Information sharing, both within the Authority and with other bodies or individuals, is necessary, lawful and controlled.
The Keeper of the Records of Scotland (The Keeper) has issued the following statement about information sharing in line with obligations under the Public Records (Scotland) Act 2011 (the Act):
Information has been shared between separate public authorities for a number of years for the benefit of clients and stakeholders, but also in the interests of efficient public services. Sharing relevant information leads to benefits for service users in the form of improved and more joined-up services. The Scottish Government positively encourages information sharing across the public sector when this benefits society in general, but particularly when it is necessary to protect vulnerable adults or children. If your authority is not currently sharing information, then it is very likely that you will be doing so in the future. An authority’s Records Management Plan (RMP) must indicate what safeguards are in place to ensure that information will be shared lawfully and securely. It might, for example, include reference to information sharing protocols (ISPs), policy documents, or data sharing agreements. Samples of these, and other information sharing documentation, should be submitted as evidence that this aspect of records management is being handled appropriately.
Formal data sharing agreements, such as ISPs, are recognised by the Information Commissioner as important in helping organisations share personal information lawfully and securely. In this regard, data sharing agreements must impose practice that complies with the Data Protection Act 2018, and have regard to the Data Sharing ‘Code of Practice’ issued by the Information Commissioner. However, similar formal agreements should also be used for routine sharing of non-personal records (such as financial or statistical information). For both personal and non-personal information, the Keeper will expect to see an agreement around what can be shared, with whom, and when. These agreements also need to provide clauses that help practitioners make informed decisions.
Although they primarily set out the principles and general procedures for appropriately sharing information, formal data sharing agreements should also address storage and archive provision. This is particularly important for information that is of enduring value and may need to be disposed of to a place of permanent deposit. This applies whether this information is shared or jointly created.
Data sharing agreements may be an integral part of an authority’s overall information governance framework which might include the following:
- An Information Sharing Code of Practice, outlining the organisation’s intentions and commitment to information sharing and promoting good practice when sharing personal information.
- Information Sharing Procedures, describing the chronological steps and considerations required after a decision to share information has been made, for example, the steps to be taken to ensure that information is shared securely. Information sharing procedures set out, in detail, good practice in sharing information.
- Privacy, confidentiality, consent (service users). The organisation should have in place processes and documentation for service users, such as ‘Privacy/Confidentiality Statement’, ‘Fair Processing Notice’, ‘Consent’, and ‘Subject Access’. Relevant staff within the organisation must understand these processes and be able to access documentation when required.
Although not an exhaustive list, the following are the most obvious issues that an information sharing protocol might cover:
- Needs-based sharing: a statement on why it is necessary to share information with specific partner organisations, describing the framework which will allow this to happen.
- Fairness and Transparency: a statement on how the authority will advertise and make known their intention to share information.
- Information Standards: a statement on the authority’s commitment to maintain accurate and up-to-date information.
- Retention of Shared Information: a statement on the retention schedule governing the information being shared.
- Security of Shared Information: a statement on the mechanisms in place to ensure the security and safety of the information being shared.
- Access to Personal Information: a statement on how Subject Access Requests (SARs) will be dealt with.
- Freedom of Information: a statement on how the authority will deal with requests about their information sharing practices and policies under FOISA.
- Review: a statement on how the authority intends to keep its protocol under review to ensure it continues to protect the rights of individuals, and remains fit for purpose.
Public authorities should consider whether to publish their data sharing practice documentation.
Audit Scotland have provided a sample ‘Code of Data Matching Practice’. This code deals specifically with the sharing of personal information for the purposes of fraud detection. However, the general principles around which the code has been based have been approved by the UK Information Commissioner and may be considered to have general application when developing procedures that allow data sharing for other purposes. Appendix 2 of this code gives examples of text that might be used to alert the public to the potential sharing of their personal data:
Link: http://www.audit-scotland.gov.uk/docs/central/2010/nr_101112_nfi_data_matching_practice.pdf
It is important to recognise that this Element does not refer to one-off events, such as an authority responding to an FOI enquiry. Rather, it covers routine information sharing, for example one public authority providing monthly updates to another to allow them both to pursue their functions. However, Element 14 does cover the management of records created in shared projects. For example, when two or more public authorities combine for a specific limited purpose, there should be processes put in place to manage any records created during that activity – especially after the project ends.
To give a hypothetical example:
a) If a social work department of a council sends information about a child to Police Scotland, they should do so under the terms of an Information Sharing Protocol. The Keeper would need to see a sample of such a protocol, and be satisfied that it is clear whose record it is, and what will happen to the Police copy of the record.
b) If there is then a multidisciplinary group put in place around the child with a meeting between the police, the council and the local health board, one of the earliest decisions that must be made is what happens to the record of their deliberations. Which of the partners will be responsible for managing the records of the group? This is liable to be stated in a standard protocol if these sorts of meetings regularly occur. The Keeper would need to see a sample of such a protocol.
c) Finally, if it is then determined that a new general procedure needs to be developed and representatives of council, police and health board are sequestered from their normal jobs to work together for six months to create a new policy, it should be decided at the outset who will take the records management role. In this case, because this is a new situation, a ‘terms of reference’ style document may be drawn up. The Keeper would need to see this and to check that the management of the records created by the new group has been properly considered.
Evidence
Potential evidence that an authority undertakes information sharing in a controlled and suitable manner might include formal policy documents such as protocols or codes of practice; a copy of a data sharing agreement or ISP (redacted if necessary); public statements about the handling of personal information; or a project governance document detailing responsibilities for records created during and beyond the life of the project.
It is likely that a public authority may have more than one separate data sharing arrangement to consider. If this is the case, the Keeper simply requires a sample in evidence; s/he does not need to view every data sharing agreement pursued by an authority.