Purpose specific Information Sharing Agreement. Community Safety Accreditation Scheme Part 2

Similar documents
GENERAL PROTOCOL FOR SHARING INFORMATION BETWEEN AGENCIES IN KINGSTON UPON HULL AND THE EAST RIDING OF YORKSHIRE

INFORMATION SHARING AGREEMENT (ISA) BETWEEN

Data Protection Policy and Procedure

Data Protection. Policy & Procedure. Greater Manchester Police

INFORMATION SHARING AGREEMENT This document is NOT PROTECTIVELY MARKED

Version No. Date Amendments made Authorised by N/A ACC Hamilton (PSNI)

DATA SHARING AND PROCESSING

INVESTIGATION OF ELECTRONIC DATA PROTECTED BY ENCRYPTION ETC DRAFT CODE OF PRACTICE

PROCEDURE (Essex) / Linked SOP (Kent) Data Protection. Number: W 1011 Date Published: 24 November 2016

INFORMATION SHARING AGREEMENT WEST YORKSHIRE POLICE. and LEEDS AND YORK PARTNERSHIP NHS FOUNDATION TRUST

SCHEDULE Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

MEMORANDUM OF UNDERSTANDING

Law Enforcement processing (Part 3 of the DPA 2018)

PROTECTION OF PERSONAL INFORMATION ACT NO. 4 OF 2013

Data Protection REFERENCE NUMBER. IMPLEMENTATION DATE June 2014 NEXT REVIEW DATE: September 2020 RISK RATING

PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2017 ARRANGEMENT OF SECTIONS PART I PRELIMINARY

ARTICLE 29 Data Protection Working Party

General Rules on the Processing of Personal Data SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)...

Data Protection Act 1998

DATA PROTECTION POLICY STATUTORY

DURHAM CONSTABULARY POLICY

A closed circuit television system is used at the Memorial Hall by the Parish Council.

CCTV Code of Practice

SUBSIDIARY LEGISLATION DATA PROTECTION (PROCESSING OF PERSONAL DATA IN THE POLICE SECTOR) REGULATIONS

APPENDIX. 1. The Equipment Interference Regime which is relevant to the activities of GCHQ principally derives from the following statutes:

The installation of CCTV can provide information on activities at the Water,

Merseyside Police and Probation Area. Working together to. Protect the Public of Merseyside MULTI AGENCY PUBLIC PROTECTION ARRANGEMENTS

SCHEDULE 1 DATA TRANSFER AGREEMENT (Data Controller to Data Controller transfers)... 16

European College of Business and Management Data Protection Policy

Data Protection Act 1998 Policy

Federal Act on Data Protection (FADP) Section 1: Aim, Scope and Definitions

Data Protection Policy

OTrack Data Processing Terms

Practical Guidance on the sharing of information and information governance for all NHS organisations specifically for Prevent and the Channel process

APPLICATION FOR COMMUNICATIONS DATA (UNDER THE DATA PROTECTION ACT 1998) RESTRICTED

Code of Practice Issued Under Section 377A of the Proceeds of Crime Act 2002

Derbyshire Constabulary TRUANCY GUIDANCE POLICY REFERENCE 08/232. This guidance is suitable for Public Disclosure

How we use Personal Information

PROTOCOL BETWEEN WEST MIDLANDS POLICE CPS WEST MIDLANDS AND WEST MIDLANDS LOCAL AUTHORITIES

Access to Personal Information Procedure

Protection of Freedoms Act 2012

Covert Human Intelligence Sources Code of Practice

DATA PROTECTION (JERSEY) LAW 2005 CODE OF PRACTICE & GUIDANCE ON THE USE OF CCTV GD6

Staff Data Protection Policy

closer look at Rights & remedies

16 March Purpose & Introduction

Interstate Commission for Adult Offender Supervision

CCTV POLICY. Document Type Corporate Policy. Unique Identifier HS-103

How we use Personal Information

- and - OPINION. Reasons

Consolidated text PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2001 [CONSOLIDATED TEXT] NOTE

DATA PROTECTION (JERSEY) LAW 2018

Data Protection Commissioner s Foreword 3. Chapter 1: Introduction - Scope of the Guidance 5. Chapter 2: First Data Protection Principle 7

Data Protection Bill [HL]

Derbyshire Constabulary SIMPLE CAUTIONING OF ADULT OFFENDERS POLICY POLICY REFERENCE 06/122. This policy is suitable for Public Disclosure

The London Borough of Barnet. The Metropolitan Police Barnet Borough Division

The Committee of Ministers, under the terms of Article 15.b of the Statute of the Council of Europe,

Page1. Employment of Ex- Offenders. Issue Date 01/01/2017 Issue 1 Document No: 105 Uncontrolled when copied

Mannofield Parish Church. Registered Scottish Charity No: SC (the Congregation ) Data Protection Policy

Charities & Not-for-Profits Overview of Data Protection Law

THE DATA PROTECTION PRINCIPLES

Data Protection Policy

Schools Subject Access Request Procedures

What Is Criminal Intelligence?

Memorandum of Understanding. between. HM Land Registry. and. Solicitors Regulation Authority (SRA)

Data Protection Policy

Official Gazette No. 55 issued on 8 May Data Protection Act. of 14 March 2002

Act No. 502 of 23 May 2018

Port Glasgow St Andrew s Data Protection Policy

AIA Australia Limited

THE PROCESSING OF PERSONAL DATA (PROTECTION OF INDIVIDUALS) LAW 138 (I) 2001 PART I GENERAL PROVISIONS

COMP Article 1. Article 1 Subject matter and objectives

Data protection and journalism: a guide for the media

DISCLOSURE & BARRING SERVICE (DBS) PROCEDURE

Standard Operating Procedure

This unofficial translation is provided for information purposes only and has no legal force. Data Protection Act.

Identifying arrested, charged or convicted persons

Code of Practice - Covert Human Intelligence Sources. Covert Human Intelligence Sources. Code of Practice

Introduction. The highly anticipated text of the Irish Data Protection Bill 2018 has been published.

T he European Union s Article 29 Data Protection

Personal Data Protection Act

Privacy. Purpose. Scope. Policy. Appendix A

Data Protection Policy. Malta Gaming Authority

EDPS Opinion on the proposal for a recast of Brussels IIa Regulation

Data protection and journalism: a guide for the media

Code of Ethics. policing with PRIDE. Professionalism Respect Integrity Dedication Empathy

A Legal Overview of the Data Protection Act By: Mrs D. Madhub Data Protection Commissioner

DIRECTIVE 95/46/EC OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. of 24 October 1995

ACT GUIDELINES FOR COUNCIL. Approved 5 June 2008 (last updated 1 December 2014)

TORONTO POLICE SERVICES BOARD REGULATED INTERACTION WITH THE COMMUNITY AND THE COLLECTION OF IDENTIFYING INFORMATION

Data Protection Bill [HL]

Quick Reference Guides to Out of Court Disposals

CRIMINAL RECORDS CHECK (DBS) POLICY. Author/Reviewer: Date Approved: Jan 2006

DATA PROTECTION (JERSEY) LAW 2005

Consolidated text PROJET DE LOI ENTITLED. The Data Protection (Bailiwick of Guernsey) Law, 2001 * [CONSOLIDATED TEXT] NOTE

Fixed Penalty Notice Enforcement Policy

LAW OF THE REPUBLIC OF ARMENIA ON PROTECTION OF PERSONAL DATA CHAPTER 1 GENERAL PROVISIONS

Interest Balancing Test Assessment regarding data processing for the purpose of the exercise of legal claims

5418/16 AV/NT/vm DGD 2

Mandatory data breach reporting comes to Australia new notification requirements under the Privacy Act (2018) 15(4) PRIVLB 54

Transcription:

Document Information Summary Partners ISA Ref: As Part 1 An agreement to formalise the information sharing arrangements for the purpose of specific Information sharing pursuant to Crime and Disorder reduction through partnership working. Hampshire Constabulary and The Community Safety Accreditation Scheme Partner as named in - Part 1 1. Date agreement comes into force: As Part 1 Date agreement to be reviewed: As Part 1 Agreement owner: Hampshire Constabulary Agreement drawn up by: Information Governance, Joint Information Management Unit, Hampshire Constabulary Version Record Version No Amendments Made Authorisation 1.4 Note on updating Part 2 of this ISA: Part 2 of this agreement will not be updated without seeking approval of the signatures to Part 1. The exceptions to this are: The addition of a new signatory to the Partner section A new review date, following a review resulting in no changes 1 See Part 1 for the agreement by the specific partners to abide by this ISA v1.4 1 of 15

Table of Contents 1. PURPOSE AND SCOPE OF THIS AGREEMENT 3 2. PROCESS OF SHARING 4 3. DATA PROTECTION AND CONFIDENTIALITY CONSIDERATIONS 7 4. ROLES AND RESPONSIBILITIES 14 APPENDIX A PRINCIPLES OF THE DATA PROTECTION ACT 15 APPENDIX B HUMAN RIGHTS ARTICLE 8 15 v1.4 2 of 15

1. Purpose and scope of this agreement Hampshire Constabulary is committed to working in partnerships to increase community safety; to look continually for opportunities to work more closely with organisations that can assist the police to detect, prevent and reduce crime and anti-social behaviour; and to develop and monitor strategies to reduce crime and anti-social behaviour. This agreement is to facilitate the lawful exchange of information in order to enable accredited persons as appropriate to exercise powers listed under schedule 5 of the Police Reform Act, 2002 and for the police to gather information in support of crime and disorder reduction initiatives. In pursuance of Section 41(1) of the Police Reform Act 2002, the Chief Officer can enter into an arrangement with an organisation, which enables employees to apply for accreditation under the Community Safety Accreditation Scheme (CSAS). The Chief Officer invites participation and partnership with organisations to work together to develop and implement a strategy and tactics for crime reduction. It also identifies where other mechanisms exist to facilitate an exchange of information for the same basic aims. This agreement is mainly concerned with the exchange of personal information. Therefore, where de-personalised information is requested the assumption is that this information will be shared. Wherever possible, information that does not identify individuals should be used and disclosed. It must be recognised that this document cannot provide clear guidance on every type of scenario and should be used only as an overall guide. As each case must be treated on its own merit, it may be necessary for organisations to seek specialist advice before requesting or disclosing any personal information. This ISA describes the formalisation of a pre-existing and lawful process and presents no additional privacy concerns to necessitate a privacy impact assessment. It has been determined in this case that the ISA addresses the privacy points. 1.1 Specific aims and benefits of sharing The aim of this agreement is to reduce and prevent incidents of criminal and disorderly behaviour through the sharing of information and intelligence; and in order for a co-ordinated response to resolve an incident at the earliest opportunity. The benefits of agreement between the organisations are: v1.4 3 of 15

Better informed decision making and collaborative working Improved inter-agency relationships Better profiling of crime and disorder activity to enable the more effective targeting of resources Safeguarding the vulnerable Reducing crime and disorder Increasing community safety Bringing offenders to justice Protecting life and property The parameters of the agreement will also allow the two agencies to work in partnership for the benefit of the wider public interest in reducing crime, preventing crime and anti-social behaviour which are encompassed by the Crime and Disorder Partnership. 2. Process of Sharing Personal data shared must be justified on the merits of each case and must be proportionate and no more than necessary for the purpose for which it is being shared. (See 3.1.1 for the policing purpose in full). 2.1 Types of data that could be shared To prevent irrelevant or excessive information being disclosed, the type of information that may be shared under the terms of this agreement may consist of any information the organisations can justify as necessary and proportionate to target and reduce crime and disorder; such as: Information available on SafetyNet, Individuals involved in anti-social behaviour, Vulnerable people, Witnesses of crime, Stolen vehicles, ASB hot spots and Information supplied in the daily briefings (unless evaluated as not suitable for sharing with partners agencies). Once received, police officers will ensure that all information is processed diligently and expeditiously and that in all relevant cases, each organisation will ensure that all parties are appraised and briefed as appropriate regarding the relevant outcomes. The object is to encourage positive working relationships, maintaining the understanding that police review all submissions, regardless of whether any results or actions are made apparent to the partner and that they will not be in a position to confirm or deny v1.4 4 of 15

presence of information which is not relevant to the function of the CSAS accredited person. Where police become aware of specific criminal intelligence there is no expectation that this will be shared with the scheme. Should the police become aware of any specific information that would lead to concern over personal safety they will endeavour to inform all relevant parties accordingly. Information will not be shared where disclosure would prejudice ongoing criminal proceedings unless there is an overriding public safety requirement to do so. Hampshire Constabulary can share where necessary and proportionate to meet the policing purpose. No police tactics will be shared under this agreement. 2.2 Disclosure of Photographs Photographs / images of juveniles, aged under 18 years, will not be circulated unless approved and in accordance with provisions of the Anti-Social Behaviour Act. The publication of photographs under this age is prohibited by the Children and Young Persons Act 1933. Photographs / images will only be released subject to compliance with the conditions outlined with this agreement and where it is necessary in support of schedule 5 of the Police Reform Act 2002. The information is exchanged for this purpose in accordance with the Data Protection Act 1998. Photographs / images will only be disclosed against signature of the Designated Person(s) and dated. Only the image, name and date of birth will be disclosed, as the image will only be used to ensure correct identification. At the time of disclosure a review date will be set. The review date will be determined in consideration of the level of risk an individual poses. The Police Liaison Officer will, prior to this date and in order to comply with audit controls, collect all circulated images. In any event, a review of all circulations will be carried out. Furthermore, the photographs / images will be reviewed at a maximum of 12 months from the date they were last updated and be returned to the owner, if no longer required or relevant. Should an identification using a photograph / image be made, which results in legal process, then that photograph / image must be seized and retained as v1.4 5 of 15

evidence in accordance with the Police and Criminal Evidence Act, 1984 and Criminal Procedures and Investigation Act 1996. 2.3 Making a request All requests for police data should be made by via the NPT Police Liaison Officer and 24/7 Intel. The request for information sharing must contain o Reason for the request o Relevance of the data sought to the request o Data Sought o Any necessary information to identify the data sought The identity of the originator must be recorded against relevant data. 2.4 Sharing data Ensure the request for data meets the joint purpose and has come from a legitimate source. Ensure the data to be shared is relevant to meet the joint purpose o Ensure the partner has enough data to act upon o Remove all excessive data o Check emails chains to ensure excess data is not sent to a recipient in error Ensure the data is accurate Ensure transfer is secure o Use one of the following secure methods SafetyNet NPT/Event briefings Anti-Social Behaviour Panels Daily Management Meetings Police Control Room(including Resolution Centre) Community Tasking and Co-ordinating Groups Secure email (e.g..pnn,.cjsm) Community Focus Team (based at CWUN) Airwave radio terminal (Provided that appropriate authorisation has been granted for access to the police channel) Keep a record 2 of: o The request for data o What information has been shared o With whom the information was shared o Purpose for sharing 2 Using the Z Information Sharing (Management Occurrence) on Hampshire Constabulary s RMS v1.4 6 of 15

o Rationale for: Disclosing data Withholding data Declining a request in full In the event of data loss or error: o Establish the facts of the loss or compromise o If possible, identify where the data is or who it has gone to o Identify the data which has been compromised o Inform your Information Security officer The process will provide evidence if the disclosure is challenged or formal complaint is made. Clear records of evidence provided by various partners will be required to justify any challenges of the proportionality of the action taken (See 3.10 regarding further disclosure). 3. Data Protection and Confidentiality Considerations 3.1 Data Protection Act 1998 Principle 1 Fair and Lawful 3 3.1.1 Principle 1 Lawful A public authority can only act intra vires; that is, within its explicit or implied statutory or common law powers. Therefore, the Police and The Community Safety Accreditation Scheme Partner can only share information with each other if the disclosure is believed to be necessary and proportionate and that the common purpose meets the policing purposes of: protecting life and property preserving order preventing the commission of offences bringing offenders to justice fulfilling a duty or responsibility arising from common law or statute) Therefore, sharing necessary to support criminal proceedings will be permitted, while sharing for civil cases will only occur where the civil case relates directly to a policing purpose. The disclosure of any personal data must be bound to both common law and statute, for example Human Rights Act 1998, Data Protection Act 1998 and the common law duty of confidence. (Appendices A & B) 3.1.2 Schedule 2 Conditions for processing personal data 3 See Appendix A for a full list of Data Protection Principles v1.4 7 of 15

Processing, therefore sharing, of any personal data must be necessary for one or more condition of Schedule 2 of the Data Protection Act 1998. The relevant conditions are as follows: Consent: Where the information subject gives their informed consent to share information about them, then sharing for the specified purpose will be lawful under the Data Protection Act 1998. Consent provides lawful power of disclosure, but does not exempt the organisations from lawful handling and security requirements. Administration of justice: Where the sharing is necessary for the functioning of the judiciary, for example the trial, finding and sentencing. Legal gateway under statute which allows sharing, implicitly or explicitly: o Crime and Disorder Act, 1998 (Section 115) any person has a legal power (not a legal duty) to share information with a relevant authority if it is necessary to support the local Community Safety Strategy or other conditions in the Act o Police Reform Act, 2002 (S41(1) and schedule 5) Powers exercisable by accredited persons are contained under schedule 5 of The Police Reform Act 2002. Where these powers support a clear policing purpose, disclosure from the police service is appropriate where it enables an accredited person to more ably support that purpose through the exercise of those powers, in support of reducing crime and disorder, public nuisance and antisocial behaviour within the communities where problems have been identified. Legitimate interests of any party: Where the disclosure is necessary and compatible with legitimate aims of the police or the accredited scheme to exercise powers to reduce crime and disorder or to protect the welfare of individuals living in the community; and where this is not unwarranted in any particular case by reason of prejudice to the rights and freedoms, or legitimate interests of a data subject. It is anticipated that disclosure will be warranted should the data subject be linked to or responsible for the causes of crime and anti-social behaviour in the immediate area, or where a victim needs the support from local officers. 3.1.3 Schedule 3 Conditions for processing sensitive personal data Sensitive personal data is information about a living individual which relates to the actual or alleged commission of an offence and any related proceedings; physical or mental health; sex life; race; ethnic origin; religious belief; political or trade union membership. Where the information of this nature will be shared under this agreement, the sharing must satisfy one or more of the v1.4 8 of 15

following conditions of schedule 3 of the Data Protection Act. This list is not exhaustive, but contains relevant conditions. Explicit and informed consent of the data subject has been obtained. The data subject must be fully aware of the scope of what they are consenting to. The sharing of the information is necessary for: o the administration of justice o the exercise of any functions conferred on any person (including a constable) by or under an enactment The sharing is necessary for the purpose of, or in connection with, legal proceedings these must be directly compatible with the common lawful purpose to prevent public authorities acting ultra vires. The sharing of the information is necessary for the exercise of any functions conferred on a constable by any rule of law this covers the use of common law powers to meet the policing purpose. 3.1.4 Exemptions The Data Protection Act 1998: o Section 29 of this Act allows the disclosure of personal information for the purpose of prevention / detection of crime and the apprehension / prosecution of offenders. It removes the obligation for the Data Controller or recipient to inform the data subject, where doing so would prejudice this purpose; but still requires a schedule 2 and 3 condition to be met. This exemption would be relevant where non-disclosure prejudices the prevention of crime. o Section 35 allows for the disclosure of personal data where it is required for establishing or defending legal rights. It removes the obligation for the Data Controller or recipient to inform the data subject of the disclosure but still requires a schedule 2 and 3 condition to be met. 3.1.5 Further considerations for lawful processing The Human Rights Act 1998 - Under Article 8 everyone has the right to respect for their private and family life, home and correspondence and there shall be no interference by a public authority with this right except as in accordance with the law, necessary for public safety, the prevention of crime or disorder, the protection of health or morals or for the protection of the rights and freedoms of others. The principle of proportionality is a common theme that runs through both the European Convention on Human Rights and judgements of the European Court of Human Rights (ECHR). It is explicitly expressed in the limitations v1.4 9 of 15

contained in Articles 8-11 where it is stated that any interference or restriction of those rights must be lawful and necessary in a democratic society. Any restriction of rights must, therefore, be justified in that a fair balance must be achieved between the protection of an individual s rights and general interests of society. In the context of information exchange, any disclosure of information should be restricted to a minimum and be the least damaging that is required in achieving the objective. Duty of confidence: Information provided by a third party may be considered as having been provided in confidence. For example, a witness to a crime would not ordinarily expect the police to provide their details or statements to anyone not involved in investigating or prosecuting that offence, having an expectation of confidence and that this would not be shared further. This falls under the common law duty of confidence. The justification for sharing such data under this agreement, where such a duty of confidence exists will be satisfied by meeting the following conditions: The individual to whom the information relates has consented to the sharing of the information, or where there is legal requirement (either under statute or a court order) to disclose the information Where there is an overriding duty to the public (for instance, the information concerns the commission of a criminal offence or relates to life-threatening circumstances) Rehabilitation of Offenders Act 1974: Sharing of personal data relating to criminal record data must comply with this act which places prohibitions on the use of criminal record data. This is also relevant when considering Principle 3 adequacy. 3.2 Principle 1 - Fairness The Data Protection Act requires the fair processing of information unless an exemption applies. In particular, fairness involves being open with people about who is processing their data and how their data is being used. Put simply, a data subject should not be surprised by their information being shared between Hampshire Constabulary and The Community Safety Accreditation Scheme Partner. Therefore so that individuals are not deceived or misled partners to this agreement should issue whenever possible a fair processing notice, either in writing or verbally. In some cases, it is in our interest to be open as to how data is shared. For Example: v1.4 10 of 15

A fair processing statement will generally be provided to a victim of crime or anti-social behaviour by informing them what we intend to do as a result of that contact. Where disclosure is made to tackle a crime and disorder issue, it is expected that subject(s) will be contacted about such behaviour and by virtue of that contact be informed of the identity of the data controller and the purpose for processing their personal data. Police officers and accredited persons will generally provide a fair processing statement by informing an offender what they intend to do as a result of that contact; such as by issuing a fixed penalty notice. Section 29 of the Data Protection Act removes the obligation to inform the data subject, where the purpose for processing directly relates to the prevention or detection of crime or the apprehension or prosecution of offenders, where disclosure of that fact would be likely to prejudice the investigation. 3.3 Principle 2 Secondary Processing The Data Controllers will agree that the data shared shall not be used for a purpose other than that for which it is shared, unless the considerations in principle 1 can be met for that new second purpose. 3.4 Principle 3 Adequate, relevant, not excessive The Data Protection Act 1998 requires that the data shared is necessary and relevant to the purpose. Data shared should also be sufficient to achieve the purpose - too little and the benefit is lost, too much and the disclosure becomes disproportionate for the purpose. In essence only relevant information should be shared that effectively assists in the prevention and detection of crime, reduction of anti-social behaviour and protecting vulnerable persons. 3.5 Principle 4 Accurate and up to date It is acknowledged that each partner will only have data that is accurate to their best knowledge. Before sharing, information will be checked for accuracy. If a Data Controller provides information and subsequently finds it to be inaccurate, they will inform all recipients. If a Data Controller receives data which is discovered to be inaccurate, they will inform the provider of those data. In all cases, a Data Controllers providing inaccurate data must take all reasonable steps to notifying all other recipients of the data who must then ensure that the correction is made. v1.4 11 of 15

3.6 Principle 5 Kept no longer than is necessary Partners to this agreement undertake that personal data shared will only be used for the specific purpose under which they were requested. The recipient of the information is required to keep it stored securely and destroy it in a secure manner or return it when no longer necessary for that purpose. Each partner is subject to principle 5 and is therefore responsible for setting their own review periods, and recording a justification proportionate to their lawful purpose for processing. Where a longer period of retention is necessary, these may be justified by specific legal obligations placed on the recipient partner. All necessary, adequate and up-to-date records, including pocket note book entries, will need to be retained for a minimum period of six years, after which they should be reviewed for further retention. This is to allow for information to be available to account for the activities of the accredited scheme or Hampshire Constabulary. It is necessary to maintain a record of information sharing and the actions resulting from that sharing should civil action be instigated. [Limitation Act 1980] Retention of data for policing purposes will be governed by Authorised Professional Practice on Information Management. Retention periods may be reduced, or specific data deleted to minimise collateral intrusion. 3.7 Principle 6 Rights of the data subject If a party to this agreement receives a subject access application under section 7 of the Data Protection Act 1998 and personal data is identified as having originated from another signatory partner, it will be the responsibility of the receiving agency to contact that partner to determine whether the latter wishes to advise use of any statutory exemption under the provisions of the Data Protection Act 1998, or to consider further sharing on live matters. Disputes as to accuracy, damage or distress relating to the data processing will be passed promptly to the relevant Data Controller to resolve. 3.8 Principle 7 Technical and Organisational Security Partners agree to ensure the reliability their employees through appropriate training around principle 7. As a bare minimum this should involve making staff aware of the processes outlined within this sharing agreement. The information must be stored securely and is the responsibility of all partners to ensure that adequate security arrangements are in place in order to protect the integrity and confidentiality of information shared. Each party agrees to apply appropriate security measures, to meet the requirements of principle 7 of the Data Protection Act to the data. That is, to make accidental compromise, loss or damage unlikely during storage, v1.4 12 of 15

handling, use, processing, communication, transmission or transport; deter deliberate compromise or opportunist attack, and promote discretion in order to avoid unauthorised access. Any loss of data by a recipient partner must be notified to the originating partner at the earliest opportunity. Hampshire Constabulary may, by arrangement, undertake a physical review of the security in place to ensure the confidentiality, integrity, availability and non-repudiation of the Force information being stored under this agreement. The force may also wish to request a copy of the partner s information security policy (where it exists) when sensitive personal data is to be shared. Only nominated representatives can access, request information, and make disclosure decisions and they should adhere to the 'need to know' principle when obtaining or disclosing information. The Government has introduced a three-tier Security Classification Scheme (GCS) to replace the Government Protective Marking Scheme (GPMS). Police Forces will phase implementation, subject to confirmation of adoption in the future. In the interim period information may be classified using either the existing protective marking scheme or the new classification policy. Hampshire Constabulary will only transfer information electronically where a secure encrypted e-mail facility exists at both the sender and recipient and in these cases the information will not be above RESTRICTED as defined in the GPMS, or classified as OFFICIAL under the GCS. The following are recognised encrypted secure email pathways:.pnn,.xgsi,.gsi,.gsx,.gse,.nhs.net,.cjsm, and.scn. The use of fax to transfer sensitive personal data may only be used in cases of operational emergency and with the appropriate security safeguards. Due consideration should be given to any marking of documents under the GPMS or GCS and those documents given adequate levels of protection. Consideration of this marking will also be required in any onward dissemination of those data contained within. 3.9 Principle 8 Transfer outside of the EEA Personal data supplied under the agreement will not be transferred outside the EEA. 3.10 Further disclosure The partners agree that the recipient of shared information will not disclose it to any third party without consultation of the partner that provided the information; exceptions to this may occur when it is disclosed under a statutory obligation or by Hampshire Constabulary for a policing purpose. v1.4 13 of 15

This consultation may highlight a need or benefit for further relevant information to be shared between partners. 4. Roles and responsibilities 4.1 Specialist advice within your organisation There is an obligation on all organisations that the information shared is, directly relevant to the purposes this agreement seeks to achieve. Should any organisation's staff members have concerns regarding information they wish to share, or information already shared, they should consult their Information Governance Officer. 4.2 Single point of contact Each partner will appoint a SPOC, to be named in part 1 of this agreement, who will be a manager of sufficient standing and who will have a co-ordinating and authorising role. A partner may also appoint a supervisor or manager to deputise for the SPOC The specific responsibilities of the SPOC are: Making sure the named party abides by this agreement Ensuring relevant staff are fully aware of their responsibilities Appointing other staff to act in their absence Controlling the release of the information and maintaining its integrity Deciding on a case by case basis if and why a public interest overrides a duty of confidence Keeping an information sharing file (or similar), which holds all the partner s information sharing documents in general Ensuring any changes to the SPOC are confirmed in writing 4.3 Freedom of Information Act considerations If a party receives a request for information under the Freedom of Information Act 2000 and the information requested is identified as belonging to another signatory partner, it will be the responsibility of the receiving agency to contact that partner to determine whether the latter wishes to rely on any statutory exemption under the provisions of the Freedom of Information Act 2000 and to identify any perceived harm. v1.4 14 of 15

Appendix A Principles of the Data Protection Act Principle 1 Principle 2 Principle 3 Principle 4 Principle 5 Principle 6 Principle 7 Principle 8 Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless: At least one of the conditions in Schedule 2 is met and; In the case of sensitive data at least one of the conditions in Schedule 3 is also met. Personal data shall be obtained only for one or more specified and lawful purposes and shall not be further processed in any manner incompatible with that purpose or those purposes. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed. Personal data shall be accurate and, where necessary, kept up to date. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes. Personal data shall be processed in accordance with the rights of data subjects under this Act. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. Personal data shall not be transferred to a country or territory outside the European Economic Area, unless that country or territory ensures an adequate level of protection for the rights and freedom of data subjects in relation to the processing of personal data. Appendix B Human Rights Article 8 Article 8 Right to Respect for Private and Family Life Everyone has the right to respect for his private and family life, his home and his correspondence. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law. v1.4 15 of 15

2024 © lawsdocbox.com Privacy Policy | Terms of Service | Feedback