Approved copy September 2013 Thames Valley Police Reviewed February 2015 Partner Review Pending 2015 Safer Slough Partnership JOINT PROTOCOL ON INFORMATION EXCHANGE 1 THE CRIME AND DISORDER ACT 1998 JOINT PROTOCOL ON INFORMATION EXCHANGE 1. INTRODUCTION Actions taken as a consequence of this policy will be applied in an impartial and fair way having due regard for natural justice and human rights. This protocol has the potential to engage the following Articles: Article 3 Freedom from Torture or inhuman or degrading treatment Article 5 Right to Liberty Article 8 Right to Respect for Private and Family Life Article 11 Right to Freedom of Assembly and Association Article 14 Prohibition of Discrimination 1.1 Protocol 1, Article 1 Protection of Property Review of the Protocol This Protocol will be reviewed annually. The review will take account of the following criteria :- 1.2 Changes in legislation Human rights challenges in domestic and Human rights Courts Changes to ACPO and DCLG guidance Representations made in relation to this document (appropriate authorities, nongovernmental organisations and individuals) Review of the Protocol as at May 2008 The Government announced a review of the partnership provisions of the Crime and Disorder Act 1998 in the police reform White Paper - Building Communities, Beating Crime - in November 2004. This review had an impact on this protocol in two ways: The Review recommended extending the role of CDRPs by placing a duty on responsible authorities to prevent and reduce crime and disorder, anti-social behaviour, behaviour adversely affecting the environment and substance misuse in their local area. 2 The Review recommended strengthening section 115 of the Crime and Disorder Act, which gives relevant agencies the power to disclose information, and place a duty on responsible authorities to share depersonalised data which are relevant for community safety purposes and already held in a depersonalised format. This duty will apply to data already collected by partner agencies in a depersonalised format. 2. 2.1 PARTIES TO THIS PROTOCOL The parties to this Protocol are listed in Appendix A. It will be the responsibility of these parties to ensure that; 2.2 Realistic expectations prevail from the outset Ethical standards are maintained A mechanism exists by which the flow of information can be controlled Appropriate training is provided The parties agree that other organisations and groups in the voluntary and community sector may also become parties to the protocol where this is necessary or expedient for the purposes of the Crime & Disorder Act. No such organisation or group may join the Protocol without the prior consent of all existing parties. Any additional party joining the Protocol shall agree in writing to abide by the terms of this Protocol and shall provide an indemnity to each of the parties to the Protocol in the form set out in Appendix D. Until such time as an agreement has been signed and indemnity provided, no personal or sensitive information will be disclosed. 2.3 Further, after the date of any such agreement, this Protocol shall be read so that references to the parties shall include references to any such organisation or group. These organisations and indeed the individual housing associations will not be ‘Relevant Authorities’ as defined by the Crime & Disorder Act and they will therefore need to decide on what basis they are participating in the Protocol. The Data Protection Act 1998, First Data Protection Principle requires that data controllers have a legitimate basis for their processing. This means that they must be able to satisfy one or more of the criteria in Schedule 2 of the Data Protection Act 1998. 3 2.4 It is useful to note that whilst Section 115 of Crime and Disorder Act 1998 ensures agencies have a power to disclose it does not impose a requirement on them to exchange information, and so control over disclosure remains with the agency which holds the data. Information exchange, whether carried out under the power in section 115 or under any other common law or statutory power, is therefore controlled by the normal data protection regime and common law (see Annex A to Section Five of “Guidance on Statutory Crime and Disorder Partnerships - Crime and Disorder Act 1998”, Home Office, 1998.). 3. PURPOSE. 3.1 Purpose The purpose of this protocol is to facilitate the exchange of data in order to comply with the statutory duty on chief police officers and local authorities to work together to develop and implement a strategy to reduce crime and disorder, anti-social behaviour, behaviour adversely affecting the environment and substance misuse in the local area. 3.2 The protocol explains the principles that must be followed when exchanging information. This will apply to: any Order under the Crime and Disorder Act. the exchange of personal information following a conviction by a Court. For example: o Drug Treatment and Testing Orders, o Reparation Orders, o Action Plan Orders, o Supervision Orders, o Detention and Training Orders, o Parenting Orders, o PVP Register (Potential Violent Persons) 3.3 The exchange of information intended to support any action for the purposes of the Act, namely the reduction or prevention of crime and disorder whether under this Act or otherwise. E.g. the exchange of information to support proceedings under the Housing Acts. The parties recognise that the section 115 of the Crime and Disorder Act can only be used to disclose information to an 4 individual or group where that disclosure is necessary or expedient to support of the local strategy to reduce crime and disorder, anti-social behaviour, behaviour adversely affecting the environment and substance misuse in the local area. Section 115 does not apply to providing information to private companies or voluntary organisations, unless they are formally providing services on behalf of a Responsible Authority. (If providing information to private companies or voluntary organisations within the Partnership, another legal basis for this sharing should be sought). Information will not be shared where disclosure would prejudice ongoing proceedings or sensitive cases unless there is an overriding public safety requirement to do so. Thames Valley Police is required to make additional information sharing considerations as stated in the Code of Practice on the Management of Police Information and Authorised Professional Practice. Thames Valley Police will only be able to share policing information with partners where one or more of the following policing purposes are satisfied: Protecting life and property, Preserving order, Preventing the commission of offences, Bringing offenders to justice, Duty under common or statute law. 4. 4.1 DEFINITIONS. In this protocol: Crime: is defined as any act, default, or conduct prejudicial to the community, the commission of which, by law, renders the person responsible liable to punishment by a fine, imprisonment, or other penalty. Anti-social behaviour: means acting in a manner which causes or is likely to cause harassment, alarm or distress to one or more persons not of the same household as himself. 5 Disorder: is an expression which refers to the level or pattern of anti-social behaviour within a particular area. Personal data means data that relates to a living individual who can be identified either : from the data, or from the data and any other information which is in the possession of, or is likely to come into the possession of the data holder; Maintenance of good order is defined as: The maintenance of a state of security and tranquillity that should exist in a civilised society Depersonalised information is information which does not identify a data subject. If the data can be so categorised, it may be regarded as outside the purview of the Data Protection Act 1998 and hence this guidance and any protocol based upon it. However, the benefits of a protocol even for this type of information should always be considered. Designated officers means the person or persons whom either jointly or alone determine the purposes for which personal information is processed; Relevant authority means: the chief officer of police a Police and Crime Commissioner, in accordance with the Police Reforms and Social Responsibility Act 2011 a local authority, that is to say, in relation to England, a county council, a district council, a London borough or the Common Council of the City of London; a Probation committee in England and Wales; A Health authority (including East Berkshire Primary Care Trust). A Youth Offending Team Registered Social Landlords (Housing Associations registered with Housing Corporation ) for the purposes of Antisocial Behaviour Orders vide Section 1 of the Crime and Disorder Act, 1998 as amended by the Police reform Act, 2002. 5. DESIGNATED OFFICERS. 5.1 The following are designated to assume responsibility for data protection (including notification if appropriate); security and confidentiality; and compliance with legislation. Each party to the protocol will nominate one or more Designated Officers to process, or initiate requests for personal 6 information and conviction data. A list of those officers so nominated in each party agency will be attached at Appendix A. All persons nominated as ‘Designated Officers‘ should be familiar with the terms of this Protocol. It will be Best Practice for each party to the Protocol to ensure that each of their own Designated Officers receives an appropriate level of training and information to allow him/her to carry out his role in data exchange. o Any request for information must be made by and to designated officers in each agency. The request for information should be recorded using the forms approved, (copies may be found at Appendix B). When information is disclosed it must be stored securely and destroyed when it is no longer required for the purpose for which it was initially provided. All requests should be acknowledged within 10 working days and should be dealt with within 20 working days. Where any request cannot be dealt within these time limits the data owner shall notify the requesting party immediately the delay is known. When making the application the requesting party shall notify the data owner of any time restrictions on the supply of data, e.g. Court dates. 6. INFORMATION EXCHANGE. 6.1 Each party to the protocol will be responsible for ensuring that they are properly registered with the Data Protection Commissioner to exchange personal information under this protocol. The parties will also comply with the principles set out in the Data Protection Act. 1998 and Human Rights Act 1998. 6.2 Any information being shared must be proportionate and necessary for the purpose for which it is being shared. 7.PERSONAL DATA. 7.1 Section 115 of the Crime and Disorder Act provides a lawful power to exchange information including personal information. It does not impose a duty on them to do so. The parties envisage that exchange will be made in response to a request wherever lawfully possible and where this is 7 necessary or expedient for the purposes of that Act. Control however remains with the disclosing party. If failure to share personal information would mean that the stated objectives of the requesting party cannot be achieved, then each party should consider whether they have power to disclose. 7.2 Any disclosure of personal data must have regard to both common law and statute. More detailed guidance is given on this aspect in the Guidance Notes for Designated Officers attached at Appendix F. In addition, the principles of data protection must be complied with unless and to the extent that any exemption under the Data Protection Act 1998 applies. Further guidance on these principles may be found in Appendix F. 7.3 The underlying principle of this protocol is that a party will always retain ownership of personal information it discloses. It is therefore essential that the identity of the originator must be recorded against the relevant data. A recipient of disclosed information can only use it for the stated purpose and must obtain the consent of the original data owner before making a further disclosure. In respect of this requirement each department of a party will be treated as a separate agency. Requests for secondary or further use of the information should be made using the appropriate from. A copy of that form is attached at Appendix C 7.4 The identity of the originator must be recorded against the relevant data. No secondary use or other use may be made unless the consent of the disclosing party to that secondary use is sought and granted. Disclosure must be compatible with the second data protection principle: 'Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 7.5 Although section 115 provides a lawful power to exchange information, the presumption of confidentiality will still apply. This means that designated officers must make an objective assessment of all the available information to determine whether the public interest justifies disclosure. In making that decision, the following alternative powers should be considered:- 8 7.6 Information discovered to be inaccurate or inadequate for the purpose will be notified to the data owner who will be responsible for correcting the data and notifying all other recipients of the data who must ensure that the correction is made. 7.6.1 Conviction Data. Details of relevant convictions recorded on the Police National Computer, or retained on file by the parties to this protocol can be released to another designated officer to support proceedings under the Crime and Disorder Act. However, it is recognised that care must be exercised in the disclosure of conviction data and a designated officer must ensure that the information is accurate and relevant to an enquiry before it is released. 7.6.2 Review and Weeding Data. Parties to the protocol must ensure that all data obtained from any other agency is only retained for the minimum period required to achieve the objectives of the project after which the data will be returned to the originator or destroyed as agreed. The recipient of the information is required to keep it stored securely and will destroy it in a secure manner or return when no longer necessary for that purpose. It will be the responsibility of the recipient to ensure that all data is relevant, accurate and up to date. In any case the review and weeding of data must be in accordance with policy and procedures agreed by the parties. 7.6.3 Consent. Many of the data protection issues surrounding the disclosure can be avoided if the consent of the individual has been sought and obtained. No details of victims, witnesses or complainants should be disclosed without their written consent. Consent should be obtained using the form attached at Appendix E. 8. PUBLIC INTEREST. 8.1 If informed consent has not been sought or sought and withheld the agency must consider if there is an overriding public interest of justification for the disclosure. In making this decision the following questions should be considered. 9 • Is the disclosure necessary for the prevention or detection of crime, prevention of disorder, to protect public safety, or to protect the rights and freedoms of others? • Is the disclosure necessary for the protection of young or other vulnerable people? • What risk to others is posed by this individual? • What is the vulnerability of those who may be at risk? • What will be the impact of the disclosure on the offender? • Is the disclosure proportionate to the intended aim? • Is there an equally effective but less intrusive alternative means of achieving that aim? 9. NON DISCLOSURE EXEMPTIONS. 9.1 The Data Protection Act 1998 maintains the crime prevention exemptions of the Data Protection Act 1984. Disclosure maybe made where it is for the purpose of the prevention or detection of crime, apprehension or prosecution of offenders, and where failure to disclose would be likely to prejudice those objectives, decisions must be made on a case by case basis, s29(3). Any request for information whose purpose is the prevention or detection of crime should specify as clearly as possible how failure to disclose would prejudice this objective. The request should make clear: • why the information is necessary, e.g. why proceedings might fail without the information; and • why it is envisaged that a successful action would prevent crime, e.g. what is the projected effect of successful proceedings. 10. HUMAN RIGHTS 10.1 For details on Human Rights See Appendix I. 11. YOUTH OFFENDING TEAMS. 11.1 Relevant information can be disclosed to the members of a youth offending team (YOT) either post conviction or following a police reprimand, final warning or caution. This will allow a 10 comprehensive action plan to be developed which addresses all the risk factors associated with the person concerned. 11.2 Following the initial referral, designated officers attached to the team will be responsible for the further disclosure of relevant personal information and conviction data. There may be occasions when it is necessary or expedient for members of the youth offending team to disclose personal information to another agency or group. In such circumstances the following guidelines must be followed: a secondary disclosure of personal information must be authorised by the original data owner, the disclosure must support action under the Crime and Disorder Act, the public interest must outweigh any duty of confidentiality, the information must be processed fairly. the youth offending team manager will be responsible for ensuring that personal information provided to the team is processed in accordance with the Data Protection Act 1998. 12. ABANDONED VEHICLES 12.1 Abandoned vehicles constitute a crime risk (e.g. damage, theft, arson) and by their presence contribute to a downward spiral in the overall security, confidence and order of a locality. For the purposes of their prompt removal by or on behalf of Slough Borough Council, the Thames Valley Police will endeavour to supply keeper details on request. The unit/section/officer of the Council which will receive the details is named in the list of nominated officers. The unit/section/officer of the Police Area which will provide the details is named in the list of nominated officers. Requests for details will be recorded in a register to be held on the Police Area in the CIMU, and subject to external audit. 12.2 The signatories to this protocol hereby acknowledge that any information exchanged for the purpose of dealing with abandoned vehicle shall not be disclosed other than for the following reasons: to support joint agency approaches to identifying and managing the risk of crime and disorder; 11 to enable the parties to pool their expertise in assessing the nature and level of risk posed by potential offenders; to enable the parties to co-operate in averting identified risks of crime and disorder and its consequences; 13. to reduce risk and fear experienced by staff, identified individuals and the public at large; assist strategic planning; help implement the provisions of the Crime and Disorder Act; DE-PERSONALISED INFORMATION. 13.1 If the purposes of the Act can be achieved using depersonalised information then this should be the preferred method. The exchange of depersonalised information should be considered where this can be used to: facilitate strategic planning; identify areas of high crime or disorder; measure the impact of CCTV or other preventative schemes; determine whether the local crime reduction strategy is delivering best value. 14. PARTIES TO THE PROTOCOL 14.1 The parties to this protocol agree to share depersonalised information from the following indices. This is not an exhaustive list and other indices may be agreed between the parties. 14.2 14.3 Police: crime statistics detected, reported and recorded, incidents reported to the police, calls for police assistance (Command and Control data), characteristics of offenders, characteristics of victims, road traffic accident data, Local authorities, Housing ALMO and Housing Associations: 12 criminal damage and graffiti removal, derelict and empty property, emergency out of hours calls, nuisance families, resident complaints, racial, homophobic and domestic violence incidents, registered homeless, rehoused homeless, victims, offenders, turnover of tenants, street lighting, licences issued by the local authority, noise levels and nuisance neighbours, dog related nuisance complaints, elderly resident locations, families on benefit, vulnerable persons, children involved in crime, children on the child protection register, population data and property values, leisure, youth and playground facilities, school exclusions, truancy, educational attainments, Information from Youth Offending Teams, including, o Youth offending profiles o Characteristics of offender o Crime Data o Assessment Data o Risk of Harm Data 14.4 Health: Accident and Emergency admissions, registered alcoholics and drug users characteristics, 13 14.5 15. 15.1 facilities available to alcoholics and drug users, vulnerable persons including mentally ill patient information, ambulance control and despatch calls, Probation: offender profiles, children at risk. GUIDANCE ON DE-PERSONALISED INFORMATION The following guidance must be followed in relation to depersonalised information: no attempt must be made to identify an individual through the provision of depersonalised information; 16. 16.1 data sets must not be released to those who have a commercial interest in their use; arrangements must be made for the secure storage of all depersonalised data; information must be destroyed when no longer required. USE OF INFORMATION The products produced by analysing depersonalised information can be used to: demonstrate the findings of the review of crime and disorder; inform the consultation process which follows; justify the final strategy. However, maps and other visual images must not be published without prior consultation with the original data owner(s). 17. SECURITY "The purpose of information security is to enable business continuity and minimise business damage by preventing and minimising the impact of security incidents. Information security 14 management enables information to be shared, while ensuring the protection of information and computing assets." (Guide to British Standard Code of Practice for Information Security Management - BSI). 17.1 All parties should ensure that they have appropriate security arrangements in place. Parties aim to meet the British Standards Code of Practice for Information Security Management (BS 77991995 version), but in any event should ensure that their systems meet basic information security principles. These are: Confidentiality - protecting sensitive information from unauthorised disclosure or intelligible interception; Integrity - safeguarding the accuracy and completeness of information and computer software; Availability - ensuring that information and vital services are available to users when required; 17.2 All public authorities are under a common expectation to comply with the Government Protective Marking Scheme (GPMS) and to note that some IL (Information Level) security levels may require additional security measure s to be in place. Thames Valley Police will only transfer the following police information by encrypted means such as secure email (for example PNN, GSI, GSX, NHS(n3), GSE, GCSX, NHS.net, CJSM descriptors) : information GPMS classified as RESTRICTED, sensitive personal information and personal information shared for a policing purpose. Transfer by fax will not be used unless required in the case of an operational emergency. Security requirements are detailed at Annex H. 18. INDEMNITY Details of Indemnities are attached at Appendix D 19. DOCUMENTATION 15 19.1 Disclosures and requests for information must be made in writing on the approved form (Appendix B) and must be retained by the designated officer. Decisions on any disclosures reached at meetings must be minuted. This information will provide evidence if the disclosure is challenged or a formal complaint is made. All information exchanged should be classified according to its security level and should be treated accordingly (e.g. restricted, confidential, secret etc.) 20. COMPLAINTS AND BREACHES 20.1 Complaints and breaches of the protocol should be dealt with by utilising the established policies and procedures for breaches and complaints made in relation to the legislation in connection with information exchange. 21. 21.1 SUBJECT ACCESS If an agency receives a subject access application and personal data is identified as belonging to another agency, it will be the responsibility of the receiving agency to contact the data owner to determine whether the latter wishes to claim an exemption under the provision of the Data Protection Act. Where a designated officer cannot comply with the request without disclosing information relating to another individual who can be identified from that information s/he is not obliged to comply with the request unless: the other individual has consented to the disclosure in writing of the information to the person making the request, or it is reasonable in all the circumstances to comply with the request without the consent of the individual. In determining whether it is reasonable, regard shall be had in particular to: any duty of confidence owed to the other individual any steps taken by the data controller with a view to seeking the consent of the other individual whether the other individual is capable of giving consent any express refusal of consent by the other individual Where disclosure is proposed under the subject access it must be done in accordance with the Data Protection Act 1998 16 22. FREEDOM OF INFORMATION ACT REQUESTS 22.1 If a party receives a request for information under the Freedom of Information Act 2000 and the Information requested is identified as belonging to another Organisation, it will be the responsibility of the receiving agency to contact the data owner to determine whether the latter wishes to rely on any statutory exemption under the provisions of the Freedom of Information Act and to identify any perceived harm. 23. MEDIA STRATEGY 23.1 The parties to this protocol will subscribe to the following principles when discussing with the media issues which have arisen from the initial review of crime and disorder, the summary produced for the purpose of public consultation or the final crime reduction strategy: any information provided to the public will be accurate honest and fair; each organisation, in its dealings with the media, will respect the professionalism and integrity of its partners; any data released from a Police source should only be released in accordance with the ACPO Media Strategy Group guidelines; and where there are differences of opinion between organisations these should not be commented on publicly without prior notice and discussion. Press and public relations staff in each organisation should have working knowledge of the structure, key issues and staff in other partner organisations. Opportunities for the placement of stories in organisational publications should be encouraged. 24. ACCOUNTABILITY 24.1 Any disclosure of information by an employee, which is done in bad faith, or for motives of personal gain will be the subject of an inquiry and be treated as a serious matter. Each party will be accountable for any misuse of the information supplied to it and the consequences of such misuse by its employees servants or agents. 17 APPENDIX A LIST OF DESIGNATED OFFICERS The following persons listed are nominated by the respective parties as Designated Officers. The parties authorise them to request and disclose information to the Parties to this Protocol in accordance with the provisions of the Crime and Disorder Act 1998 and the Data Protection acts 1984 and 1998, during the time that they are in the employ of the nominating party or are acting on its behalf. Any authorisation given by a party to a Designated Officer listed below shall automatically end upon the Designated Officer ceasing to be employed by the party who appointed him. Any change in the officers designated by a party must be immediately notified to all of the other parties to the Protocol and no information shall be disclosed to any other person until such time as the appropriate notification has been received by the Parties. Organisation Contact name Signature / Date Job Title Slough Borough Council Community Safety Manager Paradigm Housing Group Anti Social Behaviour Advisor – East Paradigm Housing Group Chief Executive September 2013 Paradigm Housing Group East Region Team Manager September 2013 September 2013 18 September 2013 Contact Details Thames Valley Probation Chief Executive Officer September 2013 Thames Valley Probation Director, East Berkshire LDU & Approved Premises September 2013 Thames Valley Probation Designated Officer September 2013 Home Group Customer Services Manager September 2013 Home Group Head of Customer Services (SE/SW) September 2013 Ability Housing Chief Executive September 2013 Ability Housing Housing Services Officer September 2013 Slough CVS Chief Executive Officer September 2013 Slough CVS Designated Officer September 2013 19 Catalyst Housing Ltd Neighbourhood Manager September 2013 Catalyst Housing Ltd Regional Manager September 2013 Alma Supported Lodgings Manager September 2013 Alma Supported Lodgings Deputy Manager September 2013 Thames Valley Housing Association Thames Valley Housing Association One Housing Group Area Housing Manager September 2013 Housing Officer September 2013 Chief Executive Officer September 2013 One Housing Group Regional Neighbourhood Manager September 2013 Sovereign Housing Association Limited Chief Executive Officer September 2013 20 Sovereign Housing Association Limited Sovereign Housing Association Limited Anti Social Behaviour Advisor September 2013 Head of Anti Social Behaviour September 2013 Sanctuary Housing Head of Housing Operations (South West) September 2013 Sanctuary Housing Area Housing Manager September 2013 The Buckinghamshire Housing Association Ltd Senior Housing Manager September 2013 The Buckinghamshire Housing Association Ltd Royal Berkshire Fire and Rescue Service Chief Executive September 2013 Designated Officer September 2013 Slough Homeless Our Concern Designated Officer September 2013 Slough Homeless Our Concern Designated Officer September 2013 21 Turning Point and CRI Director of substance misuse September 2013 Turning Point and CRI Designated Officer September 2013 Health – CCG Clinical Director for Slough September 2013 Berkshire Health Care Trust Chief Executive September 2013 LPA Commander September 2013 Police and Crime Commissioner September 2013 Policy Advisor September 2013 Thames Valley Police Police and Crime Commissioner Police and Crime Commissioner 22 APPENDIX B RECORD OF REQUEST/DISCLOSURE This form should only be signed by one of the nominated persons shown at appendix A of the protocol PART A - REQUEST Ref. No Partner requesting information Partner information requested from SUBJECT DETAILS Surname Forename(s) DoB Sex M/F Ethnicity Height Address State fully the purpose the information is required for (e.g. ASBO, Crime Audit, Sex Offender Order, Prevention or Detection of Crime etc.) Nature of information required The above requested information will be subject to the provisions of the Data Protection Act 1998 and the general rules of confidentiality. The information must not be used for any purpose other than that for which it is requested and must not be disclosed to an unauthorised person. There is an obligation upon you to ensure appropriate security measures are in place in respect of it. Once the information has served its required purpose and /or the end of the retention period is reached it must be destroyed in accordance with this protocol. Signed Name Date 23 RECORD OF REQUEST/DISCLOSURE This form should only be signed by one of the nominated persons shown at appendix A of the protocol PART B – DISCLOSURE Grounds for disclosure Information disclosed Reason given should be one of those given in this protocol. Full explanation is required if the reason given is ; Public Interest , or the Prevention and detection of crime or the apprehension and prosecution of offenders. Continue on a separate sheet, if necessary, endorsed with the above reference number. On Part A of this form The above given information is be subject to the provisions of the Data Protection Act 1998 and the general rules of confidentiality. The information must not be used for any purpose other than that for which it is requested and must not be disclosed to an unauthorised person. There is an obligation upon you to ensure appropriate security measures are in place in respect of it. Once the information has served its required purpose and /or the end of the retention period is reached it must be destroyed in accordance with this protocol. Signed Name Date 24 APPENDIX C REQUEST FOR SECONDARY DISCLOSURE This form should only be signed by one of the nominated persons shown at appendix A of the protocol Request for Secondary Disclosure. Original Ref. No (This request should include the original form (APP B) To which the information relates or the reference on that form and should be sent to the original owner of the data.) Partner requesting authority Partner authority requested from SUBJECT DETAILS Surname Forename(s) DoB Sex M/F Ethnicity Height Address With regard to the information contained within the above document, I request authority to make additional disclosure of this information to …………………………………………………….. State fully the purpose the information is required for (e.g. ASBO, Crime Audit, Sex Offender Order, Prevention or Detection of Crime etc.) The above requested information will be subject to the provisions of the Data Protection Act 1998 and the general rules of confidentiality. The information must not be used for any purpose other than that for which it is requested and must not be disclosed to an unauthorised person. There is an obligation upon you to ensure appropriate security measures are in place in respect of it. Once the information has served its required purpose and /or the end of the retention period is reached it must be destroyed in accordance with this protocol. Conditions of indemnity as outlined in the Protocol will apply . Signed Name Date Secondary Disclosure re the above is Approved/ Not Approved. Conditions of indemnity as per the Protocol will apply. Signed Name Partner Date 25 APPENDIX D THE CRIME AND DISORDER ACT 1998 JOINT PROTOCOL ON INFORMATION EXCHANGE FORM OF INDEMNITY In consideration of the provision of information in accordance with this protocol any party to this protocol who receives information under this protocol (“the Receiver”) from any other party (“the Supplier”) undertakes to indemnify the Supplier against any liability which may be incurred by the Supplier arising from or in any way connected with the following acts or omissions on the part of the Receiver. Within the partnership the receivers of shared information will accept total liability for the loss or compromise of shared information whilst it is under their custody or control. The parties to this Protocol undertake to fully indemnify any of the persons or any authority referred to below against any liability, damages or costs of civil action which may be incurred by such a person or authority arising from or in any way connected with the following acts or omissions on the part of the person or authority granting the indemnity: Requests for information for purposes other than those specified in the Joint Protocol. Use of the information for purposes other than those specified in the Joint Protocol. Disclosure of the information to a third party except as is specified in the Joint Protocol. Wilful misconduct or negligence in the handling, keeping or disposal of the information. Under this indemnity the following persons may claim the benefit of this indemnity are : Any local authority (including Chief Executive of Slough Borough Council) Chief Officer, Berkshire Probation Service Head of Slough Youth Offending Team Any Police Authority.* Any Chief Officer of Police, including the Chief Constable of Thames Valley Police, and the Slough Local Police Area Commander Any serving or former member of a Police Force. 26 Any serving or former civilian employee of a Police Authority. The National Identification Bureau. Any member or former member of the Thames Valley Police Civil Staff. East Berkshire Primary Care Trust (including Director, Slough Primary Care Trust) Housing Associations (as listed in Appendix A) Any other party who joins this agreement Any employee or former employee of any of the parties * in this paragraph the expressions "police authority", "chief officer of police" and "police force" have the same meaning as in section 101 of the Police Act 1996. 27 APPENDIX E CONSENT TO DISCLOSURE OF INFORMATION. I, (name). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . of (address). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . ............................................................ consent to (Disclosing Party eg.Thames Valley Police) . . . . . . . . . . . . . . . . . . . . . . . . . ............................................................ disclosing the information set out below to any organisation or group who are Parties to the ‘Joint Protocol for Information Exchange under the Crime and Disorder Act 1998’ (the 1998 Act) to which (e.g. Thames Valley Police) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .are members for the purposes of the 1998 Act. I understand that wherever possible I will be told that the information is to be disclosed before its disclosure, to whom it is to be disclosed and for what reason. I understand that I may withdraw my consent at any time but that this information may still be disclosed if it is necessary for any of the purposes of the 1998 Act and the principles of the Data Protection Acts 1984 and 1998 have been met. This consent is given freely and unconditionally. INFORMATION TO WHICH THIS CONSENT APPLIES Signed:………….................................……………………………………. (Print name)………………………….................................………………. Dated:…………………........................……….200.................... 28 APPENDIX F GUIDANCE NOTES FOR DESIGNATED OFFICERS The Crime & Disorder Act 1998 provides parties with the ability to share data, however it does not entitle them to enter into wholesale data sharing or matching. Any sharing of information under the Act must be for the aims of the Act, namely the reduction of crime and the fear of crime When presented with a request for disclosure a designated officer must ask two fundamental questions. 1.Do I have the legal power to disclose this information?, and, 2.If so, am I proposing to do so properly with due regard to both common and statute law, including the common law duty of confidence and the statutory data protection principles? The parties to the Joint Protocol on Information Exchange have the power under section 115 of the Crime and Disorder Act 1998 to disclose information to the relevant authorities where it is necessary and expedient for the purposes of any of the provision of Act. The purposes of the Act may include local crime audits, Youth Offending Teams, anti social behaviour orders, sex offender orders and local child curfew schemes. In addition, section 117 of the Crime & Disorder Act 1998 places a statutory duty on every local authority to exercise its various functions with due regard to the need to do all that it reasonably can to prevent crime and disorder in its area. However, section 115 does not override an individual’s right to privacy, confidentiality and reputation. These should be balanced against the likely harm if the information is not disclosed. In deciding whether or not data should be disclosed, it is suggested that designated officer considers the following checklist: 1. What is the purpose of the information sharing arrangement? The purpose of the arrangement must be clearly defined. This is because if personal data is to be disclosed, then the disclosure must be registered the Data Protection Registrar and the data protection principles will take effect. 2. Will it be necessary to share personal information in order to fulfil that purpose? Depersonalised information is presented in such a way that individuals cannot be identified from it. If this type of information can be used to achieve the purpose, then it should be used rather than disclosing personal information. If the objective cannot be reached without the use of personalised information then the following questions should be considered: 3. Do the parties concerned have power to disclose personal information for that purpose? Section 115 provides the power to disclose information to any of the relevant authorities. It does not provide any power for those bodies or any other person or organisation to disclose personal information to anyone else including individual voluntary and community groups. 29 If section 115 cannot be used, then you will need to establish whether the parties have any other statutory powers permitting disclosure. 4. How much information will need to be shared in order to achieve the objectives of the arrangement? Parties may hold a lot of information about individuals. Not all of this information may be relevant to the particular purpose for which the request was made. Care will need to be taken to ensure that only information which is actually relevant to that purpose is disclosed. To do otherwise might be to overstep the boundaries of the power available. 5. Should the consent of the individual be sought before disclosure is made? If possible this should be obtained in each case. Many of the issues surrounding disclosure can be avoided if consent is sought and obtained. This is particularly the case in relation to victims or witnesses. In these case no information should be disclosed without their prior consent. It is however recognised that consent will not always be given and indeed in some case it maybe inappropriate to seek consent in the first place. In those circumstances, consideration must be given as to whether information can be disclosed lawfully and fairly. 6. If consent is sought but is withheld, should the information be disclosed? You will need to consider whether personal information is held under a duty of confidence. If so, you can only disclose that information if you have the individual’s consent OR there is an overriding public interest or justification for doing so. PLEASE NOTE - IT WILL NOT ALWAYS BE THE CASE THAT THE PREVENTION AND DETECTION OF CRIME OR PUBLIC SAFETY CONSTITUTES AN OVERRIDING PUBLIC INTEREST FOR THIS PURPOSE. Even if the information is not subject to a duty of confidence, you must still consider whether and how the information can be disclosed fairly. You must therefore balance the public interest against the possible resulting prejudice to the interests of the individual concerned. 7. Does the non-disclosure exemption apply? Both the Data Protection Act 1984 and 1998 contain general non-disclosure provisions. However, there are several specific exemptions one of which states that personal information may be disclosed for the purposes of the prevention and detection of crime or the apprehension and prosecution of offenders in cases where the failure to disclose would be likely to prejudice those objectives. 8. Have the other data protection principles been complied with? only the minimum information necessary should be shared the information should be checked for accuracy 30 how long will the information be kept by the recipient ? you should ensure that before disclosure takes place you know and have recorded how long the recipient of the information intends to keep the information. access for the individual how will the data be stored ? you should ensure that the recipient has a secure storage system for the information to be shared under this protocol. 9. The data protection principles require that such information is obtained and processed fairly and lawfully; is only disclosed in appropriate circumstances; is accurate, relevant, and not held longer than necessary; and is kept securely. The Human Rights Act 1998 gives further effect in domestic law to certain Articles of the European Convention on Human Rights (ECHR). The Act requires all domestic law to read compatibly with the Convention Articles. It also places a legal obligation on all public authorities to act in a manner compatible with the Convention. Should a public authority fail to do this then it may be subject of a legal action under section 7. This obligation should not solely be seen in terms of an obligation not to violate Convention Rights but also as a positive obligation to uphold these rights. The sharing of information between agencies has the potential to infringe a number of Convention Rights. In particular, Article 3 (Freedom from torture or inhuman or degrading treatment), Article 8 (Right to private and family life), and Article 1 of Protocol 1 (Protection of Property). In addition all Convention Rights must be secured without discrimination on a wide variety of grounds under Article 14. The Convention does allow limited interference with certain Convention rights by public authorities under broadly defined circumstances known as legitimate aims. However, mere reliance on a legal power may not alone provide sufficient justification and the following principles should be considered: • • • Is there a legal basis for the action being taken? Does it pursue a legitimate aim (as outlined in the particular Convention article)? Is the action taken proportionate and the least intrusive method of achieving that aim? (See paragraph 3.3.1) A brief summary of the Articles of the Human Rights Act 1998 is attached as appendix A. Article 8 is covered in more detail below but other articles may apply in specific circumstances. 31 APPENDIX H BASELINE SECURITY REQUIREMENTS FOR INFORMATION SHARING AGREEMENTS All Chief Constables are committed to compliance with the ACPO Community Security Policy, which is based on the British Standard for Information Security Management (BS7799). The basic requirements for an Information Sharing Agreement are specified below. Additional safeguards may be specified according to the sensitivity and classification of the data and the circumstances of the multi-agency partnership. Section 1 Information Security Policy A written statement of Information Security Policy should be available for all organizations involved in the partnership. Please attach a copy of your organisation's Information Security Policy. Section 2 Information Security Organisation Responsibility for information security should be allocated to an individual within the organisation. That individual should be operating within a management framework that initiates and controls the implementation of information security. Please advise who has designated responsibility for information security within your organisation and describe the management framework within which they operate. Section 3 Asset Classification and Control It is important to maintain appropriate protection of the computer and information assets used by the partnership. Please list below the hardware, software and information, which will be used for the partnership. What accountability for these assets is in place? Who will be the nominated System Owner of these assets for the purposes of the partnership? 32 Section 4 Personnel Security The Chief Constable will need to ensure the reliability of any persons having access to data. How has the reliability of all persons subject to this agreement been assessed? Any persons having access to data as part of this agreement may be required to give consent to background enquiries in accordance with Force policy. Please provide written consent as required. Please confirm that all persons connected with this project have received training and awareness in Data Protection and Information Security. A confidentiality clause will be included in the Information Sharing Agreement which all persons involved will be required to sign. Please confirm that all persons involved with this project are made aware of the procedure for reporting any security breaches, threats, weaknesses or malfunctions that might impact on the security of the data. Section 5 Physical and Environmental Security Appropriate measures should be in place to prevent unauthorised access or unlawful processing, accidental loss, destruction or damage. Please advise details of the premises used for this purpose and in relation to each named premises: What access controls are there to the buildings? What access controls are there to the rooms? Are the windows lockable when accessible from the outside? Is the door lockable where the information is stored? Is information secured in a lockable cabinet when not in use? Is there a clear desk policy in relation to this information? Do outside contractors/maintenance staff have access to the room? Is the information visible to unauthorised individuals e.g. through windows, from corridors etc. Is there any intention to use portable computers for this purpose? If so, what special control measures will be deployed to protect data? 33 Section 6 Computer and Network Management In addition to the physical security outlined above, please provide details of the following: Is the computer a stand-alone? If not, what measures are taken to prevent unauthorised access via your network or from external networks? Is there a policy and procedure for the disposal of confidential material (computer or otherwise)? What procedure is in place to ensure that data is cleansed from computer media as it becomes obsolete for whatever reason? Are system security procedures regularly audited? Are there documented rules for the use of this system available for all users? What control measures are in place to prevent the introduction of malicious software to the system (e.g. computer viruses)? Section 7 System Access Controls Are there controls on the system to prevent unauthorised access (i.e. is there a mechanism for the identification and authorisation of individual users, e.g. user ID and password)? Is there an automatic log-out after an appropriate time interval? Is there a warning at log-on to forbid unauthorised use of the system? Is there an audit trail to identify who has accessed the system including time, date and which records were accessed? Section 8 Systems Development and Maintenance All information systems used as part of this agreement should be designed from the outset with information security in mind to cover, as a minimum, the control measures contained in this document. Section 9 Business Continuity Planning Is there an effective backup and recovery mechanism to secure the data? What security surrounds these back-up facilities? Section 10 Compliance Agreements must be must comply with appropriate legal requirements and the prevailing policies of all organisations involved. 34 APPENDIX I Example Article 3 Freedom from Torture or inhuman or degrading treatment No one person shall be subjected to torture or to inhuman or degrading treatment or punishment Article 5 Right to Liberty Everyone has the right to liberty and security of person. No one shall be deprived of his liberty save in the following cases and in accordance with a procedure prescribed in law. Lawful detention after conviction by a competent court Lawful arrest or detention for non-compliance with the lawful order of a court or in order to secure the fulfillment of any obligation prescribed by law. Lawful arrest or detention of a person for the purpose of bringing him before a competent legal authority on reasonable suspicion of having committed or to prevent committing an offence or fleeing after having done so. The detention of a minor by lawful order for the purpose of educational supervision or for the purpose of bringing him before the competent legal authority. Lawful detention of persons for prevention of spreading of infectious diseases, persons of an unsound mind, drug addicts, alcoholics or vagrants. Article further gives instruction on how arrested person is to be dealt with. Article 8 Right to Respect for Private and Family Life Article 8 of the Human Rights Act 1998 states that everyone has the right to respect for his private and family life, his home and his correspondence and that there shall be no interference by a public authority with this right except as in accordance with the law: - In the interests of national security Public safety Economic well being of the country The prevention of crime or disorder The protection of health or morals The protection of the rights or freedoms of others The protocol should identify which of these legitimate aims is applicable. Article 11 Right to Freedom of Assembly and Association 35 Everyone has the right to freedom of peaceful assembly and freedom of association with others Article 14 Prohibition of Discrimination The enjoyment of the rights and freedoms of the convention shall be secured without discrimination on any ground such as Sex Race Colour Language Religion Political or other opinion National or social origin Association with a national minority Property , birth or other status Protocol 1 Article 1 Protection of Property Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one shall be deprived of his possessions except in the public interest and subject to the conditions provided for by law and by the general principles of international law. The preceding provisions shall not, however, in any way impair the right of a state to enforce such laws as it deems necessary to control the use of property in accordance with the general interest or to secure the payment of taxes or other contributions or penalties. 36
© Copyright 2026 Paperzz