National Records of Scotland

Preserving the past, Recording the present, Informing the future

Model Plan Guidance to Element 14

Model Plan Guidance to Element 14

Shared information

Under certain conditions, information given in confidence may be shared. Most commonly this relates to personal information, but it can also happen with confidential corporate records.

The Keeper of the Records of Scotland (The Keeper) has issued the following statement about information sharing in line with his obligations under the Public Records (Scotland) Act 2011 (the Act):

Information has been shared between public authorities for a number of years for the benefit of clients and stakeholders, but also in the interests of efficient public services. Sharing relevant information leads to benefits for service users in improved and more joined-up services. Scottish Government positively encourages information sharing across the public sector when it benefits society in general, but particularly when it is necessary to protect vulnerable adults or children. If your authority is not currently sharing information then it is very likely that you will be doing this in the future. An authority's RMP must indicate what safeguards are in place to ensure that information will be shared lawfully and securely. It will for example include reference to Information Sharing Protocols (ISPs). Policy documents, protocols, agreements and other information sharing documentation should be submitted as evidence that this aspect of records management is being handled appropriately.

ISPs are not a legal requirement under the terms of the Data Protection Act 1998, but they are recognised by the Information Commissioner as important in helping organisations share information lawfully and securely. ISPs create a routine around what can be shared, with whom and when and help practitioners make informed decisions. In this regard ISP's must propose practice that complies with the Data Protection Act 1998 and have regard to the Data Sharing 'Code of Practice' issued by the Information Commissioner.

ISPs primarily set out the principles and general procedures for appropriately sharing information, but they should also address storage and archive provision. This is particularly important for information shared or jointly created that is of enduring value and may need to be disposed of to a place of permanent deposit. ISPs under these circumstances will need to consider storage and archive arrangements.

ISPs may be an integral part of an authority's overall information governance framework that might include:

  • An Information Sharing Code of Practice, outlining the organisation's intentions and commitment to information sharing and promoting good practice when sharing personal information.
  • Information Sharing Procedures, describing the chronological steps and considerations required after a decision to share information has been made, for example, the steps to be taken to ensure that information is shared securely. Information sharing procedures set out, in detail, good practice in sharing information.
  • Privacy, confidentiality, consent (service users). The organisation should have in place processes and documentation for service users, such as 'Privacy/Confidentiality Statement', 'Fair Processing Notice', 'Consent', and 'Subject Access'. Relevant staff within the organisation must understand these processes and be able to access documentation when required.

The following are the most obvious issues that an information sharing protocol might cover, but this list is not exhaustive:

  • Needs based sharing: a statement on why it is necessary to share information with specific partner organisations and describe the framework which will allow this to happen.
  • Fairness and Transparency: a statement on how the authority will advertise and make known their intention to share information.
  • Information Standards: a statement on the authority's commitment to maintain accurate and up-to-date information
  • Retention of Shared Information: a statement on the retention schedule governing the information being shared.
  • Security of Shared Information: a statement on the mechanisms in place to ensure the security and safety of the information being shared.
  • Access to Personal Information: a statement on how subject access requests will be dealt with.
  • Freedom of Information: a statement on how the authority will deal with requests under FOI legislation about their information sharing practices and policies.
  • Review: a statement on how the authority intends to keep its protocol under review to ensure it continues to protect the rights of individuals and remains fit for purpose. The review period of information sharing should be decided at outset.

Evidence

Potential evidence that an authority undertakes external information sharing in a controlled and suitable manner might include: Formal policy documents or protocols or codes of practice; a copy of a data sharing agreement (redacted if necessary); public statements about the handling of personal information or a project governance document detailing responsibilities for records created during and beyond the life of the project.

Sample Data Sharing Documents

The Information Commissioner indicates that a data sharing agreement ought to consider:
The purpose of sharing
Partner organisations & points of contact
Data to be shared
Legal basis for sharing
Access & individuals' rights
Information governance arrangements

Public authorities should consider whether to publish their data sharing practices.

Audit Scotlands have provided this sample 'Code of Data Matching Practice'. This code deals specifically with the sharing of personal information for the purposes of fraud detection. However, the general principles around which the code has been based have been approved by the UK Information Commissioner and may be considered to have general application when developing procedures that allow data sharing for other purposes. Appendix 2 of this code gives examples of text that might be used to alert the public to the potential sharing of their personal data: (http://www.audit-scotland.gov.uk/docs/central/2010/nr_101112_nfi_data_matching_practice.pdf)

This is an example of a data sharing agreement issued by a Scottish public authority:
[Scottish Enterprise Data Sharing Agreement - Acrobat PDF 246KB, new window]

A memorandum of understanding issued by Lothian and Borders Police:
[E-IRD Memorandum of Understanding - Acrobat PDF 247KB, new window]

An information sharing protocol from a local authority:
[New Greater Glasgow and Clyde protocol - Acrobat PDF 361KB, new window]

Strathclyde Fire and Rescue information sharing agreement:
[Strathclyde Fire and Rescue agreement - Acrobat PDF 277KB, new window]

Dumfries and Galloway Information Sharing protocol:
[D+G Information Sharing Protocol - Acrobat PDF 661KB, new window]
And their practitioner guide:
[Final Info Sharing Practitioner Guidance - Acrobat PDF 661KB, new window]
And their public statement about information sharing:
[Final Information Sharing Leaflet - Acrobat PDF 294KB, new window]

Guidance Specific to shared information

The Gold Standard [footnote 1] has been adopted by many public authorities including Dundee City Council (https://www.dundeecity.gov.uk/chserv/docs/practitioners.pdf)

The Information Commissioner's Office publishes checklists to provide a handy step by step guide through the process of deciding whether to share personal data. This assessment could be included in a project initiation document that might also include agreed operating. standards.(http://www.ico.org.uk/for_organisations/data_protection/topic_guides/data_sharing)

At the outset of creating a data sharing project, it is advised that public authorities carry out a privacy impact assessment. Consult the Information Commissioners page for more infomration.
(http://www.ico.org.uk/for_organisations/data_protection/topic_guides/privacy_impact_assessment)

Complete Guidance Documents

Gold Standard is a protocol designed to facilitate secure record sharing in Scotland:
[Gold Standard ISP Guidance Note - Acrobat PDF 297KB, new window]
[Gold Standards Information Sharing Protocol - Acrobat PDF 447KB, new window]

The information Commissioner's data sharing code of practice (http://www.ico.org.uk/for_organisations/data_protection/topic_guides/data_sharing )

The Scottish Accord on the Sharing of Personal Information (SASPI) was launched on 9th May 2012 and is now being piloted in Fife. This is intended to be a high level information sharing tool to help public authorities develop a robust mechanism for sharing information to other authorities (and, potentially, arms length contractors). As SASPI tools become available, they will be added to this guidance suite.

If you encounter difficulties opening linked websites, PDF documents and RTF documents listed on this page, please contact us at publicrecords@nas.gov.uk.

Return to Model Plan

Return to Model Plan or read the complete guidance to Model Plan.

Footnotes:

1. The Scottish Executive's Gold Standard for Information Sharing Protocols is a 'high level' document designed to help public authorities deal with the overall legal and technical elements to be considered when sharing information.