Publication - Advice and guidance

Multi-Agency Public Protection Arrangements (MAPPA):national guidance 2016

Published: 3 Mar 2016
Safer Communities Directorate
Part of:
Law and order

Ministerial guidance to responsible authorities on the discharge of their obligations under section 10 of the Management of Offenders etc. (Scotland) Act 2005.

Multi-Agency Public Protection Arrangements (MAPPA):national guidance 2016
12. Information Sharing

12. Information Sharing


12.1 This chapter provides guidance on the sharing of information between agencies under MAPPA. These agencies are the Responsible Authorities, duty to cooperate agencies, and other bodies with an interest in the management of these cases.

12.2 Information that is shared under MAPPA remains the responsibility of the agency that owns it. For example, local authorities own information regarding their statutory supervision of the offender, and the police own information regarding their management of a registered sexual offender. It will be for the relevant agency to deal with Subject Access Requests under the Data Protection Act 1998. MAPPA as such is not an organisation, but a set of statutory arrangements for managing the risks posed by high-risk offenders. It therefore cannot be the owning agency for any information on MAPPA offenders.

12.3 This guidance should be read alongside the Data Sharing Code of Practice issued by the Information Commissioner in May 2011. It is available from the website of the Information Commissioner's Office (" ICO") which is at The code of practice deals with a number of important issues such as Data Sharing and the Law; Fairness and Transparency; Security; Governance; and Individuals' Rights. It is a statutory code. Although it is not binding, it can be used in evidence in legal proceedings.

Principles of Information Sharing

12.4 The purpose of sharing information about individuals ("data subjects") is to enable the relevant agencies to work more effectively together in assessing risks and considering how to manage them. This points towards sharing all the available information that is relevant, so that nothing is overlooked and public protection is not compromised.

12.5 On the other hand, agencies must respect the rights of data subjects, which will tend to limit what can be shared. In order to strike the right balance, agencies need a clear understanding of the law in this area. The most relevant legislation is the Data Protection Act 1998 (" DPA 1998") and the Human Rights Act 1998 (" HRA 1998"). The principles derived from this legislation may be summarised as follows.

Information Sharing Must be Lawful

12.6 This means, first, that the sharing of information must be in accordance with the law. As far as the MAPPA agencies are concerned, there should be a statutory basis for sharing information. This exists for the agencies who make up the Responsible Authority or who have a duty to co-operate with it. Section 1(2)(a) of the 2005 Act expressly permits the sharing of information between these agencies for MAPPA purposes.

12.7 The Responsible Authorities and the duty to co-operate agencies are routinely and regularly involved in the management of MAPPA offenders, but, from time to time, other agencies can contribute significantly to the Risk Management Plan. Information-sharing between the MAPPA agencies and these third parties does not benefit from section 1(2)(a) of the 2005 Act. In general, non-statutory bodies are able to share information provided this does not breach the law. They are bound by the common law duty of confidence.

12.8 The key principle of the duty of confidence is that information provided should not be used or disclosed further in an identifiable form, except as originally understood by the provider, or with his or her subsequent permission. However, case law has established a defence to breach of confidence where an individual breaches the confidence in the public interest.

12.9 The prevention, detection, investigation and punishment of serious crime and the prevention of abuse or serious harm will usually be sufficiently strong public interests to override the duty.

12.10 Second, the information-sharing must comply with the eight Data Protection Principles set out in the DPA 1998 and reproduced in the ICO Code of Practice. Among other things this means that the information shared must be accurate and up-to-date; it must be stored securely; and it must not be retained any longer than necessary.

Information Sharing Must be Necessary

12.11 Article 8 of the European Convention on Human Rights, given domestic effect by the HRA, provides a right to respect for private and family life, home and correspondence. Any interference with this right by a public authority (such as a criminal justice agency) must be:

"necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

12.12 The sharing of information by MAPPA agencies for MAPPA purposes satisfies these conditions in that it is clearly aimed at preventing disorder or crime or administering justice. Provided the information shared is only used for MAPPA purposes the necessity test will be met, as information-sharing by way of MAPPA is not an excessive or unreasonable way of assessing and managing these risks.

Information Sharing Must be Proportionate

12.13 In human rights law, the concept of proportionality means doing no more than is necessary to achieve a lawful and reasonable result.

12.14 The third Data Protection Principle provides that personal data must be relevant, and not excessive in relation to the purpose for which it is being shared.

12.15 For MAPPA agencies, this essentially means ensuring that information about the data subject is relevant to assessing and managing risk and that no more information is shared than is needed to manage that risk. For example, if what is actually needed is the names and addresses of individuals, sharing their race and religion as well would be likely to be disproportionate.

12.16 Standard is that each Strategic Oversight Group should develop an Information-Sharing Protocol.

12.17 Each agency should follow its own data protection policies in sharing information with other agencies under MAPPA. There may be differences on points of detail. Cooperation between agencies will be easier if there is a shared understanding of each- others policies. For this reason, the Strategic Oversight Group for the MAPPA agencies in each area should develop an Information-Sharing Protocol setting out how they will share information with each other, so that they are following a common set of rules and security standards as far as possible.

12.18 Sections 8 and 14 of the ICO Code of Practice are concerned with the issues that an information-sharing protocol should cover. These include what information is to be shared, with whom, and why; the quality and security of the information; the circumstances governing the length of time for which the information is retained; and what happens if the agreement is breached.

12.19 Although the exchange of information with non- MAPPA agencies has to be considered on a case-by-case basis, formal protocols or agreements should be in place in advance if possible. These agreements should pay particular attention to ensuring the safety and security of the personal information shared.

Information Sharing - Health Considerations

12.20 If MAPPA documents are marked appropriately in terms of the Government Security Classification then NHS net can be used to transmit documents between the NHS and other agencies. Within the NHS, MAPPA documents must be stored in accordance with the classification, either physically or electronically. Within the hospital environment, MAPPA records are held separately from the patient's records, however, if considered appropriate, a summary, containing relevant information, may be included within the patient's records.

12.21 This is recognised as good practice and should be reflected in the processes employed by General Practitioners. Documents or letters outlining key points may be useful ways to ensure that relevant information is made available to appropriate health service staff where this is necessary without transmitting full MAPPA documents.

12.22 If MAPPA documents are shared with staff that do not have access to a method of storing documents in keeping with the security classifications, then after the documents have been read they should be destroyed.

Department for Work and Pensions ( DWP)

12.23 The Management of Offenders etc. (Scotland) Act 2005 (Disclosure of Information) Order 2010 sets out the conditions under which information may be disclosed between the Secretary of State for Work and Pensions (Department for Work and Pensions), the responsible authorities and duty to cooperate agencies in the MAPPA - albeit that the DWP is not itself a duty to cooperate agency.

12.24 In practice, there are three ways by which the responsible authorities can obtain information from DWP, namely:

  • A Section 29 notice under the terms of the Data Protection Act 1998. This is the means by which the police routinely access DWP information for the prevention and detection of crime;
  • The DWP/ ACPOS Memorandum of Understanding in relation to tracing missing sex offenders; and
  • Notifications under the terms of The Management of Offenders etc. (Scotland) Act 2005 (Disclosure of Information) Order 2010. This piece of legislation is intended to restrict the placing of offenders in inappropriate employment or training and to provide a legislative mechanism by which the DWP can make the responsible authorities aware of employment and training information which may affect the risk assessment of an offender subject to MAPPA.

12.25 Each piece of legislation has its own defined uses and the appropriate legislation should be used when circumstances dictate.