WSCP - Information Sharing Protocol and Agreement
Protocol and Agreement for the Sharing of Information to Safeguard Children and Young People
Published: July 2020
Review Date: July 2021
Author: D Robbins WSCP Manager
Page 1- Information Sharing Protocol and Agreement
This document should be read in conjunction with:
• Information sharing Advice for practitioners providing safeguarding services to children, young people, parents and carers. HM Government (2018)
• Working Together to Safeguard Children. HM Government (2018)
This protocol and Information Sharing Agreement (ISA) are issued by the Wirral Safeguarding Children Partnership. All relevant agencies (included at Appendix One) are required to comply with it.
The guidance is compliant with Government guidance and the provision of the Data Protection Act (2018) and General Data Protection Regulations (GDPR).
Contents
Introduction Page 2
Legislative Framework Page 2
Principles Page 3
Data Protection and GDPR Page 4
Consent Page 4
When and How to Share Information Page 5
The Seven Golden Rules of Information Sharing Page 7
Caldicott Principles Page 8
Myth-Busting Guide Page 9
Appendix One—Relevant Agencies Page 10
Appendix Two—WSCP Information Sharing Agreement Page 11
Page 2- Information Sharing Protocol and Agreement Introduction
This WSCP guidance and Information Sharing Agreement (ISA) is for all frontline practitioners, professionals and managers working with children, young people, parents and carers who have to make decisions about sharing personal information on a case-by -case basis. It also applies and will be helpful for practitioners working with adults who are responsible for children who may be in need.
Information sharing is essential for effective safeguarding and promoting the welfare of children and young people. It is a key factor identified in many serious case reviews (SCRs) -now called child safeguarding practice reviews (CSPR’s)-, where poor information sharing has resulted in missed opportunities to take action that keeps children and young people safe.
Legislative Framework and Legal Basis for Sharing Information
The legal basis for sharing information is underpinned by the following legislation, statutory and policy guidance:
• The Children and Social Work Act 2017, under which the local authority, Merseyside Police and Wirral Clinical Commissioning Group have an equal and shared duty to work together (in partnership with other relevant agencies) to make arrangements to safeguard and promote the welfare of all children in a local area
• The Children Act 2004, sections 11 and 16E
• The Data Protection Act 2018 and The General Data Protection Regulation • Crime and Disorder Act 1998, section 115
• The Human Rights Act 1998
• The Criminal Justice Act 2003, section 325
• Domestic Violence, Crime and Victims Act 2004
• Working Together to Safeguard Children statutory guidance July 2018
• Information Sharing Advice to practitioners providing safeguarding services to children, young people, parents and carers July 2018
• Caldicott Review of Information Governance 2013
Page 3- Information Sharing Protocol and Agreement Principles for Information Sharing
The principles set out below are intended to help practitioners working with children, young people, parents and carers share information between organisations. Practitioners should use their judgement when making decisions about what information to share, and should follow organisation procedures or consult with their manager if in doubt.
The most important consideration is whether sharing information is likely to support the safeguarding and protection of a child.
• Necessary and proportionate When taking decisions about what information to share, you should consider how much information you need to release. Not sharing more data than is necessary to be of use is a key element of the GDPR and Data Protection Act 2018, and you should consider the impact of disclosing information on the information subject and any third parties. Information must be proportionate to the need and level of risk.
• Relevant Only information that is relevant to the purposes should be shared with those who need it. This allows others to do their job effectively and make informed decisions.
• Adequate Information should be adequate for its purpose. Information should be of the right quality to ensure that it can be understood and relied upon.
• Accurate Information should be accurate and up to date and should clearly distinguish between fact and opinion. If the information is historical then this should be explained.
• Timely Information should be shared in a timely fashion to reduce the risk of missed opportunities to offer support and protection to a child. Timeliness is key in emergency situations and it may not be appropriate to seek consent for information sharing if it could cause delays and therefore place a child or young person at increased risk of harm. Practitioners should ensure that sufficient information is shared, as well as consider the urgency with which to share it.
• Secure Wherever possible, information should be shared in an appropriate, secure way. Practitioners must always follow their organisation’s policy on security for handling personal information.
• Record Information sharing decisions should be recorded, whether or not the
Page 4- Information Sharing Protocol and Agreement
decision is taken to share. If the decision is to share, reasons should be cited including what information has been shared and with whom, in line with organisational procedures. If the decision is not to share, it is good practice to record the reasons for this decision and discuss them with the requester. In line with each organisation’s own retention policy, the information should not be kept any longer than is necessary. In some rare circumstances, this may be indefinitely, but if this is the case, there should be a review process scheduled at regular intervals to ensure data is not retained where it is unnecessary to do so.
Data Protection and GDPR
Practitioners must have due regard to the relevant data protection principles which allow them to share personal information, as provided for in the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). To share information effectively:
• all practitioners should be confident of the processing conditions under the Data Protection Act 2018 and the GDPR which allow them to store and share information for safeguarding purposes, including information which is sensitive and personal, and should be treated as ‘special category personal data’
• where practitioners need to share special category personal data, they should be aware that the Data Protection Act 2018 contains ‘safeguarding of children and individuals at risk’ as a processing condition that allows practitioners to share information. This includes allowing practitioners to share information without consent, if it is not possible to gain consent, it cannot be reasonably expected that a practitioner gains consent, or if to gain consent would place a child at risk
Consent
Wherever possible, you should seek consent and be open and honest with the individual from the outset as to why, what, how and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on. When you gain consent to share information, it must be explicit, and freely given. There may be some circumstances where it is not appropriate to seek consent, because the individual cannot give consent, or it is not reasonable to obtain consent, or because to gain consent would put a child’s or young person’s safety at risk
Page 5- Information Sharing Protocol and Agreement When and How to Share Information
When asked to share information, you should consider the following questions to help you decide if, and when, to share. If the decision is taken to share, you should consider how best to effectively share the information. All information sharing decisions and reasons must be recorded in line with your organisations procedures. If at any stage you are unsure about how or when to share information, you should seek advice on this. You should also ensure that the outcome of the discussion is recorded.
When:
Is there a clear and legitimate purpose for sharing information?
• Yes – see next question
• No – do not share
Do you have consent to share?
• Yes – you can share but should consider how
• No – see next question
Does the information enable an individual to be identified?
• Yes – see next question
• No – you can share but should consider how
Have you identified a lawful reason to share information without consent?
• Yes – you can share but should consider how
• No – do not share
How
• Identify how much information to share
• Distinguish fact from opinion
• Ensure that you are giving the right information to the right individual • Ensure where possible that you are sharing the information securely • Where possible, be transparent with the individual, informing them that that the
information has been shared, as long as doing so does not create or increase the risk of harm to the individual.
Page 6- Information Sharing Protocol and Agreement Flowchart for the Sharing of Information
You can
share
Page 7- Information Sharing Protocol and Agreement
The Seven Golden Rules of Information Sharing
1. Remember that the General Data Protection Regulation (GDPR), Data Protection Act 2018 and human rights law are not barriers to justified information sharing, but provide a framework to ensure that personal information about living individuals is shared appropriately.
2. Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be shared, and seek their agreement, unless it is unsafe or inappropriate to do so.
3. Seek advice from other practitioners, or your information governance lead, if you are in any doubt about sharing the information concerned, without disclosing the identity of the individual where possible.
4. Where possible, share information with consent, and where possible, respect the wishes of those who do not consent to having their information shared. Under the GDPR and Data Protection Act 2018 you may share information without consent if, in your judgement, there is a lawful basis to do so, such as where safety may be at risk. You will need to base your judgement on the facts of the case. When you are sharing or requesting personal information from someone, be clear of the basis upon which you are doing so. Where you do not have consent, be mindful that an individual might not expect information to be shared.
5. Consider safety and well-being: base your information sharing decisions on considerations of the safety and well-being of the individual and others who may be affected by their actions.
6. Necessary, proportionate, relevant, adequate, accurate, timely and secure: ensure that the information you share is necessary for the purpose for which you are sharing it, is shared only with those individuals who need to have it, is accurate and upto-date, is shared in a timely fashion, and is shared securely (see principles).
7. Keep a record of your decision and the reasons for it – whether it is to share information or not. If you decide to share, then record what you have shared, with whom and for what purpose.
Page 8- Information Sharing Protocol and Agreement Caldicott Principles
The Caldicott principles apply to health and social care organisations’ use of personal information; these organisations are required to observe the following principles when using personal information. The original Caldicott Review was published in 1997 and reviewed by Dame Fiona Caldicott in 2013 and included an additional principle to emphasise the need to give greater focus to information sharing.
The revised list of Caldicott principles are as follows:
1 Justify the purpose(s) for needing the personal confidential information 2 Do not use personal confidential information unless it is absolutely necessary 3 Use the minimum necessary of personal confidential information 4 Access to personal confidential data should be on a strict need- to- know basis
5 Everyone with access to personal confidential data should be aware of their responsibilities
6 Comply with the law
7 The duty to share information can be as important as the duty to protect patient confidentiality
Page 9- Information Sharing Protocol and Agreement Myth-Busting Guide
Below are common myths that may hinder effective information sharing. Data protection legislation is a barrier to sharing information
No – the Data Protection Act 2018 and GDPR do not prohibit the collection and sharing of personal information, but rather provide a framework to ensure that personal information is shared appropriately. In particular, the Data Protection Act 2018 balances the rights of the information subject (the individual whom the information is about) and the possible need to
share information about them.
Consent is always needed to share personal information
No – you do not necessarily need consent to share personal information. Wherever possible, you should seek consent and be open and honest with the individual from the outset as to why, what, how and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on. When you gain consent to share information, it must be explicit, and freely given. There may be some circumstances where it is not appropriate to seek consent, because the individual cannot give consent, or it is not reasonable to obtain consent, or because to gain consent would put a child’s or young person’s safety at risk.
Personal information collected by one organisation/agency cannot be disclosed to another
No – this is not the case, unless the information is to be used for a purpose incompatible with the purpose for which it was originally collected. In the case of children in need, or children at risk of significant harm, it is difficult to foresee circumstances where information law would be a barrier to sharing personal information with other practitioners
The common law duty of confidence and the Human Rights Act 1998 prevent the sharing of personal information
No – this is not the case. In addition to the Data Protection Act 2018 and GDPR, practitioners need to balance the common law duty of confidence and the Human Rights Act 1998 against the effect on individuals or others of not sharing the information.
IT Systems are often a barrier to effective information sharing
No – IT systems, such as the Child Protection Information Sharing project (CP-IS), can be useful for information sharing. IT systems are most valuable when practitioners use the shared data to make more informed decisions about how to support and safeguard a child.
Page 10- Information Sharing Protocol and Agreement Appendix One—WSCP Relevant Agencies
The Relevant agencies named below are those organisations and agencies required to work with the WSCP to safeguard and promote the welfare of children in Wirral. This document applies in its entirety to all relevant agencies.
• All schools and colleges including academies, independent, special and alternate provision • Wirral Metropolitan College and Birkenhead 6th Form College and all providers of 16-18 education and training
• All early year’s provision including Children’s Centres, childcare providers and nurseries in cluding child minders
• Residential Providers
• Independent Fostering and Adoption Agencies
• NHS England
• Adult Social Services –where their activity relates to children
• Housing Providers
• Wirral University Teaching Hospital NHS Foundation Trust
• Wirral Community Health and Care NHS Foundation Trust
• The Clatterbridge Cancer Centre NHS Foundation Trust
• Wirral and Cheshire Partnership NHS Foundation Trust
• Youth Justice Service
• National Probation Service and Community Rehabilitation Company
• Border Force and Immigration Services
• British Transport Police
• Merseyside Fire and Rescue Service
• CAFCASS
• Wirral Local Authority
• Career Connect
• All providers of Sports involving Children including those providing oversight • All providers of extra-curricular activities to Children including clubs
• All religious organisations in Wirral
• Any agency or member of the Voluntary, Community and Faith Sector (including charities) who provide services to children or families including providers of sport and leisure activities • All agencies/persons commissioned by any safeguarding partner or relevant agency to provide services to children
Page 11- Information Sharing Protocol and Agreement
Appendix Two—WSCP Information Sharing Agreement 1. Introduction
1.1 Appropriate and timely sharing of relevant information is a vital part of identifying need and providing safeguarding services to children, young people and families in Wirral. Sharing appropriate information at the right time improves outcomes for all and can help prevent situations escalating into becoming more serious as well as identifying children who require protection from harm.
1.2 This Information Sharing Agreement sets out the framework for the sharing of personal data between Safeguarding Partners and Relevant Agencies (referred to in this ISA as Partner Agencies) and as controllers (within the meaning of the Data Protection Legislation). The Partner Agencies acknowledge that each Partner Agency will regularly disclose to another Partner Agency or agencies for the Purpose of this Information Sharing Agreement (“Shared Personal Data”).
2. Parties to this Agreement and Statutory Framework
2.1 This information Sharing Agreement has been approved by the statutory partners and applies to all relevant agencies named in this document (page 10). It also is underpinned by the legislation, statutory and policy guidance listed on page 2.
3. Purpose
3.1 The “Purpose” of this Information Sharing Agreement is to provide a framework to facilitate the appropriate sharing of information between Partner Agencies in order to safeguard and promote the welfare of children and young people in Wirral and to protect them from harm.
3.2 This Information Sharing Agreement recognises that the General Data Protection Regulation (“GDPR”) and the Data Protection Act 2018 (together, the “Data Protection Legislation”) are not barriers to justified information sharing, as set out in the guidance accompanying this ISA, but rather ensure that information sharing is necessary, proportionate, relevant, adequate, accurate, timely and secure.
3.3 This Information Sharing Agreement recognises that information sharing decisions should be recorded by the disclosing Partner Agency.
Page 12 Information Sharing Protocol and Agreement
3.4 This Information Sharing Agreement:
• recognises that nothing is more important than children’s welfare;
• recognises that information sharing is essential for effective safeguarding and promoting the welfare of children and young people;
• recognises that Serious Case Reviews (SCRs), Child Safeguarding Practice Reviews, and local Learning Reviews have repeatedly highlighted that missed opportunities to record, understand the significance of, and share information in a timely manner can have severe consequences for the safety and welfare of children;
• Recognises that the timely and effective sharing of information can improve decision-making and protect the best interests of a child;
• Has regard to the seven golden rules to sharing information (detailed on page 7 of this guidance) set out by HM Government, which in summary state:
◊ The Data Protection Legislation and human rights laws are not barriers to justified information sharing but a framework to ensure it is shared appropriately;
◊ Be open and honest with the individual (and/or their family where appropriate) from the outset about why, what, how and with whom information will, or could be, shared, and seek their agreement, unless it is unsafe or inappropriate to do so;
◊ Seek advice where in any doubt about sharing the information concerned;
◊ Where possible, share information with consent and, where possible, respect the wishes of those who do not consent to share confidential information unless it is in the interests of safety or in the public interest;
◊ Consider safety and wellbeing: base information-sharing decisions on considerations of the safety and wellbeing of the person and others who may be affected by their actions;
◊ Necessary, proportionate, relevant, accurate, timely and secure: ensure that the information shared is necessary for the purpose for which it is shared, is shared only with those people who need to have it, is accurate and up to date, is shared in a timely fashion, and is shared securely
◊ Keep a record of the decision and the reasons for it – whether it is to share information or not. If information is shared, then record what was shared, with whom and for what purpose.
Page 13- Information Sharing Protocol and Agreement
3.5 In relation and children and young people the purposes of this ISA are to:
• support the functioning of the Integrated Front Door as the point of referral into Local Authority Children’s Services
• identify the safeguarding and protection needs of children, and ensure the right support and services are provided in a timely manner
• facilitate the collaboration between Partner Agencies to achieve improved outcomes for vulnerable children and those at risk of harm;
• facilitate the identification and analysis of new safeguarding issues and emerging threats;
• facilitate the promotion and embedding of learning;
• facilitate the commissioning and publication of child safeguarding practice reviews;
• facilitate rapid reviews of cases, local and national child safeguarding practice reviews, local multi-agency learning reviews, complex case investigations and any other reviews to aid local learning and improvement in safeguarding services;
• conduct Multi-Agency Audits.
3.6 This ISA recognises the importance of the Integrated Front Door (IFD) as the central point for the multi-agency sharing of information to safeguard and protect children from harm. All Partner Agencies will ensure the prompt sharing of relevant information with the IFD and will prioritise requests from the IFD for information to secure the safeguarding of children and young people.
3.7 The IFD will ensure there is a clear purpose for information shared with it by Partner Agencies and may refuse information that has been incorrectly or illegally gathered or shared without appropriate consent.
3.8 Requests for information or checks made to the IFD will similarly be scrutinised to establish the purpose and to ensure key information is not missed. All requests will be:
• recorded and the purpose will be clearly defined
• scrutinised to ensure appropriate consent is obtained
• where appropriate parents will be informed of the request
Page 14- Information Sharing Protocol and Agreement 4. Data Protection
4.1 The Partner Agencies acknowledge that each Agency will regularly disclose to another Agency or Agencies personal data for the purpose of this Information Sharing Agreement (“Shared Personal Data”).
4.2 Each Partner Agency shall comply with all the obligations imposed on a controller under the Data Protection Legislation.
4.3 Each Partner Agency shall:
• process Shared Personal Data fairly, lawfully and transparently;
• process the Shared Personal Data only for the Purpose of this Information Sharing Agreement;
• ensure that personal data to be shared is accurate and up-to-date;
• ensure that it has in place appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Shared Personal Data and against accidental loss or destruction of, or damage to, Shared Personal Data, this shall include ensuring that any information shared via email is shared in an encrypted manner, shared between secure email domains or shared using an encrypted email service;
• ensure that individuals are informed about the collection and use of their personal data and are provided with the privacy information required by the Data Protection Legislation;
• respect its obligations to comply with data subject access requests under the Data Protection Legislation and information requests under the Freedom of Information Act 2000 (or Environmental Information Regulations 2004 as applicable) and provide reasonable assistance to each other Partner Agency to comply with their obligations;
• not transfer any Shared Personal Data received from another Partner Agency outside the European Economic Area;
• notify the other Partner Agencies without undue delay on becoming aware of any breach of the Data Protection Legislation and provide reasonable assistance to each other Partner Agency as is necessary to facilitate the handling of any personal data breach in an expeditious and compliant manner;
Page 15- Information Sharing Protocol and Agreement
• provide the other Partner Agencies with contact details of at least one employee as a single point of contact (“SPoC”) and responsible manager for all issues arising out of the Data Protection Legislation;
• keep a record of what Shared Personal Data has been shared, with which Partner Agency (Agencies) and the reasons or Purpose why it was shared and keep a record of decisions not to share information and the reasons why it was not shared; and
• keep the Shared Personal Data for no longer than is necessary for the Purpose or that Partner Agency’s statutory functions.
4.4 The Partner Agencies acknowledge that the Shared Personal Data will regularly be special category data within the meaning of the Data Protection Legislation. Special category data will be shared only where there is an additional special category condition within the meaning of the Data Protection Legislation. That special category condition is likely to be:
• the explicit consent of the data subject has been obtained where possible and appropriate. It may not be appropriate to seek consent where the information needs to be shared to prevent harm;
• the sharing is necessary to protect the vital interests of the data subject or of another natural person where the data subject is physically or legally incapable of giving consent;
• the processing is necessary for the establishment, exercise or defence of legal claims; or
• the processing is necessary for reasons of substantial public interest.
5. Monitoring, review and indemnity
5.1 Each Partner Agency shall ensure that its lead officer/ strategic safeguarding lead or SPoC maintains oversight of this Information Sharing Agreement.
5.2 The content of this Information Sharing Agreement will be reviewed annually by the statutory safeguarding partners to ensure compliance with legislation and to review the effectiveness of this data sharing initiative.
Page 16- Information Sharing Protocol and Agreement
5.3 Any changes to this Information Sharing Agreement must be agreed by the statutory safeguarding partners.
5.4 Where a Partner Agency has decided not to share information that has been requested by another Partner Agency, that Partner Agency will provide its record of the reasons for the decision not to share the information, including the consideration of the safety and well-being of the affected individual. Any such decision is subject to scrutiny by the statutory safeguarding partners.
5.5 Each Partner Agency undertakes and agrees to pursue a positive approach towards resolving any dispute which maintains a strong working relationship between the Partner Agencies. Each Partner Agency’s SPoC or lead officer will use all reasonable endeavours to identify a mutually acceptable solution.
5.6 Each Partner Agency will keep each of the other Partner Agencies fully indemnified against any and all costs, expenses and claims arising out of any breach of this agreement.
5.7 All individual agencies as receivers of information covered under this agreement will accept total liability for a breach of this Information Sharing Agreement should legal pro ceedings or monetary penalties be served in relation to any alleged breach or contra vention.
5.8 Where a data loss incident occurs involving information shared under the terms of this Agreement, the organisation that loses the data must immediately inform the Partner Agency to whom the information belongs. The organisation that owns the data that is lost must lead the investigation into the breach, using their own data breach procedure with the full co-operation of the partner agency that lost the data.
5.9 Should the data breach be of significant risk the Information Commissioner’s Office (ICO) will need to be informed. All parties must work together to produce a risk assess ment in order to grade the severity of the breach. It will then be the responsibility of the partner that is the data controller for them to inform the ICO.
6. Data Security and Management
6.1 It is important that information is shared safely and only shared with the intended re cipient. The information should show the originator’s details, including organisation name (where applicable) and date.
Page 17- Information Sharing Protocol and Agreement
6.2 Email – this is by far the most widely used method to exchange information therefore care should be taken to anonymise any identifying information, e.g. by using initials.
6.3 Where an organisation has access to a Government secure email/online or equivalent facility, it must be used for sharing information.
7. Rights of Access
7.1 In order to access Personal Data all relevant staff within each organisation must have had the required organisational checks.
7.2 All personal information on all individuals will be treated in accordance with the “Common Law Duty of Confidence” and only accessed by those working with the individual or by those monitoring statistical or quality standards or by those otherwise having a need to know in connection with any parties’ statutory functions.
7.3 Each organisation must ensure that they have adequate notification and Privacy Notices in place to ensure their data subjects (people to whom the information relates) would reasonably expect this sharing to take place.
7.4 Each organisation must risk assess the privacy impact of the sharing of personal information and must not sign this agreement and must not share personal information until they have in place controls to mitigate these risks
7.5 All information shared under the terms of this agreement must be stored on secure case management systems. Wirral Council will be the Data Controller for information col lected for use by the Integrated Front Door.
7.6 All staff based in the Integrated Front Door will be given clear guidance around confidentiality and consent arrangements and other relevant operational procedures. The statutory safeguarding partners will expect staff in all agencies involved in the sharing of information pertaining to the safeguarding of children will have received similar guid ance and be aware of their legal responsibilities.
8. Review, Retention and Disposal of Information
8.1 Partners to this agreement undertake that information shared under the agreement will only be used for the specific purpose for which it was shared.
Page 18- Information Sharing Protocol and Agreement
It must not be shared for any other purpose outside of this agreement and will be securely disposed of when it has served the purpose for which it was requested.
8.2 The retention and disposal of information must be managed in accordance with agencies own policies and any statutory guidance. Guidance for appropriate retention periods for safeguarding information is available on the WSCP website.
9. Monitoring
9.1 Compliance with this document will be monitored via the WSCP Executive Group and will be subject to independent scrutiny.
9.2 The WSCP Business Manager is responsible for the monitoring, revision and updating of this document.
10. Equality Impact Assessment
10.1 The publication of this document forms part of the WSCP’s commitment to identify, challenge and remove or discriminatory practice in relation to the protected characteris tics (race, disability, gender, sexual orientation, age, religious or other belief, marriage and civil partnership, gender reassignment and pregnancy and maternity), as well as to promote positive practice and value the diversity of all individuals and communities.
10.2 As part of its development this document and its impact on equality has been ana lysed and no detri- ment identified.