Information sharing between NHS Scotland boards and Police Scotland: consultation

Consultation on information sharing agreement and data protection impact assessment between NHS Scotland boards and Police Scotland in relation to forensic medical examinations.


Information Sharing Agreement Template

Information Sharing Agreement

Victims of Rape and Sexual Assault

This Information Sharing Agreement sets out the arrangements for the sharing of information between NHS [insert board] and the Police Service of Scotland to support the service provision for victims of rape, sexual assault and sexual abuse.

[Relevant Date]

Contents

Introduction

1 Parties, Scope and Purpose
1.1 Name and details of the parties who agree to share information
1.2 Business and legislative drivers for sharing data.
1.2.1 Purpose(s) of the information sharing
1.2.2 Legal basis for the processing and constraints

2 Description of the information to be shared

3 Description and manner of information sharing
3.1 Data flows
3.2 How data/information is to be accessed, processed and used
3.3 Summary of how decisions are going to be made with regards to the manner of the processing.

4 Impact assessments and preparatory work

5 Privacy information (transparency requirement)

6 Accuracy of the information

7 Data retention and secure disposal

8 The rights of individuals

9 Security, risk and impact of the processing
9.1 Agreed standards, codes of conduct and certifications

10 International transfers of personal data
10.1 List of countries where the data will be transferred to (if applicable).

11 Implementation of the information sharing agreement
11.1 Dates when information sharing commences/ends
11.2 Training and communications
11.3 Information sharing instructions and security controls
11.4 Non-routine information sharing and exceptional circumstances
11.5 Monitoring, review and continuous improvement

12 Sign-off

13 Appendix 1: List of Work instructions, policies and procedures

14 Appendix 2: Data items and adequacy

Introduction 

This Information Sharing Agreement (ISA) has been prepared to support appropriate sharing of information between NHS [insert board] and the Police Service of Scotland (hereafter referred to as the “parties”). A Data Protection Impact Assessment (DPIA) has also been developed and should be read prior to this for clarity on the process. The Police Service of Scotland will become the controller for the samples, copy health records and professional clinical statement when handed over to them, and will determine when this information can be shared and with whom. A data sharing agreement is currently in place within NHS [Insert Board] for sharing information with social work.

The aim of this document is to facilitate consistent, person-centred, trauma informed healthcare and forensic medical services with access to relevant services for anyone who has experienced rape, sexual assault or sexual abuse in Scotland.  In addition, the ISA will encourage integrated working with agencies to improve outcomes for patients, service users, carers and their families.

Scottish NHS Boards will also need to work in partnership with local authorities, social care, education, the voluntary sector and other key agencies to ensure that services meet the needs of individuals who have been raped, sexually assaulted or experienced sexual abuse, to improve quality care and outcomes for that individual regardless of age or gender.

This document sets out the rules to be applied by the Health Board when sharing information with the other agencies noted in this agreement.

1 Parties, Scope and Purpose

1.1 Name and details of the parties who agree to share information

Trading name of parties subject to the ISA and Head Office address | Short name of the party | Role in this agreement: Controller or Processor (*) | ICO Registration
NHS [Insert Board], [Insert Address] | The Board | Controller | [Insert]
The Police Service of Scotland, [Insert Address] | The Police | Controller | [Insert]

The aim of this ISA is to:

Facilitate the sharing of information between parties. When information has been shared from the NHS to the Police Service of Scotland, the Police Service of Scotland will then be the controller for that instance of the information.

Put in place a framework which will allow this information to be processed by the parties and exchanged in ways which respect the rights and freedoms of individuals and comply with the law. Those individuals may include third parties, for example a current partner, family members, an alleged perpetrator and/or any relevant associates, to support the prevention or detection of crime or the apprehension or prosecution of offenders.

1.2 Business and legislative drivers for sharing data

In March 2017, Her Majesty’s Inspectorate of Constabulary in Scotland (HMICS) published a report that provided a strategic overview of forensic medical and healthcare services for victims of sexual crime. The report identified significant gaps and variation in the quality of services and made a number of recommendations to improve this. Following the report, the Chief Medical Officer for Scotland (CMO) was asked by the Cabinet Secretary for Health and Sport and the Cabinet Secretary for Justice to chair a Taskforce to provide national leadership and oversight to help improve service provision in this area.

This Information Sharing Agreement template and supporting documentation have been developed by the Taskforce with the aim of facilitating the sharing of information between agencies responsible for the welfare of individuals who have been victims of sexual crime. Such sharing is increasingly important to improve safe and effective service provision and outcomes for victims. Proportionate and necessary information sharing is essential to the operation of a comprehensive system which has patients at its centre, allowing a level of consistency across Scotland.

1.2.1 Purpose(s) of the information sharing

Indicate how the controllers will decide upon changes in the purpose(s) of the information sharing (jointly or independently): Jointly

For the duration of the short life Information Governance Delivery Group, the Chief Medical Officer Taskforce will facilitate management of the information governance documentation which supports this agreement.  Appropriate Information Governance experts from all agencies will be called upon to contribute to changes as and when necessary.   

1.2.2 Legal basis for the processing and constraints  

Without prejudice to any other legal basis that may be applicable (e.g. criminal investigation, etc.), the following are the core legal bases for each of the parties to process the data in this agreement:

Data Protection Principles

The Parties have entered this Agreement to assist them with processing personal data in accordance with the data processing principles.  Those principles are, in summary:

Personal data shall be:

(a)  processed lawfully, fairly and in a transparent manner 
(b)  collected for specified, explicit and legitimate purposes 
(c)  adequate, relevant and limited to what is necessary 
(d) accurate and, where necessary, kept up to date 
(e)  kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed 
(f)  processed in a manner that ensures appropriate security of the personal data.

Accountability is central to the General Data Protection Regulation: controllers are responsible for compliance with the principles and must be able to demonstrate this to data subjects and the regulator.

Constraints to Processing

As well as having to adhere to Data Protection principles, NHS Scotland also needs to take into consideration Caldicott Principles and the common law duty of confidentiality which can constrain what information can be shared and with whom.  The personal data is shared with the Police Service of Scotland for the purposes of the prevention and detection of crime or the apprehension or prosecution of offenders, which in most cases will override the constraints to processing.

Caldicott Principles

The Parties acknowledge that the Caldicott Principles must be applied to the processing of personal data to ensure that the information is only shared for justified purposes.

Principle 1 - Justify the purpose(s) for using confidential information
Principle 2 - Only use it when absolutely necessary
Principle 3 - Use the minimum that is required
Principle 4 - Access should be on a strict need-to-know basis
Principle 5 - Everyone must understand his or her responsibilities
Principle 6 - Understand and comply with the law
Principle 7 - The duty to share information can be as important as the duty to protect patient confidentiality 

Common Law Duty of Confidentiality

The Parties also acknowledge that they owe a duty of confidentiality to all individuals. The General Medical Council describes the duty of confidentiality in the following terms:

“Information acquired by doctors in their professional capacity will generally be confidential under the common law. This duty is derived from a series of court judgments, which have established the principle that information given or obtained in confidence, should not be used or disclosed further except in certain circumstances. This means a doctor must not disclose confidential information, unless there is a legal basis for doing so.”

It is generally accepted that the common law allows disclosure of confidential information if:

a) the patient consents
b) it is required by law, or in response to a court order
c) it is justified in the public interest.

The common law cannot be considered in isolation. Even if a disclosure of confidential information is permitted under the common law, the disclosure must still satisfy the requirements of GDPR/Data Protection Act 2018.

Legal basis 

Party

General Data Protection Regulation

6(1)(e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; 

6(1)(c) processing is necessary for compliance with a legal obligation to which the controller is subject; (court order)

6(1)(d) processing is necessary in order to protect the vital interests of the data subject or of another natural person.

9(2)(c) processing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;

9(2)(g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;

Preventing or detecting unlawful acts
Data Protection Act 2018, Schedule 1, Part 2, 10 

(1) This condition is met if the processing—

(a) is necessary for the purposes of the prevention or detection of an unlawful act,

(b) must be carried out without the consent of the data subject so as not to prejudice those purposes, and

(c) is necessary for reasons of substantial public interest.

(2) If the processing consists of the disclosure of personal data to a competent authority, or is carried out in preparation for such disclosure, the condition in sub-paragraph (1) is met even if, when the processing is carried out, the controller does not have an appropriate policy document in place (see paragraph 5 of this Schedule).

(3) In this paragraph—

“act” includes a failure to act;

“competent authority” has the same meaning as in Part 3 of this Act (see section 30).

Crime and taxation: general
Data Protection Act 2018, Schedule 2 (2) 

(1) The listed GDPR provisions and Article 34(1) and (4) of the GDPR (communication of personal data breach to the data subject) do not apply to personal data processed for any of the following purposes—

(a) the prevention or detection of crime,

(b) the apprehension or prosecution of offenders, or

(c) the assessment or collection of a tax or duty or an imposition of a similar nature,

to the extent that the application of those provisions would be likely to prejudice any of the matters mentioned in paragraphs (a) to (c).

(2) Sub-paragraph (3) applies where—

(a) personal data is processed by a person (“Controller 1”) for any of the purposes mentioned in sub-paragraph (1)(a) to (c), and

(b) another person (“Controller 2”) obtains the data from Controller 1 for the purpose of discharging statutory functions and processes it for the purpose of discharging statutory functions.

(3) Controller 2 is exempt from the obligations in the following provisions of the GDPR

(a) Article 13(1) to (3) (personal data collected from data subject: information to be provided),

(b) Article 14(1) to (4) (personal data collected other than from data subject: information to be provided),

(c) Article 15(1) to (3) (confirmation of processing, access to data and safeguards for third country transfers), and

(d) Article 5 (general principles) so far as its provisions correspond to the rights and obligations provided for in the provisions mentioned in paragraphs (a) to (c),

to the same extent that Controller 1 is exempt from those obligations by virtue of sub-paragraph (1).

The Data Protection Act 2018

35(2)(b) the processing is necessary for the performance of a task carried out for that purpose by a competent authority.

35(5) The second case is where—

(a) the processing is strictly necessary for the law enforcement purpose,

(b) the processing meets at least one of the conditions in Schedule 8, and

(c) at the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).

Statutory etc purposes
Data Protection Act 2018, Schedule 8 (1)

This condition is met if the processing—
(a) is necessary for the exercise of a function conferred on a person by an enactment or rule of law, and
(b) is necessary for reasons of substantial public interest.

Administration of justice
Data Protection Act 2018, Schedule 8 (2)

This condition is met if the processing is necessary for the administration of justice.

Protecting individual’s vital interests
Data Protection Act 2018, Schedule 8 (3)

This condition is met if the processing is necessary to protect the vital interests of the data subject or of another individual.

Safeguarding of children and individuals at risk
Data Protection Act 2018, Schedule 8 (4)

(1) This condition is met if—
(a) the processing is necessary for the purposes of—
(i) protecting an individual from neglect or physical, mental or emotional harm, or
(ii) protecting the physical, mental or emotional well-being of an individual,
(b) the individual is—
(i) aged under 18, or
(ii) aged 18 or over and at risk,
(c) the processing is carried out without the consent of the data subject for one of the reasons listed in sub-paragraph (2), and
(d) the processing is necessary for reasons of substantial public interest.

(2) The reasons mentioned in sub-paragraph (1)(c) are—
(a) in the circumstances, consent to the processing cannot be given by the data subject;
(b) in the circumstances, the controller cannot reasonably be expected to obtain the consent of the data subject to the processing;
(c) the processing must be carried out without the consent of the data subject because obtaining the consent of the data subject would prejudice the provision of the protection mentioned in sub-paragraph (1)(a).

(3) For the purposes of this paragraph, an individual aged 18 or over is “at risk” if the controller has reasonable cause to suspect that the individual—
(a) has needs for care and support,
(b) is experiencing, or at risk of, neglect or physical, mental or emotional harm, and
(c) as a result of those needs is unable to protect himself or herself against the neglect or harm or the risk of it.

(4) In sub-paragraph (1)(a), the reference to the protection of an individual or of the well-being of an individual includes both protection relating to a particular individual and protection relating to a type of individual.

Legal Claims
Data Protection Act 2018, Schedule 8 (6)

This condition is met if the processing—
(a) is necessary for the purpose of, or in connection with, any legal proceedings (including prospective legal proceedings),
(b) is necessary for the purpose of obtaining legal advice, or
(c) is otherwise necessary for the purposes of establishing, exercising or defending legal rights.

Under DPA 2018 Schedule 2, Part 1, Paragraph 2, the Police Service of Scotland Form 052-003A will be submitted by officers requesting submissions via these legal gateways where ‘vital interests’ are concerned and where non-disclosure “would be likely to prejudice the prevention or detection of crime or the apprehension or prosecution of offenders.”

This would be required where consent was not given or could not be obtained. This may be where the victim is deceased or otherwise incapable of giving consent.

In cases where consent is provided and police require to seize certain items, whether samples, medical records etc., the Police Service of Scotland could utilise a Force Form along the lines of the current Police Service of Scotland’s Form 052-007 entitled Authorisation for the Recovery of Sensitive Records. This is currently used to seize specific records from victims in regard to their particular investigation and is intended to stop Police taking possession of wholesale records. The form would stipulate what particular item Police wished to seize, and a signed copy would be left with the relevant health authority.

NHS Board

The Police Service of Scotland

2 Description of the information to be shared

Data category | Controller(s) | PD*
Data items and categories will be listed in the Data Protection Impact Assessment for consistency. | NHS | PD

(*) PD – refers to Personal Data in the sense given within the EU General Data Protection Regulation (GDPR) and the Data Protection (UK, 2018) Act.

3 Description and manner of information sharing

3.1 Data flows 

Data flows are detailed by data category in the Data Protection Impact Assessment for this agreement for the purposes of version control.

3.2 How data/information is to be accessed, processed and used

Processing (descriptor) | Associated standard operating procedure, policy or procedure (listed in Appendix 1), if applicable
The data to be processed is described in the Data Protection Impact Assessment for this agreement. |

3.3 Summary of how decisions are going to be made with regards to the manner of the processing.

The manner of processing is detailed within the clinical guidelines for Clinical Pathways and Guidance for Healthcare Professionals Working to Support Adults who Present Having Experienced Rape or Sexual Assault in Scotland, and Clinical Pathway for Children and Young People who have Disclosed Sexual Abuse.

4 Impact assessments and preparatory work

The Data Protection Impact Assessment developed by the CMO Taskforce Information Governance Delivery Group supports this Information Sharing Agreement.

Mandatory statement:
The parties acknowledge that any actions and countermeasures agreed as part of the Data Protection Impact Assessment reviews must be implemented by the responsible party. Deadlines and follow up to progress on those actions will be established as part of the DPIA review process.

5 Privacy information (transparency requirement)

A tiered approach to transparency will be followed in line with current guidance from the Information Commissioner’s Office.  All parties have a Data Protection Notice displayed on their website.

https://www.nhslanarkshire.scot.nhs.uk/data-protection-notice/
https://www.scotland.police.uk/access-to-information/data-protection/privacy-notices

The parties agree that further privacy notices may be produced as required for particular methods of processing in order to ensure appropriate transparency with the data subjects.  The parties will take the advice of their DPO or DPOs in this regard.

Information will also be available from NHS Inform.

6 Accuracy of the information

As outlined in section 1.2.2, all parties are responsible for ensuring information, including personal data, is complete, accurate, relevant, accessible and timely.

The parties will ensure all staff using information shared by another party understand the limitations of such extracts and take all reasonable steps to confirm the accuracy of the information.  This will involve confirming the accuracy of the information with the patient where possible.  

It is the responsibility of all parties to ensure that their staff know how to respond to the identification of an actual or possible inaccuracy in information.  The response to an inaccuracy should be managed according to a policy with procedures based on professional guidance. 

It is the responsibility of the party identifying the inaccuracy to ensure that the controller of the record from which the information originated is informed about the inaccuracy.

As controllers, all parties have the responsibility for managing records, rectifying inaccuracies, and communicating updates with all other relevant parties.  

7 Data retention and secure disposal

Data must be retained in accordance with the Scottish Government Records Management NHS Code of Practice (Scotland) which states Forensic Medical Records should be retained for 30 years. 

Data which is no longer required must be disposed of in accordance with the Scottish Government Records Management NHS Code of Practice (Scotland), the NHS Scotland Information Security Policy Framework and each partner’s policies and procedures.

The Police Service of Scotland follow their Record Retention Standard Operating Procedure (SOP) and Secure Destruction and Disposal of Data SOP.  

8 The rights of individuals

Details of individuals’ rights are available in the Data Protection Impact Assessment and Data Protection Notice for the purpose of version control.

9 Security, risk and impact of the processing [each board is responsible for sections 9-13]

Sections 9-13 will be completed by each Health Board as part of their formal risk assessment process. Whilst the aim is to align the process for victims across Scotland, each board may have different systems and policies in place. Therefore, local completion is essential.

[X] All relevant Security Policies applicable to the parties and systems used in this proposal are available and listed in Appendix 1. 

[X] A qualified Information Security Officer has reviewed the adequacy of the attached Security Policies and has advised on the technical and organisational security risk level.

[X] A suitable process to document and monitor the security risk described in the Information Security and Governance Policies listed in Appendix 1.

[X] A Data Protection Impact Assessment has been produced and is available as listed in Appendix 1. Collaborative 

[X] A competent and independent Data Protection Officer, free of conflicts of interest, has been designated to inform the Controllers on the adequacy of this agreement and the corresponding compliance and any residual risks documented in the Data Protection Impact Assessment.

The security measures put in place across the parties ensure that:

[X] Wherever special categories of data are processed, the data will be encrypted at rest and in transit.

[X] Wherever special categories of data are transmitted over the internet, encryption protocols, such as Transport Layer Security (TLS) will be applied. Exceptions will be documented in the DPIA and any residual risk will require approval by the Senior Information Risk Owner (SIRO) of each organisation prior to processing such data.

[X] Only authorised individuals can access, alter, disclose or destroy data. This is achieved through work instructions, policies and procedures. 

[X] Authorised individuals act only within the scope of their authority. This is achieved through the following work instructions, policies and procedures.

[X] If personal data is accidentally lost, altered or destroyed, it can be recovered to prevent any damage or distress to the individuals concerned. This is achieved through the following work instructions, policies and procedures (also listed in Appendix 1): 

The security controls for the transmission of data applicable by each organisation will be:

[X] Jointly agreed between the parties

[ ] Independently decided by each party

The security controls applicable to locally held data by each organisation will be:

[ ] Jointly agreed between the parties

[X] Independently decided by each party

9.1 Agreed standards, codes of conduct and certifications 

10 International transfers of personal data

Personal data shared in line with this agreement will be transferred to:

[ ] EEA countries only

[ ] Outwith EEA

[X] Will not be transferred outside the UK

10.1 List of countries where the data will be transferred to (if applicable).

N/A

11 Implementation of the information sharing agreement

11.1 Dates when information sharing commences

January 2020

11.2 Training and communications

All parties will have a Data Privacy Notice which will be provided to the data subject at the first point of contact.  Third party data subjects will not be provided a data privacy notice in line with Schedule 2 (1)(2) of the Data Protection Act 2018.

The Police Service of Scotland will disseminate the content of this ISA by way of Force Memorandum and details will also be distributed via the Police Service of Scotland’s Intranet. A copy of the final ISA between the NHS and the Police Service of Scotland will be held within the Policy Unit.

There will be no requirement to conduct formal training of staff.

11.3 Information sharing instructions and security controls

All relevant information sharing instructions, including but not exclusively any work instructions, policies or procedures, are listed in Appendix 1 and accepted by all parties. 

Security is discussed at Section 9.  PS employ the Government Security Classification (GSC) system of protective marking on all media types.

11.4 Non-routine information sharing and exceptional circumstances

NHS [insert board] will review requests to share information on a case by case basis, taking advice from the DPO, Senior Management, SIRO, and Caldicott Guardian.  

The sharing of ‘non routine’ information in ‘exceptional circumstances’ will be assessed on a case by case basis taking into account the requirements of the prevention and detection of crime or the apprehension and prosecution of offenders where consent has not been obtained.  The route taken will depend on whether consent has been obtained or not.  This may lead to production of a warrant from COPFS or DPA Form (052-003A).

11.5 Monitoring, review and continuous improvement

NHS [insert board] holds an Information Sharing Agreement Register which is monitored and amended by the Data Protection Officer at regular intervals and tabled at the Information Governance Committee. ISAs will be amended in line with changes of legislation and reviewed at least yearly. A review can be triggered by any party by contacting the CMO Taskforce, who will convene a meeting of the Information Governance Reference Group to consider appropriate changes.

Any amendments should be taken to the Information Governance Forum for Scotland by the relevant DPO in order that the change can be escalated through the appropriate governance route above.

12 Sign-off 

"We the undersigned agree to the details recorded in this Information Sharing Agreement; are satisfied that our representatives have carried out the preparatory work set out in the Information Sharing Tool-kit for Scotland and are committed to the ongoing monitoring and review of the scope, purpose and manner of the information sharing."

Sign-off

Additional paragraph for large numbers of parties delegating powers to a single signatory [DELETE THIS HEADING FROM FINAL VERSION BUT KEEP THE PARAGRAPH BELOW IF NEEDED]

The signatory has delegated sign off powers on behalf of: 

  • [party name]

Parties are required to sign off individually using the Multi Party Sign Off Form included in the toolkit.

13 Appendix 1: List of Work instructions, policies and procedures

List of Work instructions, policies and procedures

The above table should list all:

  • Instructions for reaching agreement on any changes to the purpose of the sharing.
  • All applicable and relevant Information Security and Governance Policies 
  • All Data Protection Impact assessments

14 Appendix 2: Data items and adequacy

Data items and adequacy

The above table should contain:

The list of all relevant data items/fields which it has been agreed can be shared under this ISA, indicating the source and the recipients, and any relevant supporting statement for information that may raise questions on data minimisation.

Information Flow Chart

Contact

Email: CMOTaskforce.secretariat@gov.scot
