Sharing information about individuals between organisations is often essential to keep people safe, or make sure they get the best services.
The information sharing protocol below is our agreement with the organisations that we work with.
This protocol sets out the obligations on staff in public, voluntary and independent sectors:
- to share or disclose information about clients
- to maintain confidentiality
It does not impose any new obligations. It reflects current regulations and legislation. This document is an overarching information sharing protocol for the Thurrock community. Individual organisations will need to agree individual protocols that deal with more specific issues – eg crime and disorder or the sharing of information about children. Individual protocols will need to refer to and be compatible with the requirements of this protocol.
2. Organisations covered by this protocol
This protocol has been developed to meet the information security requirements for sharing person identifiable information across the organisations listed.
This overarching protocol contains the various requirements, from both legal and government, regarding safe and secure handling of information. It is supplemented by the individual policies and operational protocols of the organisations signing up to this overarching protocol. Each organisation will need to address the requirements for ensuring the secure and confidential sharing of person identifiable information internally. Each organisation will also need to ensure that these requirements are communicated to staff that provide advice and information to clients either directly or indirectly.
The signatories to this protocol recognise the importance of sharing person identifiable information for the purpose of improving client services, protecting the public and responding to statutory requirements. They also recognise the importance of having clear guidelines to follow and ensuring that this information is shared in a secure and confidential manner and in accordance with the law, including the common law of confidentiality, the Data Protection Act 2018 (DPA), the Human Rights Act 1998 (HRA) and for the health and social care community, Caldicott recommendations. This protocol will explain the principles that must be followed to ensure the proper and safe exchange of information between organisations.
5. Legal requirements
There are legal requirements that must be considered and complied with to ensure an individual's rights are respected. Standards and procedures are in place to ensure the organisations involved do not breach these legal requirements.
There is no single source of law that regulates the powers that a public body has to use and to share person identifiable information. The collection, use and disclosure of personal information are governed by a number of different areas of law.
The main pieces of legislation governing an individual's rights are:
6. Designated officers
Person-identifiable information must be exchanged only between Designated Information Sharing Officers*. All organisations should have a Designated Officer responsible for information security and confidentiality. For the purposes of information sharing a Designated Officer can be nominated to process or initiate requests for person identifiable information made between organisations.
Health and social care organisations are likely to have a Caldicott Guardian whose role will be the same as a Designated Officer. Other organisations might have an individual with specific responsibility for information management who would act as the Designated Officer.
*The exception to the above is the routine sharing of person-identifiable information (refer to 7.1 for more details). The Designated Officer will need to make an initial assessment only on whether information can be shared routinely or not (in reference to the Data Protection Act 1998).
7. Sharing of information
Organisations may only share person identifiable information about their clients in accordance with the 8 data protection principles contained within the Data Protection Act 2018.
To obtain, use, disclose, share or destroy person-identifiable information, a condition in schedule 2 of the Data Protection Act 2018must be met.
In addition, if the information being used, disclosed, shared or destroyed is sensitive (section 7.2), a condition in schedule 3 of the Data Protection Act 2018 must also be met.
The person requiring information from another organisation should submit their request in writing through the Designated Officer.
7.1 Routine and non-routine information sharing
A routine disclosure of person identifiable information is one that happens as a matter of course and is usually essential for the smooth running of a service – for example, information from the Benefits Section to the Department of Work and Pensions; although as per section 6, the Designated Officer still needs to assess whether the routine sharing of the information in question is necessary or not.
Where it has been assessed that routine disclosures of person identifiable information are appropriate, they should be logged and regularly reviewed by the Designated Officer.
If there is a possibility that routine sharing could take place, clients will need to be made aware that their information may be shared in this way and for what purpose(s). Unless for exceptional reasons (refer to 7.4), client consent will still be required.
If the client refuses to give consent or only gives consent to the sharing of certain information, the client must be made aware of how the service they receive may be affected – for example, the client may no longer be able to receive the service in question.
Non-routine sharing of information is sharing that does not happen as a matter of course – for example, police requests for information. Non-routine sharing must be authorised every time by the Designated Officer.
7.2 Sensitive information
The organisations/agencies signing up to the protocol agree to recognise the sensitivity of information about the following:
- racial or ethnic origin
- political opinions
- religious or other similar beliefs
- trade union membership
- physical and mental health
- criminal offences and proceedings
Organisations/agencies are required to adhere to a condition in Schedule 2 and Schedule 3 of the DPA 1998 in respect of such information.
The Data Protection Act 1998 specifies that personal identifiable information should only be used for specific purposes and shared only for justifiable reasons.
Consent is required from all persons whose information is to be shared with other organisations unless there are statutory grounds or other overriding justification for doing so (see exemptions 7.4).
This protocol recommends that consent should be in permanent form (ie written) and should not be assumed or implied. Obtaining 'explicit' written consent minimises the margin of error or confusion. Explicit consent should always be gained (subject to exemption) in relation to the sharing of person identifiable information classed under the Data Protection Act 1998 as sensitive (schedule 3).
The consent gained should be sufficient to cover the needs of a particular 'piece of work' or situation. If the situation or remit of the work changes, the original consent gained may no longer be sufficient.
In seeking consent to disclose personal information to another agency party to this protocol, the individual will need to be made fully aware of:
- the nature of the information that will be shared
- who the information will be shared with
- the purposes for which the information will be used
- other relevant details including their right to withhold or withdraw consent
- the potential consequences of not sharing information
In addition to the above, the organisation sharing the information should:
- anonymise or pseudo-anonymise the data wherever possible
- keep disclosures proportionate
- ensure that there is a justifiable need to know
Consent to disclose person identifiable information should be limited to the duration of the 'piece of work'.
Once the 'piece of work' has been completed, the consent given will be deemed to have lapsed.
Consent must be gained again if a similar or subsequent piece of work needs to be undertaken.
If the client decides to withdraw the consent that has originally been given or places a restriction upon personal information to be shared, no further personal information should be disclosed (unless an exemption applies) – this should be conveyed to any other agency involved.
If the client does withdraw their consent, any impact on the service that they are receiving must be explained and recorded.
7.4 Exemptions to gaining consent
There will be a limited number of situations when consent will not be required in order to share person-identifiable information about the client.
The advice and authorisation of the Information Manager / Designated Officer must always be sought prior to the sharing of information without consent taking place.
The main circumstances where sharing without consent occurs are:
- where there is concern that informing them about the disclosure would be likely to cause harm (including serious self-harm) to an individual, and information needs to be disclosed in order to protect that individual or others in society
- where informing the client would be likely to prejudice the detection and prevention of crime
- where informing the client would be likely to mean national security would be compromised
- where informing the client would be likely to prejudice regulatory functions conferred by enactment
- where disclosure is required by enactment, or for legal proceedings.
Organisations signing up to this protocol should be clear about what information should be withheld from the client, in line with Data Protection Act exemptions listed above.
Police requests for personal identifiable information should be processed through the designated officer and must be on a section 29 request form.
7.5 Recording of disclosure
Both organisations/agencies disclosing and those receiving disclosed information should have procedures in place for recording the details of the information including:
- request for sharing should be from a Designated Officer or authorised person
- reason for information being disclosed
- if without consent, justification and who authorised
- who gave the information
- who received the information
8. Onward transmission of person identifiable information
The disclosing organisation retains ownership of the data and any recipient must undertake not to disclose it without the consent of the data owner. Organisations should have procedures in place to ensure the safe and secure transportation of person identifiable information.
9. Organisational responsibility
Each organisation will ensure that:
- all staff are made aware of information security and confidentiality issues and the need to follow this protocol
- the Designated Officer is widely known within the organisation
- requests for information are responded to within a reasonable time scale, as agreed in local/specific protocols
10. Review of this protocol
The provisions of this protocol will be regularly reviewed – no longer than every 2 years.