Information Sharing Policy

  1. Introduction
    1.1 Sharing information across professional boundaries can bring many
    advantages, not least to ensure effective co-ordination and there is a need for a joint
    approach in the creation of robust frameworks within which information can be
    shared effectively, lawfully and securely.
    1.2 Information sharing does of course, present risks and these need to be
    managed correctly. The Trust needs to ensure that Information Sharing is carried out
    fairly and lawfully and in adherence with the General Data Protection Regulation
    (GDPR) and Data Protection Act 2018.
  2. Purpose and Scope
    2.1 This policy details the overarching framework specifically for the sharing of
    personal information, or “personal data” (defined as, any information relating to an
    identified or identifiable natural person (‘data subject’); an identifiable natural person
    is one who can be identified, directly or indirectly, in particular by reference to an
    identifier such as a name, an identification number, location data, an online identifier
    or to one or more factors specific to the physical, physiological, genetic, mental,
    economic, cultural or social identity of that natural person), shared between the Trust
    and other partners, public, private or voluntary sector organisations. The policy
    focuses on the requirements for sharing “personal data” about service users in a
    safe and appropriate way.
    2.2 This document is applicable to all staff (including but not limited to employees,
    contractors, agency workers, consultants, and interims) who have been permitted
    access by the Trust to use or access Trust data on its behalf.
  3. What is Information Sharing?
    3.1 Information sharing means the disclosure of information from one or more
    organisation to a third party organisation or organisations, or the sharing of
    information internally.
    3.2 Information sharing can take the form of:
  • A reciprocal exchange of information
  • Several organisations pooling information and making it available to each
    other
  • Several organisations pooling information and making it available to a third
    party or parties
  • Exceptional, one-off disclosures of information in unexpected or in emergency
    situations

4. Deciding to share personal data
4.1 Personal data sharing is not an automatic assumption and there must be:

  • a clear objective or set of objectives as to what the sharing is meant to
    achieve
  • a legal basis
  • some form of active communication where the individual knowingly indicates
    consent
  • a valid information sharing agreement in place unless exceptional
    circumstances apply
    4.2 Information sharing must only be done in adherence with the General Data
    Protection Regulation and Data Protection Act 2018 in line with the Information
    Commissioner’s Data Sharing Code of Practice
    4.3 Sharing information without an individual’s knowledge is permitted for:
  • the prevention or detection of crime
  • the apprehension or prosecution of offenders; or
  • the assessment or collection of tax or duty

5. Benefits of Information Sharing Agreements
5.1 Information Sharing Agreements provide the following benefits:

  • Helps to promote information sharing – by setting standards agreed by all
    parties an information sharing agreement (ISA) will help remove barriers
    which often hinder effective information sharing. It will allow the Trust to
    deliver high quality integrated services and make the Trust more effective in
    the way the Trust work.
    8
  • Inspiring public trust by helping to ensure compliance with legislation
    and guidance – organisations who sign up to an ISA are confirming that they
    will comply with the procedures which accompany it whenever information is
    shared and that they will abide by the monitoring arrangements set within it.
    This not only ensures compliance with legislation but also improves the
    public’s confidence that legally required safeguards are in place and
    information will be correctly processed and protected.
  • Avoiding duplication of agreements and guidance – this policy and any
    associated ISA’s provides detailed guidance around all information sharing
    arrangements. This means that there is no need to duplicate information when
    drafting specific agreements. By signing up to the ISA, organisations agree to
    ensure that all agreements established between organisations sharing
    information for a common purpose are consistent with the agreed ISA and
    template agreement.
  • Transparency – demonstrates the willingness of signatory organisations to
    be transparent in their information sharing practices.
  • Reduced reputational risk – by ensuring the Trust have the correct
    processes in place the Trust limit inappropriate or insecure sharing of
    personal data.
  • Increases understanding – with clear information sharing agreements
    people will gain a better understanding of knowing when it is or isn’t
    acceptable to share information. This also minimises the risk of a breach
    occurring and possible enforcement action from the ICO.
  • Details the specific arrangements who the Trust need to share information
    for a common purpose or project. This is important as it provides all parties
    with clear instructions and information as to how the sharing will work and
    what the legal restrictions are.
  • Formalise the decision taken to share and ensure that all Data Protection
    requirements have been accounted for.

6. Data Protection Impact Assessments (DPIA’s)
6.1 It is good practice to carry out a data protection impact assessment before
entering any data sharing arrangement. This will assist in identifying and reducing
the privacy risks. A DPIA enables the Trust to systematically and thoroughly analyse
how a particular project or system will affect the privacy of the individuals involved
and identify and mitigate risks at an early stage.
6.2 A DPIA should be considered as part of any information sharing agreement.

7. Process
7.1 All ISA’s should be drafted using the Trust’s standard Information Sharing
Agreement Template and approved by the DPO (Appendix 1). The DPO should be
consulted when it is believed an ISA is required.
7.2 You must ensure when entering into any regular information sharing
arrangements that an Information Sharing Agreement is in place and that it states a
clear and lawful legal basis to allow the sharing to take place and it is agreed by all
parties and approved by the DPO.

8. Policy Review
8.1 This policy will be reviewed by the DPO. In addition, changes to legislation,
codes of practice or commissioner advice may trigger interim reviews.

9. Links with other Policies
9.1 This Information Sharing policy is linked to the Trusts:

  • Data Protection Policy
  • Security Incident and Data Breach Policy
  • Data Protection Impact Assessment Policy
  • Information Security Policy
  • Safeguarding policy
  • Privacy Notices
    9.2 The ICO also provides a free helpdesk that can be used by anyone and a
    website containing a large range of resources and guidance on all aspects of
    Information Law for use by organisations and the public. See www.ico.org.uk

APPENDIX 1
Construction Youth Trust Data Sharing Agreement

  1. Purpose of this Agreement
    1.1 The purpose of this agreement is to:
  • —————————————–
    1.2 This document is not a legally binding document, it aims to provide the basis
    for an agreement between those listed in section 2 and engaged in facilitation of the –
    —- programme to facilitate and govern the efficient, effective, and secure sharing of
    good quality information. It sets out:
  • The principles underpinning information sharing
  • The general purposes for information sharing
  • The responsibilities and commitments of partners to this agreement
    1.3 This agreement aligns with any other agreement to which partners may already
    be signatories and does not in any way supersede those existing agreements.
    1.4 It is not intended that this agreement be definitive or exhaustive, it is recognised
    that as policy develops and implementation arrangements mature, this agreement will
    need to be reviewed and amended considering new information sharing requirements
    to ensure that it is ‘fit for purpose’.

2. Partners
2.1 This agreement is between the following partners:

  1. Powers
    3.1 This agreement fulfils the requirement of the following:
  • General Data Protection Regulation 2016/679
  • Data Protection Act 2018
    3.2 As stated above this agreement covers the sharing of information between all
    partners listed in section 2 above.

4. Process
4.1 This agreement has been formulated to facilitate the exchange of information
between partners. It is, however incumbent on all partners to recognise that any
information shared must be justified on the merits of each case.

5. Types of information to be shared
5.1 The following are the types of data that may be proportionate, relevant and
necessary to share between partners for the purposes listed below.
Data use under this agreement
the subject matter:
the lawful basis for sharing data:
the type of personal data purpose of the processing

6. Constraints on the information to be shared
6.1 The information shared must not be disclosed to any third party, other than
those partners signed up to this agreement, without the written consent of the Data
Subject(s).
6.2 All partners signed up to this agreement must store the information securely
and delete when it is no longer required for the purpose for which it is provided.
6.3 The Specific Personal information shared may only be shared for the purpose
of this agreement. This information must not be shared with other parties not signed
up to this agreement without the express permission of the data subject.
6.4 ‘Personal Data’ means any information relating to an identified or identifiable
natural person (‘data subject’); an identifiable natural person is one who can be
identified, directly or indirectly, in particular by reference to an identifier such as a
name, an identification number, location data, an online identifier or to one or more
factors specific to the physical, physiological, genetic, mental, economic, cultural or
social identity of that natural person.

7. Roles and responsibilities under this agreement
INSERT EACH PARTNERS ROLES AND RESPONSIBILITIES
Each Partner maintains responsibility for Freedom of Information Requests and
Subject Access Requests.

8. Review, retention & disposal
8.1 Partners to this agreement undertake that personal data shared will only be
used for the specific purpose for which it is requested. The recipient of the information
is required to keep it securely stored and will dispose of it when it is no longer required.
Partners may request a copy of information security policies when sensitive personal
data is to be shared.
8.2 The recipient will not release the information to any third party without obtaining
the express written authority of the partner who provided the information.

9. Signatures
9.1 By signing this agreement, all signatories accept responsibility for its execution
and agree to ensure that staff are trained so that requests for information and the
process of sharing itself is sufficient to meet the purpose of this agreement.
9.2 Signatories must also ensure that they comply with all the relevant legislation.
Organisation:
Name:
Signature:
Organisation:
Name:
Signature: