Multi Agency Public Protection (MAPPA) National Guidance 2014

8 Information Sharing, Concordat and Protocols

1 In 2001, an Expert Panel, chaired by Lady Cosgrove, published a report entitled Reducing the Risk: Improving the Response to Sex Offending. The Expert Panel recognised that a large number of agencies, including the police, prosecutors, the court service, Scottish Prison Service, Criminal Justice Social Work, as well as housing, health and education authorities play a role in managing the risk posed by sex offenders.

2 The panel concluded that these agencies (working with voluntary sector partners) have a duty to deliver the safer environment which communities expect and deserve but that there is a tendency for individual agencies to focus their attention on improving their internal procedures rather than working together. This can result in vulnerabilities in the system.

3 The panel therefore called for a programme of action where:

• Each organisation has a clear understanding of its own role and responsibilities in relation to sex offenders;
• Agencies and organisations who work with sex offenders work together to overcome the risks which sex offenders present;
• Institutional barriers which prevent a more effective coordination of practices and integration of services are tackled; and
• The practical and operational difficulties which exist are addressed.

4 In particular, the panel highlighted the importance of sharing information.

National Concordat on Sharing Information on Sex Offenders

5 In order to fulfil the aspirations of the panel report, a multi-agency Information Sharing Steering Group took forward the information management recommendations of the report to ensure the effective and efficient flow of information between key agencies by developing protocols, guidance and strategies.

6 As a result the National Concordat on the Sharing of Information on Sex Offenders was developed and published. In signing the Concordat, agencies from all spectrums of the justice system and statutory and non-statutory organisations involved in the management of sex offenders agreed to work to a set of principles and working arrangements. This was intended to improve the systems and procedures to ensure that public safety is given the highest priority by ensuring that all relevant information is shared within the tenet of existing legislation.

7 These agencies and bodies include the responsible authorities and those defined under the duty to cooperate (DTC).

Protocols

8 Importantly, the Concordat requires all agencies involved to use agreed definitions and to develop detailed information sharing protocols under which the flow of information is to be managed. Protocols allow each agency to be clear about, and address their legal obligations, for sharing of information under the Data Protection Act 1998 (DPA) and other legislation.

9 Guidance on the development and content of protocols can be found in the Scottish Executive Justice Department Circular 15/2005 issued in November 2005 to those agencies and bodies who signed the Concordat. This guidance also covers agencies that are not involved directly in the MAPPA arrangements.

10 Health also issued the Concordat guidance under cover of NHS HDL (2006) 9 issued in February 2006 to NHS boards and the State Hospital Board.

11 It should be recognised that most agencies will require to be involved in the development and operation of bi-lateral and multi-lateral protocols. Protocols are a major factor in the DTC and should be developed as part of the Memorandum under section 10(5) of the Management of Offenders etc. (Scotland) Act 2005.

12 In 2009, the multi-agency inspection report Assessing and managing high risk of harm offenders again reiterated the requirements for agencies to share information in respect of high risk of harm offenders and acknowledged the commitment of agencies to do so.

Communication, record keeping and action

13 The effective management of offenders who pose a risk of harm to the community requires a set of complex arrangements to be put in place by a number of agencies to address individual needs and circumstances and, most of all, to ensure that public protection is maintained.

14 Investigations into high-profile cases have identified poor communication and lack of continuity as major factors in contributing to the failure to properly assess risk and develop management plans at an early stage and to monitor and address changes in risk and adjust management of the offender, as required.

15 The Concordat, protocols and memorandum are intended to provide the basis on which each agency will agree to fulfil its role. These roles can only be delivered effectively if clear lines of communication are established between the responsible authority and DTC agencies.

16 Whether information should be shared and, if so, what information and to whom, must be decided on a case-by-case basis. That said, the presumption should be that in cases where there is a risk of harm to the public, information should be shared. The UK Information Commissioner's Office (ICO) regulates the DPA and provides advice and guidance on data sharing. This includes a statutory Data Sharing Code of Practice.

17 Confident, appropriate and effective sharing of information is a very important part of the DTC. The effectiveness of information sharing arrangements reflect the effectiveness of cooperation within the MAPPA as a whole. However, not all the information shared will be personal information, that is the information covered by privacy laws; the common law duty of confidentiality; the protection of personal information required by the DPA, and Article 8 of the Convention for the Protection of Human Rights and Fundamental Freedoms. This part of the Guidance relates only to sharing personal information.

Data Protection Act 1998

18 The Data Protection Act 1998 requires that personal information:

i. Must be fairly and lawfully processed

ii. Must be processed for limited purposes

iii. Must be adequate, relevant and not excessive

iv. Must be accurate and up to date

v. Must not be kept for longer than is necessary

vi. Shall be processed in line with the data subjects' rights vii. Must be secure

viii. Must not be transferred to other countries without adequate protection.

19 Critical to the justification of information sharing are the twin requirements of necessity and proportionality. The necessity criterion requires that there is a pressing public protection need. The proportionality criterion requires the information shared must be only that information necessary to achieve the purpose for which it is being shared. Further explanation of this is provided below.

20 To identify the purpose of sharing information and to ensure that the agencies' obligations to retain and use the information lawfully are fulfilled, it is helpful to keep the following in mind. The persons with whom information is shared must know:

• Is a Privacy Impact Assessment (PIA) required?
• Is the information personal or otherwise sensitive?
• Is the sharing of the information lawful and fair?
• Is there an existing data sharing agreement?
• Who is authorised to see the information (need to know)?
• Will the data sharing deliver benefits?

Management of Police Information (MOPI)/information security

21 Guidance on the management of police information and information sharing with partner organisations can be found within the Management of Police Information (MOPI) Partners version.

22 It is vital that information is shared and stored securely as much of the information within the MAPPA process will be of a sensitive nature.

Government Security Classifications

23 The Government Security Classifications replace the previous Government Protective Marking Scheme from April 2014. The new classifications are a simplified approach with increased emphasis on risk management and judgement. They set out common standards for the protection of documents and other material, including data held on computer and electronic recording systems, against accidental or deliberate compromise. It defines different security classifications and all relevant documents should be labelled on the top and bottom of each page with the relevant classification. See annex 2 for further details.

24 MAPPA notification and referral forms, minutes and risk management plan documents should be protectively marked as appropriate.

25 MAPPA documents should not be marked with a classification of secret or top secret. A description of the classification and further links can be found at Annex 2.

Information sharing - health considerations

26 If MAPPA documents are marked appropriately in terms of the Government Security Classification then NHS net can be used to transmit documents between the NHS and other agencies. Within the NHS, MAPPA documents must be stored in accordance with the classification, either physically or electronically. Within the hospital environment, MAPPA records are held separately from the patients records, however, if considered appropriate, a summary, containing relevant information, may be included within the patients records. This is recognised as good practice and should be reflected in the processes employed by General Practitioners. Documents or letters outlining key points may be useful ways to ensure that relevant information is made available to appropriate health service staff where this is necessary without transmitting full MAPPA documents.

27 If MAPPA documents are shared with staff who do not have access to a method of storing documents in keeping with the security classifications, then after the documents have been read they should be destroyed.

Department for Work and Pensions (DWP) (JobcentrePlus)/and the Child Maintenance and Enforcement Commission ('the Commission').

28 The Management of Offenders etc. (Scotland) Act 2005 (Disclosure of Information) Order 2010 and circular JD 5/2010 sets out the conditions under which information may be disclosed between the Secretary of State for Work and Pensions, (DWP) (Jobcentre Plus), the Child Maintenance and Enforcement Commission (the Commission), the responsible authorities and duty to cooperate agencies in the MAPPA. Albeit the DWP and the Commission are not DTC agencies.

29 In practice, there are three ways by which the responsible authorities can obtain information from JCP/DWP, namely:

• A Section 29 notice under the terms of the Data Protection Act 1998. This is the means by which the police routinely access JCP/DWP information for the prevention and detection of crime;
• The DWP/ACPOS Memorandum of Understanding in relation to tracing missing sex offenders; and
• Notifications under the terms of The Management of Offenders etc. (Scotland) Act 2005 (Disclosure of Information) Order 2010. This piece of legislation is intended to restrict the placing of offenders in inappropriate employment or training and to provide a legislative mechanism by which the JCP/DWP can make the responsible authorities aware of employment and training information which may affect the risk assessment of an offender subject to the SONR.

30 Each piece of legislation has its own defined uses and the appropriate legislation should be used when circumstances dictate.