Model Plan Guidance to Element 14
Model Plan Guidance to Element 14
As a result of changes to the Keeper’s Model Plan, this guidance is currently being reviewed. We hope to have this completed by the end of 2021. In the meantime, if you have any queries about the guidance, please contact the Assessment team.
Under certain conditions, information given in confidence may be shared. Most commonly this relates to personal information, but it can also happen with confidential corporate records.
The Keeper of the Records of Scotland (The Keeper) has issued the following statement about information sharing in line with his obligations under the Public Records (Scotland) Act 2011 (the Act):
Information has been shared between public authorities for a number of years for the benefit of clients and stakeholders, but also in the interests of efficient public services. Sharing relevant information leads to benefits for service users in improved and more joined-up services. Scottish Government positively encourages information sharing across the public sector when it benefits society in general, but particularly when it is necessary to protect vulnerable adults or children. If your authority is not currently sharing information then it is very likely that you will be doing this in the future. An authority's RMP must indicate what safeguards are in place to ensure that information will be shared lawfully and securely. It will for example include reference to Information Sharing Protocols (ISPs). Policy documents, protocols, agreements and other information sharing documentation should be submitted as evidence that this aspect of records management is being handled appropriately.
ISPs are not a legal requirement under the terms of the Data Protection Act 1998, but they are recognised by the Information Commissioner as important in helping organisations share information lawfully and securely. ISPs create a routine around what can be shared, with whom and when and help practitioners make informed decisions. In this regard ISP's must propose practice that complies with the Data Protection Act 1998 and have regard to the Data Sharing 'Code of Practice' issued by the Information Commissioner.
ISPs primarily set out the principles and general procedures for appropriately sharing information, but they should also address storage and archive provision. This is particularly important for information shared or jointly created that is of enduring value and may need to be disposed of to a place of permanent deposit. ISPs under these circumstances will need to consider storage and archive arrangements.
ISPs may be an integral part of an authority's overall information governance framework that might include:
- An Information Sharing Code of Practice, outlining the organisation's intentions and commitment to information sharing and promoting good practice when sharing personal information.
- Information Sharing Procedures, describing the chronological steps and considerations required after a decision to share information has been made, for example, the steps to be taken to ensure that information is shared securely. Information sharing procedures set out, in detail, good practice in sharing information.
- Privacy, confidentiality, consent (service users). The organisation should have in place processes and documentation for service users, such as 'Privacy/Confidentiality Statement', 'Fair Processing Notice', 'Consent', and 'Subject Access'. Relevant staff within the organisation must understand these processes and be able to access documentation when required.
The following are the most obvious issues that an information sharing protocol might cover, but this list is not exhaustive:
- Needs based sharing: a statement on why it is necessary to share information with specific partner organisations and describe the framework which will allow this to happen.
- Fairness and Transparency: a statement on how the authority will advertise and make known their intention to share information.
- Information Standards: a statement on the authority's commitment to maintain accurate and up-to-date information
- Retention of Shared Information: a statement on the retention schedule governing the information being shared.
- Security of Shared Information: a statement on the mechanisms in place to ensure the security and safety of the information being shared.
- Access to Personal Information: a statement on how subject access requests will be dealt with.
- Freedom of Information: a statement on how the authority will deal with requests under FOI legislation about their information sharing practices and policies.
- Review: a statement on how the authority intends to keep its protocol under review to ensure it continues to protect the rights of individuals and remains fit for purpose. The review period of information sharing should be decided at outset.
Potential evidence that an authority undertakes external information sharing in a controlled and suitable manner might include: Formal policy documents or protocols or codes of practice; a copy of a data sharing agreement (redacted if necessary); public statements about the handling of personal information or a project governance document detailing responsibilities for records created during and beyond the life of the project.
Sample Data Sharing Documents
The Information Commissioner indicates that a data sharing agreement ought to consider:
The purpose of sharing
Partner organisations & points of contact
Data to be shared
Legal basis for sharing
Access & individuals' rights
Information governance arrangements
Public authorities should consider whether to publish their data sharing practices.
Audit Scotlands have provided this sample 'Code of Data Matching Practice'. This code deals specifically with the sharing of personal information for the purposes of fraud detection. However, the general principles around which the code has been based have been approved by the UK Information Commissioner and may be considered to have general application when developing procedures that allow data sharing for other purposes. Appendix 2 of this code gives examples of text that might be used to alert the public to the potential sharing of their personal data
This is an example of a data sharing agreement issued by a Scottish public authority:
Scottish Enterprise Data Sharing Agreement (246 KB PDF)
A memorandum of understanding issued by Lothian and Borders Police:
E-IRD Memorandum of Understanding (247 KB PDF)
An information sharing protocol from a local authority:
New Greater Glasgow and Clyde protocol (361 KB PDF)
Strathclyde Fire and Rescue information sharing agreement:
Strathclyde Fire and Rescue agreement (277 KB PDF)
Dumfries and Galloway Information Sharing protocol:
D+G Information Sharing Protocol (661 KB PDF)
And their practitioner guide:
Final Info Sharing Practitioner Guidance (661 KB PDF)
And their public statement about information sharing:
Final Information Sharing Leaflet (294 KB PDF)
Guidance Specific to shared information
At the outset of creating a data sharing project, it is advised that public authorities carry out a privacy impact assessment. Consult the Information Commissioners page for more infomration.
Complete Guidance Documents
Gold Standard is a protocol designed to facilitate secure record sharing in Scotland:
Gold Standard ISP Guidance Note (297 KB PDF)
Gold Standards Information Sharing Protocol (447 KB PDF)
If you encounter difficulties opening linked websites, PDF documents and RTF documents listed on this page, please contact us at email@example.com.