DATA SHARING AGREEMENT for the Sandwell Blue Light Approach Partners to Agreement: Sandwell Metropolitan Borough Council; West Midlands Ambulance Service NHS Foundation Trust; West Midlands Police; Black Country Partnership Foundation Trust; Swanswell Charitable Trust; Sandwell and West Birmingham Hospital Trust; Sandwell Women’s Aid; West Midlands Fire Service; The Staffordshire and West Midlands Community Rehabilitation Company Limited; National Probation Service; IRiS Sandwell. Date agreement comes into force: Add date the contract was signed by all parties Date of Agreement Review: Twelve months after date comes into force and annually thereafter. Agreement Owner: Sandwell Drug and Alcohol Partnership Version control: Version no. Amendments made Authorisation [IL0: UNCLASSIFIED] TABLE OF CONTENTS 1 DEFINITIONS AND INTERPRETATION 2 PARTNER AND PARTNER RESPONSIBILITIES 3 PROCESSING ONLY FOR AGREED PURPOSES 4 SHARING WITH OTHER THIRD PARTIES 5 FAIR AND LAWFUL PROCESSING 6 INFORMATION TO BE SHARED 7 OWNERSHIP OF THE INFORMATION 8 DATA QUALITY 9 TRANSMISSION OF PERSONAL DATA 10 DATA RETENTION, REVIEW AND DISPOSAL 11 DATA PROTECTION REGISTRATION 12 DATA SECURITY 13 SECURITY INCIDENTS 14 DESTRUCTION OF DATA 15 ASSIGNMENT AND SUBCONTRACTING 16 DATA SUBJECT ACCESS RIGHTS 17 TRANSFER OF DATA OUTSIDE THE EEA 18 FREEDOM OF INFORMATION 19 DURATION 20 TERMINATION 21 DISPUTE RESOLUTION 22 INDEMNITY AND LIABILITY 23 WAIVER 24 CONFIDENTIALITY 25 LAW 26 SIGNATORIES TO THE AGREEMENT APPENDIX A DATA SHARING REQUEST FORM APPENDIX B SMBC INFORMATION SECURITY POLICY APPENDIX C BLUE LIGHT PROJECT TERMS OF REFERENCE AND OPERATING PROCEDURE INTRODUCTION This Information Sharing Agreement has been developed to facilitate information sharing between Sandwell Metropolitan Borough Council and West Midlands Ambulance Service; West Midlands Police; Black Country Partnership Foundation Trust; Swanswell Charitable Trust (Community Alcohol Service); Sandwell 
and West Birmingham Hospital Trust; Sandwell Women’s Aid; West Midlands Fire Service; The Staffordshire and West Midlands Community Rehabilitation Company Limited; National Probation Service; Iris (Community drug service). This document replaces any former agreements by the parties named for the described Purpose(s). Sandwell’s Blue Light Approach: Using the Department of Health’s Alcohol Ready Reckoner and the 2011 census we estimate that Sandwell has 10,680 harmful/higher risk drinkers and 9,187 dependent drinkers. The perception exists that if a problem drinker does not want to change, nothing can be done to help until the person discovers some motivation. Sandwell’s Blue Light project aims to challenge this view by using harm reduction, risk management and motivation enhancement strategies. More importantly tackling this group will target some of the most risky, vulnerable and costly individuals in the community. Sandwell Metropolitan Borough Council and its partners aim to work together to target the burden on our community from change resistant problem drinkers. A multi-agency framework has been set up to manage high risk change resistant drinkers. At the heart of this process is a multi-agency group which meets regularly - aiming to improve the management of change resistant drinkers and thereby reduce the impact they have on the community generally and public services specifically. 1. 
DEFINITIONS AND INTERPRETATION 1.1 The definitions are as follows: “Agreed Purpose(s)” means the purpose(s) for which the Parties are authorised to use the Data as set out in Clause 4; “Agreement” means the following document and its Appendixes; “Data” (same meaning as Information) means all Personal Data provided by a Party to one or several other Parties for the Agreed Purposes under the terms of this Agreement; “Data Protection Principles” means the eight principles set out in Schedule 1 of the Data Protection Act 1998; “DPA” means the Data Protection Act 1998; “FOIA” means the Freedom of Information Act 2000; “Information” (same meaning as “Data”) means all Personal Data provided by a Party to one or several other Parties for the Agreed Purposes under the terms of this Agreement; “Parties” means organisations listed under Clause 2.1 ‘Partners to this Agreement’; “Personal Data” as defined in the DPA and which, for the avoidance of doubt, includes Sensitive Personal Data; “Security Policy” means each Party’s respective Information Security Policy – or if this is not applicable Sandwell Metropolitan Borough Council’s (SMBC) Information Security Policy to be used as a minimum standard, as attached to Appendix B; “Sensitive Personal Data” as defined in the DPA; and “Working Day” means any day (other than a Saturday or Sunday) on which banks are open for domestic business. 
1.2 In this Agreement (except where the context otherwise requires): use of the singular includes the plural (and vice versa) and use of any gender includes the other genders; a reference to a Party shall include that Party's personal representatives, successors or permitted assignees; a reference to persons includes natural persons, firms, partnerships, bodies corporate and corporations, and associations, organisations, governments, states, foundations, trusts and other unincorporated bodies (in each case whether or not having separate legal personality and irrespective of their jurisdiction of origin, incorporation or residence); a reference to a Clause is to the relevant clause of this Agreement; any reference to a statute, order, regulation or other similar instrument shall be construed as a reference to the statute, order, regulation or instrument together with all rules and regulations made under it as from time to time amended, consolidated or re-enacted by any subsequent statute, order, regulation or instrument; general words are not to be given a restrictive meaning because they are followed by particular examples, and any words introduced by the terms "including", "include", "in particular" or any similar expression will be construed as illustrative and the words following any of those terms will not limit the sense of the words preceding those terms; and headings to clauses are for the purpose of information and identification only and shall not be construed as forming part of this Agreement. 2. 
PARTNER AND PARTNER RESPONSIBILITIES Partners 2.1 The Partners to this Agreement are: Sandwell Metropolitan Borough Council; West Midlands Ambulance Service NHS Foundation Trust; West Midlands Police; Black Country Partnership Foundation Trust; Swanswell Charitable Trust; Sandwell and West Birmingham Hospital Trust; Sandwell Women’s Aid; West Midlands Fire Service; The Staffordshire and West Midlands Community Rehabilitation Company Limited; National Probation Service; IRiS Sandwell. Role/relevance of the above parties within the Blue Light approach: Sandwell Metropolitan Borough Council – housing, social care, anti-social behaviour and victim support input; West Midlands Ambulance Service NHS Foundation Trust – frequent/high risk ambulance call outs where alcohol is a factor; West Midlands Police – repeat offenders where alcohol is the major contributing factor to offending behaviour; Black Country Partnership Foundation Trust – individuals whose mental health is affected by alcohol – provision of assessment and identified relevant support; Swanswell Charitable Trust – alcohol community treatment services; Sandwell and West Birmingham Hospital Trust – repeat alcohol related attendances to A&E, repeat alcohol related hospital admissions; Sandwell Women’s Aid – victims or perpetrators of domestic violence where alcohol is a factor; West Midlands Fire Service – repeat call outs where alcohol is a factor – provision of safety checks/risk management; The Staffordshire and West Midlands Community Rehabilitation Company Limited – offender management input; National Probation Service – high risk offender management input; IRiS Sandwell – dual diagnosis (substance misuse and mental health) management input. 2.2 Responsibilities It will be the responsibility of these partners to make sure that: ethical standards are maintained; a mechanism exists by which the flow of information can be controlled; appropriate training is provided by each Party to those members of staff 
involved in the sharing of information; adequate arrangements exist to test adherence to the Agreement; and data protection and other relevant legislative requirements are met. 3. INFORMATION TO BE SHARED 3.1 Personal Data Personal data is protected by the provisions of the Data Protection Act 1998. It is recognised that the nature of some of the information subject to this Agreement may be defined as sensitive personal data under the provisions of the Data Protection Act 1998. 3.2 Personal data to be shared The items of personal data to be shared are as follows (note the list below is exhaustive in terms of what may be relevant to share): Name and contact details; Details of substance misuse and any associated medical conditions; Medical history (physical and mental health); Criminal activity - providing that the offence is not considered spent under the Rehabilitation of Offenders Act; Accommodation status; Carer / any associated informal support; Parental status; Education/employment status; Details of risk or vulnerability arising from substance misuse; Other agencies/ multi-disciplinary forums the individual is engaged with. 3.3 Process for sharing the Information Each Party determines which of their service users are eligible in application of selection criteria covering both frequency of service demand and risk/vulnerability (levels are determined according to each partner agency’s own thresholds). The group meets and service users selected by each Party are cross-referenced against service users identified by other Parties. A final list of those most frequent and risky users is arrived at. 3.4 Format of Information to be shared Copies of the Information will mainly be provided in electronic format. The multi-agency care plan may be followed up verbally outside of the meeting between relevant Partners. The names of individuals who are not relevant to the Agreed Purpose of the sharing will be redacted. 
Where a request is made for Information regarding one specific individual, the requesting Party will clearly describe on each occasion the legal basis (as outlined in clause 5 of this Agreement) for their request and how it is necessary for the lawful discharge of their duties using Appendix A – Request for Information form. 3.5 4. AGREED PURPOSES The purpose of this Agreement is to facilitate the disclosure of Information listed in clause 3.2 above in order to ensure the safeguarding and management of change resistant drinkers and to thereby reduce the impact that they are having on the community generally, and on public services specifically. 4.1 This Agreement represents the administrative arrangements for the provision of predetermined Information as described in Clause 3 of the present Agreement. 4.2 Personal data obtained under this Agreement may only be used for the Agreed Purposes outlined in this clause of the Agreement and must not be further processed in any manner incompatible with the identified Agreed Purpose(s). 4.3 No secondary use or other use may be made unless the consent of the disclosing party is sought and granted in writing. 4.4 5. 
FAIR AND LAWFUL PROCESSING 5.1 The First Principle of the Data Protection Act 1998 states that: “Personal data must be processed fairly and lawfully and in particular, shall not be processed unless: a) at least one of the conditions in schedule 2 (of the Act) is met; and b) for sensitive personal data, one of the conditions in schedule 3 is also met.” The partners to this agreement will meet the requirements of Schedule 2 of the Data Protection Act 1998, for the processing of personal data by virtue of subsection 1 of Schedule 2 of the Act as follows: 1) “The data subject has given his consent to the processing.” In the case of sensitive personal data, the partners to this agreement also meet a Schedule 3 condition by virtue of subsection 1 as follows: 1) The data subject has given his explicit consent to the processing of the personal data. All Parties to the Agreement will undertake to seek and appropriately record consent from the data subjects whose Information they wish to share. The Parties agree that no Information regarding a data subject can be shared with the other Parties without the data subject’s explicit consent. 5.2 All Parties undertake to ensure that any Information shared under this Agreement is processed for purposes compatible with those that the Information was initially collected for. Where consent is to be sought or privacy notices changed, it is each Party’s responsibility to undertake this independently for their organisation and for the data subjects whose Information they wish to share. 5.3 The Parties will undertake to seek consent from data subjects by using the consent form (Appendix C6) within the Blue Light Terms of Reference and Operating Procedures document (attached in Appendix C). Each Party will pay due regard to the provisions of Article 8, Human Rights Act 1998, which state that everyone has the right to respect for his private and family life, his home and his correspondence. 
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic wellbeing of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others. 5.4 Each Party will undertake to ensure that Information requested or shared under the terms of this Agreement is relevant, necessary and proportionate in the given circumstances. The Parties commit to processing Personal Data in full compliance with the obligations placed upon them under the DPA. 5.5 6. OWNERSHIP OF THE INFORMATION 6.1 The Parties remain independent Data Controllers for the Information they hold. Upon receipt of the Data, the Party requesting the Information will become the Data Controller for any use that Party makes of the Information and will be responsible for ensuring that the Information is held and used securely in accordance with the Agreed Purpose, relevant legislation and this Information Sharing Agreement. 6.2 The Party disclosing the Information will retain no responsibility for the manner in which the receiving Party processes the Information once the receiving Party has received the Information. 6.3 7. TRANSMISSION OF PERSONAL DATA The Parties will transfer Information via MoveIT or a secure e-mail address. All Parties will ensure their relevant staff members and/or volunteers have set up a MoveIT account or have access to a secure e-mail address e.g. NHS mail for the purposes of this Agreement. 7.1 8. DATA QUALITY 8.1 The Information deemed to be necessary for the Purpose is identified as above. Where other Information is deemed to be relevant to the Purpose by any Party, each case will be the object of a formal request using the Request for Information Form at Appendix A. 
Each request for additional Information will be considered on its individual merits and disclosure made where appropriate. 8.2 All Parties will endeavour to ensure to the best of their abilities that the Information they provide to other Parties is accurate, up to date and complete. 8.3 Information discovered to be inaccurate, out of date or inadequate for the Purposes should be promptly notified to the originating Party, who will be responsible for correcting the data and notifying all other recipients of the Information who must ensure that the correction is made. 8.4 Each Party will keep a record of all requests between Parties that are relevant to this Agreement. Any request will clearly set out the purpose or purposes for which the Information is requested. It will also specify as clearly as possible how failure to disclose such Information would prejudice this purpose. 8.5 9. DATA RETENTION Data should only be retained for the minimum period necessary in connection with the Agreed Purposes. The Party who has requested the Information will be responsible for safely disposing of any Information no longer necessary to achieve the Agreed Purposes. 9.1 In any case, no data shall be retained for longer than necessary and for the purpose of the activities covered by this Agreement. 9.2 Following a formal closure of the multiagency care plan, the personal data held by all Parties regarding a service user shall be deleted. The Parties may retain anonymised data only for the purposes of evaluation which shall be used in a final cost-benefit analysis report. Each Party will be responsible for correctly and securely anonymising the data it holds. 9.3 10. DATA SECURITY The Parties shall at all times be responsible for ensuring that all Data (including data in any electronic format) is stored securely. 
The Parties shall take appropriate measures to ensure the security of such data and guard against unauthorised access thereto or disclosure thereof or loss or destruction while in its custody. 10.1 10.2 The Parties shall put in place: 10.2.1 appropriate technical and organisational measures for the processing of any Personal Data and against unauthorised, accidental or unlawful access to such (having regard to the state of technological development and the costs of implementing any such measures) as well as reasonable security programmes and procedures for the purpose of ensuring that only authorised personnel have access to the data processing equipment to be used to process such Personal Data, and that any persons whom it authorises to have access to such Personal Data shall respect and maintain all due confidentiality; 10.2.2 a level of security programmes and procedures which reflect: 10.2.2.1 the level of damage that might be suffered by a data subject (as defined in the DPA) to whom the Personal Data relates as a result of unauthorised or unlawful possession of the Personal Data or the loss or destruction of or damage to the Personal Data; and 10.2.2.2 the state of technological developments and the cost of implementing such programmes and procedures; 10.2.3 security programmes and procedures which specifically address the nature of the Personal Data. The Parties shall implement and comply with security standards at least equivalent to those outlined in the SMBC Information Security Policy at Appendix B and shall ensure that responsibility for compliance shall be clearly placed on a particular person or department within their organisation. The Parties shall ensure that sufficient resources and facilities are made available to enable that responsibility to be fulfilled. 
The Parties shall ensure that access to any buildings or rooms within their premises where Personal Data is stored and/or can be accessed is controlled and that casual passersby cannot read Information off screens or documents. 10.3 10.4 The Parties shall not keep any Personal Data for longer than is necessary. The Parties agree that their staff or any other person in their control shall store or process the Personal Data in accordance with the Data Protection Principles, and in particular in accordance with the seventh Data Protection Principle. 10.5 Each Party will have in place appropriate security on external routes into their organisation, for example internet firewalls and secure dial-in facilities. 10.6 Each Party shall ensure that any system whereby any Personal Data may be disclosed over the telephone is protected by a procedure for authenticating identity prior to the disclosure of that Personal Data. 10.7 Each Party’s computer systems must be password protected. Passwords must give access only to Personal Data which an employee has a proper need to access and not to all levels of the system. 10.8 Each Party shall have a satisfactory procedure for cleaning media (such as tapes and disks) before they are reused or new data written over old. Each Party shall ensure that printed material is disposed of securely, for example by shredding. 10.9 10.10 The Parties confirm that the Personal Data will not be taken home for staff to work on. Each Party shall take adequate precautions against burglary, fire or natural disaster. The Parties shall ensure that all Data is protected against corruption by viruses or other forms of intrusion. 10.11 Each Party will ensure that only one copy of Personal Data is held at all times in each organisation and that if Personal Data is transferred from one system to another, the Personal Data held on the original system will be deleted. 
All parties will ensure they have in place robust business continuity and disaster recovery plans. 10.12 Each Party shall ensure that proper weight is given to the discretion and integrity of staff when they are being considered by each Party for employment or promotion or for a move to an area of work where they will have access to Personal Data. The Parties shall ensure their staff are aware of their responsibilities and given training with regards to data protection and confidentiality to ensure their knowledge is up to date. 10.13 Each Party shall ensure that disciplinary rules and procedures take account of the requirements of the DPA in their organisation. In the case of an employee of one of the Parties being found to be unreliable or unsuitable for access to Personal Data, the Party employing the employee shall ensure that his or her access to Personal Data is withdrawn immediately. 10.14 Each Party shall ensure that its staff is aware that Personal Data should only be accessed for the Agreed Purpose and not for their own private purposes. 10.15 Each Party shall ensure that any breaches of security are properly investigated and remedied as soon as possible, particularly when damage or distress could be caused to an individual. The Party uncovering the breach of security shall notify other Parties immediately should such a breach occur. 10.16 11. SECURITY INCIDENTS The Parties will advise one another of any potential or actual losses of the Data as soon as possible and, in any event, within 24 hours of identification of any potential or actual loss. 11.1 The Parties will notify one another as soon as possible of any breaches of security which might potentially give rise to a risk to the security of the Data. 11.2 12. DESTRUCTION OF DATA Once the Data has been used for the Agreed Purpose, the Parties warrant that the Data will be deleted securely (i.e. shredded to acceptable security standards, e.g. minimum DIN 4 level). 
12.1 Each Party will be responsible for the secure deletion of the Information they have received for the Agreed Purposes of this Agreement. 12.2 13. SHARING WITH OTHER THIRD PARTIES Subject to any relevant terms of a Data Sharing Request Form, Data must not be shared by the receiving Party with any other person without the express written consent of the other Party. This is without prejudice to Clause 14.2. 13.1 14. ASSIGNMENT AND SUBCONTRACTING The Parties shall neither assign nor transfer, entirely or in part, the rights and obligations derived herefrom. Any purported assignment is void. 14.1 The Parties may not hire subcontractors for the purposes of undertaking their obligations under this Agreement. 14.2 15. TRANSFER OF DATA OUTSIDE THE EEA The Parties shall not transfer Personal Data outside of the European Economic Area in relation to the activities of this Agreement. 15.1 16. DATA PROTECTION REGISTRATION The Parties shall undertake to maintain an accurate and up to date registration/notification with the Information Commissioner’s Office, including for any processing in relation with the Agreed Purposes of this Agreement. 16.1 Failure by any Party to provide a valid registration number and/or be registered for the correct purposes (i.e. unless they are exempt from registration) will result in any requests for the sharing of Personal Data with that Party being rejected. 16.2 17. DATA SUBJECT ACCESS RIGHTS Individuals have a right to see what Personal Data is held about them, and to know why and how it is processed. 17.1 17.2 Each Party will undertake to honour requests made to it under the terms of the DPA. 18. FREEDOM OF INFORMATION 18.1 Any Party subject to the provisions of the Freedom of Information Act shall be responsible for responding to Freedom of Information requests submitted to it. 19. 
DURATION 19.1 This Agreement shall be effective as of the day of its signature, and shall remain in full force and effect for 2 years thereafter. The Agreement will be reviewed after an initial 6 months and on a yearly basis thereafter where Partners may decide to prolong its duration at each yearly review. 19.2 The duration of the Agreement may be extended by mutual, written agreement of the Parties. 20. TERMINATION 20.1 If a Party commits a material breach or material default in the performance or observance of any of its obligations under this Agreement, the non-breaching or non-defaulting Party shall have the right to terminate this Agreement five (5) working days after delivery of written notice reasonably detailing such breach to the breaching or defaulting Party. 21. DISPUTE RESOLUTION 21.1 The Parties shall attempt to resolve any disagreement arising from this Agreement informally and promptly by officers who have day-to-day responsibility for the operation of this Agreement. 21.2 If the disagreement cannot be resolved further to Clause 21.1 within fourteen (14) days of it arising, the matter shall be referred to the Chief Executives (or the corresponding individuals) of the Parties. 22. 
INDEMNITY AND LIABILITY 22.1 A Party (A) shall indemnify, keep indemnified and hold harmless any other Party or Parties against all losses, claims, demands, liabilities, costs and expenses (including reasonable legal costs and disbursements) incurred by that Party (B) in respect of any breach of this Agreement by the Party (A) as well as any act or omission of the Party (A) in connection therewith, including but not limited to: 22.1.1 Any claim made or brought by an individual or other legal person in respect of any loss, damage or distress caused to that individual or other legal person; and/or 22.1.2 Any claim or enforcement proceedings brought against the Party (A) as a result of the processing, unlawful processing, unauthorised disclosure or accidental loss of any Personal Data Processed by the Party (A), its employees, or agents in the performance of the Agreement or as otherwise agreed between the Parties. 23. CONFIDENTIALITY 23.1 Both Parties shall not, and shall ensure that their employees or agents shall not, divulge or dispose of or part with possession custody or control of any confidential material or Information provided by any other Party pursuant to this Agreement, or prepared or obtained by a Party pursuant to this Agreement, other than in accordance with the express written instructions of the other Party or in compliance with statutory requirements. 24. WAIVER 24.1 The failure of either Party to insist on strict performance of any provision of this Agreement or the failure of either Party to exercise any right or remedy to which it is entitled shall not constitute a waiver thereof and shall not affect either Party’s obligations under this Agreement. No waiver of any default shall constitute a waiver of any subsequent default. 25. LAW 25.1 The Parties accept the exclusive jurisdiction of the English courts and agree that this Agreement is to be governed and construed according to English law. 
DATE: SIGNATURES AND NAMES: Organisation Sandwell Metropolitan Borough Council; West Midlands Ambulance Service NHS Foundation Trust; West Midlands Police; Black Country Partnership Foundation Trust; Swanswell Charitable Trust; Sandwell and West Birmingham Hospital Trust; Sandwell Women’s Aid; West Midlands Fire Service; The Staffordshire and West Midlands Community Rehabilitation Company Limited; National Probation Service West Midlands IRiS Sandwell Signature Job title/position Date IL3: RESTRICTED [when complete] APPENDIX A: DATA SHARING REQUEST FORM Requesting Officer’s name/ position: Disclosing Officer’s name/ position: PART A – INFORMATION REQUESTED - (to be completed by requesting officer) Information requested by: Name/ signature: Organisation/Department: Email Address: Contact phone number: Information requested: Describe the information required and the circumstances that have led to this request being made, including any names, addresses and dates of birth. Name: Address: DOB: (ddmmyyyy) NHS Number: Date information is required (ddmmyyyy): If urgent, please state reason: Have you obtained consent to share information? (Please ensure that you have attached the standardised ‘Consent Form’ available at Appendix 6 of the Operating Procedures). YES/NO If consent has not been obtained from the individual, please indicate for what purpose you require this information? (Please tick the relevant boxes as appropriate) Preventing serious harm to an adult – including through prevention, detection and prosecution of a serious crime under the Crime and Disorder Act 1998. Providing urgent medical treatment to an adult. There is a statutory obligation or court order to share. 
Please circle relevant item from list below: Court order; National Health Service Acts 1977 and 2006; Crime and Disorder Act 1998; Local Government Act 1972; Other (please list): …………………………………… PART B - INFORMATION DISCLOSED – (to be completed by disclosing officer) Disclosure Agreed: Yes No Information attached to this form: Yes No Reason for declining request (if applicable): Information disclosed (Continue on a separate sheet if necessary, and remember to attach any additional sheets to this form): Information disclosed by: Name/ Position: Department/Organisation: Email Address: Contact phone number: Signature of disclosing officer: ………………………………………………………………………….. Date supplied: ………………………………………………………………………….. APPENDIX B: SMBC INFORMATION SECURITY POLICY Information Management Unit Information Security Policy Document Type: Tier 1 Policy Version: 1-0 FINAL Date Issued: 2014 Document Control Owning organisation: Sandwell Council; Title: Information Security Policy; Author: James Trickett; Protective Marking: IL0: UNCLASSIFIED; Review Date: May 2016. Revision History Revision Date: 23rd April 2014; Editor: James Trickett; Previous Version: n/a; Description of Revision: Final version. Document Distribution Please note – once printed, this document is uncontrolled. The latest version will always be found on the Council’s intranet. Document Approvals Approval required JCP Leader Decision Making Session Date approved 25th March 2014 23rd April 2014 Contents 1.0 Introduction 2.0 Scope and Definition 3.0 Roles and Responsibilities 4.0 Key policy purposes 5.0 Key Security Principles 6.0 Information Security Requirements 7.0 Training 8.0 Policy Compliance and Audit 9.0 Information Security Policy Exemptions 1.0 Introduction 1.1 Information is an asset. Like any other business asset it has a value and must be protected. Systems that enable us to store, process and communicate this information must also be protected in order to safeguard information assets. ‘Information systems’ is the collective term for our information and the systems we use to store, process and communicate it. Information systems include paper / manual and / or electronic / computer systems. 1.2 This policy is part of a set of information governance policies, Codes of Practice and procedures that supports the delivery of the Information Governance Framework. It should be read in conjunction with these associated policies. 1.3 Information security is an integral part of information sharing, which is becoming increasingly important to achieving council aims and objectives – especially when joint working with sectors such as health. 1.4 The purpose of our Information Security Policy is to protect the Council’s information, manage information risk and reduce it to an acceptable level, while facilitating reasonable use of information in supporting normal business activity and that of our partners. 
1.5 Information Security involves the protection of information and we are committed to preserving the confidentiality, integrity and availability of our information assets:
• For sound decision-making;
• To deliver quality front line services;
• To comply with the law;
• To meet the expectations of our service users and partners;
• To protect our reputation as a professional and trustworthy organisation.

1.6 This Policy has been developed using the internationally recognised standard for information security known as ISO27001. This takes a risk based approach to upholding the 3 key principles of information security:
• Confidentiality
• Integrity
• Availability

1.7 Information is a generic term used throughout this Policy. It can take many forms e.g. electronic, written or vocal. It would be wrong to assume that information in any form warrants the highest level of protection or may never be disclosed as described in this Policy. Local Authorities, like Central Government, are advised to adopt the Government’s Protective Marking Scheme which classifies information dependent on its attributes e.g. most people are familiar with the term ‘confidential’ which is one of the 6 markings available. The Government’s protective marking system is designed to help individuals determine, and indicate to others, the levels of protection required to help prevent the compromise of valuable or sensitive assets. The markings signal quickly and unambiguously, the value of an asset and the level of protection it needs.

1.8 Therefore in applying this Policy everyone handling information must take a pragmatic and sensible approach e.g. a publicly available newspaper or leaflet does not warrant anything near the same protection as an extract from the Child Protection Register and therefore the rules of not keeping it on an unattended desk would be absurd.
However the adoption of a clear desk policy helps to mitigate against this risk.

1.9 Therefore common sense and professional judgement must be applied taking into account other demands such as the Freedom of Information Act. For the avoidance of doubt, other supporting resources and contacts are available as described throughout this Policy.

2.0 Scope and Definition

2.1 Information security is defined as safeguarding information from unauthorised access or modification to ensure its:
• Confidentiality – ensuring that the information is accessible only to those who have access;
• Integrity – safeguarding the accuracy and completeness of information by protecting against unauthorised modification;
• Availability – ensuring that authorised users have access to information and associated assets where required.

2.2 This policy applies to everyone who has access to the council’s information, information assets or ICT equipment. These people are referred to as ‘users’ in this policy. This may include, but is not limited to employees of the council, members of the council, temporary workers, partners and contractual third parties.
2.3 The Information Security Policy applies to information in all its forms, including, but not limited to:
• Paper
• Electronic Documents
• E-mails
• Text messages
• Blogs, social media and discussion groups
• Visual images such as photographs and video
• Scanned images
• Microfiche and microfilm
• Published web content – internet and intranet
• Audio and video recordings
• Databases

2.4 Users of Council’s information assets will abide by UK and European legislation relevant to information security including:
• Data Protection Act 1998
• Freedom of Information Act 2000
• Computer Misuse Act 1990
• Electronic Communications Act 2000
• Copyright, Designs and Patents Act 1988
• Human Rights Act 1998
• Regulation of Investigatory Powers Act 2000
• Telecommunications (Lawful Business Practice) Regulations 2000
• Civil Contingencies Act 2004
This list is not exhaustive and may change over time.

2.5 This policy will also apply to any information created in any other format that may be introduced or used in the future.

2.6 The policy includes information transmitted by post, by person, by electronic means and by verbal communication, including telephone.

2.7 The policy applies throughout the lifecycle of the information from creation, utilisation, storage and to its ultimate disposal.

2.8 With regard to electronic information systems, it applies to use of council owned facilities and privately/externally owned systems when connected to the council network directly or indirectly.

2.9 Information belonging to third party and partner organisations will be handled and processed in line with this policy and in accordance with any requirements set out by the third party which may include Information Sharing Protocols (ISPs) or a Memorandum of Understanding (MoU).
3.0 Roles and Responsibilities

3.1 The Council’s Senior Information Risk Officer (SIRO) has responsibility for managing information risk on behalf of the Chief Executive and Senior Management Board, setting strategic direction and ensuring policies and processes are in place for the safe management of information.

3.2 Directors have responsibility for understanding and addressing information risk within their service areas, assigning ownership to Information Asset / System Owners and ensuring that within their directorate appropriate arrangements are in place to manage information risk, and to provide assurance on the security and use of those assets.

3.3 Information Asset / System Owners undertake information risk assessments, implement appropriate controls, recognise actual or potential security incidents and ensure that policies and procedures are followed.

4.0 Key policy purposes

4.1 The purpose of the policy is to provide a framework giving guidance for the establishment of standards, baselines, sub-policies, procedures and guidelines for implementing information security and reinforce the council’s commitment to ensuring that its information assets are protected and secure.
4.2 It aims to:
• Demonstrate assurance of the confidentiality, integrity and availability of information held or processed by the Council;
• Ensure that information risks are identified and managed appropriately;
• Minimise the business impact and interruption caused by security incidents;
• Ensure that all information and information systems upon which the council depends are designed and protected with security applied to the required standards;
• Ensure that all users are made aware of their obligations and have a proper awareness, concern and an adequate appreciation of their responsibilities for information security and take appropriate measures to avoid loss, misappropriation or misuse of information;
• Ensure that all users have an awareness of their responsibilities for processing personal information or any other information of commercial value;
• To ensure that any sharing of information is lawful, properly controlled and the Data protection rights of individuals are respected;
• Ensure that all contractors and their employees, temporary workers and other visitors likely to use and process council information have a proper awareness and concern for the security of council information;
• Meet the general objectives and support the principles of:
  • Cabinet Office Security Policy Framework (SPF);
  • ISO27001, International Standard on Information Security Management Systems (ISMS);
  • Payment Card Industry Data Security Standards (PCI-DSS);
  • Code of connection for the Public Sector Network (PSN);
  • Information Assurance Maturity Model;
  • LGA Data Handling Guidelines, and
  • NHS Information Governance toolkit.
5.0 Key Security Principles

5.1 The information lifecycle which is the creation, storage, maintenance, retention, sharing and disposal processes should comply with the following principles of information security:
• Measures taken or installed are appropriate to the level of security required to maintain the confidentiality, integrity and availability of information;
• Appropriate technical controls shall be implemented to ensure the protection and management of all electronic information;
• Users should take appropriate measures to prevent unlawful or unauthorised disclosure of information;
• Users should take appropriate measures to prevent accidental or malicious alteration or deletion of information;
• Users should be able to access information for the effective performance of their role;
• Access to information should be on a ‘need to know’ basis;
• Users will only be given access privileges which are absolutely essential to do their work i.e. principle of least privilege;
• Users must consider if they have now, in the past or in the foreseeable future, any possible conflicts of interest relating to the information they are accessing and, if so, should alert their line manager who must ensure there is a clear segregation of duties;
• Information security should not create a barrier to the flow of information across the council, but should provide appropriate controls and permissions;
• Users are accountable for their use of information, information assets and ICT equipment;
• Information security processes must comply with prevailing legislation e.g. Data Protection Act, Freedom of Information Act;
• All Information in any format must be assigned and marked with an appropriate classification in accordance with the Information Classification Scheme;
• Data backup and recovery and business continuity plans are tested and maintained to ensure that vital information services are available within defined service levels;
• Breaches of information security controls will be reported to and will be investigated by an officer who has been assigned information compliance responsibilities;
• Users will not copy software or licensed products without the permission of the owner of the copyright (under some circumstances such copying may be a breach of the Copyright, Designs and Patents Act 1988);
• Users will consider security when using and disposing of information and should:
  • Refer to the Council’s guidance and procedures related to retention and disposal;
  • Ensure that all information is covered by an appropriate retention period;
  • Follow established procedures for the safe and secure disposal of information;

5.2 All council computer hardware must be disposed of in accordance with Council guidance and procedures;

5.3 Users must take appropriate measures to prevent problems with Data quality.

6.0 Information Security Requirements

6.1 Sandwell Council has a significant investment in ICT and information. The Council is dependent upon the information it holds and processes.
The incorrect disclosure or loss of information or loss of its ICT processing facilities could lead to significant additional costs, loss of revenue and damage to the Council’s reputation as a result of:
• Business activities being fully or partially suspended (if the information is personal Data, formal intervention from the Information Commissioner);
• Having to recover information or ICT facilities and equipment;
• Unauthorised disclosure of protected information relating to individuals being made available to ‘interested parties’;
• Vulnerable citizens being put at risk as a result of key information not being available to the people who need it or being disclosed inappropriately;
• Fraudulent manipulation of cash or goods.

Always remember:
• Information Security is your personal responsibility. All information will have an owner or author. Know the rules for handling the information in your care. Stick to those rules without exception;
• Before making information available to anyone else, make certain you have the authority, including the legal power, to release it;
• Never access information unless it is part of your job and you have a business need to do so;
• Never give out information via the telephone or in any other way unless you are absolutely sure who you are giving it to, that it is adequately protected whilst in ‘transit’ and that the recipient is entitled to receive it;
• Remember - always take reasonable and practicable steps to protect the information you store or process;
• Ensure Data transfers are undertaken lawfully and legitimately using the correct tools and processes at all times;
• Do not disclose any details pertaining to the Council’s security systems or processes – take particular care of “social engineering” where this method may be used to probe for weaknesses and hence launch some form of attack on our systems.
When in the office:
• Never leave information out on your desk when you are not present;
• Adopt the clear desk policy;
• Always ‘lock’ your computer or smart phone before leaving your desk or the device unattended;
• Lock and remove the keys from cabinets or other storage units if you leave the office unattended – during the daytime or out of hours;
• Choose your passwords carefully and never let anyone else know them;
• Challenge anyone you see in the building who should not be there – do not allow anyone to ‘tail gate’ you through security doors.

On the move:
• Never take information out of the office unless you need to;
• Keep your ICT equipment – laptops, telephone, smart phone and paperwork secure at all times;
• Never leave equipment, information or documents in a vehicle when it is unattended and always travel with it locked securely and out of sight e.g. in the boot;
• When working in a public place, make sure you are not overheard and that information cannot be seen by others;
• Take care when using public or free networks – these may not be secure and Data may be intercepted;
• When agile working ensure you take account of all the appropriate guidance – this is equally important when working at home as in a Council office.

Transmitting information:
• Ensure the information is being sent / transmitted to the correct person / destination;
• Always make sure you know what Protective Marking or sensitivity the information you are using should have and always comply with that level of protection;
• Be certain you are sending only what you absolutely need to send and no more;
• Ensure the method of transfer is appropriate to the protection of that information and if in any doubt do not use it e.g. use of provided encryption tools whenever available;
• Data Processing Agreements and /or Protocols must be in place for any information transferred to a third party and the Council remains as the recognised Data Controller;
• Undertake Privacy Impact Assessments where necessary.
7.0 Training

7.1 Appropriate training will be made available for new and existing staff who have responsibility for information governance duties;

7.2 All users will be made aware of their obligations for information governance through effective communication programmes;

7.3 Each new employee will be made aware of their obligations for information governance during their induction programme;

7.4 Training requirements will be reviewed on a regular basis to take account of the needs of the individual, and to ensure that users are adequately trained.

8.0 Policy Compliance and Audit

8.1 Failure to observe the requirements set out in this policy may be regarded as serious and any breach may render an employee liable to action under the council’s disciplinary procedure.

8.2 Non-compliance with this policy could have a significant effect on the efficient operation of the Council and may result in financial loss and an inability to provide necessary services to our service users. The Council will undertake audits as required to monitor compliance with its information governance policies and, where necessary, will monitor users’ access to information for the purpose of detecting breaches of this policy and/or other information governance policies and procedures.

8.3 It is the duty of all users to report, as soon as practicably possible, any actual or suspected breaches in information security in accordance with the procedures outlined on the Information Management Unit intranet.

8.4 Any user who does not understand the implications of this policy or how it may apply to them, should seek advice from their immediate line manager and/or the Information Management Unit.

9.0 Information Security Policy Exemptions

9.1 Exceptions will be granted only where there is a clear business case to do so, and where there is evidence that a risk assessment has been undertaken and any additional risks introduced by the exception are mitigated to an acceptable level.
The approval of the relevant Director is required, along with the approval of the Information Management Unit.

End of document

APPENDIX C: BLUE LIGHT TERMS OF REFERENCE AND OPERATING PROCEDURE

Terms of Reference and Operating Procedures for the Blue Light multi-agency group in Sandwell

1. Introduction

The perception exists that if a problem drinker does not want to change, nothing can be done to help until the person discovers some motivation. Alcohol Concern’s Blue Light project has challenged this approach. It has shown that harm reduction, risk management and motivation enhancement strategies exist and can be used with change resistant drinkers. More importantly tackling this group will target some of the most risky, vulnerable and costly individuals in society. Sandwell MBC and its partners aim to work together to target the burden on our community from change resistant problem drinkers.

2. A multi-agency group targeting the highest risk drinkers

An intensive response cannot be offered to the vast number of drinkers who are not engaging with services. Alcohol Identification and Brief Advice and the offer of services are a reasonable approach to a large swathe of these drinkers. However, a small group require a more targeted approach. The borough has set up a multi-agency framework for managing high risk change resistant drinkers. At the heart of this process is a multi-agency group which meets at least monthly.

3. Aim

The aim of this group will be to:
• Improve the management of change resistant drinkers and thereby reduce the impact that they are having on the community generally and public services specifically.

4. Membership

This will have core membership of:
• Sandwell Metropolitan Borough Council
• West Midlands Ambulance Service NHS Foundation Trust
• West Midlands Police
• Black Country Partnership Foundation Trust
• Swanswell Charitable Trust
• Sandwell and West Birmingham Hospital Trust
• Sandwell Women’s Aid
• West Midlands Fire Service
• The Staffordshire and West Midlands Community Rehabilitation Company Limited
• National Probation Service
• IRiS Sandwell

A quorum of 5 members will be required for the meeting to proceed.

5. Level of attendance

It is vital that the person representing each agency is of the appropriate level to engage with this process, i.e. operational but with some seniority to ensure that actions are taken.

6. Identifying the clients

The group members will individually be responsible for identifying the change resistant drinkers that they want to see being discussed at the meeting. A single definition of this client group is not possible but the people to be managed by the group are likely to meet the following definition:

i. An alcohol problem
• Have an enduring pattern of problem drinking, dating back at least ten years &
• Score 20+ on AUDIT or
• Be classified as dependent on SADQ (16-30 = moderate dependence / 30 is severe dependence; range is 0-60) or
• Have other markers of dependence on alcohol (Ethanol levels or biomarkers such as LFT scores may also be used)

ii. A pattern of not engaging with or benefiting from alcohol treatment
Clients will:
• Have been subject to alcohol Identification and Brief Advice (IBA) &
• Have been referred to services, usually on more than two occasions, and have not attended, attended and then disengaged or remained engaged but not changed.

iii. A burden on public services
Clients will either directly, or via their effect on others e.g. their family, be placing a burden on the following services:
• Health
• Social care including adults involved with children’s services
• Criminal Justice / ASB / Domestic violence Services
• Emergency services (999)
• Housing and homelessness agencies

The burden will be mainly due to multiple use of individual services, but in a few cases may be due to placing an exceptional burden on these services because of a single risk (e.g. a sex offender released from prison with a pattern of problematic drinking).

Appendix 1 sets out indicators of high burden clients which may indicate the type of client to be tackled through this process.

Exception 1 – level of risk
An exception category will be required. For example, a person may meet the first two criteria (dependence and non-engagement) but the burden on public services is due to a single exceptional risk.

Exception 2 – engaged with other multi-agency groups
If a person is already engaged with another multi-agency group e.g. MARAC or MAPPA they will not be taken on by the Blue Group without a clear decision from the other group. The assumption will usually be that management will remain with the existing group.

It is recognised that this group can only manage a small number of high burden clients at any one time. Therefore, as a check and control on the process:
• When a new client is presented to the meeting it will be down to the partner agencies to agree that this is an appropriate and manageable referral at that point in time.

7. Chair and note taking

The chair of the meeting (and a deputy) will be agreed by the members of the group. For the sake of consistency the chair should remain the same from meeting to meeting.

Notes of the meeting will be in the form of a spreadsheet which will be updated each meeting. Each partner agency who is involved with the client will be expected to update their notes on the client after each meeting.

8. Information sharing

This guidance is based on HM Government’s Seven golden rules for information sharing. The phrases in bold below are quotes from the rules (See appendix 1).

The multi-agency group operates within a robust information sharing protocol. All participating agencies must be signatories to this protocol.

Information cannot be shared about these clients unless the basis on which the sharing occurs is clear and agreed by the members. This will be either because:
• Client consent has been secured; or
• The Data Protection Act recognises that public interest allows the sharing of information, as do other laws such as the Human Rights Act. The public interest generally lies in the prevention of abuse or harm, or the protection of others, including the protection of public safety.i

Consent forms
The consent form attached at appendix 6 should be used. Alternatively, many partners will have their own client consent forms. These will be acceptable to the group as long as it is clear that appropriate information sharing is permitted with the group.

Confidential person-identifiable information that is disclosed in the public interest will be proportionate and relevant and not excessive to the case concerned. As a result, the following process is followed:

Information will be ideally shared with consent:
• The referring agency will secure consent to share information with the members of the multi-agency group.

If this is not possible:
• Outline but anonymous details of the client will be presented to the group in order to consider safety and well-being concerns which might allow information sharing.
• Discussion and agreement will take place as to whether considerations of the safety and well-being of the person and others who may be affected by their actions create a public interest case for sharing the information.
If this is agreed:
• Keep a record: The agreement will be recorded in the minutes with the reason for the decision and the relevant legal framework. The three key legal frameworks are listed in appendix 3.
• Inform the service user who is the subject of that information of the decision to disclose. This will happen even where their consent is not required, unless it would not be safe to do so or would otherwise undermine the purpose of the disclosure e.g. allow a perpetrator to avoid detection.

If there are any doubts about the legality of sharing a particular set of information further advice should be sought from the relevant organisation’s Information Governance Lead or Caldicott Guardian.

9. Security and data management

Confidentiality of data must be maintained when case details need to be circulated for panel meetings. At all stages of the exchange the principle that the information should be available only to those who have a specific and legitimate need to see it must be maintained by all parties.

Data must only be sent if the means of transmission is secure and it can be established that the appropriate recipient’s access to the transmission is equally secure.

Only the original paper copies of papers are retained by the coordinator. All other copies are returned and destroyed.

Data must be stored securely, regularly reviewed and disposed of in accordance with the receiving organisation’s Retention and Disposal policy and procedures when no longer required for the purpose it was originally obtained.

10. Facilitating data collection and performance management

The performance of the group will be measured by looking at whether the process has reduced the burden on public services. Therefore:
• at entry into the process, the referring agency will provide details on service usage over the last 6-12 months e.g. number of arrests, ASB complaints, 999 calls, hospital admissions.

This will allow monitoring over time.
It will also allow a judgement about the appropriateness of the client for the group.

11. Process

This section sets out a process for managing the multi-agency meeting.

►The chair of the meeting reminds all concerned of the protocols within the agreed sharing of information document.

►The chair ensures the identity and agency of all people in the meeting is clear to ensure that all are covered by the information-sharing protocol.

►New clients for the process will be presented.

►The chair will ensure the information-sharing permissions are in place for this person.

►The referring agency will present a short case history of the person. Other agencies will share any available information on that person.

►The partner agencies will develop and agree a joint action/care plan for each individual. Although this care plan will be jointly owned, lead responsibility will lie with the agency who brought the client to the group. They will draft and store the care plan. A copy will be held by the chair of the group and by other agencies who may be involved with this person. They will retain the lead on this until the case is closed or it is passed to another agency in the group.

►The care plan will use the Blue Light multi-agency group checklist in appendix 4 to provide a framework for the plan and to ensure that the key opportunities are being addressed.

Two particular issues must be addressed:

►The partner agencies will ensure that, where relevant, their staff are aware that when this service user is identified a specific response is required e.g.:
• Positive encouragement will be given to promote client self-belief.
• Harm reduction and risk management advice will be given.
This should draw on the approaches set out in the Blue Light manual.

►It should be clarified whether signed permission for Swanswell to make contact has been secured. If not, all agencies who come into contact with this person should be seeking this consent.
►If consent is secured, Swanswell should be contacted within two working hours.

►If consent is not secured, the multi-agency meeting will ensure that agency staff continue to seek opportunities to engage and the group will consider alternative approaches e.g.
• Barriers which may be preventing engagement in services.
• Alternative approaches to engaging the person.
• Other local resources, such as faith groups, which could be utilised to work with the individual.
• Involving family members.
• Identifying incentives to engage the person in treatment.
• The possible use of compulsory powers.

►In some cases it will be decided that a small sub-group (or conference-call) will be set up for an individual involving a group of workers more specific to that person. This will operate under the same confidentiality / information-sharing protocol and will report back to the main group.

►In some cases this group will be responsible for identifying, recording and reporting unmet need to commissioners. In the light of this data the SDAP will review whether specific service development is required e.g. an expansion of outreach capacity.

►If appropriate, the group will:
• ask the borough to consider an expedited process to assess the person for community care resources.
• consider the use of legal powers such as civil injunctions.

Swanswell role

Once Swanswell have consent to make contact:
• They will offer an assertive response including a swift appointment, a home visit or a meeting at a convenient location.
• Wherever possible the referring agency should undertake an initial joint visit.
• Swanswell will require the provision of relevant risk information.
• Swanswell will make assertive efforts to reduce risk and harm and engage the person into service.
• Partner agencies will work in concert by reinforcing messages to the person about harm reduction and encouraging change.
• All agencies involved with the person will report back to the monthly meeting on progress and next steps.
►If consent is secured and Swanswell manage to engage the person, they will work within their existing resources to: maintain engagement assess risk reduce harm and manage risk encourage engagement with general services such as primary care encourage engagement with specialist services. ►Where appropriate Swanswell will engage other agencies to support their work. This involvement should be agreed wherever possible, e.g. the ambulance service jointly visiting a client. 12. Terminating the process The group’s oversight will be terminated: If the person is successfully engaged with specialist services and it is agreed by the group that client’s behaviour is more stable. If the person is sentenced to prison or enters hospital as a long stay patient. If the person moves away from the area. However, in these circumstances, the group will ensure that information has been shared, if appropriate, with local agencies in the new area. In some cases a decision will be taken to remove the person from the group’s consideration if it is felt that no further benefit will be gained from the process. In this case the group needs to be sure that at least one agency has ongoing oversight. If the person dies during the process, consideration will be given to whether an alcohol related death review process should be recommended. [IL0: UNCLASSIFIED] 37 13. Measuring the impact The impact targets for this work are very straightforward and will encompass output and outcome targets. Output: The number of clients identified by the multi-agency group who are engaged and the period of engagement Outcome: The reduction in the behaviours which had brought the client to the attention of the multi-agency group e.g. hospital attendances, arrests, 999 calls etc. The key outcome target will be to reduce the cost burdens presented by the clients meeting the definition and brought to the multi-agency group by 20% per annum. 14. 
Equality and diversity The organisations participating in this process are committed to ensuring that it treats service users fairly, equitably and reasonably and that it does not discriminate against individuals or groups on the basis of their ethnic origin, physical or mental abilities, gender, age, religious beliefs or sexual orientation. 15. Reviewing these arrangements These arrangements will be reviewed after 6 months and annually thereafter. This review will ensure the process is relevant and fit for purpose. [IL0: UNCLASSIFIED] 38 Agreement to Terms of Reference I confirm that our agency will be a partner to the Blue Light Multi-Agency process and will adhere to the Terms of Reference above and the associated information sharing protocol indicated. For and on behalf of the Client Signature Name On behalf of (Agency) Date Position Address Email Telephone number [IL0: UNCLASSIFIED] 39 Appendix C1 - HM Government - Seven golden rules for information sharing 1. Remember that the Data Protection Act is not a barrier to sharing information but provides a framework to ensure that personal information about living persons is shared appropriately. 2. Be open and honest with the person (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so. 3. Seek advice if you are in any doubt, without disclosing the identity of the person where possible. 4. Share with consent where appropriate and, where possible, respect the wishes of those who do not consent to share confidential information. You may still share information without consent if, in your judgement, that lack of consent can be overridden in the public interest. You will need to base your judgement on the facts of the case. 5. 
Consider safety and well-being: Base your information sharing decisions on considerations of the safety and well-being of the person and others who may be affected by their actions.
6. Necessary, proportionate, relevant, accurate, timely and secure: Ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those people who need to have it, is accurate and up-to-date, is shared in a timely fashion, and is shared securely.
7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.[ii]

Appendix C2 – Caldicott Principles

Principle 1 Justify the purpose(s)
Every proposed use or transfer of patient-identifiable information within or from an organisation should be clearly defined and scrutinised, with continuing uses regularly reviewed by an appropriate guardian.

Principle 2 Don’t use patient-identifiable information unless it is absolutely necessary
Patient-identifiable data items should not be used unless there is no alternative.

Principle 3 Use the minimum necessary patient-identifiable information
Where use of patient-identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability.

Principle 4 Access to patient-identifiable information should be on a strict need to know basis
Only those individuals who need access to patient-identifiable information should have access to it, and they should only have access to the information items that they need to see.

Principle 5 Everyone should be aware of their responsibilities
Action should be taken to ensure that those handling patient-identifiable information (both clinical and non-clinical staff) are made fully aware of their responsibilities and obligations to respect patient confidentiality.
Principle 6 Understand and comply with the law
Every use of patient-identifiable information must be lawful. Someone in each organisation should be responsible for ensuring that the organisation complies with legal requirements.

Principle 7 The duty to share information can be as important as the duty to protect patient confidentiality
Health and social care professionals should have the confidence to share information in the best interests of their patients within the framework set out by these principles. They should be supported by the policies of their employers, regulators and professional bodies.

Appendix C3 - Frameworks within which information sharing may happen

Where there is concern that a child may be suffering, or is at risk of suffering harm, the child’s safety and welfare must be the first consideration. In these circumstances the Safeguarding Children Boards Child Protection Procedures must be followed.

Where there is concern that a vulnerable adult may be suffering, or is at risk of suffering harm, the individual’s safety and welfare must be the first consideration. In these circumstances the local Multi Agency Safeguarding Policy and Procedure must be followed.

If the purpose is primary or secondary health care use and the care and treatment of the patient is central to the purpose and the patient identifiable data is shared only between those responsible for the delivery of that care and treatment then consent can be reasonably implied.

Three pieces of legislation allow information sharing in different settings:

• The European Convention on Human Rights, incorporated into English law from October 2000, by the Human Rights Act 1998: Article 8: Right to respect for private and family life states that:
1. Everyone has the right to respect for his private and family life, his home and his correspondence.
2.
There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.

• The Crime and Disorder Act 1998 - Section 115 as amended by the Police Reform Act 2002 gives power to any person to disclose information to police authorities and chief constables, local authorities, probation committees, various health authorities, various fire and emergency authorities, and (since 2005) registered social landlords, or persons acting on their behalf so long as such disclosure is necessary for the purposes of any provision of the CDA. These purposes include a range of measures, such as: local crime audits, anti-social behaviour orders, sex offender orders and local child curfew schemes. In addition, the CDA requires local authorities to exercise their own functions with due regard to the need to do all that it reasonably can to prevent crime and disorder in its area.

• The Criminal Justice Act 2003 extended the scope of MAPPA by imposing a duty on public bodies outside the criminal justice system, including NHS Trusts, to co-operate with the responsible authority for MAPPA. In practical terms this duty imposes the following obligations:
  • A general duty to cooperate in the supply of information to other agencies in relation to risk assessment and risk management.
  • A duty on professionals to consider, as part of the care planning process, whether there is a need to share information about individuals who come within the MAPPA criteria.
  • The need to develop protocols between agencies for exchanging information and other forms of cooperation.

Appendix C4 - A process checklist

1 Have people been spoken to about agency concerns, the impact of their presenting problems and been given relevant brief advice about changing their situation and seeking help?
2 Have people been referred to relevant specialist services?
3 Has someone assessed the client to identify barriers to change and engagement? Are there reasons why this person will find it difficult to change? These could include low self-esteem, physical health problems, or peers who sabotage change.
4 Has someone undertaken a specific assessment of risks, e.g. fire risks, trip hazards in the home, noise nuisance?
5 Has the client had a physical health check with their GP and/or a dental or other physical check?
6 Have motivational interventions or a motivational interviewing approach been used with the person?
7 Has the client been offered ongoing enhanced personalised education, i.e. highlighting the very specific risks?
8 Have efforts been made to promote self-efficacy, i.e. encouraging the client to believe that change is possible?
9 Have efforts been made to involve family members, significant others or relevant carers, where appropriate, in care planning?
10 Has contingency management been used, i.e. incentivising engagement with treatment through the offer of food vouchers, or other small incentives?
11 Have efforts been made to reduce any potential harms to the client or other people, e.g. ensuring a smoke alarm is fitted, thinking about trip hazards in the home?
12 Has a single care coordinator been identified to manage and coordinate the care?
13 If the client shows motivation to change have arrangements been put in place to enable a fast track into care?
14 Have community care resources been considered for purchasing outreach, befriending or other support?
15 Have assertive outreach or peer support approaches been used? make contact with this person?
16 Has consideration been given to whether anything is supporting the negative behaviour, e.g. is a family member buying alcohol?
17 Are there legal powers which can be used to contain the behaviour? Could a PCSO

Appendix C5 Confidentiality Statement for meeting

Name of meeting:
Date/time:
Venue:

Confidentiality Statement:
I agree that information shared at this meeting is only to be used in relation to working with adults as outlined within the Sandwell Blue Light meeting terms of reference. Information shared at this meeting will not be used outside of this group for any other purpose than that agreed within this meeting. All personal information shared should be treated as highly confidential and all data should be transported and stored in accordance with each agency’s information security policy and procedures.

Name    Organisation    Contact details    Signature

Signature of the chair as witness to the above signatures ___________________________________________
Date________________________

Appendix C6 Blue Light Multi-Agency Information Sharing Protocol - Consent Form

The professional stated below believes that you may be at risk of harming yourself or other people and is seeking your consent to make a referral to the Sandwell Blue Light multi-agency management group.

If you agree to give your consent, some or all of the following information may be shared: your personal details, information about your carers, your current environment and details of the risk. This may be shared with a multi-agency group, which could include representatives from health, police, emergency services, the local authority, housing providers and substance misuse services. These people are qualified and will consider the information put forward and make recommendations on how the care you receive might be extended to support you further with any difficulties you may be experiencing.
The professionals involved are trained to protect your rights to privacy and confidentiality and this will be respected at all times. (If we believe you are at significant risk, or if other people are at risk, professionals can still disclose information under common law “Duty of Confidence” without your consent, or if we have a legal obligation to do so, such as under the Crime and Disorder Act 1998.)

Please provide the relevant information below:

Is this information about you? Yes / No
If ‘No’, who is the information about?
Name of data subject:
Address:
DOB (ddmmyyyy):
Are you acting as: Parent/Guardian/Carer / Other (please describe)
Have the reasons for requesting consent been explained to you? Yes / No

I give (name of agency/person)……………………………………….. consent to process information in relation to a safeguarding concerning the above named data subject.

To be filled out by the relevant professional the information is being obtained by.
Organisation:
Name of professional:
Professional’s role:
Contact details:

If consent was not obtained please state why below: (e.g. not given, not practicable due to risk, mental capacity)

i The Public Interest test applies when consent cannot be obtained or has been sought and refused. Circumstances that meet the public interest test are as follows:
• Promoting the welfare of children
• Protecting children or adults from significant harm
• The prevention, detection or prosecution of serious crime.
NB The Public Safety test applies when consent should not be sought. The public safety test is met when to seek consent, or delay the information sharing while consent is sought would heighten the risk of significant harm to a child or adult at risk.

ii HM Government – Information Sharing – Pocket Guide – 2008

Appendix C7: Blue Light Operational Group: Information Sharing Decision Flowchart

End of Document