Guidelines which affect information sharing

It is also essential to protect children and young people from suffering harm from abuse or neglect and to prevent them from offending. The information sharing guidance for practitioners providing services to children, young people, parents and carers offers more detailed guidance about when and how to share information legally and professionally. This page sets out some key points around information sharing. Information sharing should always be necessary, proportionate, relevant, accurate, timely and secure.

A record should be kept of what has been shared, with whom and for what purpose, and the reasoning behind it. Practitioners should also be alert to sharing important information about any adults with whom that child has contact, which may impact on the child's safety or welfare. Information sharing is essential for the identification of patterns of behaviour, for example when a child is at risk of going missing or has gone missing, when multiple children appear associated with the same context or locations of risk, or in relation to children in the secure estate where there may be multiple local authorities involved in a child's care.

All practitioners should be particularly alert to the importance of sharing information when a child moves from one local authority into another, due to the risk that knowledge pertinent to keeping a child safe could be lost. It will be for local safeguarding partners to consider how they will build positive relationships with other local areas to ensure that relevant information is shared in a timely and proportionate way. Those providing services to adults and children, GPs for example, may be concerned about the need to balance their duties to protect children from harm against their general duty of care towards their patient or service user, e.

Some practitioners face the added dimension of being involved in caring for or supporting more than one family member - the abused child, siblings, and an alleged abuser. However, the Children Act determines that where there are concerns that a child is, or may be, at risk of significant harm, the overriding consideration is the welfare of the child.

Practitioners must have due regard to the relevant data protection principles which allow them to share personal information. It is important, however, that practitioners understand the data protection principles which allow them to share personal information.

All organisations handling personal data must ensure they have comprehensive and proportionate arrangements for collecting, storing, and sharing information. This also includes arrangements on informing service users about the information they will collect and how this may be shared. Special category data - Under the UK GDPR, special category data relates to information about individuals which is particularly sensitive and so needs greater protection before it is shared.

This includes for example, information about a person's race and ethnic origin, their health and sexual orientation. It is not necessary to seek consent to share information for the purposes of safeguarding and promoting the welfare of a child, providing there is a lawful basis for the sharing. Consent is also a lawful basis in UK GDPR and would cover sharing where the individual has given clear consent for you to process their personal data for a specific purpose; e.

The UK GDPR sets a high standard for consent to share information, and requires that it must be specific, time limited and able to be withdrawn.

Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement. Consent is one lawful basis for processing information, but there are five others. You must always choose the lawful basis that most closely reflects the true nature of your relationship with the individual and the purpose of the processing. The UK GDPR does not contain specific provisions on capacity to consent, but issues of capacity are bound up in the concept of 'informed' consent.

Generally, you can assume that adults have the capacity to consent unless you have reason to believe the contrary. Organisations should consider the purpose for sharing the personal information. Additionally, the purpose needs to be specific to ensure that the information is not used for a broad range of purposes that go beyond the scope of the information sharing initiative.

The purpose of sharing must also not breach a secrecy or confidentiality provision. A local council received a request from a Department for the names and addresses of ratepayers in an area so as to consult with them about a road project. In assessing the request, the council considered whether its residents would reasonably expect it to pass their personal information to the Department for these purposes.

It decided that, given the proposed broad range of uses, its residents would not reasonably expect their information to be disclosed to the Department. The council decided, instead, to promote the public consultation on behalf of the Department by placing a notice on its website. Organisations should establish that they are permitted to disclose, and collect, personal information. This may be determined by enabling legislation, specific information sharing legislation, privacy law or a combination of these.

The disclosing organisation needs to be certain that it has a lawful basis for disclosing the personal information. Similarly, the recipient organisation needs to be certain that it collects personal information in a lawful manner, in line with what is necessary for its functions or activities. Further guidance on collecting personal information is available in the Guidelines to the Information Privacy Principles.

Organisations should first consider their enabling legislation to determine whether they are permitted to share personal information for the specified purpose. If their enabling legislation does not contain any relevant provisions, and there is no specific information sharing scheme that authorises the sharing (such as the FVISS or the Victorian Data Sharing Act (VDS Act)), then organisations can consider whether privacy legislation, such as the PDP Act, authorises the information sharing.

Enabling legislation may also expressly prohibit or restrict the sharing of certain information, such as information that is subject to secrecy provisions or confidentiality provisions. Organisations will need to ensure that information is handled in accordance with these provisions, despite other authorities under privacy legislation. The Use and Disclosure principle (IPP 2) in the PDP Act prohibits organisations from using and disclosing personal information for a purpose other than the primary purpose of collecting that information, unless one of the eight permitted secondary purposes applies.

A school received a request from a Department for personal information about an individual for an unidentified purpose. The school believed that the request was in relation to a family violence incident.

In responding to the request, the school considered its legal authority to share the personal information. Personal information may be used or disclosed for a purpose other than the primary purpose if such use or disclosure is required or authorised by or under law, as set out in IPP 2. Further, an organisation may use or disclose personal information where it reasonably believes the use or disclosure is reasonably necessary for any of five specified purposes undertaken by or on behalf of a law enforcement agency as set out in IPP 2.

If an organisation is disclosing personal information under IPP 2. The PDP Act does not specify the content of the record, but it should include information that explains why the information was disclosed and should record the circumstances of the disclosure.

The school also recorded the disclosure as required by IPP 2. Where organisations decide to seek consent from individuals to share their personal information with other organisations, they must ensure that the consent is valid. For consent to be valid, the individual must have capacity to consent. Additionally, the consent must be voluntary, informed, specific and current. However, where organisations intend to disclose personal information under an alternative legal authority, it is not appropriate to seek consent from individuals, as the individuals would not have genuine choice as to whether or not their information is shared.

In this case, it would be more appropriate for organisations to provide notice to individuals of the intention to disclose their information to other organisations. A council received a request to share personal information with a utility provider who needed to decommission a utility on a specified property.

The council authority considered whether the individual would reasonably expect it would pass their personal information on to the utility provider, or whether it should seek consent from the individual to disclose their phone number. The council decided to seek consent from the individual to disclose the information to the utility provider.

Organisations must consider human rights when they make decisions, deliver services, develop policies and projects, manage risks and manage complaints. Organisations should also consider their adherence to other IPPs that are relevant to an information sharing initiative. Organisations should undertake a risk assessment when deciding whether to share personal information. The outcome of the risk assessment will help organisations decide whether it is appropriate to share personal information and identify any risk mitigation strategies required to enable information sharing.

For example, each organisation involved in an information sharing initiative should undertake a Privacy Impact Assessment (PIA) to identify any privacy risks associated with the initiative.

Organisations may identify different risks depending on their role in the information sharing initiative. It may be useful for organisations to undertake a joint PIA to form a holistic view of the risks involved in sharing the information. A PIA is not an authorising or decision-making document, but rather a tool designed to help organisations develop risk mitigation strategies for any privacy risks identified while undertaking the PIA.

The PIA will need to be reviewed and updated periodically, particularly if elements of the information sharing initiative change (for example, if new parties are added to the initiative). Organisations should also undertake a security risk assessment before deciding to share information.

Organisations should seek legal advice if there is uncertainty about whether they are authorised to disclose or collect personal information. Organisations should identify whether their systems can support the information sharing initiative.

As mentioned above, interoperability can be a barrier to sharing information. Organisations should be able to share information securely and ideally audit unit level access to the information. Organisations should address any interoperability issues before sharing information with other organisations. Some organisations are required to comply with protective data security obligations in Part 4 of the PDP Act. Organisations should ensure they consider each of these security domains when identifying the security requirements for their information sharing initiative.

An important element of managing personal information appropriately is effective record keeping. The Public Records Act, administered by the Public Record Office Victoria, sets out standards for the efficient management of public records. Organisations must ensure that their record keeping practices are in line with these standards.

There are also record keeping obligations under the PDP Act, specifically IPP 3 and IPP 4, which outline requirements for the quality and the security of the information held by organisations. It is good practice to document all information sharing initiatives, whether they are ad-hoc or ongoing. Documentation will also enable organisations to properly review and evaluate their information sharing practices.

If organisations intend to share personal information on an ongoing basis, they should set out the terms of the information sharing initiative in a written document. An ISA sets out all the core elements of the information sharing arrangement and must be approved and signed by all participating organisations.

An ISA helps ensure that all elements of an information sharing initiative are considered and documented. Organisations must ensure that all terms of the ISA are upheld and that, in practice, the ISA facilitates effective and responsible information sharing.

ISAs and MOUs generally do not create new legal obligations for organisations, but outline the particulars of the arrangement within existing legal frameworks. The content of an ISA will depend on factors such as the nature of the information sharing initiative, the type of information being shared, and the risks involved in sharing that information.

There is no one-size-fits-all approach to an ISA so they should be customised to suit each information sharing initiative. This is not an exhaustive list of what should be documented in an ISA.

At a minimum, an ISA needs to clearly set out the obligations of each organisation involved in the information sharing initiative. Data breaches occur when public sector data held by organisations (often including personal information) is misused, lost or subject to unauthorised access, modification or disclosure.

Some common causes of data breaches include human error, ineffective information management processes and systems, or inadequate employee training. Data breaches can cause significant harm to the individuals whose information is impacted by the breach and to the organisation involved. Organisations should have a data breach management process to ensure that any data breaches affecting information sharing initiatives are responded to efficiently.

If a data breach occurs, organisations should take immediate steps to minimise the risk of harm that may arise from the breach.

Under the Information Security Incident Notification Scheme, organisations are required to notify OVIC within 30 days of information security incidents that compromise the confidentiality, integrity or availability of public sector data, which includes personal information.


