Department for Constitutional Affairs


Public Sector Data Sharing - A guide to Data Sharing Protocols

November 2003



Reasons for developing protocols

A data sharing protocol is a formal agreement between organisations that are sharing personal data. It explains why data is being shared and sets out the principles and commitments organisations will adopt when they collect, store and disclose personal information about members of the public.

Protocols also explain when information can be shared. Without such formal agreements, public organisations may find themselves falling short of common standards. Also, there may be confusion over responsibilities - both within and between organisations.

The guidance below suggests the essential elements that public bodies should aim to include within their own information sharing protocols. Partnerships may find it helpful to produce a high level document setting out the general reasons for, and principles of, the data sharing arrangement, in addition to more detailed documents spelling out how the organisations involved will operate it. The high level protocol need not be longer than about 6 pages and should be concise and written in plain English.

Protocols are intended to be a tool - not a bureaucratic hurdle to be overcome. Developing a protocol need not be a difficult, long-winded business and, if the ground rules are worked out from the start, considerable time may be saved later.

There are very many examples of data sharing protocols and looking at these may be helpful. Before producing a protocol it may be helpful to consider some practical tips - these are available in the protocol checklist.


Elements to consider

The purpose of data sharing

A written protocol should start by explaining the reasons for sharing personal information. It should also state whether partners are obliged to, or are merely enabled to, share data. Where it is relevant to do so, achievement targets should be set. (For example, a data sharing initiative may aim to provide effective service improvements that are measurable).

The purpose of the data sharing arrangement must be approved, understood and formally agreed by those entering into a data sharing agreement.

The Role and Responsibilities of Partners

Within the protocol, formally establish who will collect, store and disclose personal information. It is essential to involve senior individuals from each organisation, so consider inviting a Steering Group to negotiate and to provide a lead on what these individuals' responsibilities will be.

Within central government, it is good practice to seek the approval and/or chairmanship, depending on the scope and size of the initiative, of a Board-level Chief Knowledge Officer (CKO). Often projects will be initiated from within local authorities, where there are no CKOs. However, it is still important to involve a senior member of staff with responsibility for information handling issues.

Show that all the organisations are committed to maintaining agreed standards on handling information, by publishing a list of senior signatories with the protocol.

Do not forget to define the responsibilities of any sub-contractors within the protocol, as they will also be subject to the agreed standards.

Legislation

When first considering a data sharing initiative, organisations will have had to satisfy themselves that it is lawful. (For help refer to the Department for Constitutional Affairs publication [Public Sector Data Sharing - Guide on the Law].) Show that this has been done by referring briefly to the vires, or implied powers (see Guide on the Law [section 3], paragraph 10 onwards), and any relevant statutory gateways (see Guide on the Law [section 3], paragraph 5 onwards) that are being relied upon.

In addition to this, the protocol should mention that partners will have to comply with the Data Protection Act 1998 (see Guide on the Law [section 6]), Article 8 of the ECHR (see Guide on the Law [section 4]), and the Freedom of Information Act 2000 (in Scotland refer to 2002 Act). Organisations must also give an assurance that they will not breach the common law duty of confidentiality (see Guide on the Law [section 5]).

Consent and the Data Protection Act 1998

A common approach on the issue of consent (see Guide on the Law [section 4], paragraph 21) should have already been decided. (Refer to the DCA legal guidance to help work through any difficulties.) Remember, if consent is required to enable the collection or disclosure of information, it has to be informed, specific and fair (see Guide on the Law [section 6], paragraph 5). All of the partners will have to agree procedures for obtaining consent within the law.

The protocol should mention that when obtaining consent, the data subject must be informed of the purpose for which the information is being collected, how it will be used and with whom it will be shared. Also state that if consent is sought and refused, objections must be recorded appropriately and each organisation must abide by the refusal.

In some cases it may not be reasonably practical to obtain consent (e.g. if someone is very ill). In these instances, risk assessments and a proportionality test should be conducted between the individual's right to confidentiality, and the need for reasonable intrusion. The protocol should give brief details of how this test will be carried out.

If statutory powers are to be applied to allow data sharing without consent, this should still be done in accordance with the DPA. It is good practice to explain in the protocol why these powers may be applied and the proportionality test (see Guide on the Law [section 4], paragraph 5) that will be carried out to determine whether it is reasonable to apply them.

Data sharing

Elements of the procedures for sharing data need to be outlined briefly within the protocol. Each organisation should also describe them in detail within their own codes of practice and management guidance.

Requests between partners for personal information

Partner organisations will need to maintain accurate records and develop information systems to record consent given or refused, data transfers (faxes, electronic exchanges, conversations), and deletion and/or amendment of data. The protocol should give brief details.

Where information is exchanged on a case by case basis, ensure that requests for information are specific and recorded. The protocol should also state that the disclosure of information will have to be authorised by an appropriate officer/professional and will be provided on a need to know basis only.

In these instances, the role of the officer/professional and his/her relationship with operational staff must be clearly stated and understood by staff involved in data sharing. This can be promoted in the protocol by stating that partner organisations will keep an up-to-date list of authorising officers and their contact details.

Mention that if there is any doubt about whether information should be stored, disclosed, or collected, staff should speak to the Chief Knowledge Officer, or a senior member of staff.

Any inaccuracies in data should be reported to the relevant partner organisation(s). The data controller responsible for the information will need to take appropriate steps to amend the details and inform partners that the data has changed, within reasonable time.

The protocol may mention that partner organisations will adopt a standard format for data entry, to maintain consistency in the way that data is collected and stored. Use the Government Data Standards Catalogue and the E-Government Metadata Standards.

Electronic data sharing and databases

In instances where organisations develop a database to share pooled data, it is necessary to establish which organisation will act as the 'data controller' (see Guide on the Law [section 6], paragraph 2) - they alone will have responsibility for disclosing information on a need to know basis.

The data controller will be responsible for storing the information safely by limiting access. Reduce the risk of information being seen by an unauthorised person by establishing levels of access. State within the protocol whether the organisations will be anonymising aggregated information on the database, or pseudonymising data so that only a few authorised personnel can access the information with a 'key' (sometimes this is required by legislation).

Remember that when disclosing data to a third party, the database is still subject to rules of confidentiality. Such databases must contain relevant information and the way that information is used should not exceed the protocol's original purpose.

Security

The public will be concerned that their information is kept safely and securely. Every partner organisation will need to be able to describe and apply its own security measures to protect, store and transmit the information it processes. There should be a commitment to gaining ISO17799 accreditation, if it has not already been achieved. (Or at least to comply with it, even if formal accreditation is not sought.)

When common protective markings are used (i.e. restricted, confidential/personal, secret or top secret) each party will need to be clear how the data should be stored (files or database), or transmitted without being intercepted. The level of security required will be determined by the sensitivity of the information. They will also need to agree procedures for deleting personal information when it is no longer required.

Organisations should agree the position on subject access rights to the information being shared, and be clear on any limits on people's access to their personal information.

Complaints procedures

State that there is a commitment to establishing a system to deal with complaints about the way that organisations handle information. Organisations will need to appreciate that there will be differences in the complaints procedures of other partners. However, the Steering Group could help to establish some consistencies and standards across the board. These procedures do not need to be detailed in the protocol, but it is helpful to mention the following in the document:

Building awareness - Training

The success of the protocol will depend upon visible high level support from senior managers within each organisation. State that there is a commitment to raising awareness of the protocol through training. Each organisation should ensure that appropriate officers/professionals are sufficiently trained to make lawful decisions about data sharing. It may be useful to arrange joint-training sessions to allow people from the different organisations to meet each other, to build co-operation between partners, and to promote a better understanding of the objectives of the data sharing arrangement.

At an operational level, staff should be made aware of procedures. A staff booklet and a checklist for disclosing data and obtaining consent should help maintain a level of consistency and confidence that the correct procedures are being followed.

Monitoring and Review

The protocol should be reviewed and it is helpful to say when this will take place. Initially the Steering Group may want to do this after 3 and/or 6 months, and then annually. If operational problems and complaints arise on a regular basis, the document may need to be amended. If these changes are substantial, the document will need to be reviewed completely.


Appendix

Definitions

When producing a protocol it is useful to agree a common language amongst the partners. It is helpful to define legal terms, as well as words and phrases used by professionals, which may not be fully understood by non-professional parties to the protocol. (For example, in a partnership designed to protect vulnerable children it may be helpful to give a definition of 'at risk').

'chief knowledge officer' - The PIU report on Privacy and Data Sharing published in 2002 recommended that the public sector should adopt a more integrated approach to information management. One of the options for public sector bodies was to develop a role for a 'Chief Knowledge Officer'. "The Chief Knowledge Officer would ideally be a board level official who would not only oversee compliance with the Data Protection Act (DPA) and Human Rights Act (HRA) and implementation of the FOI, but also draw together business planning". (PIU Report section 9).

'data matching' - means the electronic comparison of two or more sets of personal information which have been collected for separate purposes in order to identify any information that is inconsistent or overlapping. It is a form of data sharing.

'data sharing' - The disclosure of personal data for a variety of purposes. Such disclosure could be in bulk or in relation to an individual piece of information. It could be an internal disclosure within an organisation or a disclosure to an external person.

'data subject' - means an individual who is the subject of personal data.

'personal data' - means data which relate to a living individual who can be identified - (a) from those data, or (b) from those data and other information which is in the possession of or is likely to come into the possession of, the data controller and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual.

'privacy' - The meaning of 'privacy' or 'private life' is not precisely defined for the purposes of the law. Private matters include details about a person's home, family, religion, health or sexuality.

'processing' - means obtaining, recording or holding the information or data or carrying out any operation or set of operations on the information or data, including (a) organisation, adaptation or alteration of the information or data, (b) retrieval, consultation or use of the information or data, (c) disclosure of the information or data by transmission, dissemination or otherwise making available, or alignment, combination, blocking, erasure or destruction of the information or data.

'sensitive personal data' - personal data about ethnic or racial origin, political opinions, religious or similar beliefs, trade union membership, physical or mental health, sexual life, commission or alleged commission of offences and criminal convictions or proceedings.

'statutory gateway' - An express statutory power to share personal data whether permissive or mandatory.

Examples of standards

It would be useful for partners to have examples of standards and these should be included within the protocol. The following may be included:

 

 


© Crown Copyright