Information Commissioner’s Office

Data Sharing and Good Practice
Maureen H Falconer
Sr Policy Officer
Information Commissioner’s Office
Data Sharing and the Law - DPA
Personal data:
Consent
Contract
Legal obligation
Vital interests
Administration of justice
Public function/interest
Legitimate interests of the data controller and third party but not prejudicial to individual

Sensitive Personal data:
Explicit consent
Employment law
Vital interests
Not-for-profit TU/religious/political/philosophical groups
Already in public domain
Legal proceedings/advice
Administration of justice
Public functions
Anti-fraud activity
Medical purposes
Equal Opps Monitoring
Substantial public interest (SI2000/417)
Data Sharing and the Law – Vires
Express Obligation: Legal requirement to share
Children & Young People (Scotland) Bill
26 Information sharing.
(3) The service provider in relation to a child or young person must
provide to a service provider or relevant authority any
information which the person holds which falls within subsection
(4).
(4) Information falls within this subsection if the information holder
considers that—
(a) it might be relevant to the exercise of any function of the
service provider or relevant authority which affects or may affect
the wellbeing of the child or young person…
Data Sharing and the Law – Vires
Express Power: a stated power to share but not to the extent of a legal requirement
Children & Young People (Scotland) Bill
26 Information sharing.
(5) The service provider in relation to a child or young person may
provide to a service provider or relevant authority any
information which the person holds which falls within subsection
(6).
(6) Information falls within this subsection if the information holder
considers that its provision to the service provider or relevant
authority is necessary or expedient for the purposes of the
exercise of any of the named person functions.
Data Sharing and the Law – Vires
Implied Power: sharing is a reasonable consequence of an activity within express obligations or powers
Children & Young People (Scotland) Bill
13 Reporting on children’s services plan
(1) As soon as practicable after the end of each 1 year period, a local
authority and each relevant health board must publish (in such
manner as they consider appropriate) a report on the extent to which—
(a) children’s services and related services have in that period been
provided in the area of the local authority in accordance with the children’s
services plan, and
(b) that provision has achieved—
(i) the aims listed in section 9(2),
(ii) such outcomes in relation to the wellbeing of children in the area as
the Scottish Ministers may by order prescribe.
Data Sharing and the Law - CoP
What is a statutory Code of Practice?
ICO is required by law to produce
Approved by Secretary of State and Parliament
Admissible in court proceedings
Provides ‘good practice’ advice
Not following Code is not necessarily a DPA breach
Data Sharing Agreements
Structure:
Purpose of sharing
Partner organisations & points of contact
Data to be shared
Legal basis for sharing
Access & individuals’ rights
Information governance arrangements: datasets; accuracy; compatibility; retention and deletion; security; SARs; reviews; termination; appendices (glossary, templates, diagrams/decision trees)
Scottish Accord for Sharing Personal Information (SASPI)
ICO Statement
Misconception that the Act prevents sharing so fear of non-compliance becomes a barrier
The Act promotes lawful and proportionate information sharing
A risk to wellbeing can be a strong indication that the child or young person could be at risk of harm if the immediate matter is not addressed
Where a practitioner believes, in their professional opinion, that there is risk to a child or young person that may lead to harm, proportionate sharing of information is unlikely to constitute a breach of the Act
Consent can be difficult and it should only be sought when the individual has real choice over the matter
ICO Statement
The Act provides conditions to allow sharing of such information, e.g.: functions of a public nature exercised in the public interest or in the legitimate interests of the data controller
Appropriate and relevant protocols conveyed to practitioners to provide a support mechanism for the decision making process
The practitioner should use experience, professional instinct and all available information before they decide whether or not to share
The Data Protection Act should not be viewed as a barrier to proportionate sharing
Keep in touch
Scotland Office:
45 Melville Street
Edinburgh
EH3 7HL
T: 0131 244 9001 E: Scotland@ico.gsi.gov.uk
Subscribe to our e-newsletter at www.ico.gov.uk
or find us on…
www.twitter.com/iconews