E

Appendix

Data Protection Registrar's Checklist

Data Protection Registrar's Checklist for Setting up Information Sharing Arrangements (abridged version)

(i) What is the purpose of the information sharing arrangement?

1. It is important in data protection terms that the purpose of any information sharing arrangement is clearly defined. This is because if personal information is to be disclosed, then disclosures must be registered with the Data Protection Registrar and the data protection principles will take effect. These principles themselves relate directly to the purpose or purposes for which personal information is held. For example, information must be adequate, relevant, and not excessive in relation to the purpose for which it is held, and must not be held longer than is necessary for that purpose.

2. Parties to any arrangement should be aware that under the Data Protection Act 1998 they will need to have a 'legitimate basis' for disclosing sensitive personal data. The introduction of special controls on the processing of sensitive data (including holding and disclosing them) is one of the major innovations of the new Act. Under section 2, 'sensitive data' include information as to the commission, or alleged commission, by the data subject of any offence; and criminal proceedings involving the data subject as the accused, and their disposal. The definition of 'sensitive data' also includes information about the data subject's sexual life. It should also be made clear to all parties that information received under the arrangement is to be used only for the specified purpose(s). Thus, there should be a restriction on secondary use of personal data received under any information sharing arrangement unless the consent of the disclosing party to that secondary use is sought and granted.

(ii) Will it be necessary to share personal information in order to fulfil that purpose?

3. Depersonalised information is information presented in such a way that individuals cannot be identified. If depersonalised information can be used to achieve the purpose, then there will be no data protection implications. Consideration should therefore always be given to whether the purpose can be achieved using depersonalised information; 'would failure to share personal information mean that the objectives of the arrangement could not be achieved?'

(iii) Do the parties to the arrangement have the power to disclose personal information for that purpose?

4. If the purpose cannot be achieved without sharing personal information, then each party to the arrangement will need to consider whether they have the power to disclose information for this purpose. This is particularly significant for public sector bodies or agencies whose powers and responsibilities are defined by statute or administrative law. If a public body acts ultra vires or outside its powers, then it may, at the same time, breach the lawfulness requirement of the first data protection principle. Section 115 of the Crime and Disorder Act 1998 may provide the parties with the lawful power they need provided the requirements of that section are met. This provides that any person can lawfully disclose information, where necessary or expedient for the purposes of any provision of the (1998) Act, to a chief officer of police, a police authority, local authorities, Probation Service or health authority, even if they do not otherwise have this power. This power also covers disclosure to people acting on behalf of any of the above named bodies. The 'purposes' of the Act referred to in Section 115 include a range of measures such as local crime audits, youth offending teams, anti-social behaviour orders, sex offender orders, and local child curfew schemes. It should also be noted that Section 17 of the Act places a statutory duty on every local authority to exercise its various functions . . .with due regard to . . . the need to do all that it reasonably can to prevent . . . crime and disorder in its area.

(iv) How much personal information will need to be shared in order to achieve the objectives of the arrangement?

5. Consideration must be given to the extent of any personal information disclosed. Some agencies may hold a lot of personal information on individuals but not all of this may be relevant to the purpose of the information sharing arrangement, so it may not be right to disclose it all. This is a matter for consideration by the agency holding the information.

(v) Should the consent of the individual be sought before disclosure is made?

6. When disclosing personal information, many of the data protection issues surrounding disclosure can be avoided if the consent of the individual has been sought and obtained. This is particularly significant if the personal information to be shared identified victims or witnesses where consideration should be given to any effects of disclosure of their personal data on third parties.

(vi) What if the consent of the individual is not sought, or is sought but withheld?

7. Consideration must be given to whether the personal information can be disclosed lawfully and fairly. In terms of lawfulness, an agency will need to consider whether personal information is held under a duty of confidence. If it is, then it may only be disclosed:

(a) with the individual's consent; or

(b) where there is an overriding public interest or justification for doing so.

It will not always be the case that the prevention and detection of crime or public safety constitutes an overriding public interest for the exchange of personal information.

8. As regards fairness, even if the personal information held is not subject to a duty of confidence, the agency will still need to consider how the disclosure can be made fairly. In data protection terms, in order to obtain and process personal data fairly, the individual should be informed of any non-obvious uses (including disclosure) of their personal data, and be given the opportunity to consent to those uses. If consent is therefore not obtained, consideration will have to be given to how the disclosure can be made fairly. This might involve arguments of public interest, but these would have to be balanced against any potential resulting prejudice to the interests of the individual concerned.

(vii) How does the non-disclosure exemption apply?

9. The Data Protection Acts 1984 and 1998 contain general 'non-disclosure provisions', but allow a number of specific exemptions. There is an exemption in both Acts which states that personal information may be disclosed for the purposes of the prevention or detection of crime, or the apprehension or prosecution of offenders, in cases where failure to disclose would be likely to prejudice those objectives. A party seeking to rely on this exemption needs to make a judgement as to whether, in the particular circumstances of an individual case, there would be a substantial chance that one or both of those objectives would be noticeably damaged if the personal information was withheld.

(viii) How do you ensure compliance with the other data protection principles?

10. Any information sharing arrangement should also address the following issues:

• how will it be ensured that only the minimum personal information necessary is shared and held for the purpose(s) of the arrangement?
  
  
• how will the accuracy of the personal information be maintained? One party to the arrangement may know that there has been a change in personal information which they have disclosed: how does that party ensure that all recipients of that personal information are kept informed of developments, so that they can keep their records up to date?
  
  
• for how long will personal information be retained? It would be anomalous if the disclosing agency were to remove the personal information from its systems, but the other parties continued to hold it.
  
  
• how will individuals be given access to personal information held about them? Under data protection legislation, individuals have a right of access to any information held about them. This right may be denied in certain limited circumstances, which include where access would prejudice the prevention or detection of crime. This could be significant, if, for example, a police force wished to disclose personal data to another party, but for operational reasons did not want the individual concerned to know the disclosure had been made. On the other hand, it is not sufficient to deny subject access merely because the information is held for crime prevention purposes. Mechanisms must therefore be in place to ensure that the wishes of the disclosing party are considered.
  
  
• how will the personal data be stored? The more sensitive the personal data shared, the more security measures should be taken by each party receiving that personal data. This is not limited to physical security of the equipment on which it is held, but extends to technological security (for example, limited staff access, appropriate levels of staff access) and to staff security (staff with authorised access should be aware of its purpose and extent).

Prepared 29 March 2000