Can you share? Yes you can!! Angus Council Adult Protection Maureen H Falconer, Senior Policy Officer Information Commissioner’s Office

Data Protection Principles Processed fairly and lawfully and must meet appropriate conditions for processing; Obtained only for one or more specified lawful purposes; Adequate, relevant and not excessive; Accurate and, where necessary, kept up to date; Kept for no longer than is necessary; Processed in accordance with individuals’ rights; Subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing, or the accidental loss, destruction, or damage to, personal data; Only transferred to a country or territory outside the EEA where adequate levels of protection for the rights and freedoms of individuals in relation to the processing of personal data can be ensured. Personal information must be…

Data Protection Principles Processed fairly and lawfully and must meet appropriate conditions for processing; Obtained only for one or more specified lawful purposes; Adequate, relevant and not excessive; Accurate and, where necessary, kept up to date; Kept for no longer than is necessary; Processed in accordance with individuals’ rights; Subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing, or the accidental loss, destruction, or damage to, personal data; Only transferred to a country or territory outside the EEA where adequate levels of protection for the rights and freedoms of individuals in relation to the processing of personal data can be ensured. Personal information must be…

Fair – privacy notices Privacy notices: Passive vs Active Identity of the organisation in control of processing The purpose, or purposes, for processing Any other information necessary, in the specific circumstances, to enable the processing to be fair

Lawful – conditions for processing Consent Contract Legal obligation Vital interests Administration of justice Public function/interest Legitimate interests of the data controller and third party but not prejudicial to individual Explicit consent Employment law Vital interests Not-for-profit TU/religious/ political/philosophical groups Already in public domain Legal proceedings/advice Administration of justice Public functions Anti-fraud activity Medical purposes Equal Opps Monitoring Substantial public interest (SI2000/417) Personal data:Sensitive personal data:

Lawful – conditions for processing Consent Contract Legal obligation Vital interests Administration of justice Public function/interest Legitimate interests of the data controller and third party but not prejudicial to individual Explicit consent Employment law Vital interests Not-for-profit TU/religious/ political/philosophical groups Already in public domain Legal proceedings/advice Administration of justice Public functions Anti-fraud activity Medical purposes Equal Opps Monitoring Substantial public interest (SI2000/417) Personal data:Sensitive personal data:

Lawful – individuals’ rights Right to Access – sources & disclosures Right to Object – unwarranted & substantial damage or distress Right to Accuracy – matters of fact, not opinion Right to Complain – internal & external procedures

Data Protection Principles Processed fairly and lawfully and must meet appropriate conditions for processing; Obtained only for one or more specified lawful purposes; Adequate, relevant and not excessive; Accurate and, where necessary, kept up to date; Kept for no longer than is necessary; Processed in accordance with individuals’ rights; Subject to appropriate technical and organisational measures to prevent the unauthorised or unlawful processing, or the accidental loss, destruction, or damage to, personal data; Only transferred to a country or territory outside the EEA where adequate levels of protection for the rights and freedoms of individuals in relation to the processing of personal data can be ensured. Personal information must be…

Tools for good governance: Minimum data sets & data standards Procedures for corrections & forwarding alerts Formal retention schedule Robust security standards & up-to-date systems & software Formal near-miss & breach procedures Information governance

Tools for good governance: Staff training Security standards Policies & Procedures Privacy Impact Assessments Formal information governance lines of accountability Data Sharing Agreements/Information Sharing Protocols Information governance

Information governance – data sharing EmergencyExceptional Reciproca l Regular Named person Police Health Social work School

Data sharing code of practice What is a statutory Code of Practice? ICO is required by law to produce Approved by Secretary of State and UK Parliament Provides ‘good practice’ advice Not following Code is not necessarily a DPA breach Admissible in court proceedings

Information governance – data sharing What is the sharing meant to achieve? What information needs to be shared? When and how should sharing take place? Who requires access to the shared data? Will the sharing involve any transfers outside the EEA? How do you check objectives are being achieved? Does your notification need to be updated? Are current fair processing notices adequate? What is your legal basis for sharing? Should a data sharing agreement be in place? Factors to consider:

Data sharing agreements Structure Purpose of sharing Partner organisations & points of contact Data to be shared Legal basis for sharing Access & individuals’ rights Information governance arrangements: Datasets; accuracy; compatibility; retention and deletion; security; SARs; reviews; termination; appendices (glossary, templates, diagrams/decision trees)

ICO statement Misconception that the Act prevents sharing so fear of non-compliance becomes a barrier The Act promotes lawful and proportionate information sharing A risk to wellbeing can be a strong indication that a person could be at risk of harm if the immediate matter is not addressed Where a practitioner believes, in their professional opinion, that there is risk to a person that may lead to harm, proportionate sharing of information is unlikely to constitute a breach of the Act Consent can be difficult and it should only be sought when the individual has real choice over the matter

ICO statement The Act provides conditions to allow sharing of such information: functions of a public nature exercised in the public interest (Sch2) and functions conferred under an enactment (Sch3) Appropriate and relevant protocols conveyed to practitioners to provide a support mechanism for the decision making process The practitioner should use experience, professional instinct and all available information before they decide whether or not to share The Data Protection Act should not be viewed as a barrier to appropriate and proportionate sharing!

Scotland Office: 45 Melville Street Edinburgh EH3 7HL T: E: Subscribe to our e-newsletter at or find us #icoscotland Keep in touch /iconews