
Multi Agency Public Protection Arrangements (MAPPA) National Guidance 2012 Version 1 and Covering Justice and Communities Circular JD/01/2012



1 In 2001, an Expert Panel, chaired by Lady Cosgrove, published a report entitled Reducing the Risk: Improving the Response to Sex Offending. The Expert Panel recognised that a large number of agencies, including the police, prosecutors, courts, prison service, CJSW, as well as housing, health and education authorities play a role in managing the risk posed by sex offenders.

2 The Expert Panel concluded that these agencies (working with voluntary sector partners) have a duty to deliver the safer environment which communities expect and deserve but that there is a tendency for individual agencies to focus their attention on improving their internal procedures rather than working together. This results in gaps in the system which sex offenders can exploit.

3 The Expert Panel therefore called for a programme of action where:

  • Each organisation has a clear understanding of its own role and responsibilities in relation to sex offenders;
  • Agencies and organisations who work with sex offenders work together to overcome the risks which sex offenders present;
  • Institutional barriers which prevent a more effective co-ordination of practices and integration of services are tackled; and
  • The practical and operational difficulties which exist are addressed.

4 In particular, the Expert Panel highlighted the importance of sharing information.

National Concordat on Sharing Information on Sex Offenders

5 In order to fulfil the aspirations of the Expert Panel report, a multi-agency Information Sharing Steering Group took forward the information management recommendations of the report to ensure the effective and efficient flow of information between key agencies by developing protocols, guidance and strategies.

6 As a result, the National Concordat on the Sharing of Information on Sex Offenders was developed and published. In signing the Concordat, agencies from all spectrums of the justice system and statutory and non-statutory organisations involved in the management of sex offenders agreed to work to a set of principles and working arrangements. This was intended to improve the systems and procedures to ensure that public safety is given the highest priority by ensuring that all relevant information is shared within the tenet of existing legislation.

7 These agencies and bodies include the responsible authorities and many who are defined under the DTC.


8 Importantly, the Concordat requires all agencies involved to use agreed definitions and to develop detailed information sharing protocols under which the flow of information is to be managed. Protocols allow each agency to be clear about, and address, their legal obligations for sharing of information under the Data Protection Act 1998 and other legislation.

9 Guidance on the development and content of protocols can be found in the Scottish Executive Justice Department Circular 15/2005 issued in November 2005 to those agencies and bodies who signed the Concordat. This guidance also covers agencies that are not involved directly in the MAPPA arrangements.

10 Health also issued the Concordat guidance under cover of NHSHDL (2006) 9 issued in February 2006 to NHS boards and the State Hospital Board.

11 It should be recognised that most agencies will require to be involved in the development and operation of bi-lateral and multi-lateral protocols. Protocols are a major factor in the DTC and should be developed as part of the Memorandum under section 10(5) of the Management of Offenders etc. (Scotland) Act 2005.

12 In 2009, the multi-agency inspection report Assessing and managing high risk of harm offenders, Chapter 4, again reiterated the requirements for agencies to share information in respect of high risk of harm offenders and acknowledged the commitment of agencies to do so.

Communication, record keeping and action

13 The effective management of offenders who pose a risk of harm to the community requires a set of complex arrangements to be put in place by a number of agencies to address individual needs and circumstances and, most of all, to ensure that public protection is maintained.

14 Investigations into high-profile cases have identified poor communication and lack of continuity as major factors in contributing to the failure to properly assess risk and develop management plans at an early stage and to monitor and address changes in risk and adjust management of the offender, as required.

15 The Concordat, protocols and memorandum are intended to provide the basis on which each agency will agree to fulfil its role. These roles can only be delivered effectively if clear lines of communication are established between the responsible authority and DTC agencies.

16 Whether information should be shared and, if so, what information and to whom, must be decided on a case-by-case basis. That said, the presumption should be that in cases where there is a risk of harm to the public, information should be shared. The UK Information Commissioner's Office (ICO) regulates the DPA and provides advice and guidance on data sharing. This includes a statutory Data Sharing Code of Practice which should be followed.

17 Confident, appropriate and effective sharing of information is a very important part of the DTC. The effectiveness of information sharing arrangements reflects the effectiveness of co-operation within the MAPPA as a whole. However, not all the information shared will be personal information, that is, the information covered by privacy laws (the common law duty of confidentiality, the protection of personal information required by the Data Protection Act and Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms). This part of the Guidance relates only to sharing personal information.

Data Protection Act 1998

18 The Data Protection Act 1998 requires that personal information:

i. Must be fairly and lawfully processed

ii. Must be processed for limited purposes

iii. Must be adequate, relevant and not excessive

iv. Must be accurate and up to date

v. Must not be kept for longer than is necessary

vi. Shall be processed in line with the data subjects' rights

vii. Must be secure

viii. Must not be transferred to other countries without adequate protection.

19 Critical to the justification of information sharing are the twin requirements of necessity and proportionality. The necessity criterion requires that there is a pressing public protection need. The proportionality criterion requires the information shared must be only that information necessary to achieve the purpose for which it is being shared. Further explanation of this is provided below.

20 To identify the purpose of sharing information and to ensure that the agencies' obligations to retain and use the information lawfully are fulfilled, it is helpful to keep the following in mind. The persons with whom information is shared must know:

  • Is a Privacy Impact Assessment (PIA) required?
  • Is the information personal or otherwise sensitive?
  • Is the sharing of the information lawful and fair?
  • Is there an existing data sharing agreement?
  • Who is authorised to see the information (need to know)?
  • Will the data sharing deliver benefits?

21 Clarity about these matters will help instil the confidence of the professionals representing the DTC agencies.

Management of Police Information (MOPI)/information security

22 Detailed guidance on the management of police information and information sharing with partner organisations can be found within the Management of Police Information (MOPI) Partners version.

23 It is vital that information is shared and stored securely as much of the information within the MAPPA process will be of a sensitive nature.

Government Protective Marking Scheme (GPMS)

24 The GPMS sets out common standards for the protection of sensitive documents and other material, including data held on computer and electronic recording systems, against accidental or deliberate compromise. It defines different security classifications and all protectively marked documents should be labelled on the top and bottom of each page with the classification.

25 MAPPA notification and referral forms, minutes and risk management plan documents should be protectively marked as restricted in terms of the GPMS. Dependent on the nature of the information contained on the documents it may be appropriate on occasion to have them marked as 'Confidential' in terms of GPMS.

26 MAPPA documents should not be marked with a classification of secret or top secret. A description of GPMS can be found at Annex 2.

Information sharing - health considerations

27 If MAPPA documents are marked as 'restricted' in terms of GPMS then NHS net can be used to transmit documents between the NHS and other agencies. Within the NHS, MAPPA documents must be stored in accordance with GPMS either physically or electronically. Within the hospital environment, MAPPA records are held separately from the patient's records; however, if considered appropriate, a summary containing relevant information may be included within the patient's records. This is recognised as good practice and should be reflected in the processes employed by General Practitioners. Documents or letters outlining key points may be useful ways to ensure that relevant information is made available to appropriate health service staff where this is necessary without transmitting full MAPPA documents.

28 If MAPPA documents are shared with staff who do not have access to a method of storing documents in keeping with GPMS, then after the documents have been read they should be destroyed.

Jobcentre Plus (JCP)/Department for Work and Pensions (DWP) and the Child Maintenance and Enforcement Commission ('the Commission')

29 There are reciprocal arrangements between the Secretary of State and the responsible authorities in relation to the sharing of information. Albeit the DWP and the Commission are not DTC agencies in Scotland, there is legislation which allows information to be shared in relation to the management of offenders under the terms of section 10 of the 2005 Act. This sharing of information is facilitated by The Management of Offenders etc. (Scotland) Act 2005 (Disclosure of Information) Order 2010 and circular JD 5/2010.

30 In practice, there are three ways by which the responsible authorities can obtain information from JCP/DWP, namely:

31 Each piece of legislation has its own defined uses and the appropriate legislation should be used when circumstances dictate.