act 2007 empowers certain persons (including the MAPPA RA) to exchange information in relation to the probation and prison services and offender management purposes.
The MAPPA RA and DtC agencies will have their own additional statutory powers to share information on sexual and violent offenders for MAPPA purposes and agencies who are party to this Agreement should expressly identify those statutory powers and ensure that they exercise them. The duty to co-operate with the RA lies with the DtC agency and each agency must resolve any actual or perceived conflict with that statutory duty in accordance with the conflicted agency’s policies and procedures. Each agency should follow its own data protection policies in sharing information with other agencies under MAPPA.
The Common Law also enables certain authorities (including the police) to process personal information in connection with the exercise of their Common Law powers. The police may use this legal gateway to exchange information with any person if it pursues a policing purpose (defined as including the prevention and detection of crime and disorder, protection of vulnerable groups, and bringing offenders to justice) and it does not breach any statutory restriction or duty of confidentiality.
Common Law Duty of Confidence
If any of the RA or DtC agencies have received any information in confidence, a duty of confidence towards the data subject may exist. However, an obligation of confidence is not absolute and can be overridden by several factors, such as another legal obligation, the consent of the individual concerned, or by demonstrating that disclosing the information would be in the public interest. Public interest factors for MAPPA disclosure include:
- Safeguarding children
- Protecting other vulnerable people
- Preventing the commission of criminal offences
- Bringing offenders to justice
In deciding where the public interest lies, Common Law principles establish that disclosure of some conviction and non-conviction or “soft” information can be justified, and can defeat a presumption against disclosure, where there is real evidence of a pressing need to do so. In circumstances such as the protection of children or other vulnerable people, factors informing that decision may include:
- A subjective belief in the truth of the allegation/information
- The interest of the third party in obtaining the information
- The degree of risk posed by the person if the disclosure (about them) is not made
Sharing Information with non MAPP Agencies
The RA and the DtC agencies are routinely and regularly involved in the management of MAPPA offenders, but, from time to time, other agencies can contribute significantly to the Risk Management Plan. Information-sharing between the MAPPA agencies and these third parties does not benefit from section 325(4) of the CJA 2003 (although section 115 of the CDA 1998 may apply). In general, non-statutory bodies are able to share information provided this does not breach the law. They are bound by the common law duty of confidence. The key principle of the duty of confidence is that information provided should not be used or disclosed further in an identifiable form, except as originally understood by the provider, or with his or her subsequent permission. However, case law has established a defence to breach of confidence where an individual breaches the confidence in the public interest. The prevention, detection, investigation and punishment of serious crime and the prevention of abuse or serious harm will usually be sufficiently strong public interests to override the duty.
||The Meaning of 'Fairly'
When data is obtained from a data subject, they must, so far as practicable, be provided with, or have ready access to, the following information:
- the identity of the data controller
- if the data controller has nominated a representative for the purposes of the DPA, the identity of that representative
- the purpose or purposes for which the data are intended to be processed and with whom the data might be shared
- any further information which is necessary, taking into account the specific circumstances in which the data are or are to be processed, to enable processing in respect of the data subject to be fair
The provision of this information is commonly known as a ‘Fair Processing Notice’ or more recently as a ‘Privacy Notice’.
Where RA or DtC agencies obtain information about a data subject directly or from a third party, the RA and DtC agencies must ensure that the data subject has ready access to the Privacy Notice, so far as practicable, either at the time the data is first processed or as soon as practicable after that time. In many cases it will not be possible, practicable or desirable to issue a Privacy Notice and in these cases it is necessary to rely on an exemption under the DPA to proceed.
Exemption under s.29 Data Protection Act 1998
If the purpose for collecting or sharing the information is to prevent or detect crime or apprehend or prosecute offenders, and giving a Privacy Notice would or would be likely to prejudice the relevant purpose, then the processing agency can rely on the exemption under Section 29(1) of the DPA to avoid giving a Privacy Notice. This removes the need to apply the fair processing conditions described above, but not the duty to satisfy one of the fair processing conditions set out in Schedules 2 and 3 of the DPA (see further below).
The exemption is not a blanket one, but it can usually be relied on for the purposes of this Agreement because the RA and DtC agencies are statutorily obliged to co-operate to assess and manage the risk to the public from sexual and violent offenders, and that co-operation often means the processing and sharing of personal data, often without the data subject’s knowledge or consent. The important point to note is that the processing and sharing of specific personal information on each occasion must be for the purpose of avoiding prejudice to preventing or detecting crime and/or apprehending or prosecuting offenders.
The Data Subject’s Reasonable Expectations
An individual’s expectation as to how information given to a public body will be used is relevant in determining whether the first data protection principle has been complied with.
Information given to the police, probation, and prison services will carry with it a reasonable expectation by the provider of the information that it will be used in the detection or prevention of crime or for legitimate policing and offender management purposes.
To help to comply with the fair and lawful processing principle of the DPA, the Guidance issued by the ICO and the principles of the FOIA, the RA will publish this information sharing Agreement in their FOIA Publication Schemes so that members of the public can see how their information will be used and with whom it may be shared.
||The DPA Fair Processing Conditions
Schedule 2, DPA
In addition to the legal criteria set out above, information processing and sharing arrangements for personal data within and outside of MAPPA must satisfy at least one condition in Schedule 2 of the DPA. For the purposes of MAPPA and this information sharing Agreement one or more of the following conditions can be satisfied:
- Condition1 – the data subject’s consent
- Condition 3 - compliance with a legal obligation to which the data controller is subject (other than one imposed by contract)
- Condition 5(b) - the exercise of functions conferred under statute
- Condition 5(c) - for the exercise of any functions of the Crown, a Minister of the Crown or a government department,
Schedule 3, DPA
If the information is sensitive (that is, where it relates to race, ethnic origin, political opinions, religion or belief system, membership of a trades union, physical or mental health or sexual life, the commission or alleged commission of any offence or proceedings relating to the offence) at least one condition in Schedule 3 must also be satisfied. For the purposes of MAPPA and this information sharing Agreement one or more of the following conditions can be satisfied:
- Condition 1 - The data subject has given his explicit consent to the processing of the personal data.
- Condition 3 - The processing is necessary (a) in order to protect the vital interests of the data subject or another person, in a case where (i) consent cannot be given by or on behalf of the data subject, or (ii) the data controller cannot reasonably be expected to obtain the consent of the data subject, or (b) in order to protect the vital interests of another person, in a case where consent by or on behalf of the data subject has been unreasonably withheld.
- Condition 7 – The processing is necessary (a) for the administration of justice, (b) for the exercise of any functions conferred on any person by or under an enactment, or (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.
- Condition 10 - Personal data are processed in circumstances specified in an Order made by the Secretary of State.
The relevant Order is The Data Protection (Processing of Sensitive Personal Data) Order 2000. Paragraph 1 of the Schedule to that Order covers processing for the purposes of the prevention or detection of any unlawful act, where seeking the consent of the data subject to the processing would prejudice those purposes. Paragraph 10 of the Schedule covers processing by the police in the exercise of their Common Law powers.
Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.
The agencies of the RA are appropriately registered with the Information Commissioner’s Office for their respective lawful purposes. The information processed under this agreement will relate to offender risk assessment and management purposes and under this Agreement it will not be processed in any manner contradictory to that purpose.
Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. The information to be shared under this agreement shall be no more than is necessary to be shared in order to assess and manage risk associated with MAPPA offenders.
Personal data shall be accurate and, where necessary, kept up to date.
Information shared under this Agreement originates from the RA and DtC agencies’ corporate systems and is subject to standard procedures and validations intended to ensure data quality. Any inaccuracies should be notified to the originating agency’s SPOC specified in this Agreement.
Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.
The assessment and management of risk posed by MAPPA offenders is a continuous process and will, due to the length and conditions of Court Orders, involve regular sharing of information. Information processed under this Agreement will be retained for as long as the RA deems the offender to present a risk or is otherwise needed for another lawful purpose in line with each of their retention and destruction schedules.
Personal data shall be processed in accordance with the rights of data subjects under the DPA.
The parties to this Agreement will comply with the DPA Principles and respond to any notices from the Information Commissioner that impose requirements to cease or change the way in which data is processed under this Agreement. The parties will comply with subject access requests in compliance with the relevant legislation.
Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.
Measures to satisfy the Seventh Principle are detailed in Section 5 - Description of Arrangements including Security Matters.
Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
Where information exchanged under this agreement is intended for transfer to a country or territory outside the European Economic Area the RA and DtC agencies will ensure that that country or territory ensures an adequate level of protection of the rights and freedoms of data subjects in relation to the processing of personal data.
||Information Sharing Protocols
The RA may establish other arrangements with DtC Agencies, including good practice guidance, protocols and memoranda of understanding (the protocols). These protocols will set out a common set of rules to be adopted by the RA and DtC agencies involved in data sharing under MAPPA. The protocols will cover the two main types of data sharing within and outside of MAPPA:
- systematic, routine data sharing where the same data sets are shared between MAPPA agencies for MAPPA established purposes; and
- one-off decisions to share data for any of a range of purposes within MAPPA or to disclose outside of MAPPA with the Third sector and/or private sector contractors.
The protocols will focus on the sharing of personal data and sensitive personal data between joint data controllers, i.e. where both agencies determine the purposes for which and the manner in which the personal data is processed. Where a data controller shares data with data processors, i.e. another party that processes personal data on its behalf, the data controller must ensure, in a written contract, that:
- the processor only acts on instructions from the data controller; and
- has security in place that is equivalent to that imposed on the data controller by the seventh data protection principle.
The protocols will document the following issues:
- The legal basis for the sharing
- the purpose, or purposes, of the sharing;
- the potential recipients or types of recipient and
- the circumstances in which they will have access;
- the data to be shared;
- data quality – accuracy, relevance, usability etc;
- data security;
- retention of shared data;
- individuals’ rights – procedures for dealing with access requests, queries and complaints;
- review of effectiveness/termination of the sharing agreement; and
- sanctions for failure to comply with the agreement or breaches by individual staff.