Data Sharing and Good Practice

Maureen H FalconerSr Policy Officer

Information Commissioner’s Office

Data Sharing and the Law - DPAConsent

Contract

Legal obligation

Vital interests

Administration of justice

Public function/interest

Legitimate interests of the data controller and third party but not prejudicial to individual

Explicit consent

Employment law

Vital interests

Not-for-profit TU/religious/ political/philosophical groups

Already in public domain

Legal proceedings/advice

Administration of justice

Public functions

Anti-fraud activity

Medical purposes

Equal Opps Monitoring

Substantial public interest (SI2000/417)

Personal data: Sensitive Personal data:

Data Sharing and the Law – Vires

Express Obligation: Legal requirement to share

Children & Young People (Scotland) Bill

26 Information sharing.

(3) The service provider in relation to a child or young person must provide to a service provider or relevant authority any information which the person holds which falls within subsection (4).

(4) Information falls within this subsection if the information holder considers that—

(a) it might be relevant to the exercise of any function of the service provider or relevant authority which affects or may affect the wellbeing of the child or young person…

Data Sharing and the Law – Vires

Express Power: a stated power to share but not to the extent of a legal requirement

Children & Young People (Scotland) Bill

26 Information sharing.

(5) The service provider in relation to a child or young person may provide to a service provider or relevant authority any information which the person holds which falls within subsection (6).

(6) Information falls within this subsection if the information holder considers that its provision to the service provider or relevant authority is necessary or expedient for the purposes of the exercise of any of the named person functions.

Data Sharing and the Law – Vires

Implied Power: sharing is a reasonable consequence of an activity within express obligations or powers

Children & Young People (Scotland) Bill

13 Reporting on children’s services plan

(1) As soon as practicable after the end of each 1 year period, a local authority and each relevant health board must publish (in such manner as they consider appropriate) a report on the extent to which—

(a) children’s services and related services have in that period been provided in the area of the local authority in accordance with the children’s services plan, and

(b) that provision has achieved—

(i) the aims listed in section 9(2), (ii) such outcomes in relation to the wellbeing of children in the area as the Scottish Ministers may by order prescribe.

Data Sharing and the Law - CoP

What is a statutory Code of Practice?

ICO is required by law to produce

Approved by Secretary of State and Parliament

Admissible in court proceedings

Provides ‘good practice’ advice

Not following Code is not necessarily a DPA breach

Data Sharing Agreements

Structure:

Purpose of sharing

Partner organisations & points of contact

Data to be shared

Legal basis for sharing

Access & individuals’ rights

Information governance arrangements:

Datasets; accuracy; compatibility; retention and deletion; security; SARs; reviews; termination; appendices (glossary, templates, diagrams/decision trees)

Scottish Accord for Sharing Personal Information (SASPI)

ICO StatementMisconception that the Act prevents sharing so fear of non-compliance becomes a barrier

The Act promotes lawful and proportionate information sharing

A risk to wellbeing can be a strong indication that the child or young person could be at risk of harm if the immediate matter is not addressed

Where a practitioner believes, in their professional opinion, that there is risk to a child or young person that may lead to harm, proportionate sharing of information is unlikely to constitute a breach of the Act

Consent can be difficult and it should only be sought when the individual has real choice over the matter

ICO StatementThe Act provides conditions to allow sharing of such information, e.g.: functions of a public nature exercised in the public interest or in the legitimate interests of the data controller

Appropriate and relevant protocols conveyed to practitioners to provide a support mechanism for the decision making process

The practitioner should use experience, professional instinct and all available information before they decide whether or not to share

The Data Protection Act should not be viewed as a barrier to proportionate sharing

www.twitter.com/iconews

Keep in touchScotland Office:

45 Melville Street

Edinburgh

EH3 7HL

T: 0131 244 9001 E: Scotland@ico.gsi.gov.uk

Subscribe to our e-newsletter at www.ico.gov.uk

or find us on…