data sharing and good practice maureen h falconer sr policy officer information commissioner’s...
TRANSCRIPT
Data Sharing and Good Practice
Maureen H FalconerSr Policy Officer
Information Commissioner’s Office
Data Sharing and the Law - DPAConsent
Contract
Legal obligation
Vital interests
Administration of justice
Public function/interest
Legitimate interests of the data controller and third party but not prejudicial to individual
Explicit consent
Employment law
Vital interests
Not-for-profit TU/religious/ political/philosophical groups
Already in public domain
Legal proceedings/advice
Administration of justice
Public functions
Anti-fraud activity
Medical purposes
Equal Opps Monitoring
Substantial public interest (SI2000/417)
Personal data: Sensitive Personal data:
Data Sharing and the Law – Vires
Express Obligation: Legal requirement to share
Children & Young People (Scotland) Bill
26 Information sharing.
(3) The service provider in relation to a child or young person must provide to a service provider or relevant authority any information which the person holds which falls within subsection (4).
(4) Information falls within this subsection if the information holder considers that—
(a) it might be relevant to the exercise of any function of the service provider or relevant authority which affects or may affect the wellbeing of the child or young person…
Data Sharing and the Law – Vires
Express Power: a stated power to share but not to the extent of a legal requirement
Children & Young People (Scotland) Bill
26 Information sharing.
(5) The service provider in relation to a child or young person may provide to a service provider or relevant authority any information which the person holds which falls within subsection (6).
(6) Information falls within this subsection if the information holder considers that its provision to the service provider or relevant authority is necessary or expedient for the purposes of the exercise of any of the named person functions.
Data Sharing and the Law – Vires
Implied Power: sharing is a reasonable consequence of an activity within express obligations or powers
Children & Young People (Scotland) Bill
13 Reporting on children’s services plan
(1) As soon as practicable after the end of each 1 year period, a local authority and each relevant health board must publish (in such manner as they consider appropriate) a report on the extent to which—
(a) children’s services and related services have in that period been provided in the area of the local authority in accordance with the children’s services plan, and
(b) that provision has achieved—
(i) the aims listed in section 9(2), (ii) such outcomes in relation to the wellbeing of children in the area as the Scottish Ministers may by order prescribe.
Data Sharing and the Law - CoP
What is a statutory Code of Practice?
ICO is required by law to produce
Approved by Secretary of State and Parliament
Admissible in court proceedings
Provides ‘good practice’ advice
Not following Code is not necessarily a DPA breach
Data Sharing Agreements
Structure:
Purpose of sharing
Partner organisations & points of contact
Data to be shared
Legal basis for sharing
Access & individuals’ rights
Information governance arrangements:
Datasets; accuracy; compatibility; retention and deletion; security; SARs; reviews; termination; appendices (glossary, templates, diagrams/decision trees)
Scottish Accord for Sharing Personal Information (SASPI)
ICO StatementMisconception that the Act prevents sharing so fear of non-compliance becomes a barrier
The Act promotes lawful and proportionate information sharing
A risk to wellbeing can be a strong indication that the child or young person could be at risk of harm if the immediate matter is not addressed
Where a practitioner believes, in their professional opinion, that there is risk to a child or young person that may lead to harm, proportionate sharing of information is unlikely to constitute a breach of the Act
Consent can be difficult and it should only be sought when the individual has real choice over the matter
ICO StatementThe Act provides conditions to allow sharing of such information, e.g.: functions of a public nature exercised in the public interest or in the legitimate interests of the data controller
Appropriate and relevant protocols conveyed to practitioners to provide a support mechanism for the decision making process
The practitioner should use experience, professional instinct and all available information before they decide whether or not to share
The Data Protection Act should not be viewed as a barrier to proportionate sharing
www.twitter.com/iconews
Keep in touchScotland Office:
45 Melville Street
Edinburgh
EH3 7HL
T: 0131 244 9001 E: [email protected]
Subscribe to our e-newsletter at www.ico.gov.uk
or find us on…