Publication - Advice and guidance

Preparing Scotland: resilience guidance

"Core" guidance on resilience, covering resilience philosophy, principles, structures and regulatory duties

90 page PDF

3.1 MB

vi DUTY TO SHARE INFORMATION

Mandatory requirements - Category 1 and Category 2 responders must:
1 Comply with a request for information from another responder in respect of a duty or other function relating to an emergency - Regulations 43(1) & 41. (There are limitations to this duty, set out in the Regulations and highlighted at No 3.)
2 Comply with a request for information within a reasonable timescale, at a reasonable place and to the address specified by the requesting responder - Regulation 44.
3 Not comply with a request for information if the receiving responder is satisfied that the request for information relates to sensitive information, i.e.:
  • Information the disclosure of which to the public would, or would be likely to, adversely affect national security or public safety - Regulations 39(1)(a) & (b)
  • Information the disclosure of which to the public would, or would be likely to, prejudice the commercial interests of the person to whom that information relates - Regulation 39(1)(c)
  • Information which is personal data, within the meaning of the Data Protection Act 1998 and would contravene any of the data protection principles or would be likely to cause damage or distress - Regulation 39(1)(d)
  • disclosure to the requesting responder would, or would be likely to, adversely affect national security or the confidentiality of the information - Regulation 43(2)(a) & (b).
4 Give reasons for not complying with a request for information, as above and, if necessary, obtain consent for disclosure from a body which deals with security matters - Regulation 43(4).
5 When making a request for information from another responder, the requesting responder must be satisfied that:
  • it reasonably requires the information in connection with the performance of a duty under section 2(1)(a) to (d) or section 4(1), or in connection with the performance of another function which relates to an emergency
  • it (the requesting responder) does not hold the information already
  • the information cannot be reasonably accessed by other means (e.g. informal means or by means established under other legislation) - Regulations 41(2) & (3).
6 When making a request for information from another responder, the requesting responder must send a legible written request, which may be electronic, for the information required. The written request must state the name of your organisation and an address for correspondence, describe the information requested, explain why it is required and be capable of being used for subsequent reference - Regulation 42.
7 Only use sensitive information for the purpose of performing the function for which the information was requested - Regulation 46(1).
8 If a responder wishes to use sensitive information for any purpose other than that relating to the original request, consent must be obtained from the relevant person or organisation. This person/organisation is:
  • In the case of information as specified in Regulation 39(1)(a) or (b) - the originator or a member of the Scottish Government
  • In the case of information as specified in Regulation 39(1)(c) or (d) - the person to whom the information relates - Regulation 46(2)
In this regulation, "use" does not include publication or disclosure.
9 Have arrangements in place for ensuring the confidentiality of sensitive information. This includes ensuring that:
  • sensitive information is clearly identified as such
  • only persons involved in the performance of a duty or function relating to an emergency, and who need to have access to the information, are able to have access to it
  • sensitive information is stored in a secure manner
  • sensitive information is transferred (including by electronic transfer) in a secure manner - Regulation 47.

Issues to consider and recommended best practice (duty to share information):
10 Working closely with Scottish Government colleagues, sharing information in support of the national resilience effort.
11 Considering whether the information you want to request is available by other means (e.g. through other legislative arrangements, through normal business arrangements or on the internet).
12 Data protection does not prohibit the collection and sharing of personal data.
13 Considering as a starting point the risks and potential harm that may arise if they do not share information.
14 Balancing the potential damage to the individual against the public interest in sharing information.
15 In emergencies, the public interest consideration will generally be more significant than during day to day business.
16 Always checking whether the objective can still be achieved by passing less personal data.
17 Category 1 and 2 responders should be robust in asserting their power to share personal data lawfully in emergency planning, response and recovery situations.
18 The consent of the data subject is not always a necessary pre-condition to lawful data-sharing.
19 Seeking advice when in doubt, but preparing on the basis that decisions may be necessary without formal advice during an emergency.
20 When communicating with the public or sharing information with other organisations, it is important that terminology is clear and consistent. The Cabinet Office's Resilience Lexicon, to which the Scottish Government has contributed, is a helpful reference tool: http://www.cabinetoffice.gov.uk/sites/default/files/resources/cp-lexicon2.0.1-18012011.xls.

Indicators of good practice:
21 Where possible, channelling formal information requests through as small a number of known routes as possible, to avoid confusion and duplication.
22 Having a systematic process for tracking information flows and logging information requests and being able to deal with multiple requests for information as part of your normal business processes.
23 Collectively developing an information sharing protocol within your SCG.