Information Sharing Protocol

Standard No 8
INFORMATION SHARING GLOSSARY
A
Anonymised Information - information from which in practice the data subject cannot be
identified by the recipient of the information, and where the theoretical probability of the data
subject’s identity being discovered is extremely small
Aggregated Data - Data which has been reduced to such an extent, that it is no longer
possible, by any means, to identify any individual. Typically this will include information for
statistical returns at both local and national level.
Anti-social behaviour - is acting in a manner which causes or is likely to cause
harassment, alarm, or distress to one or more persons who are not of the same household
as the identified person.
B
Biometric identification - uses physical characteristics to identify individuals. Biometric
identification systems use voice, fingerprint or physical appearance to check the identity.
C
Caldicott Principles - are a set of principles recommended by the Caldicott Committee to
the NHS to guide the use and transfer of patient-identifiable information. They are:
• Principle 1
Justify the purpose(s)
Every proposed use or transfer of patient-identifiable information within or from an
organisation should be clearly defined and scrutinised, with continuing uses regularly
reviewed by an appropriate guardian.
• Principle 2
Don’t use patient-identifiable information unless it is absolutely necessary
Patient-identifiable data items should not be used unless there is no alternative.
• Principle 3
Use the minimum necessary patient-identifiable information
Where use of patient-identifiable information is considered to be essential, each individual
item of information should be justified with the aim of reducing identifiability.
• Principle 4
Access to patient-identifiable information should be on a strict need to know basis
Only those individuals who need access to patient-identifiable information should have
access to it, and they should only have access to the information items that they need to
see.
• Principle 5
Everyone should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information, (both
clinical and non-clinical staff) are made fully aware of their responsibilities and obligations to
respect patient confidentiality.
• Principle 6
Understand and comply with the law
Every use of patient-identifiable information must be lawful. Someone in each organisation
should be responsible for ensuring that the organisation complies with legal requirements.
The Information Governance Review, April 2013 (known as Caldicott 2), added a 7th
Principle:
• Principle 7
The duty to share information can be as important as the duty to protect patient
confidentiality
Health and social care professionals should have the confidence to share information in the
best interests of their patients within the framework set out by these principles. They should
be supported by the policies of their employers, regulators and professional bodies.
Caldicott Guardian - is the NHS representative responsible for agreeing and reviewing
internal protocols governing the protection and use of patient-identifiable information by the
staff in their organisation.
Confidentiality - Respect for the privacy of information - one of the principles that underpin
all health and social care practice. Information about a person is generally held under legal
and ethical obligations of confidentiality. With certain important exceptions, information
provided in confidence must not be used or disclosed in a form that might identify the person
concerned without their consent.
Common law duty of confidentiality - a common law duty of confidentiality is owed to
individuals who have been told that a matter will be dealt with in confidence or have
discussed a matter under circumstances in which they might reasonably expect that it would
remain confidential. This duty can only be broken if the public interest requires it. Statutory
provisions on disclosure override common law provisions.
Consent to share information - Agreement articulated by an individual with the care
professional to share information about them with other care professionals.
• Explicit or express consent refers to a clear and voluntary indication of preference or
choice, usually oral or in writing and freely given in circumstances where the
available options and their consequences have been made clear (informed consent).
• Implied consent refers to agreement signalled by the behaviour of an informed
individual.
It is essential that people with higher support and communication needs are given the time
and assistance they need to give their consent on issues that involve them.
Consent - the Data Protection Act defines the Data Subject’s consent as - 'any freely given
specific and informed indication of his / her wishes by which the data subject signifies his /
her agreement to personal data relating to him / her being processed'.
The fact that the data subject must signify their agreement means that there must be some
active communication between the parties. Agencies cannot infer consent from
non-response to a communication or from a customer's failure to return or respond to a leaflet.
Informed Consent - Where a person has been informed about the information to be
shared, the purpose for sharing, and their right to object to all or part of the
information to be shared. The person has subsequently given a clear and voluntary
indication of preference or choice.
Explicit Consent - Can be given in writing or orally (and then recorded) agreeing
that information can be used for the purposes described.
Implicit Consent - Is where the person has been informed about the information to
be shared, the purpose for sharing and that they have the right to object; their
agreement to sharing has subsequently been signalled by their behaviour rather than
orally or in writing.
Consent directions - are directions expressed by the data subject indicating the
terms on which their personal information may be disclosed, and what and where
data may not be disclosed.
D
Data - is information recorded in a form in which it can be processed automatically in
response to instructions; information recorded as part of a relevant filing system or an
accessible record.
Data controller - a person who (alone, jointly or in common with other persons)
determines the purposes for which and the manner in which personal data is processed.
Data Protection Act 1998 (DPA) - the main UK legislation which governs the handling
and protection of information relating to living people.
Data Protection Officer - Person employed to develop and maintain comprehensive data
protection and confidentiality policies and procedures and ensure that the company is
complying with regard to relevant legislation, such as Data Protection, Freedom of
Information, etc.
Data sharing - The disclosure of data from one or more organisations to a third party
organisation(s), or the sharing of data within an organisation. Sharing can take the form of
systematic, routine data sharing where the same data sets are shared between the same
organisations for an established purpose; and exceptional, one off decisions to share data
for a range of purposes.
Data sharing agreements/Frameworks - Set out a common set of rules to be adopted by
the various organisations involved in a data sharing operation.
Data (Personal) - Anything which is capable of identifying a living individual, e.g. name,
address, CCTV image, telephone call recording, e-mail address, postcode, photograph etc.
Sensitive Personal Data - information about:
• racial and ethnic origin
• political opinions
• religious beliefs
• physical and mental health
• sexual life
• trade union membership
• criminal convictions and proceedings.
Data matching - means the electronic comparison of two or more sets of personal
information which have been collected for separate purposes in order to identify any
information that is inconsistent or overlapping. It is a form of data sharing and can be used to
help prevent and detect fraud.
De-personalised data - is data about an individual from which all personally identifying
information has been removed, including any unique identifiers such as a computer
reference number.
Data processor - a person, who processes personal information on a data controller's
behalf. Anyone responsible for the disposal of confidential waste is also included under this
definition.
Data processing - this has a very broad definition and includes:
• obtaining, recording or holding information or data
• organisation, adaptation or alteration of data
• retrieval, consultation or use of data
• disclosure of data
• alignment, combination, blocking, erasure or destruction of data
Data subject - a person who is the subject of personal data:
• they must be a living individual
• they need not be a UK national or resident
• organisations cannot be data subjects
Data Transfer - In general, any outward-bound traffic (with the exception of email) is
considered to be data transfer. Email is primarily a communication tool; it can be used to
transfer data in the form of attachments, for example over a secure internet link.
Disclosure - this is the divulging or provision of access to data.
Duty of confidentiality - everyone has a duty under common law to safeguard personal
information.
F
Fair Processing Notice
This is issued to children, young people, adults and their families to inform them
what information is being collected and recorded about them, the reasons for doing
so, under what circumstances it might be shared and why, and their right of access
to the data.
I
Information Commissioner - the independent public official who reports to Parliament and
whose principal duty is to enforce DPA 1998 and to educate businesses and individuals
about the legislation. Website - www.ico.gov.uk
Information Sharing Protocol (ISP) - Locally developed, documented rules and procedures
for the disclosure and use of information, which specifically relate to security, confidentiality
and data destruction, between two or more organisations or agencies.
M
Media - is computer data in whatever form, e.g. paper, disk, floppy disk, tape, CD, DVD
N
Need to know - sharing of information should only be with those who need to know and,
even then, only the information that is actually required to provide any appropriate service.
O
Overseas transfer of data - If data is to be transferred overseas, then the eighth data
protection principle must be observed - Personal data shall not be transferred to a country or
territory outside the European Economic Area, unless that country ensures an adequate
level of protection for the rights and freedoms of data subjects in relation to the processing of
personal data. (The EEA consists of the EU member states and Iceland, Norway and
Liechtenstein).
P
Parent / Guardian / Carer - is a Parent or Guardian who, within the meaning of the Children
Act 1989, is deemed to have Parental Responsibility. A Carer has care of the child but does
not have Parental Responsibility.
Partner Organisation (Organisation(s)) - Those organisations which have adopted the
Whole Essex Information Sharing Framework and/or signed up to a particular Information
Sharing Arrangement. There may also be a working Partnership Agreement.
Partnership Agreement - A document that outlines the common aims and objectives of
each organisation and describes how through partnership working each party can support
the other in the achievement of these. It will state any joint working arrangements and may
include reference to the resources each party will contribute.
Privacy impact assessment (PIA) - is a comprehensive process for determining the
privacy, confidentiality and security risks associated with the collection, use and disclosure
of personal data.
Protected personal information - is material that links an identifiable individual with
information that, if released, would put them at significant risk of harm or distress, or
alternatively any source of information relating to 1000 or more individuals that is not in the
public domain, even if the information about an individual is not considered likely to cause
harm or distress.
Public Interest - is the interest of the community as a whole, a group within the community,
or an individual other than the data subject.
Publication Scheme - The Freedom of Information Act places a duty on public authorities to
adopt and maintain a publication scheme that must be approved by the Information
Commissioner. The scheme lists and defines the classes of information that will be
published, indicates how information is or is intended to be published, and states whether
charges apply to supplying the information.
Purpose - The use / reason for which information is stored or processed.
R
Recipient - the person(s) to whom the data is disclosed
S
Service User Personal Data - means the personal data relating to a Service User.
Secondary Disclosure
Disclosure by the person to whom information has been disclosed to another agency
or person (eg a doctor provides to a school and the school passes it to the local
authority social services department).
Statutory gateway - an express statutory power to share personal data whether permissive
or mandatory.
Y
Young Person
Persons aged 13 to 19 and those with additional needs up to the age of 25 (as
stated in the Learning and Skills Act 2000).