Safer Slough Partnership

Approved copy September
2013
Thames Valley Police
Reviewed February 2015
Partner Review Pending 2015
Safer Slough Partnership
JOINT PROTOCOL ON
INFORMATION EXCHANGE
1
THE CRIME AND DISORDER ACT 1998
JOINT PROTOCOL ON INFORMATION EXCHANGE
1.
INTRODUCTION
Actions taken as a consequence of this policy will be applied in an impartial and fair way having due
regard for natural justice and human rights.
This protocol has the potential to engage the following Articles:
Article 3 Freedom from Torture or inhuman or degrading treatment

Article 5 Right to Liberty

Article 8 Right to Respect for Private and Family Life

Article 11 Right to Freedom of Assembly and Association

Article 14 Prohibition of Discrimination

1.1
Protocol 1, Article 1 Protection of Property
Review of the Protocol
This Protocol will be reviewed annually. The review will take account of the following criteria :-
1.2

Changes in legislation

Human rights challenges in domestic and Human rights Courts

Changes to ACPO and DCLG guidance

Representations made in relation to this document (appropriate authorities,
nongovernmental organisations and individuals)
Review of the Protocol as at May 2008
The Government announced a review of the partnership provisions of the Crime and Disorder Act
1998 in the police reform White Paper - Building Communities, Beating Crime - in November
2004. This review had an impact on this protocol in two ways:
The Review recommended extending the role of CDRPs by placing a duty on responsible
authorities to prevent and reduce crime and disorder, anti-social behaviour, behaviour
adversely affecting the environment and substance misuse in their local area.
2
The Review recommended strengthening section 115 of the Crime and Disorder Act, which
gives relevant agencies the power to disclose information, and place a duty on responsible
authorities to share depersonalised data which are relevant for community safety purposes and
already held in a depersonalised format. This duty will apply to data already collected by
partner agencies in a depersonalised format.
2.
2.1
PARTIES TO THIS PROTOCOL
The parties to this Protocol are listed in Appendix A. It will be the responsibility of these parties
to ensure that;
2.2

Realistic expectations prevail from the outset

Ethical standards are maintained

A mechanism exists by which the flow of information can be controlled

Appropriate training is provided
The parties agree that other organisations and groups in the voluntary and community sector may
also become parties to the protocol where this is necessary or expedient for the purposes of the
Crime & Disorder Act. No such organisation or group may join the Protocol without the prior
consent of all existing parties. Any additional party joining the Protocol shall agree in writing to
abide by the terms of this Protocol and shall provide an indemnity to each of the parties to the
Protocol in the form set out in Appendix D. Until such time as an agreement has been signed and
indemnity provided, no personal or sensitive information will be disclosed.
2.3
Further, after the date of any such agreement, this Protocol shall be read so that references to the
parties shall include references to any such organisation or group. These organisations and indeed
the individual housing associations will not be ‘Relevant Authorities’ as defined by the Crime &
Disorder Act and they will therefore need to decide on what basis they are participating in the
Protocol.
The Data Protection Act 1998, First Data Protection Principle requires that data
controllers have a legitimate basis for their processing. This means that they must be able to
satisfy one or more of the criteria in Schedule 2 of the Data Protection Act 1998.
3
2.4
It is useful to note that whilst Section 115 of Crime and Disorder Act 1998 ensures agencies have
a power to disclose it does not impose a requirement on them to exchange information, and so
control over disclosure remains with the agency which holds the data. Information exchange,
whether carried out under the power in section 115 or under any other common law or statutory
power, is therefore controlled by the normal data protection regime and common law (see Annex
A to Section Five of “Guidance on Statutory Crime and Disorder Partnerships - Crime and
Disorder Act 1998”, Home Office, 1998.).
3.
PURPOSE.
3.1 Purpose
The purpose of this protocol is to facilitate the exchange of data in order to comply with the
statutory duty on chief police officers and local authorities to work together to develop and
implement a strategy to reduce crime and disorder, anti-social behaviour, behaviour adversely
affecting the environment and substance misuse in the local area.
3.2
The protocol explains the principles that must be followed when exchanging information. This
will apply to:

any Order under the Crime and Disorder Act.

the exchange of personal information following a conviction by a Court. For example:
o Drug Treatment and Testing Orders,
o Reparation Orders,
o Action Plan Orders,
o Supervision Orders,
o Detention and Training Orders,
o Parenting Orders,
o PVP Register (Potential Violent Persons)
3.3
The exchange of information intended to support any action for the purposes of the Act, namely
the reduction or prevention of crime and disorder whether under this Act or otherwise. E.g. the
exchange of information to support proceedings under the Housing Acts. The parties recognise
that the section 115 of the Crime and Disorder Act can only be used to disclose information to an
4
individual or group where that disclosure is necessary or expedient to support of the local strategy
to reduce crime and disorder, anti-social behaviour, behaviour adversely affecting the
environment and substance misuse in the local area. Section 115 does not apply to providing
information to private companies or voluntary organisations, unless they are formally providing
services on behalf of a Responsible Authority. (If providing information to private companies or
voluntary organisations within the Partnership, another legal basis for this sharing should be
sought).
Information will not be shared where disclosure would prejudice ongoing proceedings or sensitive
cases unless there is an overriding public safety requirement to do so.
Thames Valley Police is required to make additional information sharing considerations as stated
in the Code of Practice on the Management of Police Information and Authorised Professional
Practice. Thames Valley Police will only be able to share policing information with partners
where one or more of the following policing purposes are satisfied:
Protecting life and property,
Preserving order,
Preventing the commission of offences,
Bringing offenders to justice,
Duty under common or statute law.
4.
4.1
DEFINITIONS.
In this protocol:

Crime: is defined as any act, default, or conduct prejudicial to the community, the
commission of which, by law, renders the person responsible liable to punishment by a fine,
imprisonment, or other penalty.

Anti-social behaviour: means acting in a manner which causes or is likely to cause
harassment, alarm or distress to one or more persons not of the same household as himself.
5

Disorder: is an expression which refers to the level or pattern of anti-social behaviour within a
particular area.

Personal data means data that relates to a living individual who can be identified either :
from the data, or

from the data and any other information which is in the possession of, or is likely to come
into the possession of the data holder;
Maintenance of good order is defined as: The maintenance of a state of security and
tranquillity that should exist in a civilised society
Depersonalised information is information which does not identify a data subject. If the data
can be so categorised, it may be regarded as outside the purview of the Data Protection Act
1998 and hence this guidance and any protocol based upon it. However, the benefits of a
protocol even for this type of information should always be considered.
Designated officers means the person or persons whom either jointly or alone determine the
purposes for which personal information is processed;
Relevant authority means:

the chief officer of police

a Police and Crime Commissioner, in accordance with the Police Reforms and
Social Responsibility Act 2011

a local authority, that is to say, in relation to England, a county council, a district
council, a London borough or the Common Council of the City of London;

a Probation committee in England and Wales;

A Health authority (including East Berkshire Primary Care Trust).

A Youth Offending Team

Registered Social Landlords (Housing Associations registered with Housing
Corporation ) for the purposes of Antisocial Behaviour Orders vide Section 1 of the
Crime and Disorder Act, 1998 as amended by the Police reform Act, 2002.
5.
DESIGNATED OFFICERS.
5.1
The following are designated to assume responsibility for data protection (including notification if
appropriate); security and confidentiality; and compliance with legislation. Each party to the
protocol will nominate one or more Designated Officers to process, or initiate requests for personal
6
information and conviction data. A list of those officers so nominated in each party agency will be
attached at Appendix A. All persons nominated as ‘Designated Officers‘ should be familiar with
the terms of this Protocol. It will be Best Practice for each party to the Protocol to ensure that each
of their own Designated Officers receives an appropriate level of training and information to allow
him/her to carry out his role in data exchange.
o
Any request for information must be made by and to designated officers in each agency. The
request for information should be recorded using the forms approved, (copies may be found at
Appendix B). When information is disclosed it must be stored securely and destroyed when it is no
longer required for the purpose for which it was initially provided.
All requests should be
acknowledged within 10 working days and should be dealt with within 20 working days. Where
any request cannot be dealt within these time limits the data owner shall notify the requesting party
immediately the delay is known. When making the application the requesting party shall notify the
data owner of any time restrictions on the supply of data, e.g. Court dates.
6.
INFORMATION EXCHANGE.
6.1
Each party to the protocol will be responsible for ensuring that they are properly registered with the
Data Protection Commissioner to exchange personal information under this protocol. The parties
will also comply with the principles set out in the Data Protection Act. 1998 and Human Rights Act
1998.
6.2
Any information being shared must be proportionate and necessary for the purpose for which it is
being shared.
7.PERSONAL DATA.
7.1
Section 115 of the Crime and Disorder Act provides a lawful power to exchange information
including personal information. It does not impose a duty on them to do so. The parties envisage
that exchange will be made in response to a request wherever lawfully possible and where this is
7
necessary or expedient for the purposes of that Act. Control however remains with the disclosing
party.
If failure to share personal information would mean that the stated objectives of the
requesting party cannot be achieved, then each party should consider whether they have power to
disclose.
7.2
Any disclosure of personal data must have regard to both common law and statute. More
detailed guidance is given on this aspect in the Guidance Notes for Designated Officers attached at
Appendix F. In addition, the principles of data protection must be complied with unless and to the
extent that any exemption under the Data Protection Act 1998 applies. Further guidance on these
principles may be found in Appendix F.
7.3
The underlying principle of this protocol is that a party will always retain ownership of personal
information it discloses. It is therefore essential that the identity of the originator must be recorded
against the relevant data. A recipient of disclosed information can only use it for the stated purpose
and must obtain the consent of the original data owner before making a further disclosure. In
respect of this requirement each department of a party will be treated as a separate agency.
Requests for secondary or further use of the information should be made using the appropriate from.
A copy of that form is attached at Appendix C
7.4
The identity of the originator must be recorded against the relevant data. No secondary use or
other use may be made unless the consent of the disclosing party to that secondary use is sought and
granted. Disclosure must be compatible with the second data protection principle: 'Personal data
shall be obtained only for one or more specified and lawful purposes, and shall not be further
processed in any manner incompatible with that purpose or those purposes.
7.5
Although section 115 provides a lawful power to exchange information, the presumption of
confidentiality will still apply.
This means that designated officers must make an objective
assessment of all the available information to determine whether the public interest justifies
disclosure. In making that decision, the following alternative powers should be considered:-
8
7.6
Information discovered to be inaccurate or inadequate for the purpose will be notified to the
data owner who will be responsible for correcting the data and notifying all other recipients of the
data who must ensure that the correction is made.
7.6.1 Conviction Data.
Details of relevant convictions recorded on the Police National Computer, or retained on file by
the parties to this protocol can be released to another designated officer to support proceedings
under the Crime and Disorder Act. However, it is recognised that care must be exercised in the
disclosure of conviction data and a designated officer must ensure that the information is accurate
and relevant to an enquiry before it is released.
7.6.2 Review and Weeding Data.
Parties to the protocol must ensure that all data obtained from any other agency is only retained for
the minimum period required to achieve the objectives of the project after which the data will be
returned to the originator or destroyed as agreed. The recipient of the information is required to
keep it stored securely and will destroy it in a secure manner or return when no longer necessary for
that purpose. It will be the responsibility of the recipient to ensure that all data is relevant, accurate
and up to date. In any case the review and weeding of data must be in accordance with policy and
procedures agreed by the parties.
7.6.3 Consent.
Many of the data protection issues surrounding the disclosure can be avoided if the consent of the
individual has been sought and obtained. No details of victims, witnesses or complainants should
be disclosed without their written consent. Consent should be obtained using the form attached at
Appendix E.
8.
PUBLIC INTEREST.
8.1 If informed consent has not been sought or sought and withheld the agency must consider if there is
an overriding public interest of justification for the disclosure. In making this decision the following
questions should be considered.
9
• Is the disclosure necessary for the prevention or detection of crime, prevention of disorder, to protect
public safety, or to protect the rights and freedoms of others?
• Is the disclosure necessary for the protection of young or other vulnerable people?
• What risk to others is posed by this individual?
• What is the vulnerability of those who may be at risk?
• What will be the impact of the disclosure on the offender?
• Is the disclosure proportionate to the intended aim?
• Is there an equally effective but less intrusive alternative means of achieving that aim?
9.
NON DISCLOSURE EXEMPTIONS.
9.1 The Data Protection Act 1998 maintains the crime prevention exemptions of the Data Protection Act
1984. Disclosure maybe made where it is for the purpose of the prevention or detection of crime,
apprehension or prosecution of offenders, and where failure to disclose would be likely to prejudice
those objectives, decisions must be made on a case by case basis, s29(3).
Any request for information whose purpose is the prevention or detection of crime should specify as
clearly as possible how failure to disclose would prejudice this objective. The request should make
clear:
•
why the information is necessary, e.g. why proceedings might fail without the information; and
•
why it is envisaged that a successful action would prevent crime, e.g. what is the projected effect
of successful proceedings.
10.
HUMAN RIGHTS
10.1 For details on Human Rights See Appendix I.
11.
YOUTH OFFENDING TEAMS.
11.1 Relevant information can be disclosed to the members of a youth offending team (YOT) either post
conviction or following a police reprimand, final warning or caution. This will allow a
10
comprehensive action plan to be developed which addresses all the risk factors associated with the
person concerned.
11.2 Following the initial referral, designated officers attached to the team will be responsible for the
further disclosure of relevant personal information and conviction data.
There may be occasions
when it is necessary or expedient for members of the youth offending team to disclose personal
information to another agency or group. In such circumstances the following guidelines must be
followed:

a secondary disclosure of personal information must be authorised by the original data owner,

the disclosure must support action under the Crime and Disorder Act,

the public interest must outweigh any duty of confidentiality,

the information must be processed fairly.

the youth offending team manager will be responsible for ensuring that personal information
provided to the team is processed in accordance with the Data Protection Act 1998.
12. ABANDONED VEHICLES
12.1
Abandoned vehicles constitute a crime risk (e.g. damage, theft, arson) and by their presence
contribute to a downward spiral in the overall security, confidence and order of a locality. For the
purposes of their prompt removal by or on behalf of Slough Borough Council, the Thames Valley
Police will endeavour to supply keeper details on request. The unit/section/officer of the Council
which will receive the details is named in the list of nominated officers. The unit/section/officer
of the Police Area which will provide the details is named in the list of nominated officers.
Requests for details will be recorded in a register to be held on the Police Area in the CIMU, and
subject to external audit.
12.2
The signatories to this protocol hereby acknowledge that any information exchanged for the
purpose of dealing with abandoned vehicle shall not be disclosed other than for the following
reasons:

to support joint agency approaches to identifying and managing the risk of crime and disorder;
11

to enable the parties to pool their expertise in assessing the nature and level of risk posed by
potential offenders;

to enable the parties to co-operate in averting identified risks of crime and disorder and its
consequences;
13.

to reduce risk and fear experienced by staff, identified individuals and the public at large;

assist strategic planning;

help implement the provisions of the Crime and Disorder Act;
DE-PERSONALISED INFORMATION.
13.1 If the purposes of the Act can be achieved using depersonalised information then this should be the
preferred method. The exchange of depersonalised information should be considered where this
can be used to:

facilitate strategic planning;

identify areas of high crime or disorder;

measure the impact of CCTV or other preventative schemes;

determine whether the local crime reduction strategy is delivering best value.
14.
PARTIES TO THE PROTOCOL
14.1
The parties to this protocol agree to share depersonalised information from the following indices.
This is not an exhaustive list and other indices may be agreed between the parties.
14.2
14.3
Police:

crime statistics detected, reported and recorded,

incidents reported to the police,

calls for police assistance (Command and Control data),

characteristics of offenders,

characteristics of victims,

road traffic accident data,
Local authorities, Housing ALMO and Housing Associations:
12

criminal damage and graffiti removal,

derelict and empty property,

emergency out of hours calls,

nuisance families,

resident complaints,

racial, homophobic and domestic violence incidents,

registered homeless, rehoused homeless, victims, offenders,

turnover of tenants,

street lighting,

licences issued by the local authority,

noise levels and nuisance neighbours,

dog related nuisance complaints,

elderly resident locations,

families on benefit,

vulnerable persons,

children involved in crime,

children on the child protection register,

population data and property values,

leisure, youth and playground facilities,

school exclusions,

truancy,

educational attainments,

Information from Youth Offending Teams, including,
o Youth offending profiles
o Characteristics of offender
o Crime Data
o Assessment Data
o Risk of Harm Data
14.4
Health:

Accident and Emergency admissions,

registered alcoholics and drug users characteristics,
13
14.5
15.
15.1

facilities available to alcoholics and drug users,

vulnerable persons including mentally ill patient information,

ambulance control and despatch calls,
Probation:

offender profiles,

children at risk.
GUIDANCE ON DE-PERSONALISED INFORMATION
The following guidance must be followed in relation to depersonalised information:

no attempt must be made to identify an individual through the provision of depersonalised
information;
16.
16.1

data sets must not be released to those who have a commercial interest in their use;

arrangements must be made for the secure storage of all depersonalised data;

information must be destroyed when no longer required.
USE OF INFORMATION
The products produced by analysing depersonalised information can be used to:

demonstrate the findings of the review of crime and disorder;

inform the consultation process which follows;

justify the final strategy.
However, maps and other visual images must not be published without prior consultation with the
original data owner(s).
17.
SECURITY
"The purpose of information security is to enable business continuity and
minimise business damage by preventing and minimising the impact of
security
incidents.
Information
security
14
management
enables
information to be shared, while ensuring the protection of information
and computing assets."
(Guide to British Standard Code of Practice for Information Security Management - BSI).
17.1
All parties should ensure that they have appropriate security arrangements in place. Parties aim
to meet the British Standards Code of Practice for Information Security Management (BS 77991995 version), but in any event should ensure that their systems meet basic information security
principles. These are:

Confidentiality - protecting sensitive information from unauthorised disclosure or intelligible
interception;

Integrity - safeguarding the accuracy and completeness of information and computer
software;

Availability - ensuring that information and vital services are available to users when
required;
17.2
All public authorities are under a common expectation to comply with the Government Protective
Marking Scheme (GPMS) and to note that some IL (Information Level) security levels may
require additional security measure s to be in place. Thames Valley Police will only transfer the
following police information by encrypted means such as secure email (for example PNN, GSI,
GSX, NHS(n3), GSE, GCSX, NHS.net, CJSM descriptors) : information GPMS classified as
RESTRICTED, sensitive personal information and personal information shared for a policing
purpose. Transfer by fax will not be used unless required in the case of an operational emergency.
Security requirements are detailed at Annex H.
18. INDEMNITY
Details of Indemnities are attached at Appendix D
19. DOCUMENTATION
15
19.1
Disclosures and requests for information must be made in writing on the approved form
(Appendix B) and must be retained by the designated officer. Decisions on any disclosures
reached at meetings must be minuted. This information will provide evidence if the disclosure is
challenged or a formal complaint is made.
All information exchanged should be classified
according to its security level and should be treated accordingly (e.g. restricted, confidential,
secret etc.)
20. COMPLAINTS AND BREACHES
20.1
Complaints and breaches of the protocol should be dealt with by utilising the established policies
and procedures for breaches and complaints made in relation to the legislation in connection with
information exchange.
21.
21.1
SUBJECT ACCESS
If an agency receives a subject access application and personal data is identified as belonging to
another agency, it will be the responsibility of the receiving agency to contact the data owner to
determine whether the latter wishes to claim an exemption under the provision of the Data
Protection Act. Where a designated officer cannot comply with the request without disclosing
information relating to another individual who can be identified from that information s/he is not
obliged to comply with the request unless:

the other individual has consented to the disclosure in writing of the information to the person
making the request, or

it is reasonable in all the circumstances to comply with the request without the consent of the
individual. In determining whether it is reasonable, regard shall be had in particular to:

any duty of confidence owed to the other individual

any steps taken by the data controller with a view to seeking the consent of the other
individual

whether the other individual is capable of giving consent

any express refusal of consent by the other individual

Where disclosure is proposed under the subject access it must be done in accordance with the
Data Protection Act 1998
16
22. FREEDOM OF INFORMATION ACT REQUESTS
22.1
If a party receives a request for information under the Freedom of Information Act 2000 and the
Information requested is identified as belonging to another Organisation, it will be the
responsibility of the receiving agency to contact the data owner to determine whether the latter
wishes to rely on any statutory exemption under the provisions of the Freedom of Information Act
and to identify any perceived harm.
23. MEDIA STRATEGY
23.1
The parties to this protocol will subscribe to the following principles when discussing with the
media issues which have arisen from the initial review of crime and disorder, the summary
produced for the purpose of public consultation or the final crime reduction strategy:
any information provided to the public will be accurate honest and fair;

each organisation, in its dealings with the media, will respect the professionalism and integrity
of its partners;

any data released from a Police source should only be released in accordance with the ACPO
Media Strategy Group guidelines; and

where there are differences of opinion between organisations these should not be commented
on publicly without prior notice and discussion.

Press and public relations staff in each organisation should have working knowledge of the
structure, key issues and staff in other partner organisations. Opportunities for the placement
of stories in organisational publications should be encouraged.
24. ACCOUNTABILITY
24.1
Any disclosure of information by an employee, which is done in bad faith, or for motives of
personal gain will be the subject of an inquiry and be treated as a serious matter. Each party will
be accountable for any misuse of the information supplied to it and the consequences of such
misuse by its employees servants or agents.
17
APPENDIX A
LIST OF DESIGNATED OFFICERS The following persons listed are nominated by the respective parties as Designated Officers. The parties
authorise them to request and disclose information to the Parties to this Protocol in accordance with the provisions of the Crime and Disorder Act 1998 and the
Data Protection acts 1984 and 1998, during the time that they are in the employ of the nominating party or are acting on its behalf.
Any authorisation given by a party to a Designated Officer listed below shall automatically end upon the Designated Officer ceasing to be employed by the party
who appointed him.
Any change in the officers designated by a party must be immediately notified to all of the other parties to the Protocol and no information shall be disclosed to
any other person until such time as the appropriate notification has been received by the Parties.
Organisation
Contact name
Signature /
Date
Job Title
Slough Borough
Council
Community Safety Manager
Paradigm Housing
Group
Anti Social Behaviour Advisor –
East
Paradigm Housing
Group
Chief Executive
September
2013
Paradigm Housing
Group
East Region Team Manager
September
2013
September
2013
18
September
2013
Contact Details
Thames Valley
Probation
Chief Executive Officer
September
2013
Thames Valley
Probation
Director, East Berkshire LDU &
Approved Premises
September
2013
Thames Valley
Probation
Designated Officer
September
2013
Home Group
Customer Services Manager
September
2013
Home Group
Head of Customer Services
(SE/SW)
September
2013
Ability Housing
Chief Executive
September
2013
Ability Housing
Housing Services Officer
September
2013
Slough CVS
Chief Executive Officer
September
2013
Slough CVS
Designated Officer
September
2013
19
Catalyst Housing Ltd
Neighbourhood Manager
September
2013
Catalyst Housing Ltd
Regional Manager
September
2013
Alma Supported
Lodgings
Manager
September
2013
Alma Supported
Lodgings
Deputy Manager
September
2013
Thames Valley
Housing
Association
Thames Valley
Housing
Association
One Housing Group
Area Housing Manager
September
2013
Housing Officer
September
2013
Chief Executive Officer
September
2013
One Housing Group
Regional Neighbourhood Manager
September
2013
Sovereign Housing
Association Limited
Chief Executive Officer
September
2013
20
Sovereign Housing
Association Limited
Sovereign Housing
Association Limited
Anti Social Behaviour Advisor
September
2013
Head of Anti Social Behaviour
September
2013
Sanctuary Housing
Head of Housing Operations
(South West)
September
2013
Sanctuary Housing
Area Housing Manager
September
2013
The Buckinghamshire
Housing Association
Ltd
Senior Housing Manager
September
2013
The Buckinghamshire
Housing Association
Ltd
Royal Berkshire Fire
and Rescue Service
Chief Executive
September
2013
Designated Officer
September
2013
Slough Homeless Our
Concern
Designated Officer
September
2013
Slough Homeless Our
Concern
Designated Officer
September
2013
21
Turning Point and CRI
Director of substance misuse
September
2013
Turning Point and CRI
Designated Officer
September
2013
Health – CCG
Clinical Director for Slough
September
2013
Berkshire Health Care
Trust
Chief Executive
September
2013
LPA Commander
September
2013
Police and Crime Commissioner
September
2013
Policy Advisor
September
2013
Thames Valley Police
Police and Crime
Commissioner
Police and Crime
Commissioner
22
APPENDIX B
RECORD OF REQUEST/DISCLOSURE
This form should only be signed by one of the nominated persons shown at appendix A of the protocol
PART A - REQUEST
Ref. No
Partner requesting information
Partner information requested
from
SUBJECT DETAILS
Surname
Forename(s)
DoB
Sex
M/F
Ethnicity
Height
Address
State fully the purpose the information is required for (e.g. ASBO, Crime Audit, Sex Offender Order, Prevention or Detection
of Crime etc.)
Nature of information required
The above requested information will be subject to the provisions of the Data Protection Act 1998 and the general
rules of confidentiality. The information must not be used for any purpose other than that for which it is requested
and must not be disclosed to an unauthorised person. There is an obligation upon you to ensure appropriate
security measures are in place in respect of it. Once the information has served its required purpose and /or the
end of the retention period is reached it must be destroyed in accordance with this protocol.
Signed
Name
Date
23
RECORD OF REQUEST/DISCLOSURE
This form should only be signed by one of the nominated persons shown at appendix A of the protocol
PART B – DISCLOSURE
Grounds for disclosure
Information disclosed
Reason given should be one of those given in this protocol. Full explanation is required if the
reason given is ; Public Interest , or the Prevention and detection of crime or the apprehension
and prosecution of offenders.
Continue on a separate sheet, if necessary, endorsed with the above reference number. On Part
A of this form
The above given information is be subject to the provisions of the Data Protection Act 1998 and the general rules
of confidentiality. The information must not be used for any purpose other than that for which it is requested and
must not be disclosed to an unauthorised person. There is an obligation upon you to ensure appropriate security
measures are in place in respect of it. Once the information has served its required purpose and /or the end of the
retention period is reached it must be destroyed in accordance with this protocol.
Signed
Name
Date
24
APPENDIX C
REQUEST FOR SECONDARY DISCLOSURE
This form should only be signed by one of the nominated persons shown at appendix A of the protocol
Request for Secondary Disclosure.
Original
Ref. No
(This request should include the original form (APP B) To which the information
relates or the reference on that form and should be sent to the original owner of the
data.)
Partner requesting authority
Partner authority requested from
SUBJECT DETAILS
Surname
Forename(s)
DoB
Sex
M/F
Ethnicity
Height
Address
With regard to the information contained within the above document, I request authority to make
additional disclosure of this information to ……………………………………………………..
State fully the purpose the information is required for (e.g. ASBO, Crime Audit, Sex Offender Order, Prevention or Detection
of Crime etc.)
The above requested information will be subject to the provisions of the Data Protection Act 1998 and the general
rules of confidentiality. The information must not be used for any purpose other than that for which it is requested
and must not be disclosed to an unauthorised person. There is an obligation upon you to ensure appropriate
security measures are in place in respect of it. Once the information has served its required purpose and /or the
end of the retention period is reached it must be destroyed in accordance with this protocol. Conditions of
indemnity as outlined in the Protocol will apply .
Signed
Name
Date
Secondary Disclosure re the above is Approved/ Not Approved. Conditions of
indemnity as per the Protocol will apply.
Signed
Name
Partner
Date
25
APPENDIX D
THE CRIME AND DISORDER ACT 1998
JOINT PROTOCOL ON INFORMATION EXCHANGE
FORM OF INDEMNITY
In consideration of the provision of information in accordance with this protocol any party to this
protocol who receives information under this protocol (“the Receiver”) from any other party (“the
Supplier”) undertakes to indemnify the Supplier against any liability which may be incurred by the
Supplier arising from or in any way connected with the following acts or omissions on the part of the
Receiver. Within the partnership the receivers of shared information will accept total liability for the
loss or compromise of shared information whilst it is under their custody or control.
The parties to this Protocol undertake to fully indemnify any of the persons or any authority referred
to below against any liability, damages or costs of civil action which may be incurred by such a
person or authority arising from or in any way connected with the following acts or omissions on the
part of the person or authority granting the indemnity:
Requests for information for purposes other than those specified in the Joint Protocol.

Use of the information for purposes other than those specified in the Joint Protocol.

Disclosure of the information to a third party except as is specified in the Joint Protocol.

Wilful misconduct or negligence in the handling, keeping or disposal of the information.
Under this indemnity the following persons may claim the benefit of this indemnity are :

Any local authority (including Chief Executive of Slough Borough Council)

Chief Officer, Berkshire Probation Service

Head of Slough Youth Offending Team

Any Police Authority.*

Any Chief Officer of Police, including the Chief Constable of Thames Valley Police, and
the Slough Local Police Area Commander

Any serving or former member of a Police Force.
26

Any serving or former civilian employee of a Police Authority.

The National Identification Bureau.

Any member or former member of the Thames Valley Police Civil Staff.

East Berkshire Primary Care Trust (including Director, Slough Primary Care Trust)

Housing Associations (as listed in Appendix A)

Any other party who joins this agreement

Any employee or former employee of any of the parties
* in this paragraph the expressions "police authority", "chief officer of police" and "police
force" have the same meaning as in section 101 of the Police Act 1996.
27
APPENDIX E CONSENT TO DISCLOSURE OF INFORMATION.
I, (name). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
of (address). . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
............................................................
consent to (Disclosing Party eg.Thames Valley Police) . . . . . . . . . . . . . . . . . . . . . . . . .
............................................................
disclosing the information set out below to any organisation or group who are Parties to
the ‘Joint Protocol for Information Exchange under the Crime and Disorder Act 1998’
(the 1998 Act) to which (e.g. Thames Valley Police) . . . . . . . . . . . . . . . . . . . . . . . . . . . .
. . . . . . . . . .are members for the purposes of the 1998 Act.
I understand that wherever possible I will be told that the information is to be disclosed
before its disclosure, to whom it is to be disclosed and for what reason. I understand
that I may withdraw my consent at any time but that this information may still be
disclosed if it is necessary for any of the purposes of the 1998 Act and the principles of
the Data Protection Acts 1984 and 1998 have been met.
This consent is given freely and unconditionally.
INFORMATION TO WHICH THIS CONSENT APPLIES
Signed:………….................................…………………………………….
(Print name)………………………….................................……………….
Dated:…………………........................……….200....................
28
APPENDIX F GUIDANCE NOTES FOR DESIGNATED OFFICERS
The Crime & Disorder Act 1998 provides parties with the ability to share data, however it does not
entitle them to enter into wholesale data sharing or matching. Any sharing of information under the
Act must be for the aims of the Act, namely the reduction of crime and the fear of crime
When presented with a request for disclosure a designated officer must ask two fundamental
questions.
1.Do I have the legal power to disclose this information?, and,
2.If so, am I proposing to do so properly with due regard to both common and statute law,
including the common law duty of confidence and the statutory data protection principles?
The parties to the Joint Protocol on Information Exchange have the power under section 115 of the
Crime and Disorder Act 1998 to disclose information to the relevant authorities where it is necessary
and expedient for the purposes of any of the provision of Act.
The purposes of the Act may include local crime audits, Youth Offending Teams, anti social
behaviour orders, sex offender orders and local child curfew schemes. In addition, section 117 of the
Crime & Disorder Act 1998 places a statutory duty on every local authority to exercise its various
functions with due regard to the need to do all that it reasonably can to prevent crime and disorder in
its area.
However, section 115 does not override an individual’s right to privacy, confidentiality and
reputation. These should be balanced against the likely harm if the information is not disclosed. In
deciding whether or not data should be disclosed, it is suggested that designated officer considers the
following checklist: 1. What is the purpose of the information sharing arrangement?
The purpose of the arrangement must be clearly defined. This is because if personal data is to
be disclosed, then the disclosure must be registered the Data Protection Registrar and the data
protection principles will take effect.
2. Will it be necessary to share personal information in order to fulfil that purpose?
Depersonalised information is presented in such a way that individuals cannot be identified from
it. If this type of information can be used to achieve the purpose, then it should be used rather
than disclosing personal information. If the objective cannot be reached without the use of
personalised information then the following questions should be considered:
3. Do the parties concerned have power to disclose personal information for that purpose?
Section 115 provides the power to disclose information to any of the relevant authorities. It
does not provide any power for those bodies or any other person or organisation to disclose
personal information to anyone else including individual voluntary and community groups.
29
If section 115 cannot be used, then you will need to establish whether the parties have any other
statutory powers permitting disclosure.
4. How much information will need to be shared in order to achieve the objectives of the
arrangement?
Parties may hold a lot of information about individuals. Not all of this information may be
relevant to the particular purpose for which the request was made. Care will need to be taken to
ensure that only information which is actually relevant to that purpose is disclosed. To do
otherwise might be to overstep the boundaries of the power available.
5. Should the consent of the individual be sought before disclosure is made?
If possible this should be obtained in each case. Many of the issues surrounding disclosure can
be avoided if consent is sought and obtained. This is particularly the case in relation to victims
or witnesses. In these case no information should be disclosed without their prior consent.
It is however recognised that consent will not always be given and indeed in some case it maybe
inappropriate to seek consent in the first place. In those circumstances, consideration must be
given as to whether information can be disclosed lawfully and fairly.
6. If consent is sought but is withheld, should the information be disclosed?
You will need to consider whether personal information is held under a duty of confidence.
If so, you can only disclose that information if you have the individual’s consent OR there is an
overriding public interest or justification for doing so.
PLEASE NOTE - IT WILL NOT ALWAYS BE THE CASE THAT THE PREVENTION
AND DETECTION OF CRIME OR PUBLIC SAFETY CONSTITUTES AN
OVERRIDING PUBLIC INTEREST FOR THIS PURPOSE.
Even if the information is not subject to a duty of confidence, you must still consider whether
and how the information can be disclosed fairly. You must therefore balance the public interest
against the possible resulting prejudice to the interests of the individual concerned.
7. Does the non-disclosure exemption apply?
Both the Data Protection Act 1984 and 1998 contain general non-disclosure provisions.
However, there are several specific exemptions one of which states that personal information
may be disclosed for the purposes of the prevention and detection of crime or the apprehension
and prosecution of offenders in cases where the failure to disclose would be likely to prejudice
those objectives.
8. Have the other data protection principles been complied with?

only the minimum information necessary should be shared

the information should be checked for accuracy
30

how long will the information be kept by the recipient ?
you should ensure that before disclosure takes place you know and have recorded how
long the recipient of the information intends to keep the information.

access for the individual

how will the data be stored ?
you should ensure that the recipient has a secure storage system for the information to
be shared under this protocol.
9. The data protection principles require that such information is obtained and processed fairly
and lawfully; is only disclosed in appropriate circumstances; is accurate, relevant, and not
held longer than necessary; and is kept securely.
The Human Rights Act 1998 gives further effect in domestic law to certain Articles of the
European Convention on Human Rights (ECHR). The Act requires all domestic law to read
compatibly with the Convention Articles. It also places a legal obligation on all public
authorities to act in a manner compatible with the Convention. Should a public authority fail
to do this then it may be subject of a legal action under section 7. This obligation should not
solely be seen in terms of an obligation not to violate Convention Rights but also as a
positive obligation to uphold these rights.
The sharing of information between agencies has the potential to infringe a number of
Convention Rights. In particular, Article 3 (Freedom from torture or inhuman or degrading
treatment), Article 8 (Right to private and family life), and Article 1 of Protocol 1
(Protection of Property). In addition all Convention Rights must be secured without
discrimination on a wide variety of grounds under Article 14.
The Convention does allow limited interference with certain Convention rights by public
authorities under broadly defined circumstances known as legitimate aims. However, mere
reliance on a legal power may not alone provide sufficient justification and the following
principles should be considered:
•
•
•
Is there a legal basis for the action being taken?
Does it pursue a legitimate aim (as outlined in the particular Convention article)?
Is the action taken proportionate and the least intrusive method of achieving that aim?
(See paragraph 3.3.1)
A brief summary of the Articles of the Human Rights Act 1998 is attached as appendix A.
Article 8 is covered in more detail below but other articles may apply in specific
circumstances.
31
APPENDIX H
BASELINE SECURITY REQUIREMENTS FOR INFORMATION
SHARING AGREEMENTS
All Chief Constables are committed to compliance with the ACPO Community Security Policy, which
is based on the British Standard for Information Security Management (BS7799).
The basic requirements for an Information Sharing Agreement are specified below. Additional
safeguards may be specified according to the sensitivity and classification of the data and the
circumstances of the multi-agency partnership.
Section 1 Information Security Policy
A written statement of Information Security Policy should be available for all organizations
involved in the partnership.

Please attach a copy of your organisation's Information Security Policy.
Section 2 Information Security Organisation
Responsibility for information security should be allocated to an individual within the organisation.
That individual should be operating within a management framework that initiates and controls the
implementation of information security.

Please advise who has designated responsibility for information security
within your organisation and describe the management framework within
which they operate.
Section 3 Asset Classification and Control
It is important to maintain appropriate protection of the computer and information assets
used by the partnership.

Please list below the hardware, software and information, which will be used
for the partnership.

What accountability for these assets is in place? Who will be the nominated
System Owner of these assets for the purposes of the partnership?
32
Section 4 Personnel Security
The Chief Constable will need to ensure the reliability of any persons having access to data.

How has the reliability of all persons subject to this agreement been
assessed?

Any persons having access to data as part of this agreement may be required
to give consent to background enquiries in accordance with Force policy.
Please provide written consent as required.

Please confirm that all persons connected with this project have received
training and awareness in Data Protection and Information Security. A
confidentiality clause will be included in the Information Sharing Agreement
which all persons involved will be required to sign.

Please confirm that all persons involved with this project are made aware of
the procedure for reporting any security breaches, threats, weaknesses or
malfunctions that might impact on the security of the data.
Section 5 Physical and Environmental Security
Appropriate measures should be in place to prevent unauthorised access or unlawful processing,
accidental loss, destruction or damage.
Please advise details of the premises used for this purpose and in relation to each
named premises:
What access controls are there to the buildings?

What access controls are there to the rooms?

Are the windows lockable when accessible from the outside?

Is the door lockable where the information is stored?

Is information secured in a lockable cabinet when not in use?

Is there a clear desk policy in relation to this information?

Do outside contractors/maintenance staff have access to the room?

Is the information visible to unauthorised individuals e.g. through windows,
from corridors etc.

Is there any intention to use portable computers for this purpose? If so, what
special control measures will be deployed to protect data?
33

Section 6 Computer and Network Management
In addition to the physical security outlined above, please provide details of the
following:
Is the computer a stand-alone? If not, what measures are taken to prevent
unauthorised access via your network or from external networks?

Is there a policy and procedure for the disposal of confidential material
(computer or otherwise)? What procedure is in place to ensure that data is
cleansed from computer media as it becomes obsolete for whatever reason?

Are system security procedures regularly audited?

Are there documented rules for the use of this system available for all users?

What control measures are in place to prevent the introduction of malicious

software to the system (e.g. computer viruses)?
Section 7 System Access Controls

Are there controls on the system to prevent unauthorised access (i.e. is there
a mechanism for the identification and authorisation of individual users, e.g.
user ID and password)?

Is there an automatic log-out after an appropriate time interval?

Is there a warning at log-on to forbid unauthorised use of the system?

Is there an audit trail to identify who has accessed the system including time,
date and which records were accessed?
Section 8 Systems Development and Maintenance
All information systems used as part of this agreement should be designed from the outset with
information security in mind to cover, as a minimum, the control measures contained in this
document.
Section 9 Business Continuity Planning

Is there an effective backup and recovery mechanism to secure the data?

What security surrounds these back-up facilities?
Section 10 Compliance
Agreements must be must comply with appropriate legal requirements and the prevailing policies of
all organisations involved.
34
APPENDIX I Example

Article 3 Freedom from Torture or inhuman or degrading treatment
No one person shall be subjected to torture or to inhuman or degrading treatment or
punishment

Article 5 Right to Liberty
Everyone has the right to liberty and security of person. No one shall be deprived of his
liberty save in the following cases and in accordance with a procedure prescribed in law.

Lawful detention after conviction by a competent court
 Lawful arrest or detention for non-compliance with the lawful order of a court or in
order to secure the fulfillment of any obligation prescribed by law.
 Lawful arrest or detention of a person for the purpose of bringing him before a
competent legal authority on reasonable suspicion of having committed or to prevent
committing an offence or fleeing after having done so.
 The detention of a minor by lawful order for the purpose of educational supervision or
for the purpose of bringing him before the competent legal authority.
Lawful detention of persons for prevention of spreading of infectious diseases, persons
of an unsound mind, drug addicts, alcoholics or vagrants.

Article further gives instruction on how arrested person is to be dealt with.

Article 8 Right to Respect for Private and Family Life
Article 8 of the Human Rights Act 1998 states that everyone has the right to respect for his
private and family life, his home and his correspondence and that there shall be no interference
by a public authority with this right except as in accordance with the law: -


In the interests of national security

Public safety

Economic well being of the country

The prevention of crime or disorder

The protection of health or morals

The protection of the rights or freedoms of others

The protocol should identify which of these legitimate aims is applicable.
Article 11 Right to Freedom of Assembly and Association
35
Everyone has the right to freedom of peaceful assembly and freedom of association with others

Article 14 Prohibition of Discrimination
The enjoyment of the rights and freedoms of the convention shall be secured without
discrimination on any ground such as

Sex
Race
Colour
Language
Religion
Political or other opinion
National or social origin
Association with a national minority
Property , birth or other status

Protocol 1 Article 1








Protection of Property

Every natural or legal person is entitled to the peaceful enjoyment of his possessions. No one
shall be deprived of his possessions except in the public interest and subject to the conditions
provided for by law and by the general principles of international law.

The preceding provisions shall not, however, in any way impair the right of a state to enforce
such laws as it deems necessary to control the use of property in accordance with the general
interest or to secure the payment of taxes or other contributions or penalties.
36