Data Sharing Management Guidance:
This document provides suggestions on the guidance that should be available to staff who are responsible for handling requests for personal data from other public sector organisations. It does not cover guidance on data protection generally. Examples of data protection staff handbooks are available in the best practice library.
1. Data Sharing - What do staff need to know?
Let staff know about the training that is available to them on data sharing issues. This could be done through training programmes, awareness-raising seminars, presentations and information packs, such as those prepared by the Scottish NHS. Joint training sessions, involving data sharing partners, can be extremely useful.
When deciding what to put into the management guidance, consider the overall message that you wish to give your staff. Staff who share personal data within, and with other, public organisations, should be clear about the following:
- The purpose of the data sharing partnership and the consequences of sharing or not sharing information with others. Administrative and common law powers will determine where personal data can be shared with another public body. We suggest that you list the relevant legislation in the management guidance. Staff should be made aware of this in a meaningful way. It is for the organisation to decide how to raise individual staff awareness of this area, depending on factors such as the amount of data sharing taking place and the need for staff to be able to quote relevant legislation.
- There are situations where organisations are obliged to share data. For example, section 17 of the Criminal Appeal Act 1995 makes it obligatory for a public body to provide information, when requested, to the Criminal Cases Review Commission in connection with the exercise of its functions. In other cases, it is permissible to share data, but there is no legal obligation to do so. For example, the Crime and Disorder Act 1998 created a framework to help public bodies share information. The NHS, which often deals with domestic violence and drug misuse, can pass on information to the police, but professionals are not obliged to do so. Nevertheless, the consequences of making an ill-judged decision on whether or not to share data may be equally serious.
- It is therefore fundamental that staff adhere to the data sharing protocol that any data sharing partnership should have in place. For guidance see: http://www.dca.gov.uk/foi/sharing/toolkit/infosharing.htm. The protocol sets out the commitments and responsibilities of each data sharing organisation. We recommend that you include a copy of this agreement within the management guidance.
- Staff will need to know with whom they must or may share data, so we suggest that the guidance include contact details for staff within each organisation.
- They will also have to be told how to share data with partner organisations:
  - Staff will need to know the standards for entering personal information on a database or on manual files so that there is consistency in the format of the data that is shared.
  - If consent is required to share data between partner organisations, staff should know the procedure for obtaining it; for example, they may need to provide data subjects with information about how their data will be used by the partner organisation. The Leeds interagency protocol's guidance on operational procedures gives useful advice on procedures for obtaining consent, establishing fitness to give consent, checking on whether consent already exists and recording consent.
  - It is essential that staff are clear about the circumstances when they can disclose personal information without consent. See Procedure A5 of the Leeds guidance on operational procedures.
- Staff should record, for audit purposes, every time a request from any other organisation to disclose data is made and whether or not the transfer of personal information occurred. It might also be necessary to record how the transfer took place, e.g. by e-mail. If the data is refused, the reasons should be recorded.
- Staff should know what steps they need to follow to settle a dispute between organisations on whether data should be shared and who to contact in these circumstances, e.g. departmental lawyers or senior managers. (To help staff understand what will be required, provide contact details and produce examples of responses to requests for information from partner organisations).
- We suggest that you try to tackle difficult issues about data sharing by illustrating them with specific cases. For instance, the British Medical Association's code of practice sets out a tricky scenario in which GPs and social services need to share confidential information about an individual, but there are concerns about breaching patient confidentiality. This particular code of practice recommends co-operation and points out that these two different professionals are working towards the same end and that good judgement is needed in such cases (see Section 9.1.4 in Confidentiality and disclosure of health information).
- Disputes should usually be referred to someone suitably senior in the organisation, such as a Chief Knowledge Officer. If the dispute cannot be resolved, it may need to be referred for advice to the Information Commissioner's Office. The DCA may also be able to give advice and their contact details should be included. [Information Rights enquiry line 020 7960 6509].
2. Responsibilities of managers and staff
- Line managers must be committed to interpreting the recommendations in this guidance and determining what controls should be put in place within their areas of responsibility.
- Line managers must set the standards that staff will be expected to achieve when processing data. For example, there might be a standard of two working days to respond to a request for data. The job descriptions of individual members of staff should contain relevant standards and individual performance should be assessed against them at regular appraisals.
- Individual employees must therefore apply the controls, as agreed with their line manager.
- A senior manager, such as the Chief Knowledge Officer or Records Manager, should monitor the accuracy and effectiveness of the data protection and data sharing controls across the organisation. Contact details for that person should be made available to all employees in Section 8.
3. Confidentiality
Public organisations must adhere to principles arising from the common law of confidentiality. Government Departments cannot freely disclose data without taking into account that information such as names, addresses and dates of birth, may be subject to an obligation of confidentiality. Confidentiality becomes even more important when organisations share data, as the risk of breaching it increases with the number of organisations that potentially have access to information. We suggest that you provide accessible legal advice on confidentiality within your staff guidance and that the following is set out:
- Nobody should handle personal information without having had adequate training on confidentiality issues.
- Data should be available to staff on a "need to know" basis. Organisations will have to decide amongst their partners whether they need to issue varying levels of access to data for staff and professionals (e.g. doctors and social workers). This can be done via a key or code to control, and possibly monitor, access to files or a database.
- Staff should be reminded that if they receive confidential information for one purpose, they should not use it for another, without getting consent or applying the relevant tests for sharing data without consent.
- It should be emphasised that staff must be careful when discussing information about the data that their organisation or partners process, for example to ensure that the person they are talking to has the necessary authority and to make certain that they cannot be overheard.
- Staff should always check the identity of any telephone callers asking for personal information, for example by offering to return the call and then phoning a known number.
- Unauthorised disclosure of personal information or misuse of information by staff in any partner organisation may lead to disciplinary action (See Section 7). Staff should be encouraged to report any such breaches and they should be told whom they can contact for advice. Your data sharing partnership may have a specific way of dealing with such breaches of confidentiality and security. We suggest that you also include a disciplinary section in the management guidance, outlining the steps that will be taken when these cases arise.
4. Accuracy
In order to ensure the integrity of the information that you process and share with other organisations, it is important to monitor the data that is processed against agreed standards of accuracy. To maintain a consistent approach, refer to standards set by partners and include guidelines on how to meet them by explaining any data matching and updating exercises that are carried out. You might want to set target dates for making amendments to data.
5. Security
Data sharing partners will want to know that their information is being handled appropriately, that the storage of data is safe and secure and that data cannot be intercepted. Staff must take care when transferring data electronically, for example by using encrypted e-mails. Management guidance should remind staff that when data is transferred electronically or by post, appropriate security markings should be used, such as 'personal and confidential' or the recognised Government markings (restricted, confidential, secret, top secret). We recommend that you agree security procedures with other organisations to ensure confidence and consistency in procedures for processing manual and electronic records.
The security of IT and record systems is the responsibility of individual organisations. We suggest that you refer to and implement The National Archive's policy on records management, the E-government security framework, and the international security standard ISO 17799. You may need to interpret and state these rules in the guidance in an easily accessible way for staff. For example, to protect against unauthorised access, keep systems secure by:
- Checking IT systems for viruses
- Protecting PCs and databases with passwords and changing them on a regular basis
- Designating levels of access to data to staff, depending upon the sensitivity of the information that they handle. For example, a code must be entered to access social care information and NHS records.
- Locking disks away, or erasing and destroying them at regular intervals
- Making arrangements to dispose of data securely; for example, the collection of confidential paper waste
If any significant security breaches occur, we suggest that you update your guidance to include the steps that need to be taken to ensure that mistakes do not happen again.
6. Complaints Procedures
Every partner organisation should publish its procedures for handling data sharing complaints, and staff should be adequately trained to deal with complaints from the public and from other partner organisations. We recommend that you refer to the DCA guidance on handling complaints.
7. Disciplinary Policy
You should explain to staff that disciplinary action may be taken against any member of staff who does not fully adhere to the organisation's privacy policy through:
- unauthorised access to data
- unauthorised disclosure of data
- unauthorised use of data (e.g. not for reason given to data subject)
- not adhering to the organisation's policies as set out in Codes of Practice, data sharing protocols, Management Guidance etc.
It may be helpful to highlight the importance of adhering to these rules by providing a statement about possible criminal penalties for breaking the Data Protection Act 1998. Also, set out the appeals process in a clear and accessible way and provide contact names and numbers where advice can be sought about these procedures.
8. For further advice and contact details
- Internal contacts:
  - senior information officers and Chief Knowledge Officers
  - data protection officers and, where relevant, Caldicott Guardians
  - details of where to obtain legal advice
  - details of where to obtain advice on confidentiality issues
- External contacts:
  - the Information Commissioner
  - data protection officers in partner organisations
9. Some Suggested Annexes
Checklists:
- What to do when receiving a request for data from partners
- What to do when receiving data from partner organisations
- What to do when disclosing data to partner organisations
- Dealing with complaints
- Security audits
Examples:
- Awareness-raising training manuals and seminars. For example, see the crime reduction centre's series of seminars
- Standard letters in responses to a request for data from partner organisations
- Examples of letters explaining why data cannot be shared
- Examples of letters about data sharing disputes
© Crown Copyright