Sandwell Blue Light Approach - West Midlands Ambulance Service

DATA SHARING AGREEMENT
for the Sandwell Blue Light Approach
Partners to Agreement:
 Sandwell Metropolitan Borough Council
 West Midlands Ambulance Service NHS Foundation Trust
 West Midlands Police
 Black Country Partnership Foundation Trust
 Swanswell Charitable Trust
 Sandwell and West Birmingham Hospital Trust
 Sandwell Women’s Aid
 West Midlands Fire Service
 The Staffordshire and West Midlands Community Rehabilitation Company Limited
 National Probation Service
 IRiS Sandwell
Date agreement comes into force: Add date the contract was signed by all parties
Date of Agreement Review: Twelve months after date comes into force and annually
thereafter.
Agreement Owner: Sandwell Drug and Alcohol Partnership
Version control:
Version no.
Amendments made
Authorisation
[IL0: UNCLASSIFIED]
1
TABLE OF CONTENTS
1
DEFINITIONS AND INTERPRETATION
2
PARTNER AND PARTNER RESPONSIBILITIES
3
PROCESSING ONLY FOR AGREED PURPOSES
4
SHARING WITH OTHER THIRD PARTIES
5
FAIR AND LAWFUL PROCESSING
6
INFORMATION TO BE SHARED
7
OWNERSHIP OF THE INFORMATION
8
DATA QUALITY
9
TRANSMISSION OF PERSONAL DATA
10
DATA RETENTION, REVIEW AND DISPOSAL
11
DATA PROTECTION REGISTRATION
12
DATA SECURITY
13
SECURITY INCIDENTS
14
DESTRUCTION OF DATA
15
ASSIGNMENT AND SUBCONTRACTING
16
DATA SUBJECT ACCESS RIGHTS
17
TRANSFER OF DATA OUTSIDE THE EEA
18
FREEDOM OF INFORMATION
19
DURATION
20
TERMINATION
21
DISPUTE RESOLUTION
22
INDEMNITY AND LIABILITY
23
WAIVER
24
CONFIDENTIALITY
25
LAW
26
SIGNATORIES TO THE AGREEMENT
APPENDIX A
DATA SHARING REQUEST FORM
[IL0: UNCLASSIFIED]
2
APPENDIX B
SMBC INFORMATION SECURITY POLICY
APPENDIX C
BLUE
OPERATING PROCEDURE
LIGHT
PROJECT
TERMS
OF
REFERENCE
AND
[IL0: UNCLASSIFIED]
3
INTRODUCTION

This Information Sharing Agreement has been developed to facilitate information
sharing between Sandwell Metropolitan Borough Council and West Midlands
Ambulance Service; West Midlands Police; Black Country Partnership Foundation
Trust; Swanswell Charitable Trust (Community Alcohol Service); Sandwell and West
Birmingham Hospital Trust; Sandwell Women’s Aid; West Midlands Fire Service; The
Staffordshire and West Midlands Community Rehabilitation Company Limited;
National Probation Service; Iris (Community drug service).
This document replaces any former agreements by the parties named for the described
Purpose(s).
Sandwell’s Blue Light Approach:
Using the Department of Health’s Alcohol Ready Reckoner and the 2011 census we estimate
that Sandwell has 10,680 harmful/higher risk drinkers and 9,187 dependent drinkers.
The perception exists that if a problem drinker does not want to change, nothing can be
done to help until the person discovers some motivation. Sandwell’s Blue Light project aims
to challenge this view by using harm reduction, risk management and motivation
enhancement strategies. More importantly tackling this group will target some of the most
risky, vulnerable and costly individuals in the community.
Sandwell Metropolitan Borough Council and its partners aim to work together to target the
burden on our community from change resistant problem drinkers.
A multi-agency framework has been set up to manage high risk change resistant drinkers.
At the heart of this process is a multi-agency group which meets regularly - aiming to
improve the management of change resistant drinkers and thereby reduce the impact they
have on the community generally and public services specifically.
1. DEFINITIONS AND INTERPRETATION
1.1 The definitions are as follows:
“Agreed Purpose(s)” means the purpose(s) for which the Parties are authorised to use the
Data as set out in Clause 4;
“Agreement” means the following document and its Appendixes;
“Data” (same meaning as Information) means all Personal Data provided by a Party to one
or several other Patries for the Agreed Purposes under the terms of this Agreement;
“Data Protection Principles” means the eight principles set out in Schedule 1 of the Data
Protection Act 1998;
“DPA” means the Data Protection Act 1998;
[IL0: UNCLASSIFIED]
4
“FOIA” means the Freedom of Information Act 2000;
“Information” (same meaning as “Data”) means all Personal Data provided by a Party to
one or several other Patries for the Agreed Purposes under the terms of this Agreement;
“Parties” means organisations listed under Clause 2.1 ‘Partners to this Agreement’
“Personal Data” as defined in the DPA and which, for the avoidance of doubt, includes
Sensitive Personal Data;
“Security Policy” means each Parties’ respective Information Security Policy – or if this is
not applicable Sandwell Metropolitan Borough Council’s (SMBC) Information Security Policy
to be used as a minimum standard, as attached to Appendix B;
“Sensitive Personal Data” as defined in the DPA; and
“Working Day” means any day (other than a Saturday or Sunday) on which banks are open
for domestic business.
1.2
In this Agreement (except where the context otherwise requires):

use of the singular includes the plural (and vice versa) and use of any gender
includes the other genders;

a reference to a Party shall include that Party's personal representatives,
successors or permitted assignees;

a reference to persons includes natural persons, firms, partnerships, bodies
corporate and corporations, and associations, organisations, governments,
states, foundations, trusts and other unincorporated bodies (in each case
whether or not having separate legal personality and irrespective of their
jurisdiction of origin, incorporation or residence);

a reference to a Clause is to the relevant clause of this Agreement;

any reference to a statute, order, regulation or other similar instrument
shall be construed as a reference to the statute, order, regulation or
instrument together with all rules and regulations made under it as from
time to time amended, consolidated or re-enacted by any subsequent
statute, order, regulation or instrument;

general words are not to be given a restrictive meaning because they are
followed by particular examples, and any words introduced by the terms
"including", "include", "in particular" or any similar expression will be
construed as illustrative and the words following any of those terms will not
limit the sense of the words preceding those terms;and

headings to clauses are for the purpose of information and identification
only and shall not be construed as forming part of this Agreement.
[IL0: UNCLASSIFIED]
5
2. PARTNER AND PARTNER RESPONSIBILITIES
Partners
2.1
The Partners to this Agreement are:











Sandwell Metropolitan Borough Council
West Midlands Ambulance Service NHS Foundation Trust
West Midlands Police
Black Country Partnership Foundation Trust
Swanswell Charitable Trust
Sandwell and West Birmingham Hospital Trust
Sandwell Women’s Aid
West Midlands Fire Service
The Staffordshire and West Midlands Community Rehabilitation Company Limited
National Probation Service
IRiS Sandwell
Role /relevance of the above parties within the Blue Light approach
 Sandwell Metropolitan Borough Council – housing, social care, anti-social behaviour
and victim support input
 West Midlands Ambulance Service NHS Foundation Trust – frequent /high risk
ambulance call outs where alcohol is a factor
 West Midlands Police – repeat offenders where alcohol is the major contributing
factor to offending behaviour
 Black Country Partnership Foundation Trust – individuals whose mental health is
affected by alcohol – provision of assessment and identified relevant support
 Swanswell Charitable Trust – alcohol community treatment services
 Sandwell and West Birmingham Hospital Trust – repeat alcohol related attendances
to A&E, repeat alcohol related hospital admissions
 Sandwell Women’s Aid – victims or perpetrators of domestic violence where alcohol
is a factor
 West Midlands Fire Service - repeat call outs where alcohol is a factor – provision of
safety checks /risk management
 The Staffordshire and West Midlands Community Rehabilitation Company Limited –
offender management input
 National Probation Service – high risk offender management input
 IRiS Sandwell –dual diagnosis (substance misuse and mental health) management
input
2.2
Responsibilities
It will be the responsibility of these partners to make sure that:
[IL0: UNCLASSIFIED]
6





ethical standards are maintained;
a mechanism exists by which the flow of information can be controlled;
appropriate training is provided by each Party to those members of staff involved in
the sharing of information;
adequate arrangements exist to test adherence to the Agreement; and
data protection and other relevant legislative requirements are met.
3. INFORMATION TO BE SHARED
3.1
Personal Data
Personal data is protected by the provisions of the Data Protection Act 1998. It is recognised
that the nature of some of the information subject to this Agreement may be defined as
sensitive personal data under the provisions of the Data Protection Act 1998.
3.2
Personal data to be shared
The items of personal data to be shared are as follows: note the list below is exhaustive in
terms of what may be relevant to share
 Name and contact details
 Details of substance misuse and any associated medical conditions
 Medical history (physical and mental health)
 Criminal activity -providing that the offence is not considered spent under the
Rehabilitation of Offenders Act
 Accommodation status
 Carer / any associated informal support
 Parental status
 Education/employment status
 Details of risk or vulnerability arising from substance misuse
 Other agencies/ multi-disciplinary forums the individual is engaged with
3.3
Process for sharing the Information
Each Party determines which of their service users are eligible in application of selection
criteria covering both frequency of service demand and risk/vulnerability (levels are
determined according to each partner agency’s own thresholds).
The group meets and service users selected by each Party are crossed referenced against
service users identified by other Parties. A final list of those most frequent and risky users is
arrived at.
3.4
Format of Information to be shared
Copies of the Information will mainly be provided in electronic format. The multi-agency
care plan may be followed up verbally outside of the meeting between relevant Partners.
The names of individuals who are not relevant to the Agreed Purpose of the sharing will be
redacted.
[IL0: UNCLASSIFIED]
7
Where a request is made for Information regarding one specific individual, the
requesting Party will clearly describe on each occasion the legal basis (as outlined in clause 5
of this Agreement) for their request and how it is necessary for the lawful discharge of their
duties using Appendix A – Request for Information form.
3.5
4. AGREED PURPOSES
The purpose of this Agreement is to facilitate the disclosure of Information listed in
clause 3.2 above in order to ensure the safeguarding and management of change resistant
drinkers and to thereby reduce the impact that they are having on the community generally,
and on public services specifically.
4.1
This Agreement represents the administrative arrangements for the provision of
predetermined Information as described in Clause 3 of the present Agreement.
4.2
Personal data obtained under this Agreement may only be used for the Agreed
Purposes outlined in this clause of the Agreement and must not be further processed in any
manner incompatible with the identified Agreed Purpose(s).
4.3
No secondary use or other use may be made unless the consent of the disclosing
party is sought and granted in writing.
4.4
5. FAIR AND LAWFUL PROCESSING
5.1
The First Principle of the Data Protection Act 1998 states that:
“Personal data must be processed fairly and lawfully and in particular, shall not be
processed unless:
a) at least one of the conditions in schedule 2 (of the Act) is met; and
b) for sensitive personal data, one of the conditions in schedule 3 is also met.”
The partners to this agreement will meet the requirements of Schedule 2 of the Data
Protection Act 1998, for the processing of personal data by virtue of subsection 1 of
Schedule 2 of the Act as follows:
1) “The data subject has given his consent to the processing.”
In the case of sensitive personal data, the partners to this agreement also meet a
Schedule 3 condition by virtue of subsection 1 as follows:
1) The data subject has given his explicit consent to the processing of the personal
data.
[IL0: UNCLASSIFIED]
8
All Parties to the Agreement will undertake to seek and appropriately record consent
from the data subjects whose Information they wish to share. The Parties agree that no
Information regarding a data subject can be shared with the other Parties without the data
subject’s explicit consent.
5.2
All Parties undertake to ensure that any Information shared under this Agreement is
processed for purposes compatible to those that the Information was initially collected for.
Where consent is to be sought or privacy notices changed, it is each Party’s responsibility to
undertake this independently for their organisation and for the data subjects whose
Information they wish to share.
5.3
The Parties will undertake to seek consent from data subjects by using the consent
form (Appendix C6) within the Blue Light Terms of Reference and Operating
Procedures document (attached in Appendix C)
Each Party will pay due regard to the provisions of Article 8, Human Rights Act 1998,
which state that everyone has the right to respect for his private and family life, his home
and his correspondence. There shall be no interference by a public authority with the
exercise of this right except such as is in accordance with the law and is necessary in a
democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others.
5.4
Each Party will undertake to ensure that Information requested or shared under the
terms of this Agreement is relevant, necessary and proportionate in the given
circumstances. The Parties commit to processing Personal Data in full compliance with the
obligations placed upon them under the DPA.
5.5
6. OWNERSHIP OF THE INFORMATION
6.1
The Parties remain independent Data Controllers for the Information they hold.
Upon receipt of the Data, the Party requesting the Information will become the Data
Controller for any use that Party makes of the Information and will be responsible for
ensuring that the Information is held and used securely in accordance with the Agreed
Purpose, relevant legislation and this Information Sharing Agreement.
6.2
The Party disclosing the Information will retain no responsibility for the manner in
which the receiving Party processes the Information once the receiving Party has received
the Information.
6.3
7. TRANSMISSION OF PERSONAL DATA
The Parties will transfer Information via MoveIT or a secure e-mail address. All
Parties will ensure their relevant staff members and/or volunteers have set up a MoveIT
account or have access to a secure e-mail address e.g. NHS mail for the purposes of this
Agreement.
7.1
[IL0: UNCLASSIFIED]
9
8. DATA QUALITY
8.1 The Information deemed to be necessary for the Purpose is identified as above.
Where other Information is deemed to be relevant to the Purpose by any Party, each
case will be the object of a formal request using the Request for Information Form at
Appendix A. Each request for additional Information will be considered on its individual
merits and disclosure made where appropriate.
8.2
All Parties will endeavour to ensure to the best of their abilities that the Information
they provide to other Parties is accurate, up to date and complete.
8.3
Information discovered to be inaccurate, out of date or inadequate for the Purposes
should be promptly notified to the originating Party, who will be responsible for correcting
the data and notifying all other recipients of the Information who must ensure that the
correction is made.
8.4
Each Party will keep a record of all requests between Parties that are relevant to this
Agreement. Any request will clearly set out the purpose or purposes for which the
Information is requested. It will also specify as clearly as possible how failure to disclose
such Information would prejudice this purpose.
8.5
9. DATA RETENTION
Data should only be retained for the minimum period necessary in connection with
the Agreed Purposes. The Party who has requested the Information will be responsible for
safely disposing of any Information no longer necessary to achieve the Agreed Purposes.
9.1
In any case, no data shall be retained for longer than necessary and for the purpose
of the activities covered by this Agreement.
9.2
Following a formal closure of the multiagency care plan, the personal data held by all
Parties regarding a service user shall be deleted. The Parties may retain anonymised data
only for the purposes of evaluation which shall be used in a final cost-benefit analysis
report. Each Party will be responsible for correctly and securely anonymising the data it
holds.
9.3
10. DATA SECURITY
The Parties shall at all times be responsible for ensuring that all Data (including data
in any electronic format) is stored securely. The Parties shall take appropriate measures to
ensure the security of such data and guard against unauthorised access thereto or
disclosure thereof or loss or destruction while in its custody.
10.1
10.2
The Parties shall put in place:
[IL0: UNCLASSIFIED]
10
10.2.1 appropriate technical and organisational measures for the processing of any
Personal Data and against unauthorised, accidental or unlawful access to such
(having regard to the state of technological development and the costs of
implementing any such measures) as well as reasonable security programmes
and procedures for the purpose of ensuring that only authorised personnel have
access to the data processing equipment to be used to process such Personal
Data, and that any persons whom it authorises to have access to such Personal
Data shall respect and maintain all due confidentiality;
10.2.2 a level of security programmes and procedures which reflect:
10.2.2.1
the level of damage that might be suffered by a data subject
(as defined in the DPA) to whom the Personal Data relates as a result
of unauthorised or unlawful possession of the Personal Data or the
loss or destruction of or damage to the Personal Data; and
10.2.2.2
the state of technological developments and the cost of
implementing such programmes and procedures;
10.2.3 security programmes and procedures which specifically address the nature of the
Personal Data.
The Parties shall implement and comply with security standards at least equivalent to those
outlined in the SMBC Information Security Policy at Appendix B and shall ensure that
responsibility for compliance shall be clearly placed on a particular person or department
within their organisation. The Parties shall ensure that sufficient resources and facilities are
made available to enable that responsibility to be fulfilled.
The Parties shall ensure that access to any buildings or rooms within their premises
where Personal Data is stored and/or can be accessed is controlled and that casual passersby cannot read Information off screens or documents.
10.3
10.4
The Parties shall not keep any Personal Data for longer than is necessary.
The Parties agree that their staff or any other person in their control shall store or
process the Personal Data in accordance with the Data Protection Principles, and in
particular in accordance with the seventh Data Protection Principle.
10.5
Each Party will have in place appropriate security on external routes into their
organisation, for example internet firewalls and secure dial-in facilities.
10.6
Each Party shall ensure that any system whereby any Personal Data may be disclosed
over the telephone is protected by a procedure for authenticating identity prior to the
disclosure of that Personal Data.
10.7
Each Party’s computer systems must be password protected. Passwords must give
access only to Personal Data which an employee has a proper need to access and not to all
levels of the system.
10.8
[IL0: UNCLASSIFIED]
11
Each Party shall have a satisfactory procedure for cleaning media (such as tapes and
disks) before they are reused or new data written over old. Each Party shall ensure that
printed material is disposed of securely, for example by shredding.
10.9
10.10
The Parties confirm that the Personal Data will not be taken home for staff to work
on.
Each Party shall take adequate precautions against burglary, fire or natural disaster.
The Parties shall ensure that all Data is protected against corruption by viruses or other
forms of intrusion.
10.11
Each Party will ensure that only one copy of Personal Data is held at all times in each
organisation and that if Personal Data is transferred from one system to another, the
Personal Data held on the original system will be deleted. All parties will ensure they have in
place robust business continuity and disaster recovery plans.
10.12
Each Party shall ensure that proper weight is given to the discretion and integrity of
staff when they are being considered by each Party for employment or promotion or for a
move to an area of work where they will have access to Personal Data. The Parties shall
ensure their staff are aware of their responsibilities and given training with regards to data
protection and confidentiality to ensure their knowledge is up to date.
10.13
Each Party shall ensure that disciplinary rules and procedures take account of the
requirements of the DPA in their organisation. In the case of an employee of the one of the
Parties being found to be unreliable or unsuitable for access to Personal Data, the Party
employing the employee shall ensure that his or her access to Personal Data is withdrawn
immediately
10.14
Each Party shall ensure that its staff is aware that Personal Data should only be
accessed for the Agreed Purpose and not for their own private purposes.
10.15
Each Party shall ensure that any breaches of security are properly investigated and
remedied as soon as possible, particularly when damage or distress could be caused to an
individual. The Party uncovering the breach of security shall notify other Parties immediately
should such a breach occur.
10.16
11. SECURITY INCIDENTS
The Parties will advise one another of any potential or actual losses of the Data as
soon as possible and, in any event, within 24 hours of identification of any potential or
actual loss.
11.1
The Parties will notify one another as soon as possible of any breaches of security
which might potentially give rise to a risk to the security of the Data.
11.2
[IL0: UNCLASSIFIED]
12
12. DESTRUCTION OF DATA
Once the Data has been used for the Agreed Purpose, the Parties warrant that the
Data will be deleted securely (i.e. shredded to acceptable security standards, e.g. minimum
DIN 4 level).
12.1
Each Party will be responsible for the secure deletion of the Information they have
received for the Agreed Purposes of this Agreement.
12.2
13. SHARING WITH OTHER THIRD PARTIES
Subject to any relevant terms of a Data Sharing Request Form, Data must not be
shared by the receiving Party with any other person without the express written consent of
the other Party. This is without prejudice to Clause 14.2.
13.1
14. ASSIGNMENT AND SUBCONTRACTING
The Parties shall neither assign nor transfer, entirely or in part, the rights and
obligations derived herefrom. Any purported assignment is void.
14.1
The Parties may not hire subcontractors for the purposes of undertaking their
obligations under this Agreement.
14.2
15. TRANSFER OF DATA OUTSIDE THE EEA
The Parties shall not transfer Personal Data outside of the European Economic Area
in relation to the activities of this Agreement.
15.1
16. DATA PROTECTION REGISTRATION
The Parties shall undertake to maintain an accurate and up to date
registration/notification with the Information Commissioner’s Office, including for any
processing in relation with the Agreed Purposes of this Agreement.
16.1
Failure by any Party to provide a valid registration number and/or be registered for
the correct purposes (i.e. unless they are exempt from registration) will result in any
requests for the sharing of Personal Data with that Party being rejected.
16.2
17. DATA SUBJECT ACCESS RIGHTS
Individuals have a right to see what Personal Data is held about them, and to know
why and how it is processed.
17.1
17.2
Each Party will undertake to honour requests made to it under the terms of the DPA.
18.
FREEDOM OF INFORMATION
[IL0: UNCLASSIFIED]
13
18.1 Any Party subject to the provisions of the Freedom of Information Act shall be
responsible for responding to Freedom of Information requests submitted to it.
19.
DURATION
19.1 This Agreement shall be effective as of the day of its signature, and shall remain in
full force and effect for 2 years thereafter. The Agreement will be reviewed after an initial 6
months and on a yearly basis thereafter where Partners may decide to prolong its duration
at each yearly review.
19.2 The duration of the Agreement may be extended by mutual, written agreement of
the Parties.
20.
TERMINATION
20.1 If a Party commits a material breach or material default in the performance or
observance of any of its obligations under this Agreement, the non-breaching or nondefaulting Party shall have the right to terminate this Agreement five (5) working days after
delivery of written notice reasonably detailing such breach to the breaching or defaulting
Party.
21.
DISPUTE RESOLUTION
21.1 The Parties shall attempt to resolve any disagreement arising from this Agreement
informally and promptly by officers who have day-to-day responsibility for the operation of
this Agreement.
21.2 If the disagreement cannot be resolved further to Clause 21.1 within fourteen (14)
days of it arising, the matter shall be referred to the Chief Executives (or the corresponding
individuals) of the Parties.
22.
INDEMNITY AND LIABILITY
22.1 A Party (A) shall indemnify, keep indemnified and hold harmless any other Party or
Parties against all losses, claims, demands, liabilities, costs and expenses (including
reasonable legal costs and disbursements) incurred by that Party (B) in respect of any
breach of this Agreement by the Party (A) as well as any act or omission of the Party (A) in
connection therewith, including but not limited to:
22.1.1 Any claim made or brought by an individual or other legal person in respect of any
loss, damage or distress caused to that individual or other legal person; and/or
22.1.2 Any claim or enforcement proceedings brought against the Party (A) as a result of
the processing, unlawful processing, unauthorised disclosure or accidental loss of any
Personal Data Processed by the Party (A), its employees, or agents in the performance of
the Agreement or as otherwise agreed between the Parties.
23.
CONFIDENTIALITY
[IL0: UNCLASSIFIED]
14
23.1 Both Parties shall not, and shall ensure that their employees or agents shall not,
divulge or dispose of or part with possession custody or control of any confidential material
or Information provided by any other Party pursuant to this Agreement, or prepared or
obtained by a Party pursuant to this Agreement, other than in accordance with the express
written instructions of the other Party or in compliance with statutory requirements.
24.
WAIVER
24.1 The failure of either Party to insist on strict performance of any provision of this
Agreement or the failure of either Party to exercise any right or remedy to which it is
entitled shall not constitute a waiver thereof and shall not affect either Party’s obligations
under this Agreement. No waiver of any default shall constitute a waiver of any subsequent
default.
25.
LAW
25.1 The Parties accept the exclusive jurisdiction of the English courts and agree that this
Agreement is to be governed and construed according to English law.
DATE:
[IL0: UNCLASSIFIED]
15
SIGNATURES AND NAMES:
Organisation
Sandwell Metropolitan
Borough Council;
West Midlands
Ambulance Service NHS
Foundation Trust;
West Midlands Police;
Black Country
Partnership Foundation
Trust;
Swanswell Charitable
Trust
Sandwell and West
Birmingham Hospital
Trust;
Sandwell Women’s Aid;
West Midlands Fire
Service;
The Staffordshire and
West Midlands
Community
Rehabilitation Company
Limited;
National Probation
Service West Midlands
IRiS Sandwell
Signature
Job title/position
Date
[IL0: UNCLASSIFIED]
16
IL3: RESTRICTED [when complete]
APPENDIX A: DATA SHARING REQUEST FORM
Requesting Officer’s name/ position:
Disclosing Officer’s name/ position:
PART A – INFORMATION REQUESTED - (to be completed by requesting officer)
Information requested by:
Name/ signature:
Organisation/Department:
Email Address:
Contact phone number:
Information requested:
Describe the information required and the circumstance that have led to this request being made, including
any names, addresses and dates of birth.
Name:
Address:
DOB: (ddmmyyyy)
NHS Number:
Date information is
required (ddmmyyyy):
If urgent, please state
reason:
[IL0: UNCLASSIFIED]
17
IL3: RESTRICTED [when complete]
Have you obtained consent to share information? (Please ensure that you attached the
standardised ‘Consent Form’ available at Appendix 6 of the Operating Procedures).
YES/NO
If consent has not been obtained from the individual, please indicate for what purpose you require this
information? (Please tick the relevant boxes as appropriate)
Preventing serious harm to an
adult
–
including
through
prevention,
detection
and
prosecution of a serious crime
under the Crime and Disorder
Act 1998
Providing
urgent
treatment to an adult.
medical
There is a statutory obligation or
court order to share. Please
circle relevant item from list
below:

Court order

National Health Service
Acts 1977 and 2006

Crime and Disorder
Act 1998

Local Government Act
1972

Other (please list):
……………………………………
PART B - INFORMATION DISCLOSED – (to be completed by disclosing officer)
Disclosure Agreed:
Yes
No
Information attached to this form:
Yes
No
Reason for declining request (if
applicable):
[IL0: UNCLASSIFIED]
18
IL3: RESTRICTED [when complete]
Information disclosed (Continue on a separate sheet if necessary, and remember to attach any additional
sheets to this form):
Information disclosed by:
Name/ Position:
Department/Organisation:
Email Address:
Contact phone number:
Signature of disclosing officer: …………………………………………………………………………..
Date supplied:
…………………………………………………………………………..
[IL0: UNCLASSIFIED]
19
APPENDIX B: SMBC INFORMATION SECURITY POLICY
Information Management Unit
Information Security Policy
Document Type: Tier 1 Policy
Version: 1-0 FINAL
Date Issued: 2014
Document Control
Owning organisation
Title
Author
Protective Marking
Review Date
Sandwell Council
Information Security Policy
James Trickett
IL0: UNCLASSIFIED
May 2016
[IL0: UNCLASSIFIED]
20
Revision History
Revision Date
Editor
23rd April 2014
James Trickett
Previous
Version
n/a
Description of
Revision
Final version
Document Distribution
Please note – once printed, this documented is uncontrolled. The latest
version will always be found on the Council’s intranet.
Document Approvals
Approval required
JCP
Leader Decision Making
Session
Date approved
25th March 2014
23rd April 2014
[IL0: UNCLASSIFIED]
21
Contents
1.0
2.0
3.0
4.0
5.0
6.0
7.0
8.0
9.0
Introduction ......................................................................................................... 23
Scope and Definition............................................................................................ 24
Roles and Responsibilities ................................................................................... 25
Key policy purposes ............................................................................................. 26
Key Security Principles ......................................................................................... 27
Information Security Requirements.................................................................... 28
Training................................................................................................................. 30
Policy Compliance and Audit ............................................................................... 30
Information Security Policy Exemptions ............................................................. 31
[IL0: UNCLASSIFIED]
22
1.0
Introduction
1.1
Information is an asset. Like any other business asset it has a value and must be
protected. Systems that enable us to store, process and communicate this
information must also be protected in order to safeguard information assets.
‘Information systems’ is the collective term for our information and the systems we
use to store, process and communicate it. Information systems include paper /
manual and / or electronic / computer systems.
1.2
This policy is part of a set of information governance policies, Codes of Practice and
procedures that supports the delivery of the Information Governance Framework. It
should be read in conjunction with these associated policies.
1.3
Information security is an integral part of information sharing, which is becoming
increasingly important to achieving council aims and objectives – especially when
joint working with sectors such as health.
1.4
The purpose of our Information Security Policy is to protect the Council’s
information, manage information risk and reduce it to an acceptable level, while
facilitating reasonable use of information in supporting normal business activity and
that of our partners.
1.5
Information Security involves the protection of information and we are committed
to preserving the confidentiality, integrity and availability of our information assets:





1.6
This Policy has been developed using the internationally recognised standard for
information security known as ISO27001. This takes a risk based approach to
upholding the 3 key principles of information security:



1.7
For sound decision-making;
To deliver quality front line services;
To comply with the law;
To meet the expectations of our service users and partners;
To protect our reputation as a professional and trustworthy organisation.
Confidentiality
Integrity
Availability
Information is a generic term used throughout this Policy. It can take many forms
e.g. electronic, written or vocal. It would be wrong to assume that information in any
form warrants the highest level of protection or may never be disclosed as described
in this Policy. Local Authorities, like Central Government, are advised to adopt the
Government’s Protective Marking Scheme which classifies information dependent
on its attributes e.g. most people are familiar with the term ‘confidential’ which is
one of the 6 markings available. The Government’s protective marking system is
[IL0: UNCLASSIFIED]
23
designed to help individuals determine, and indicate to others, the levels of
protection required to help prevent the compromise of valuable or sensitive assets.
The markings signal quickly and unambiguously, the value of an asset and the level
of protection it needs.
1.8
Therefore in applying this Policy everyone handling information must take a
pragmatic and sensible approach e.g. a publically available newspaper or leaflet does
not warrant anything near the same protection as an extract from the Child
Protection Register and therefore the rules of not keeping it on an unattended desk
would be absurd. However the adoption of a clear desk policy helps to mitigate
against this risk
1.9
Therefore common sense and professional judgement must be applied taking into
account other demands such as the Freedom of Information Act. For the avoidance
of doubt, other supporting resources and contacts are available as described
throughout this Policy.
2.0
Scope and Definition
2.1
Information security is defined as safeguarding information from unauthorised
access or modification to ensure its:



Confidentiality – ensuring that the information is accessible only to those who
have access;
Integrity – safeguarding the accuracy and completeness of information by
protecting against unauthorised modification;
Availability – ensuring that authorised user have access to information and
associated assets where required.
2.2
This policy applies to everyone who has access to the council’s information,
information assets or ICT equipment. These people are referred to as ‘users’ in this
policy. This may include, but is not limited to employees of the council, members of
the council, temporary workers, partners and contractual third parties.
2.3
The Information Security Policy applies to information in all its forms, including, but
not limited to:









Paper
Electronic Documents
E-mails
Text messages
Blogs, social media and discussion groups
Visual images such as photographs and video
Scanned images
Microfiche and microfilm
Published web content – internet and intranet
[IL0: UNCLASSIFIED]
24


2.4
Audio and video recordings
Databases
Users of Council’s information assets will abide by UK and European legislation
relevant to information security including:









Data Protection Act 1998
Freedom of Information Act 2000
Computer Misuse Act 1990
Electronic Communications Act 2000
Copyright, Designs and Patents Act 1988
Human Rights Act 1998
Regulation of Investigatory Powers Act 2000
Telecommunications (Lawful Business Practice) Regulations 2000
Civil Contingencies Act 2004
This list is not exhaustive and may change over time.
2.5
This policy will also apply to any information created in any other format that may be
introduced or used in the future.
2.6
The policy includes information transmitted by post, by person, by electronic means
and by verbal communication, including telephone.
2.7
The policy applies throughout the lifecycle of the information from creation,
utilisation, storage and to its ultimate disposal.
2.8
With regard to electronic information systems, it applies to use of council owned
facilities and privately/externally owned systems when connected to the council
network directly or indirectly.
2.9
Information belonging to third party and partner organisations will be handled and
processed in line with this policy and in accordance with any requirements set out by
the third party which may include Information Sharing Protocols (ISPs) or a
Memorandum of Understanding (MoU).
3.0
Roles and Responsibilities
3.1
The Council’s Senior Information Risk Officer (SIRO) has responsibility for managing
information risk on behalf of the Chief Executive and Senior Management Board,
setting strategic direction and ensuring policies and processes are in place for the
safe management of information.
3.2
Directors have responsibility for understanding and addressing information risk
within their service areas, assigning ownership to Information Asset / System
Owners and ensuring that within their directorate appropriate arrangements are in
[IL0: UNCLASSIFIED]
25
place to manage information risk, and to provide assurance on the security and use
of those assets.
3.3
Information Asset / System Owners undertake information risk assessments,
implement appropriate controls, recognise actual or potential security incidents and
ensure that policies and procedures are followed.
4.0
Key policy purposes
4.1
The purpose of the policy is to provide a framework giving guidance for the
establishment of standards, baselines, sub-policies, procedures and guidelines for
implementing information security and reinforce the council’s commitment to
ensuring that its information assets are protected and secure.
4.2
It aims to:

Demonstrate assurance of the confidentiality, integrity and availability of
information held or processed by the Council;

Ensure that information risks are identified and managed appropriately;

Minimise the business impact and interruption caused by security incidents;

Ensure that all information and information systems upon which the council
depends are designed and protected with security applied to the required
standards;

Ensure that all users are made aware of their obligations and have a proper
awareness, concern and an adequate appreciation of their responsibilities for
information security and take appropriate measures to avoid loss,
misappropriation or misuse of information;

Ensure that all users have an awareness of their responsibilities for processing
personal information or any other information of commercial value;

To ensure that any sharing of information is lawful, properly controlled and the
Data protection rights of individuals are respected;

Ensure that all contractors and their employees, temporary workers and other
visitors likely to use and process council information have a proper awareness
and concern for the security of council information;

Meet the general objectives and support the principles of:


Cabinet Office Security Policy Framework (SPF);
ISO27001, International Standard on Information Security Management
Systems (ISMS);
[IL0: UNCLASSIFIED]
26





Payment Card Industry Data Security Standards (PCI-DSS);
Code of connection for the Public Sector Network (PSN);
Information Assurance Maturity Model;
LGA Data Handling Guidelines, and
NHS Information Governance toolkit.
5.0
Key Security Principles
5.1
The information lifecycle which is the creation, storage, maintenance, retention,
sharing and disposal processes should comply with the following principles of
information security:

Measures taken or installed are appropriate to the level of security required to
maintain the confidentiality, integrity and availability of information;

Appropriate technical controls shall be implemented to ensure the protection
and management of all electronic information;

Users should take appropriate measures to prevent unlawful or unauthorised
disclosure of information;

Users should take appropriate measures to prevent accidental or malicious
alteration or deletion of information;

Users should be able to access information for the effective performance of their
role;

Access to information should be on a ‘need to know’ basis;

Users will only be given access privileges which are absolutely essential to do
their work i.e. principle of least privilege;

Users must consider if they have now, in the past or in the foreseeable future,
any possible conflicts of interest relating to the information they are accessing
and, if so, should alert their line manager who must ensure there is a clear
segregation of duties;

Information security should not create a barrier to the flow of information across
the council, but should provide appropriate controls and permissions;

Users are accountable for their use of information, information assets and ICT
equipment;

Information security processes must comply with prevailing legislation e.g. Data
Protection Act, Freedom of Information Act;
[IL0: UNCLASSIFIED]
27

All Information in any format must be assigned and marked with an appropriate
classification in accordance with the Information Classification Scheme;

Data backup and recovery and business continuity plans are tested and
maintained to ensure that vital information services are available within defined
service levels;

Breaches of information security controls will be reported to and will be
investigated by an officer who has been assigned information compliance
responsibilities;

Users will not copy software or licensed products without the permission of the
owner of the copyright (under some circumstances such copying may be a
breach of the Copyright, Designs and Patents Act 1988;

Users will consider security when using and disposing of information and should:
• Refer to the Council’s guidance and procedures related to retention and
disposal;
• Ensure that all information is covered by an appropriate retention period;
• Follow established procedures for the safe and secure disposal of
information safely;
5.2
All council computer hardware must be disposed of in accordance with Council
guidance and procedures;
5.3
Users must take appropriate measures to prevent problems with Data quality.
6.0
Information Security Requirements
6.1
Sandwell Council has a significant investment in ICT and information. The Council is
dependent upon the information it holds and processes. The incorrect disclosure or
loss of information or loss of its ICT processing facilities could lead to significant
additional costs, loss of revenue and damage to the Council’s reputation as a result
of:





Business activities being fully or partially suspended (if the information is
personal Data, formal intervention from the Information Commissioner);
Having to recover information or ICT facilities and equipment;
Unauthorised disclosure of protected information relating to individuals being
made available to ‘interested parties’;
Vulnerable citizens being put at risk as a result of key information not being
available to the people who need it or being disclosed inappropriately;
Fraudulent manipulation of cash or goods.
[IL0: UNCLASSIFIED]
28
Always remember:







Information Security is your personal responsibility. All information will have an
owner or author. Know the rules for handling the information in your care. Stick
to those rules without exception;
Before making information available to anyone else, make certain you have the
authority, including the legal power, to release it;
Never access information unless it is part of your job and you have a business
need to do so;
Never give out information via the telephone or in any other way unless you are
absolutely sure who you are giving it to, that it is adequately protected whilst in
‘transit’ and that the recipient is entitled to receive it;
Remember - always take reasonable and practicable steps to protect the
information you store or process;
Ensure Data transfers are undertaken lawfully and legitimately using the correct
tools and processes at all times;
Do not disclose any details pertaining to the Council’s security systems or
processes – take particular care of “social engineering” where this method
maybe used to probe for weaknesses and hence launch some form of attack on
our systems.
When in the office:






Never leave information out on your desk when you are not present;
Adopt the clear desk policy;
Always ‘lock’ your computer or smart phone before leaving your desk or the
device unattended;
Lock and remove the keys from cabinets or other storage units if you leave the
office unattended – during the daytime or out of hours;
Choose your passwords carefully and never let anyone else know them;
Challenge anyone you see in the building who should not be there – do not allow
anyone to ‘tail gate’ you through security doors.
On the move:





Never take information out of the office unless you need to;
Keep your ICT equipment – laptops, telephone, smart phone and paperwork
secure at all times;
Never leave equipment, information or documents in a vehicle when it is
unattended and always travel with it locked securely and out of sight e.g. in the
boot;
When working in a public place, make sure you are not overheard and that
information cannot be seen by others;
Take care when using public or free networks – these may not be secure and
Data may be intercepted;
[IL0: UNCLASSIFIED]
29

When agile working ensure you take account of all the appropriate guidance –
this is equally important when working at home as in a Council office.
Transmitting information:






Ensure the information is being sent / transmitted to the correct person /
destination;
Always make sure you know what Protective Marking or sensitivity the
information you are using should have and always comply with that level of
protection;
Be certain you are sending only what you absolutely need to send and no more;
Ensure the method of transfer is appropriate to the protection of that
information and if in any doubt do not use it e.g. use of provided encryption tools
whenever available;
Data Processing Agreements and /or Protocols must be in place for any
information transferred to a third party and the Council remains as the
recognised Data Controller
Undertake Privacy Impact Assessments where necessary.
7.0
Training
7.1
Appropriate training will be made available for new and existing staff who have
responsibility for information governance duties;
7.2
All users will be made aware of their obligations for information governance through
effective communication programmes;
7.3
Each new employee will be made aware of their obligations for information
governance during their induction programme;
7.4
Training requirements will be reviewed on a regular basis to take account of the
needs of the individual, and to ensure that users are adequately trained.
8.0
Policy Compliance and Audit
8.1
Failure to observe the requirements set out in this policy may be regarded as serious
and any breach may render an employee liable to action under the council’s
disciplinary procedure.
8.2
Non-compliance with this policy could have a significant effect on the efficient
operation of the Council and may result in financial loss and an inability to provide
necessary services to our service users. The Council will undertake audits as required
to monitor compliance with its information governance policies and, where
necessary, will monitor users’ access to information for the purpose of detecting
breaches of this policy and/or other information governance policies and
procedures.
[IL0: UNCLASSIFIED]
30
8.3
It is the duty of all users to report, as soon as practicably possible, any actual or
suspected breaches in information security in accordance with the procedures
outlined on the Information Management Unit intranet.
8.4
Any user who does not understand the implications of this policy or how it may
apply to them, should seek advice from their immediate line manager and/or the
Information Management Unit.
9.0
Information Security Policy Exemptions
9.1
Exceptions will be granted only where there is a clear business case to do so, and
where there is evidence that a risk assessment has been undertaken and any
additional risks introduced by the exception are mitigated to an acceptable level. The
approval of the relevant Director is required, along with the approval of the
Information Management Unit.
End of document
[IL0: UNCLASSIFIED]
31
APPENDIX C: BLUE LIGHT TERMS OF REFERENCE AND OPERATING PROCEDURE
Terms of Reference and Operating Procedures for the Blue Light
multi-agency group in Sandwell
1. Introduction
The perception exists that if a problem drinker does not want to change, nothing can be
done to help until the person discovers some motivation. Alcohol Concern’s Blue Light
project has challenged this approach. It has shown that harm reduction, risk management
and motivation enhancement strategies exist and can be used with change resistant
drinkers. More importantly tackling this group will target some of the most risky, vulnerable
and costly individuals in society.
Sandwell MBC and its partners aim to work together to target the burden on our community
from change resistant problem drinkers.
2. A multi-agency group targeting the highest risk drinkers
An intensive response cannot be offered to the vast number of drinkers who are not
engaging with services. Alcohol Identification and Brief Advice and the offer of services are
a reasonable approach to a large swathe of these drinkers. However, a small group
require a more targeted approach.
The borough has set up a multi-agency framework for managing high risk change resistant
drinkers.
At the heart of this process is a multi-agency group which meets at least
monthly.
3. Aim
The aim of this group will be to:
 Improve the management of change resistant drinkers and thereby reduce the impact
that they are having on the community generally and public services specifically.
4. Membership
This will have core membership of:











Sandwell Metropolitan Borough Council
West Midlands Ambulance Service NHS Foundation Trust
West Midlands Police
Black Country Partnership Foundation Trust
Swanswell Charitable Trust
Sandwell and West Birmingham Hospital Trust
Sandwell Women’s Aid
West Midlands Fire Service
The Staffordshire and West Midlands Community Rehabilitation Company Limited
National Probation Service
IRiS Sandwell
A quorum of 5 members will be required for the meeting to proceed.
[IL0: UNCLASSIFIED]
32
5. Level of attendance
It is vital that the person representing each agency is of the appropriate level to engage with
this process, i.e. operational but with some seniority to ensure that actions are taken.
6. Identifying the clients
The group members will individually be responsible for identifying the change resistant
drinkers that they want to see being discussed at the meeting. A single definition of this
client group is not possible but the people to be managed by the group are likely to meet the
following definition:
i.
An alcohol problem

 Have an enduring pattern of problem drinking, dating back at least ten
years &
 Score 20+ on AUDIT or
 Be classified as dependent on SADQ (16-30 = moderate dependence/30 is
severe dependence range is 0-60) or
 Have other markers of dependence on alcohol (Ethanol levels or
biomarkers such as LFT scores may also be used)
ii.
A pattern of not engaging with or benefiting from alcohol treatment
Clients will:
 Have been subject to alcohol Identification and Brief Advice (IBA) &
 Have been referred to services, usually on more than two occasions, and
have not attended, attended and then disengaged or remained engaged
but not changed.
iii. A burden on public services
Clients will either directly, or via their effect on others e.g. their family, be placing a
burden on the following services:
 Health
 Social care including adults involved with children’s services
 Criminal Justice / ASB / Domestic violence Services
 Emergency services (999)
 Housing and homelessness agencies
The burden will be mainly due to:
 multiple use of individual services
but in a few cases may be due to placing an exceptional burden on these services
because of a single risk (e.g. a sex offender released from prison with a pattern of
problematic drinking.)
Appendix 1 sets out indicators of high burden clients which may indicate the type
of client to be tackled through this process.
Exception 1 – level of risk
An exception category will be required. For example, a person may meet the first
two criteria (dependence and non-engagement) but the burden on public services
is due to a single exceptional risk.
Exception 2 – engaged with other multi-agency groups
[IL0: UNCLASSIFIED]
33
If a person is already engaged with another multi-agency group e.g. MARAC or
MAPPA they will not be taken on by the Blue Group without a clear decision from
the other group. The assumption will usually be that management will remain with
the existing group.
It is recognised that this group can only manage a small number of high burden clients at
any one time. Therefore, as a check and control on the process:
 When a new client is presented to the meeting it will be down to the partner agencies
to agree that this is an appropriate and manageable referral at that point in time.
7. Chair and note taking
The chair of the meeting (and a deputy) will be agreed by the members of the group.
the sake of consistency the chair should remain the same from meeting to meeting.
For
Notes of the meeting will be in the form of a spreadsheet which will be updated each
meeting.
Each partner agency who is involved with the client will be expected to update their notes on
the client after each meeting.
8. Information sharing
This guidance is based on HM Government’s Seven golden rules for information sharing.
The phrases in bold below are quotes from the rules (See appendix 1).
The multi-agency group operates within a robust information sharing protocol. All
participating agencies must be signatories to this protocol.
Information cannot be shared about these clients unless the basis on which the sharing
occurs is clear and agreed by the members. This will be either because:
 Client consent has been secured; or
 The Data Protection Act recognises that public interest allows the sharing of
information, as do other laws such as the Human Rights Act. The public interest
generally lies in the prevention of abuse or harm, or the protection of others,
including the protection of public safety.i
Consent forms
The consent form attached at appendix 6 should be used.
Alternatively, many partners will have their own client consent forms.
These will be
acceptable to the group as long as it is clear that appropriate information sharing is permitted
with the group.
Confidential person-identifiable information that is disclosed in the public interest will be
proportionate and relevant and not excessive to the case concerned.
As a result, the following process is followed:
[IL0: UNCLASSIFIED]
34

Information will be ideally shared with consent: The referring agency will secure
consent to share information with the members of the multi-agency group.
If this is not possible:
 Outline but anonymous details of the client will be presented to the group in order to
consider safety and well-being concerns which might allow information sharing.
Discussion and agreement will take place as to whether: considerations of the safety
and well-being of the person and others who may be affected by their actions create
a public interest case can be made for sharing the information.
If this is agreed
 Keep a record: The agreement will be recorded in the minutes with the reason for
the decision and the relevant legal framework. The three key legal frameworks are
listed in appendix 3.
 Inform the service user who is the subject of that information of the decision to
disclose. This will happen even where their consent is not required, unless it would
not be safe to do so or would otherwise undermine the purpose of the disclosure e.g.
allow a perpetrator to avoid detection.
If there are any doubts about the legality of sharing a particular set of information further
advice should be sought from the relevant organisation’s Information Governance Lead or
Caldicott Guardian.
9. Security and data management
Confidentiality of data must be maintained when case details need to be circulated for panel
meetings.
At all stages of the exchange the principle that the information should be available only to
those who have a specific and legitimate need to see it must be maintained by all parties.
Data must only be sent if the means of transmission is secure and it can be established that
the appropriate recipient’s access to the transmission is equally secure. Only the original
paper copies of papers are retained by the coordinator. All other copies are returned and
destroyed.
Data must be stored securely, regularly reviewed and disposed of in accordance with the
receiving organisation’s Retention and Disposal policy and procedures when no longer
required for the purpose it was originally obtained.
10. Facilitating data collection and performance management
The performance of the group will be measured by looking at whether the process has
reduced the burden on public services. Therefore:
 at entry into the process, the referring agency will provide details on service usage
over the last 6-12 months e.g. number of arrests, ASB complaints, 999 calls, hospital
admissions. This will allow monitoring over time. It will also allow a judgement
about the appropriateness of the client for the group.
[IL0: UNCLASSIFIED]
35
11. Process
This section sets out a process for managing the multi-agency meeting.
►The chair of the meeting reminds all concerned of the protocols within the agreed sharing
of information document.
►The chair ensures the identity and agency of all people in the meeting is clear to ensure
that all are covered by the information-sharing protocol.
►New clients for the process will be presented.
►The chair will ensure the information-sharing permissions are in place for this person.
►The referring agency will present a short case history of the person. Other agencies will
share any available information on that person.
►The partner agencies will develop and agree a joint action/care plan for each individual.
Although this care plan will be jointly owned, lead responsibility will lie with the agency who
brought the client to the group. They will draft and store the care plan. A copy will be held
by the chair of the group and by other agencies who may be involved with this person.
They will retain the lead on this until the case is closed or it is passed to another agency in
the group.
►The care plan will use the Blue Light multi-agency group checklist in appendix 4 to provide
a framework for the plan and to ensure that the key opportunities are being addressed.
Two particular issues must be addressed:
►The partner agencies will ensure that, where relevant, their staff are aware that when this
service user is identified a specific response is required e.g.:
 Positive encouragement will be given to promote client self-belief.
 Harm reduction and risk management advice will be given.
This should draw on the approaches set out in the Blue Light manual.
►It should be clarified whether
 Signed permission for Swanswell to make contact has been secured. If not all
agencies who come into contact with this person should be seeking this consent.
►If consent is secured, Swanswell should be contacted within two working hours.
►If consent is not secured, the multi-agency meeting will ensure that agency staff continue
to seek opportunities to engage and the group will consider alternative approaches e.g.
 Barriers which may be preventing engagement in services.
 Alternative approaches to engaging the person.
 Other local resources, such as faith groups, which could be utilised to work with the
individual.
 Involving family members.
 Identifying incentives to engage the person in treatment.
 The possible use of compulsory powers.
►In some cases it will be decided that a small sub-group (or conference-call) will be set up
for an individual involving a group of workers more specific to that person. This will operate
under the same confidentiality / information-sharing protocol and will report back to the main
group.
[IL0: UNCLASSIFIED]
36
►In some cases this group will be responsible for identifying, recording and reporting unmet
need to commissioners. In the light of this data the SDAP will review whether specific
service development is required e.g. an expansion of outreach capacity.
►If appropriate, the group will:
 ask the borough to consider an expedited process to assess the person for
community care resources.
 consider the use of legal powers such as civil injunctions.
Swanswell role
Once Swanswell have consent to make contact
 They will offer an assertive response including a swift appointment, a home visit or a
meeting at a convenient location.
 Wherever possible the referring agency should undertake an initial joint visit.
 Swanswell will require the provision of relevant risk information.
 Swanswell will make assertive efforts to reduce risk and harm and engage the
person into service.
 Partner agencies will work in concert by reinforcing messages to the person about
harm reduction and encouraging change.
 All agencies involved with the person will report back to the monthly meeting on
progress and next steps.
►If consent is secured and Swanswell manage to engage the person, they will work within
their existing resources to:
 maintain engagement
 assess risk
 reduce harm and manage risk
 encourage engagement with general services such as primary care
 encourage engagement with specialist services.
►Where appropriate Swanswell will engage other agencies to support their work. This
involvement should be agreed wherever possible, e.g. the ambulance service jointly visiting
a client.
12. Terminating the process
The group’s oversight will be terminated:
 If the person is successfully engaged with specialist services and it is agreed by the
group that client’s behaviour is more stable.
 If the person is sentenced to prison or enters hospital as a long stay patient.
 If the person moves away from the area. However, in these circumstances, the
group will ensure that information has been shared, if appropriate, with local
agencies in the new area.
 In some cases a decision will be taken to remove the person from the group’s
consideration if it is felt that no further benefit will be gained from the process. In this
case the group needs to be sure that at least one agency has ongoing oversight.
If the person dies during the process, consideration will be given to whether an alcohol
related death review process should be recommended.
[IL0: UNCLASSIFIED]
37
13. Measuring the impact
The impact targets for this work are very straightforward and will encompass output and
outcome targets.
Output: The number of clients identified by the multi-agency group who are engaged and
the period of engagement
Outcome: The reduction in the behaviours which had brought the client to the attention of
the multi-agency group e.g. hospital attendances, arrests, 999 calls etc.
The key outcome target will be to reduce the cost burdens presented by the clients meeting
the definition and brought to the multi-agency group by 20% per annum.
14. Equality and diversity
The organisations participating in this process are committed to ensuring that it treats
service users fairly, equitably and reasonably and that it does not discriminate against
individuals or groups on the basis of their ethnic origin, physical or mental abilities, gender,
age, religious beliefs or sexual orientation.
15. Reviewing these arrangements
These arrangements will be reviewed after 6 months and annually thereafter. This review
will ensure the process is relevant and fit for purpose.
[IL0: UNCLASSIFIED]
38
Agreement to Terms of Reference
I confirm that our agency will be a partner to the Blue Light Multi-Agency
process and will adhere to the Terms of Reference above and the associated
information sharing protocol indicated.
For and on behalf of the Client
Signature
Name
On behalf of (Agency)
Date
Position
Address
Email
Telephone number
[IL0: UNCLASSIFIED]
39
Appendix C1 - HM Government - Seven golden rules for information sharing
1. Remember that the Data Protection Act is not a barrier to sharing information but provides
a framework to ensure that personal information about living persons is shared
appropriately.
2. Be open and honest with the person (and/or their family where appropriate) from the
outset about why, what, how and with whom information will, or could be shared, and seek
their agreement, unless it is unsafe or inappropriate to do so.
3. Seek advice if you are in any doubt, without disclosing the identity of the person where
possible.
4. Share with consent where appropriate and, where possible, respect the wishes of those
who do not consent to share confidential information. You may still share information without
consent if, in your judgement, that lack of consent can be overridden in the public interest.
You will need to base your judgement on the facts of the case.
5. Consider safety and well-being: Base your information sharing decisions on
considerations of the safety and well-being of the person and others who may be affected by
their actions.
6. Necessary, proportionate, relevant, accurate, timely and secure: Ensure that the
information you share is necessary for the purpose for which you are sharing it, is shared
only with those people who need to have it, is accurate and up-to-date, is shared in a timely
fashion, and is shared securely.
7. Keep a record of your decision and the reasons for it – whether it is to share information
or not. If you decide to share, then record what you have shared, with whom and for what
purpose.ii
[IL0: UNCLASSIFIED]
40
Appendix C2 – Caldicott Principles







Principle 1
Justify the purpose(s)
Every proposed use or transfer of patient-identifiable information within or from an organisation should
be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate
guardian.
Principle 2
Don’t use patient-identifiable information unless it is absolutely necessary
Patient-identifiable data items should not be used unless there is no alternative.
Principle 3
Use the minimum necessary patient-identifiable information
Where use of patient-identifiable information is considered to be essential, each individual item of
information should be justified with the aim of reducing identifiably.
Principle 4
Access to patient-identifiable information should be on a strict need to know basis
Only those individuals who need access to patient-identifiable information should have access to it,
and they should only have access to the information items that they need to see.
Principle 5
Everyone should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information, (both clinical and
non-clinical staff) are made fully aware of their responsibilities and obligations to respect patient
confidentiality.
Principle 6
Understand and comply with the law
Every use of patient-identifiable information must be lawful. Someone in each organisation should be
responsible for ensuring that the organisation complies with legal requirements.
Principle 7
The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best
interests of their patients within the framework set out by these principles. They should be supported
by the policies of their employers, regulators and professional bodies.
[IL0: UNCLASSIFIED]
41
Appendix C3 - Frameworks within which information sharing may happen
Where there is concern that a child may be suffering, or is at risk of suffering harm, the
child’s safety and welfare must be the first consideration. In these circumstances the
Safeguarding Children Boards Child Protection Procedures, must be followed.
Where there is concern that a vulnerable adult may be suffering, or is at risk of suffering
harm, the individual’s safety and welfare must be the first consideration. In these
circumstances the local Multi Agency Safeguarding Policy and Procedure, must be followed.
If the purpose is
 primary or secondary health care use and
 the care and treatment of the patient is central to the purpose and
 the patient identifiable data is shared only between those responsible for the delivery
of that care and treatment
then consent can be reasonably implied.
Three pieces of legislation allow information sharing in different settings:
• The European Convention on Human Rights, incorporated into English law from
October 2000, by the Human Rights Act 1998: Article 8: Right to respect for private
and family life states that:
1. Everyone has the right to respect for his private and family life, his home and his
correspondence.
2. There shall be no interference by a public authority with the exercise of this right
except such as is in accordance with the law and is necessary in a democratic
society in the interests of national security, public safety or the economic well-being
of the country, for the prevention of disorder or crime, for the protection of health or
morals, or for the protection of the rights and freedoms of others.
•
The Crime and Disorder Act 1998 - Section 115 as amended by the Police Reform
Act 2002 gives power to any person to disclose information to police authorities and
chief constables, local authorities, probation committees, various health authorities,
various fire and emergency authorities, and (since 2005) registered social landlords,
or persons acting on their behalf so long as such disclosure is necessary for the
purposes of any provision of the CDA. These purposes include a range of measures,
such as: local crime audits, anti-social behaviour orders, sex offender orders and
local child curfew schemes. In addition, the CDA requires local authorities to exercise
their own functions with due regard to the need to do all that it reasonably can to
prevent crime and disorder in its area.
•
The Criminal Justice Act 2003 extended the scope of MAPPA by imposing a duty on
public bodies outside the criminal justice system, including NHS Trusts, to co-operate
with the responsible authority for MAPPA.
In practical terms this duty imposes the following obligations:
• A general duty to cooperate in the supply of information to other agencies in
relation to risk assessment and risk management.
•
A duty on professionals to consider, as part of the care planning process,
whether there is a need to share information about individuals who come within
the MAPPA criteria.
• The need to develop protocols between agencies for exchanging information and
other forms of cooperation.
[IL0: UNCLASSIFIED]
42
Appendix C4 - A process checklist
1
Have people been spoken to about agency concerns, the impact of their presenting
problems and been given relevant brief advice about changing their situation and
seeking help?
2
Have people been referred to relevant specialist services.
3
Has someone assessed the client to identify barriers to change and engagement. Are
there reasons why this person will find it difficult to change? These could include low
self-esteem, physical health problems, or peers who sabotage change.
4
Has someone undertaken a specific assessment of risks e.g. fire risks, trip hazards in
the home, noise nuisance.
5
Has the client had a physical health check with their GP and/or a dental or other
physical check.
6
Have motivational interventions or a motivational interviewing approach been used with
the person?
7
Has the client been offered ongoing enhanced personalised education, i.e. highlighting
the very specific risks?
8
Have efforts been made to promote self-efficacy, i.e. encouraging the client to believe
that change is possible?
9
Have efforts been made to involve family members, significant others or relevant
carers, where appropriate, in care planning?
10
Has contingency management been used, i.e. incentivising engagement with treatment
through the offer of food vouchers, or other small incentives?
11
Have efforts been made to reduce any potential harms to the client or other people e.g.
ensuring a smoke alarm is fitted, thinking about trip hazards in the home?
12
Has a single care coordinator been identified to manage and coordinate the care?
13
If the client shows motivation to change have arrangements been put in place to
enable a fast track into care?
14
Have community care resources been considered for purchasing outreach, befriending
or other support?
15
Have assertive outreach or peer support approaches been used?
make contact with this person?
16
Has consideration been given to whether anything is supporting the negative
behaviour, e.g. is a family member buying alcohol?
17
Are there legal powers which can be used to contain the behaviour?
Could a PCSO
[IL0: UNCLASSIFIED]
43
Appendix C5 Confidentiality Statement for meeting
Name of meeting:
Date/time:
Venue:
Confidentiality Statement: I agree that information shared at this meeting is only to be used in
relation to working with adults as outlined within the Sandwell Blue Light meeting terms of
reference. Information shared at this meeting will not be used outside of this group for any other
purpose than that agreed within this meeting. All personal information shared should be treated as
highly confidential and all data should be transported and stored in accordance with each agency’s
information security policy and procedures.
Name
Organisation
Contact details
Signature
Signature of the chair as witness to the above signatures
___________________________________________ Date________________________
[IL0: UNCLASSIFIED]
44
Appendix C6 Blue Light Multi-Agency Information Sharing Protocol - Consent Form
The professional stated below, believes that you may be at risk of harming yourself or other
people and is seeking your consent to make a referral to the Sandwell Blue Light multiagency management group.
If you agree to give your consent, some or all of the following information may be shared your personal details, information about your carers, your current environment and details of
the risk. This may be shared with a multi-agency group, which could include representatives
from health, police, emergency services, the local authority, housing providers and
substance misuse services.
These people are qualified and will consider the information put forward and make
recommendations on how the care you receive might be extended to support you further
with any difficulties you may be experiencing. The professionals involved are trained to
protect your rights to privacy and confidentiality and this will be respected at all times.
(If we believe you are at significant risk, or if other people are at risk, professionals can still
disclose information under common law “Duty of Confidence” without your consent, or if we
have a legal obligation to do so, such as under the Crime and Disorder act 1998)
Please provide the relevant information below:
Is this information about you?
Yes
No
If ‘No’, who is the information about?
Name of data subject:
Address:
DOB (ddmmyyyy):
Are you are acting as: Parent/Guardian/Carer
Other (please describe)
Have the reasons for requesting consent been explained to you?
Yes
No
I give (name of agency/person)……………………………………….. consent to process
information in relation to a safeguarding concerning the above named data subject.
To be filled out by the relevant professional the information is being obtained by.
Organisation:
Name of professional:
Professional’s role:
Contact details:
[IL0: UNCLASSIFIED]
45
If consent was not obtained please state why below: (e.g. not given, not practicable due to
risk, mental capacity)
i
The Public Interest test applies when consent cannot be obtained or has been sought and refused.
Circumstances that meet the public interest test are as follows:
 Promoting the welfare of children
 Protecting children or adults from significant harm
 The prevention, detection or prosecution of serious crime.
NB The Public Safety test applies when consent should not be sought The public safety test is met
when to seek consent, or delay the information sharing while consent is sought would heighten the
risk of significant harm to a child or adult at risk.
ii
HM Government – Information Sharing – Pocket Guide – 2008
[IL0: UNCLASSIFIED]
46
Appendix C7: Blue Light Operational Group: Information Sharing Decision Flowchart
End of Document
[IL0: UNCLASSIFIED]
47