Download
information sharing guidance n.
Skip this Video
Loading SlideShow in 5 Seconds..
Information Sharing Guidance PowerPoint Presentation
Download Presentation
Information Sharing Guidance

Information Sharing Guidance

209 Vues Download Presentation
Télécharger la présentation

Information Sharing Guidance

- - - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript

  1. Click to continue: Information Sharing Guidance

  2. Click to continue: Information Sharing Guidance Welcome to the Information sharing training. This computer based training is designed to provide staff at all levels with an introduction to information sharing in Cambridgeshire. There are two parts: • firstly an overview of the Information Sharing Framework, and • secondly an interactive Information Sharing flowchart. How to navigate You will need to read through each slide in order. Once you have read the slide click on the directional button at the bottom of the screen to proceed. The training is delivered in chapters, and your progress is illustrated on the menu bar on the left of the screen. Good luck with the training and remember, that we all have a part to play in improving data quality.

  3. Click to continue: Introduction • Public sector organisations in Cambridgeshire have worked together to develop an Information Sharing Framework. • The framework objective is to: • provide guidance on how to share information lawfully, • increase understanding of data sharing principles & legislation, • develop a template for Information Sharing Agreements, • establish an efficient and reliable process to share information quickly. • Consequently this will: • create a positive culture of sharing information, and • ensure risks are managed, providing assurance to staff and customers, • protect partner organisations from allegations of wrongful use of data, • facilitate more effective data sharing practice across the county, • aim to improve service delivery.

  4. Click to continue: Partnership All of the partner organisations are making a commitment to: • Apply the Information Commissioners code of practice for ‘Fair processing’ and ‘Best practice standards’; • Demonstrate a commitment to compliance with the Data Protection Act; • Develop local Information Sharing Agreements that clearly and transparently demonstrate reasons for sharing data. All of the public leaders are committed to the framework, which has been formally endorsed at committees within each partner organisation.

  5. Click to continue: There are 4 key documents which you should be aware of. They are available to download from the information sharing website. They will help you to manage effective information sharing. For more information please contact your local information sharing contacts.

  6. Click to continue: 4 Key Documents 1 FRAMEWORK 2 GUIDANCE 4 CHARTER 3 AGREEMENT • Developed to ensure information is shared appropriately & in line with best practice, • Offers additional best practice guidance to assist staff in making decisions, • The formal document enabling partners to share information, • Provides customers with assurance that their data will be processed fairly.

  7. Click to continue: Types of information sharing There are 2 types of information sharing: • ‘One off’: exceptional sharing of information. • ‘Systematic’: routine sharing for an agreed purpose. Information sharing is not: Sharing information that is already published, Information sharing is not: Disclosing an individuals information with that person.

  8. Click on each class for more information Click to continue: Classification of Information Information is typically classed as: • Personal • Sensitive personal • Sensitive business

  9. Click to continue: Golden rules of sharing Data sharing should be justified and proportionate to the issue you are addressing. You should have the power to share the data. Refer to the Information Sharing Framework and Guidance. If in doubt, check it out with your Information Sharing lead. Refusing to share any data can be a risk just as much as the opposite action of sharing too much data. Remember to consider the following useful Do’s and Don’ts of data sharing.

  10. Click to continue: Do • - use the Data Protection Act to share information lawfully • - Be open and honest • - Seek advice • - Share with consent where appropriate • - Consider safety and well-being • - Necessary, proportionate, relevant, accurate, timely & secure • - Keep a record….. • The Data Protection Act is not a barrier. It provides a framework to ensure that personal information about living persons is shared appropriately.

  11. Click to continue: Do • - use the Data Protection Act to share information lawfully • - be open and honest • - Seek advice • - Share with consent where appropriate • - Consider safety and well-being • - Necessary, proportionate, relevant, accurate, timely & secure • - Keep a record….. • Be open and honest with the person from the outset about why, what, how and with whom information will, or could be shared and seek their agreement, unless it is unsafe or inappropriate to do so.

  12. Click to continue: Do • - use the Data Protection Act to share information lawfully • - be open and honest • - seek advice • - Share with consent where appropriate • - Consider safety and well-being • - Necessary, proportionate, relevant, accurate, timely & secure • - Keep a record….. • Seek advice if you are in any doubt, without disclosing the identity of the person where possible.

  13. Click to continue: Do • - use the Data Protection Act to share information lawfully • - be open and honest • - seek advice • - share with consent where appropriate • - Consider safety and well-being • - Necessary, proportionate, relevant, accurate, timely & secure • - Keep a record….. • Where possible, respect the wishes of those who do not consent to share confidential information. • You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. • You will need to base your judgement on the facts of the case.

  14. Click to continue: Do • - use the Data Protection Act to share information lawfully • - be open and honest • - seek advice • - share with consent where appropriate • - consider safety and well-being • - Necessary, proportionate, relevant, accurate, timely & secure • - Keep a record….. • Base your information sharing decisions on considerations of the safety and well-being of the person and others who may be affected by their actions.

  15. Click to continue: Do • - use the Data Protection Act to share information lawfully • - be open and honest • - seek advice • - share with consent where appropriate • - consider safety and well-being • - think necessary, proportionate, relevant, accurate, timely & secure • - Keep a record….. • Ensure that the information you share is: • - necessary for the purpose for which you are sharing it, • - is shared only with those people who need to have it, • - is accurate and up-to-date, • - is shared in a timely fashion, and is shared securely.

  16. Click to continue: Do • - use the Data Protection Act to share information lawfully • - be open and honest • - seek advice • - share with consent where appropriate • - consider safety and well-being • - think necessary, proportionate, relevant, accurate, timely & secure • - keep a record. • Keep a record of your decision and the reasons for it – whether it is to share information or not. • If you decide to share, then record what you have shared, with whom and for what purpose.

  17. Click to continue: Don’t • - mislead individuals • - share excessive or irrelevant information about people • - share personal data when there is no need to do so • - fail to ensure that information is accurate and up to date • - use incompatible information systems • - haveinadequate security measures in place • Don’t mislead individuals about whether you intend to share their information. • For example, not telling individuals you intend to share their personal data because you think they may object.

  18. Click to continue: Don’t • - mislead individuals • - share excessive or irrelevant information about people • - share personal data when there is no need to do so • - fail to ensure that information is accurate and up to date • - use incompatible information systems • - haveinadequate security measures in place • For example, routinely sharing details about individuals that are not relevant to the purpose or objective of the information sharing.

  19. Click to continue: Don’t • - mislead individuals • - share excessive or irrelevant information about people • - share personal data when there is no need to do so • - fail to ensure that information is accurate and up to date • - use incompatible information systems • - haveinadequate security measures in place • For example where anonymised statistical information can be used to plan service provision.

  20. Click to continue: Don’t • - mislead individuals • - share excessive or irrelevant information about people • - share personal data when there is no need to do so • - fail to ensure that information is accurate and up to date • - use incompatible information systems • - haveinadequate security measures in place • You should take reasonable steps to ensure that information is accurate and up to date before you share it. • For example, failing to update address details before sharing information, leading to individuals being pursued at the wrong address or missing out on important information.

  21. Click to continue: Don’t • - mislead individuals • - share excessive or irrelevant information about people • - share personal data when there is no need to do so • - fail to ensure that information is accurate and up to date • - use incompatible information systems • - haveinadequate security measures in place • Ensure you use compatible information system to share personal data, or it could result in the loss, corruption or degradation of the data.

  22. Click to continue: Don’t • - mislead individuals • - share excessive or irrelevant information about people • - share personal data when there is no need to do so • - fail to ensure that information is accurate and up to date • - use incompatible information systems • - haveinadequate security measures in place • Inappropriate or insufficient security could lead to loss or unauthorised disclosure of personal details. • For example, sending personal data between organisations on an unencrypted memory stick which is then lost or faxing sensitive personal data to a general office number.

  23. Click to continue: Data sharing and the law Legislation gives information sharing its basis in law. The legislation gives partners a mandate to share information as well as responsibilities for protecting information and preventing improper use. The main items of legislation regarding the use and protection of personal information are on the following screen.

  24. Click on each type of legislation for more information Click to continue: Typical legislation • Data Protection Act (1998) (DPA) • Human Rights Act (1998) Article 8 (HRA) • The Childrens Act (1989) & (2004) • Civil Contingencies Act (2004) (CCA) • The Common Law Duty of Confidence • Police Act (1996) (PA) • Crime and Disorder Act (1998) (CDA) • Local Government Act (2000) (LGA) • The Gender Recognition Act 2004 (GRA)

  25. Click to continue: The Freedom of Information Act 2000 (FOIA) The FOIA gives everyone the right to request information held by public authorities and, unless exempt, to be told whether the information is held and be provided with the information. Most, if not all, public sector bodies involved in data sharing are subject to the FOIA. Any information shared between different partner organisations may be subject to an FOI request. Upon receipt of an FOI request the opinion of the originating party should be sought before decisions are made on whether to provide the information.

  26. Click to continue: Decision making The Information Sharing Guidance contains a flow-chart to help you identify whether it is appropriate to share data. The remainder of this training is an interactive version of the flow-chart. You can use it to walk through each step of the flow-chart, and it will give you guidance based on your responses to questions about the type data of data that you want to share.

  27. You are asked to or wish to share information Information sharing flow-chart Is there a clear and legitimate purpose for sharing the information? No Yes Does the information: • enable a person to be identified; & / or • contain confidential data? No Instructions: This presentation walks you through each step of the framework flow-chart by prompting you to read information and then answer questions. Seek advice from your organisations Information Sharing Lead Navigation key: Not sure Yes Click on a purple box to answer the question and continue, or return to a previous option. Click this symbol (top right of page) to return to this page. Do you have consent? Yes YES No NO BACK Do you have a legal power to share or will someone be harmed if you don’t? Yes Do not share No You can share • One Off Sharing: • Identify how much information to share • Ensure you share the right information with the right person • Ensure that you share securely in line with the advice in the Cambridgeshire Information Sharing Framework Will you be sharing data as a one-off activity or will you share data systematically over a longer period of time? Systematic Sharing: Use the agreed Information Sharing Agreement Template which will guide you to ensure your sharing activity is compliant with your organisation's agreed practice. CLICK HERE TO START THE DECISION FLOW-CHART Always record the information sharing decisions you make and your reasons for deciding whether or not to share the data

  28. Click an option to proceed Legitimate purpose You are asked to, or wish to share information Is there a clear and legitimate purpose for sharing the information? YES UNSURE NO

  29. Click an option to proceed Click here to step back Click on links for more information Personal data Is there a clear and legitimate purposes for sharing the information? • Personal data is any data which relates to a living individual who can be identified from the data. • To minimise the risk of data protection breaches it is recommended to use: • aggregate data, or • anonymised data, or • pseudonymised data. • Confidential data is information that is not already lawfully in the public domain. • The person giving the information would reasonably expect that it would not be shared with others. • Additional conditions have to be met when sharing the following types of confidential information: • sensitive personal, or • sensitive business information. YES Does the information: • enable a person to be identified; & / or • contain confidential data? Confidential data YES UNSURE NO

  30. Consent to share data Does the information: • enable a person to be identified; & / or • contain confidential data? The usual way to gain consent is by using a privacy statement or fair processing notice. Data subjects may withdraw consent at any time, consequently partners must be notified. There are certain conditions where personal data can be disclosed without consent, but this depends on ‘Conditions for processing’ as defined in the Data Protection Act. Any confidential information should be approved for disclosure by the Information Asset Owner prior to sharing. YES • Do you have: • consent to share personal data; or • permission to share business data? YES NO UNSURE

  31. Click for more information Public interest Do you have consent? • You should identify the relevant legislation for your organisation which defines the functions and powers. • Broadly there are 3 ways to share data: • Express obligations; • Express powers; • Implied powers; • If there is no relevant power to cover the disclosure, it may be possible to share if there is an overriding public interest. NO Do you have a legal power to share, or will someone be harmed if you don’t? YES UNSURE NO

  32. Back Sharing information • Sharing data is recommended in this instance. • You will need to consider how you share the data, in particular whether it is one-off sharing or whether the data will be shared regularly. You can share Will you be sharing data as a one-off activity or will you share data systematically over a longer period of time? One-off Systematic

  33. Click to continue: Back One-off • Identify how much information to share • Ensure you share the right information with the right person • Ensure that you share securely in line with advice in the Cambridgeshire Sharing framework • Refer to the checklist You can share Will you be sharing data as a one-off activity or will you share data systematically over a longer period of time? Refer to checklist One-off Always record the information sharing decisions you make and your reasons for deciding whether or not to share data

  34. Click to continue: Back Systematic • Use the agreed Information Sharing Agreement Template. • This will ensure your sharing activity is compliant with your organisation’s agreed practice. • Refer to the checklist. You can share Will you be sharing data as a one-off activity or will you share data systematically over a longer period of time? Refer to checklist Systematic Always record the information sharing decisions you make and your reasons for deciding whether or not to share data

  35. Click to continue: NO Don’t share information • In this situation it is not possible or it is not lawful to share the information. • Consider whether there are other alternatives to achieving your objectives. Do not share data Always record the information sharing decisions you make and your reasons for deciding whether or not to share data

  36. Click to continue: UNSURE Seek advice • Information sharing can sometimes be complicated. • For further assurance speak to the information sharing lead in your organisation (e.g. data protection officer, information governance manager). • Click here to see your organisations information sharing contacts Refer to your organisations lead on information sharing

  37. End of training Thank you for completing the training. You should now have an understanding of Information Sharing in Cambridgeshire. Please click here to end the training, or click here to visit the information sharing website, or click on the menu bar on the left to return to an earlier part of the training.

  38. Click to return: Checklist for one off data request

  39. Click to return: Checklist for systematic data request

  40. Security checklist

  41. Data Protection Act The main standard for processing personal data is compliance with the 8 DPA principles listed below: • Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless-(a) at least one of the conditions in Schedule 2 is met, and (b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met. • Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. • Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. • Personal data shall be accurate and, where necessary, kept up to date. • Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. • Personal data shall be processed in accordance with the rights of data subjects under this Act. • Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. • Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

  42. Human Rights Act • Article 8 of the Convention, gives everyone the right to respect for his private and family life, home and correspondence, and is especially relevant when sharing personal data. Article 8 is not an absolute right - public authorities are permitted to share data when it is lawful and proportionate to do so. • It is advisable to seek specialist advice if the disclosure or data sharing arrangement you are proposing engages Article 8 or any HRA right. If you disclose or share personal data only in ways compliant with the DPA, the disclosure of that information is likely to comply with the HRA. Personal data is normally exempt under the HRA.

  43. Children Act (1989) & (2004) Section 47 of the Children Act 1989 places a duty on local authorities to make enquiries where they have reasonable cause to suspect that a child in their area may be at risk of suffering significant harm. Section 47 states that the authorities listed below must assist a local authority with enquiries of this nature by providing relevant information, unless doing so would cause more harm or be considered unreasonable: • any local authority; • any local education authority; • any housing authority; • any health authority; and/or • any person authorised by the Secretary of State. Section 10 of the Childrens Act 2004 places a duty on each children's services authority to make arrangements to promote co-operation between itself and relevant partner agencies to improve the well-being of children in their area in relation to: • physical and mental health, and emotional well-being; • protection from harm and neglect; • education, training and recreation; • making a positive contribution to society; and/or • social and economic well-being.

  44. Civil Contingencies Act (2004) (CCA) In emergencies it may be in the interests of vulnerable people affected for personal data to be shared with emergency responders as defined in the CCA 2004. Sharing personal information will assist emergency responders perform statutory duties. The CCA 2004 1(1) defines an emergency as an event or situation which threatens serious damage to human welfare and/or the environment or war or terrorism which threatens damage to security. The principles and legislative provisions related to information sharing apply to the planning, response and recovery phases of emergencies.

  45. Common Law Duty of Confidence The duty of confidence falls within common law as opposed to statutory law and derives from cases considered by the courts. There are three categories of exception: • Where there is a legal compulsion to disclose. • Where there is an overriding duty to the public. • Where the individual to whom the information relates consented. Partners should consider which of these conditions are the most relevant for the purposes of an agreement. The guidance from the Information Commissioner states that because decisions to disclose ‘in the public interest’ involve the exercise of judgment it is important that they are taken at an appropriate level and that procedures are developed for taking the decisions.

  46. Police Act (1996) (PA) Section 30(1) of the PA gives constables all the powers and privileges of a constable throughout England and Wales. Section 30(5) defines these powers as powers under any enactment when ever passed or made. These powers include the investigating and detecting of crime, apprehension and prosecution of offenders, protection of life and property and maintenance of law and order. Under the Police Reform Act 2002, the Chief Constable can delegate certain powers to police staff.

  47. Crime and Disorder Act (1998) (CDA) Section 115 of the CDA confers a power on any ‘relevant authority’ to exchange information which is ‘necessary’ or ‘expedient’ to help implement the provisions of the Act which includes contributing to local strategies to reduce crime and disorder. Section 17 CDA requires that all Local Authorities (LAs) consider crime and disorder reduction while exercising their duties. Sections 5 and 6 of the CDA impose a general duty upon local authorities to formulate and implement a strategy for the reduction of crime and disorder in its area.

  48. Local Government Act (2000) (LGA) The main power specific to Local Authorities is section 2 LGA (2000) – the power of well-being. This enables Local Authorities to do anything to promote social, economic, or social well-being in their area provided the act is not specifically forbidden by other statute. In addition S111 LGA (1972) enables Local Authorities to do anything conducive or incidental to the discharge of any of its functions, providing it has specific statutory authority to carry out those main functions in the first place. These are general powers for Local Authorities, but if there are statutory powers relating to specific activities these should be referred to in Information Sharing Agreements.

  49. Gender Recognition Act 2004 (GRA) Under the Gender Recognition Act 2004 (GRA), individuals who have obtained gender recognition certificates (GRCs) in order to acquire legal status of their transitioned gender are entitled to legal protection from disclosure about their status. It is a criminal offence to disclose this status; ie. if someone has a gender recognition certificate stating they are a woman, it is a criminal offence to disclose that they used to be a man, except where explicit consent has been obtained from the individual involved or the disclosure is for the purposes of proceedings before a court or tribunal.

  50. Anonymised information Any data which is anonymised can usually be shared without consent provided the identity of the individual cannot be recognised. There are several approaches to anonymisation and the appropriate approach will depend on the use to be made of the data: Aggregation: Aggregation of datasets about individuals into summary tables, so there are no longer rows relating to individuals. Anonymisation: Removal of identifiers in datasets at the level of individuals, so that there is no means to re-establish the link between the data and the individuals concerned. Pseudonymisation: Replacement of identifiers with alternative meaningless alphanumeric fields and reduction of potential identifiers to a partial form (e.g. year of birth instead of date of birth, partial post codes). If a set of keys is used to generate the alternative identifiers, then records relating to the same individual can be linked across datasets treated in the same way, where research objectives require this.