Data sharing is an exchange of data between two or more parties. This might involve the exchange of information on a case by case or bulk basis in support of joined-up service delivery, or the matching of datasets for authentication, service entitlement or statistical purposes. It might also include disclosures of data from one or more bodies to another agency, department or local service provider.
No. The Government's view is that public services, and their customers, can and do benefit from the better use of personal data already held within the public sector. However, the Government also recognises that the sharing of personal data must be done in accordance with recognised standards and good practice and in a manner consistent with open government. Any sharing of personal data must also be consistent with the principles of both data protection and human rights legislation.
No. There is no need to always rely on express powers (often referred to as information gateways) to enable data sharing. Data sharing is usually incidental to the exercise of a function; it is a tool that helps achieve a designated activity. If the powers are there to carry out a function or activity, then it is likely that a power to share data can be implied (as long as the data sharing is clearly for the purposes of achieving that function). Conversely, if there are no powers to carry out the function or activity itself, the further stage of data sharing will not be reached.
There are some instances where public bodies cannot imply powers to disclose to or share data with another public body. Therefore gateways are enacted in legislation to provide for disclosure or sharing of information for particular purposes.
No. The Data Protection Act (DPA) does not provide a power to share data. The Act requires data to be processed fairly and lawfully (the first data protection principle) but does not, however, specify the means by which processing is to be regarded as "lawful". You must, therefore, be certain that you have a lawful basis for the data sharing/processing in question (whether by virtue of legislation, the common law, or under Crown prerogative).
Not necessarily. The second principle states that personal data should not be further processed in any manner incompatible with the original purpose for which it was obtained. In our view, the requirement of compatibility does not have to mean "identical to" and provided the further processing is for a purpose that is not contradictory to the original purpose or purposes, it will be consistent with the second principle. Compliance advice can be found on the Information Commissioner's website at www.dataprotection.gov.uk
No. The Data Protection Act does not provide public bodies with the vires or powers to share data. There are certain exemptions from certain of its requirements, in areas such as crime prevention and processing for statistical purposes, but the processing itself must still be lawful.
Information which carries with it a duty of confidence is usually information which is not readily available from another source, has been given for specified purposes only and which includes personal information that individuals would not expect to be disclosed. Public authorities ought to have clear procedures for how confidential information should be handled and the circumstances in which it can be shared.
If public bodies have the vires, or powers, to share information, and that the processing is both DPA and HRA compliant, and not in breach of confidence, then public bodies need not assume that they also require consent to share data. In terms of DPA compliance, consent is just one of several Schedule 2 and 3 conditions on which public bodies can process data legitimately.
No. Data sharing agreements must operate within the principles established by the DPA (and additionally the Human Rights Act 1998 and the common law duty of confidence). The establishing of any agreement will not make unlawful processing lawful. The reasons for such arrangements are to clear up uncertainty about what is and what is not permissible, ensure openness and transparency and to ensure consistency throughout the Public Sector.
Protocols make sure that everyone is clear about their data exchange responsibilities and liabilities. They promote trust between partner organisations and the public. You don't need a separate protocol for each area of work. You can have one protocol that deals with all circumstances where information is exchanged.
As with all data sharing issues, the first point to consider is whether vires (legal powers) exist for the activity in question, including any data sharing which is a necessary part of that activity. There is no specific legislation for one-stop shops or CRM systems, but s2 of the Local Government Act 2000 provides local authorities with the power to do anything (unless otherwise barred in law from doing so) to promote or improve the economic, social or environmental well-being of their area. This power is likely to provide the lawful basis for such systems, but issues of Human Rights, confidentiality and compliance with the provisions of the Data Protection Act 1998 will still need to be considered.