Sharing Personal Data ‘What you need to know’ Corporate Information Governance Team Strategic Intelligence.

Sharing personal data: Sharing must comply with the law

These laws must be complied with when sharing personal data:

1. Human Rights Act
2. Data Protection Act
3. Common law duty of confidence

The following slides provide information on how to comply with the law. Failure to comply could result in someone suffering damage or distress as a result. Deliberate breaches could also amount to a criminal offence or a disciplinary offence.

Sharing personal data: Human Rights Act – right to a private life

Article 8 of the European Convention on Human Rights gives people the right to a private life, family life, home and correspondence. Public authorities are not allowed to interfere with people’s privacy, for example by disclosing their personal data, unless the disclosure is lawful and necessary and is for:

- public safety or the economic wellbeing of the country
- prevention of disorder or crime
- protection of health or morals
- the rights and freedoms of others
- national security

Disclosures must be proportionate. The public interest in making the disclosure must outweigh the person’s right to a private life. In practice, if the person disclosing the information complies with the Data Protection Act, disclosure is unlikely to breach the Human Rights Act.

Sharing personal data: Data Protection Act – the principles

The Data Protection Act is the main law that governs how organisations process (i.e. obtain, use, record and disclose) personal data about living people, and it sets out 8 principles which must be complied with. These are summarised as:

Personal data must be:

1. Processed fairly & lawfully
2. Processed for specified & lawful purposes
3. Adequate, relevant & not excessive
4. Accurate & where necessary kept up to date
5. Not kept for longer than is necessary
6. Processed in accordance with the rights of data subject
7. Kept secure
8. Transferred only to countries with adequate security

Sharing personal data: Data Protection Act – sharing must be fair

The first data protection principle is very important. It requires personal data to be shared fairly. In order to be ‘fair’, the subject of the data must be told that their information will be shared, with whom and why, and it must be communicated to the person in a way in which they can understand.

This is sometimes known as providing a ‘privacy notice’ or a ‘fair processing statement’ and is often stated on forms when personal data is collected. However, this may not always be the case and therefore it is best practice to tell the person that their data is being shared (or it can be in writing).

A person does not have to be told their information will be shared, if by doing this it would prejudice the prevention or detection of a crime or put someone at increased risk of harm.

Sharing personal data: Data Protection Act – sharing must be lawful

The first data protection principle also requires that any sharing is lawful. The Data Protection Act provides several powers which allow personal data to be shared. For example, it can be shared if one or more of the following applies:

- the person has given their consent
- there is a specific legal obligation to share
- disclosure is necessary to protect someone’s life or from serious harm
- disclosure is necessary in the public interest and is necessary for our organisation or another organisation to undertake its official duties
- disclosure is for a legitimate and lawful purpose and does not cause unwarranted prejudice to the person
- disclosure is in the substantial public interest
- disclosure will assist in the prevention or detection of an unlawful act

Disclosures must be relevant, not excessive and proportionate.

Sharing personal data: Data Protection Act – sharing with consent

If it is appropriate to obtain consent, then the person giving it must be fully informed, understand why their information may be shared, who will see it and what might happen as a result. Consent must also be freely given and not obtained through coercion. Where possible consent should be in writing.

Competent

Where a child is under 12 yrs, consent should be obtained from the parent or carer. Where a child is over 12 but under 16 yrs, you need to assess whether they are competent to consent for themselves and if so, obtain their consent.

Individuals aged 16 yrs and over are presumed, in law, to have the capacity to give or withhold consent to the sharing of their personal data, unless there is evidence to the contrary.

If a person is considered not to have capacity to make decisions (whether child or adult), their views should still be sought as far as possible.

Sharing personal data: Data Protection Act – sharing without consent

It is not always necessary or appropriate to obtain consent in some circumstances, for example if:

- someone has been hurt and information needs to be shared quickly to help them;
- obtaining consent would put someone at increased risk of harm;
- obtaining consent would prejudice a criminal investigation or prevent a person being caught or questioned for a crime they may have committed;
- the information must be disclosed regardless of whether consent is given, for example if a court order or other legal obligation requires disclosure.

The Data Protection Act provides other powers to share without consent (see previous slides).

Sharing personal data: Data Protection Act – share information securely…

Whenever personal data is shared, it must only be given to people who have a legal power to see it and it must be shared in a way that is secure.

Verbal – make sure you cannot be overheard by people who shouldn’t hear. If sharing over the phone, make sure you know who you are talking to, they are the right person to speak to and are legally entitled to the information.

Email – sensitive personal data should not be sent by email unless both the sender and recipient have a secure address, i.e. both addresses contain one of the following sets of letters: .pnn.gov.uk, .gsi.gov.uk, gsx.gov.uk, gsm.net and nhs.net. To obtain a secure address go to ‘Keep Devon’s Data Safe’ on the Source.

Sharing personal data: Data Protection Act – …share information securely …continued

Post – mark it ‘for the attention of the addressee only’ and make sure envelopes and packages are properly sealed. Tell the person receiving it that you have sent it and ask them to contact you if they do not receive it within the expected time frame. Limit the amount of personal data disclosed, to those details necessary for the recipient to carry out their role effectively.

Fax – mark the cover sheet ‘for the attention of the addressee only’. Only fax the minimum personal data you need to. Do not identify clients by name unless you have to and there is no other secure means of sending the information. Telephone the recipient beforehand, to ensure they know they will shortly be receiving a fax. Double check the fax number before sending.

If personal data is lost or sent to the wrong person, you must notify the Information Governance Team immediately on or

Sharing personal data: Duty of Confidentiality – sharing confidential data…

There may be times when you want to share personal data which was originally provided to you in confidence. Case law has described confidential information as something that has the “…necessary quality of confidence about it” and is not public knowledge.

A duty of confidence will generally arise in circumstances where a person receives information that he/she knows, or ought to know, is being given in confidence. In such cases the organisation or person given the information is restricted from using it for a purpose other than that for which it was provided, or disclosing it without the individual’s permission, unless there is an overriding reason in the public interest for this to happen or another law or power permits disclosure.

Sharing personal data: Duty of Confidentiality – …sharing confidential data …continued

When deciding whether there is a public interest in sharing confidential personal data, ask yourself the following questions:

- do I have the person’s consent?
- is the sharing necessary to protect a child, young person or adult from harm?
- is the sharing necessary to prevent or detect a crime?
- is the sharing necessary to apprehend an offender?
- is the sharing necessary to comply with a court order or legal obligation?

If you can say yes to one or more of these, then you can override a duty of confidence and share confidential personal data. Disclosures must be kept to a minimum, be relevant, and proportionate to what you are trying to achieve.

Sharing personal data: Summary

- Only share personal data if it is for a legitimate & lawful reason
- Tell the person you want to share their data, with whom and why
- Decide whether you need the person’s consent. If you have consent, it must be informed, explicit & they must have capacity to give consent
- Decide whether you can share without consent - do you have other powers?
- Keep personal data disclosures to a minimum
- Check the identity of the person you want to share data with & their entitlement
- Be careful when discussing clients, that you cannot be overheard
- Do not send personal data by email unless sender and recipient have a secure address. If this is not possible, password protect the document or use alternative methods of disclosing the data securely.

To find out more go to the Knowing when to Share pages on the Source.