Data Sharing and Good Practice Maureen H Falconer Sr Policy Officer Information Commissioner’s Office Data Sharing and the Law - DPA Personal data: Sensitive Personal data: Consent Explicit consent Contract Employment law Legal obligation Vital interests Vital interests Not-for-profit TU/religious/ political/philosophical groups Administration of justice Already in public domain Public function/interest Legal proceedings/advice Legitimate interests of the data controller and third party but not prejudicial to individual Administration of justice Public functions Anti-fraud activity Medical purposes Equal Opps Monitoring Substantial public interest (SI2000/417) Data Sharing and the Law – Vires Express Obligation: Legal requirement to share Children & Young People (Scotland) Bill 26 Information sharing. (3) The service provider in relation to a child or young person must provide to a service provider or relevant authority any information which the person holds which falls within subsection (4). (4) Information falls within this subsection if the information holder considers that— (a) it might be relevant to the exercise of any function of the service provider or relevant authority which affects or may affect the wellbeing of the child or young person… Data Sharing and the Law – Vires Express Power: a stated power to share but not to the extent of a legal requirement Children & Young People (Scotland) Bill 26 Information sharing. (5) The service provider in relation to a child or young person may provide to a service provider or relevant authority any information which the person holds which falls within subsection (6). (6) Information falls within this subsection if the information holder considers that its provision to the service provider or relevant authority is necessary or expedient for the purposes of the exercise of any of the named person functions. Data Sharing and the Law – Vires Implied Power: sharing is a reasonable consequence of an activity within express obligations or powers Children & Young People (Scotland) Bill 13 Reporting on children’s services plan (1) As soon as practicable after the end of each 1 year period, a local authority and each relevant health board must publish (in such manner as they consider appropriate) a report on the extent to which— (a) children’s services and related services have in that period been provided in the area of the local authority in accordance with the children’s services plan, and (b) that provision has achieved— (i) the aims listed in section 9(2), (ii) such outcomes in relation to the wellbeing of children in the area as the Scottish Ministers may by order prescribe. Data Sharing and the Law - CoP What is a statutory Code of Practice? ICO is required by law to produce Approved by Secretary of State and Parliament Admissible in court proceedings Provides ‘good practice’ advice Not following Code is not necessarily a DPA breach Data Sharing Agreements Structure: Purpose of sharing Partner organisations & points of contact Data to be shared Legal basis for sharing Access & individuals’ rights Information governance arrangements: Datasets; accuracy; compatibility; retention and deletion; security; SARs; reviews; termination; appendices (glossary, templates, diagrams/decision trees) Scottish Accord for Sharing Personal Information (SASPI) ICO Statement Misconception that the Act prevents sharing so fear of non-compliance becomes a barrier The Act promotes lawful and proportionate information sharing A risk to wellbeing can be a strong indication that the child or young person could be at risk of harm if the immediate matter is not addressed Where a practitioner believes, in their professional opinion, that there is risk to a child or young person that may lead to harm, proportionate sharing of information is unlikely to constitute a breach of the Act Consent can be difficult and it should only be sought when the individual has real choice over the matter ICO Statement The Act provides conditions to allow sharing of such information, e.g.: functions of a public nature exercised in the public interest or in the legitimate interests of the data controller Appropriate and relevant protocols conveyed to practitioners to provide a support mechanism for the decision making process The practitioner should use experience, professional instinct and all available information before they decide whether or not to share The Data Protection Act should not be viewed as a barrier to proportionate sharing Keep in touch Scotland Office: 45 Melville Street Edinburgh EH3 7HL T: 0131 244 9001 E: Scotland@ico.gsi.gov.uk Subscribe to our e-newsletter at www.ico.gov.uk or find us on… www.twitter.com/iconews