| 1.1 |
Public sector agencies and organisations are able to make differing resource contributions to crime and disorder reductions: one of the most vital resources is information. This agreement provides the framework upon which the exchange of information can be facilitated between the relevant authorities where it is "necessary or expedient" for the purposes of any provision of the Crime and Disorder Act 1998. |
| 1.2 |
Whilst Section 115 of the Crime and Disorder Act 1998 provides a power to disclose information, it does not impose a duty to disclose, thus control over the disclosure of information remains with the agency which owns the data. Disclosure relies on good relations and mutual trust, and the effectiveness of these information sharing arrangements is a reflection of the effectiveness of the partnership as a whole. |
| 1.3 |
The purpose of this agreement is to facilitate the exchange of information in order to comply with the statutory duty on Chief Police Officers and local authorities to work together to develop and implement a strategy and tactics for crime reduction. The agreement will further facilitate the exchange of information in respect of certain Orders and other provisions under the Crime and Disorder Act 1998. |
| 1.4 |
The Data Protection Act 1998 and the Human Rights Act 1998 require that personal information held by statutory agencies is properly protected. |
| 1.5 |
The Crime and Disorder Act does not permit the wholesale disclosure of information, but it does allow for information exchange in furtherance of its objectives. In particular it allows for disclosure connected with the addressing of particular objectives outlined in local Crime and Disorder Reduction Strategies, the Youth Justice Plan, or the obtaining of specific Orders under the Act itself. However, any exchange of information under the Crime and Disorder Act must comply with Data Protection legislation and the common law duty of confidentiality. Participating agencies will also be subject to their own policies on information exchange. |
| 1.6 |
Depersonalised Information (Data) |
|
1.6.1 |
The Data Protection Act places no restrictions on the disclosure of information which does not identify individuals. If Depersonalised Information (Data) can be used for information sharing purposes there will be no data protection implications. Disclosure shall be limited to depersonalised data wherever possible. |
| 1.7 |
Personal Information (Data) |
|
1.7.1 |
Any disclosure of Personal Information (Data) must have regard to both common and statute law, for example defamation, the common law duty of confidence and the Data Protection principles. Participating agencies will also be subject to their own policies on information exchange. |
| 2.1 |
It is the responsibility of all parties to this agreement to ensure that they are properly registered to exchange information in accordance with this protocol as required under the Data Protection Act 1998. |
| 2.2 |
The Data Protection principles require:-
- that personal data is obtained and processed fairly and lawfully;
- is only disclosed in appropriate circumstances;
- is accurate, relevant and kept up to date;
- is not held longer than necessary;
- is kept securely.
|
| 2.3 |
The extent of any Personal Information (Data) requested and disclosed will be limited to that which is relevant to the purpose or purposes for which the information was requested. |
| 2.4 |
Each party will keep a record of all requests from and disclosures to other parties to this agreement of Personal Information (Data). Any request will clearly set out the purpose or purposes for which the information is requested. The Data Owner will carefully consider the relevance of the information being requested and shall make a record of the factors taken into consideration in reaching their decision. Any request for personal information whose purpose is the prevention or detection of crime will also specify as clearly as possible how failure to disclose such information would prejudice this purpose. |
| 2.5 |
Personal data will not be kept for longer than is necessary for the purpose for which it was provided: after which it will be destroyed by the parties to this agreement, other than the Data Owner who will review and read the data in accordance with agreed policy. |
| 2.6 |
The parties to this agreement will ensure that appropriate security arrangements are in place within their respective organisations to prevent unauthorised access to and disclosure of personal data. |
| 3.1 |
In order to ensure compliance with the Data Protection Act, the parties to this agreement, shall nominate one or more designated officers to whom all requests and from whom all disclosures of Personal Information (Data) will be made. |
| 3.2 |
Disclosure requests, disclosure decisions and the details of the Personal Information (Data) which has been disclosed will be in writing, and a record will be maintained by the designated officer. The identity of the Data Owner must also be recorded against the relevant data. |
| 3.3 |
No secondary use or other use of the Personal Information (Data) may be made unless the consent of the Data Owner is sought and obtained. The data owner will need to consider whether the request is consistent with the purposes for which the information was originally disclosed and must give further consideration to obtaining the consent of the individual concerned or other relevant individual. For the purpose of this requirement each local authority department shall be treated as a separate agency. |
| 3.4 |
Information discovered to be inaccurate or inadequate for the purpose for which it was disclosed will be notified to the Data Owner who will be responsible for correcting the data. The data owner will then notify all other Recipient (Data) of that data, who must ensure that the correction is applied. |
| 3.5 |
Records will be kept accurately and will be audited by authorised personnel in accordance with the specific system in place. |
| 3.6 |
Decisions on disclosure reached at meetings must be minuted and will include details of the arguments supportive of and against the decision and showing how it was arrived at. |
| 4.1 |
When disclosing Personal Information (Data), many of the data protection issues surrounding disclosures can be avoided if the consent of the individual concerned has been sought and obtained. Obtaining the consent of the individual concerned or other relevant individual must always be considered and details of arguments for and against obtaining that consent must be fully documented. |
| 4.2 |
The agency which originally discloses personal information to another party to this agreement (the Data Owner) always retains ownership of the data. Each agency must therefore decide the propriety of, and assume responsibility for any particular disclosure itself. The identity of the data owner must, therefore, always be recorded against that data. |
| 4.3 |
A Recipient (Data) of personal information must obtain the consent of the Data Owner before making a secondary disclosure to another party to this agreement. The data owner must consider whether the request is consistent with the purposes for which the information was originally disclosed and must give further consideration to obtaining the consent of the individual concerned or other relevant individual. For the purpose of this requirement, each local authority department will be treated as a separate agency. |
| 4.4 |
Personal information can only be released without the consent of the person concerned (or if that person is incompetent, the consent of lawfully authorised others) where it is clear that the right of the individual to confidentiality is overridden by a greater public interest. |
| 5.1 |
Under Data Protection legislation, individuals have a right of access to any personally identifiable information held about them. This right may be denied in certain limited circumstances, which include where access would prejudice the prevention or detection of crime. The Data Protection (Miscellaneous Subject Access Exemptions) Order 2000 also provides an exemption in respect of certain classes of information including information contained in adoption records, statements of special educational needs and Court welfare reports. |
| 5.2 |
In addition to the requirements in paragraph 4.3 where a party to this agreement receives a request for information about an individual, and personal information which it holds is identified as belonging to another agency, it will be the responsibility of the receiving agency, through the designated officer, to contact the agency that owns the data to determine whether the latter wishes to claim an exemption under the provisions of the Data Protection Act or the Order. |
| 5.3 |
Where an agency receives a request for information and compliance with that request would involve disclosing information relating to another individual who can be identified from that information, they should not comply with the request unless:
- the other individual has consented to the disclosure of the information to the person making the request; or
- compliance with the request can be justified on the grounds of a greater public interest overriding the individuals right to confidentiality; or
- the information is capable of anonomisation so that the individual cannot be identified.
|
| 5.4 |
Where a party to this agreement seeks to rely on an exemption to the disclosure of Personal Information (Data) under the Data Protection Act 1998, it needs to consider and weigh in the balance with other relevant information whether failure to disclose would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. The decision made will be the product of weighing all the relevant circumstances of the case in the balance and if necessary seeking legal advice. Deliberations should be fully documented so that the reasons behind the decision are clear. |
