Multi Agency Assessment Panels Data Protection Protocol

Transcription

1 Multi Agency Assessment Panels Data Protection Protocol 1. Introduction 1a. What is Data Protection? Data Protection is important when dealing with information about living individuals. The 1998 Data Protection Act covers any processing of such information, by computer or manual filing system. 1b. What are the requirements of the Act? The Act requires all organisations that decide how and why personal data are processed to notify with the Information Commissioner. Notification involves completing a form stating what your data processing involves. For more information, visit Any organisation participating in the multi-agency assessment panel must ensure their notification includes this transfer of personal data to the other participating agencies. The processing of Personal Data must comply with the eight data protection principles. These require data to be: 1. Fairly and lawfully processed 2. Processed for limited purposes 3. Adequate, relevant and not excessive 4. Accurate 5. Not kept longer than necessary 6. Processed in accordance with the Data Subject s rights 7. Secure 8. Not transferred between countries without adequate protection The Protocol is an agreement to ensure that the work of (insert town/city/area) Multi-Agency Assessment Panel complies with the Act. Responsibility for compliance with the Data Protection Act in other areas of the organisations work is the responsibility of the individual organisations themselves. Guidance and information may be obtained at

2 (insert name of town/city) Multi-Agency Assessment Panel Data Protection Protocol 1. Purpose The purpose of this protocol is to protect people with multiple needs by facilitating the exchange of data in order that the various agencies and organisations working with the (insert name of town/city) Multi-Agency Assessment Panel can support the implementation of resettlement and care plans through a co-ordinated and planned multi-agency approach. The protocol is used to establish conditions in respect of the disclosure of information held by the member of the (insert name of town/city) Multi-Agency Assessment Panel as well as the receipt of information provided by other agencies through reciprocal arrangement. 1a. Strategic Planning and Local Partnerships The protocol provides guidance in respect of the sharing of personal or depersonalised information by the member agencies in support of: Strategic planning process with established partners Local partnerships engaged in the implementation of local homelessness strategies Please note: Personal Data means data which relates to a living individual who can be identified either, from the data, or from the data and any other information which is in the possession of, or is likely to come in to the possession of the data holder. Depersonalised information is defined as information from a database that is provided to another agency in a format where it is no longer possible to identify an individual. There are no restrictions on the disclosure of information that does not identify individuals. 1b. Use of Data Protection Protocol This Data Protection Protocol should be used in conjunction with the following documents which relate to multi-agency assessment panels: Confidentiality Policy Client Consent Form Terms of Reference 2. Personal Data 1. It will be the responsibility of individual agencies to ensure that they are properly registered to exchange personal data under this protocol. The signatories will also comply with the principles set out in the Data Protection Act.

3 2. An underlying principle of the protocol is that an agency will always retain ownership of the personal information it disclosed to another member of the panel. A recipient of such information must therefore obtain the consent of the original data owner before making further decisions regarding the clients resettlement and care plan. 3. Personal information relating to a client should only be disclosed with the consent of the person concerned therefore a signed release MUST be obtained. However, in cases where consent cannot be given or cannot reasonably be expected to be obtained, sensitive personal data can be processed if it is in the substantial public interest and it is necessary for the provision of counselling, advice or support (Statutory Instrument 417 (2000)). In such instances, it is important for the data controller to clearly record on file that the processing is taking place under the terms of this Statutory Instrument. 4. Only sufficient personal information will be disclosed to enable the recipient to carry out the relevant purpose. 5. The identity of the originator must be recorded against the relevant data. No secondary use or other use may be made unless the consent of the disclosing party to that secondary use is sought and granted. Disclosure must be compatible with the second data protection principle personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes. 6. In order to comply with the Data Protection Act principle no. 3 data processed should be adequate relevant and not excessive. In order to comply with this information exchanged will be reviewed by the data protection officials of the participating agencies to ascertain if the objective for which information was released has been achieved or is still pertinent. Such review will consider whether the information is retained by the partner agency or deleted from agency records. 7. Data protection officials representing the relevant agencies will liaise to ensure compliance with this protocol. Please see No. 1 above. 8. Information discovered to be inaccurate or inadequate for the purpose will be notified to the data owner who will be responsible for correcting the data and notifying all other recipients of the data who must ensure that the correction is made. 3. Depersonalised Data 1. The exchange of depersonalised or aggregated information should be considered where it could be used to facilitate strategic planning processes with established partner agencies. 2. Information must be accurate and complete before it is made available to members of the panel. 3. The results produced by analysing depersonalised information can be used to: Demonstrate the findings of (insert town/city) audits/mappings Inform the consultation process which follows Help target and develop strategic approaches

4 4. In respect of depersonalised information the following will apply: No attempt must be made to identify an individual through the provision of depersonalised information Data must not be released to those with a commercial interest in its use Arrangements must exist for the secure storage of all depersonalised information Information must be destroyed when it is no longer required. 4. Security 1. Member agencies should ensure that they have appropriate security arrangements in place. A statement of these including such points as who can access what information, who makes disclosure decisions, where information is stored etc., should be included in the protocol to prevent unauthorised access to and disclosure of personal data. 2. Member agencies will nominate Designated Officers to process requests for personal information from clients. A response to a request for information will be made within 5 working days. 3. Decisions on disclosure reached at meetings must be minuted. (Please see Appendix A for further information)

5 5. Information to be Shared in this Partnership The information to be shared be the members of the panel who are directly involved with the individual case will consist of: Section A Key information Name National Insurance Number Also known as Keyworker completing interview Organisation Telephone number Contact person in case of emergency Name Address Telephone number Section B About the client Date of birth Gender. Sexuality. Ethnic Origin. Section C Origins Were you born in this area? Where did you last stay and for how long? Why did you leave? Section D Housing/homelessness history Reasons for current homelessness situation. Length of current homelessness situation. Detailed description of housing history prior to homelessness. Section E Care History Details of periods in care? Age upon leaving care. Details of recent periods in care. Affects of living in care on ability to live independently.

6 Section F Benefits and Finance Which benefits are currently being claimed? Details of benefits agency office and personal. Details of any problems claiming. Details of Identification possessed. Details of debt, how much is owed and to whom? Details of current sources of income and main expenditures. Section G Legal Issues Details of any problems with the law. Details of key contact in Probation Service. Details of Solicitor. Details of any legal issues pending. Section H General Physical Health Details of GP registration. Last date GP seen. Details of medication being taken. Details of current prescription and when this was last reviewed. Details of health services used in last year. Is the client disabled? Is the client registered disabled. Details of current/past health problems. Section I Mental Health Clients detailed assessment of their mental health over past 3 months. Details of previous mental health problems/history. Details of involvement with mental health services. Details of medication being taken. Section J Drug Use Do you take any drugs to help you get through the day. Do you think drugs stop you getting on with your life. Clients assessment of drug use and its effects over the past 3 months. Amount of money spent on drugs each week. Details of type and amount of drugs taken. Length of time drugs have been taken. Details of how drugs are taken e.g. injection, smoking. Details of previous treatments. Details of current and past contact with drug agencies.

7 Section K Alcohol Use Do you drink to get you through the day? Does alcohol stop you from getting on with your life? Details of clients assessment of their alcohol use and its effects over the past 3 months. Amount of money spent on alcohol each week. Type and amount of alcohol drunk. Length of time client has been drinking. Details of treatment current and in the past. Section M Education and Employment Details of achievements and difficulties experienced in education. Details of employment history (type of work, length of employment). Section N Clients own assessment of needs Details of services not mentioned above that client is in touch with. Section O Action Plan Details of needs identified/areas for action. Details of person/people responsible. Details of date of completion of tasks/actions. Details of outcomes of task/actions.

8 6. Signature This protocol must be signed by a senior representative from each of the partner agencies and include the name of the Designated Officer (as specified in paragraph 2 of the Security section above). I, the undersigned, on behalf of my agency, agree to support the implementation of the (insert name of town/city/area) Multi-Agency Assessment Panel through the provision and safekeeping of exchanged data in accordance with the conditions detailed in this protocol. Signed Date Name (block capitals Position Agency Address Designated Officer Please return this declaration to: (insert name and address of appointed person)

9 Appendix A 1. Security of Data The following guidance is taken from the Information Commissioners own legal guidance. It is a requirement of the protocol for the participating agencies to agree on appropriate security arrangements to protect their processing of personal data. Seventh Principle Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data. The Act gives some further guidance on matters which should be taken into account in deciding whether security measures are appropriate. These are as follows:- (i) Taking into account the state of technological development at any time and the cost of implementing any measures, the measures must ensure a level of security appropriate to: (a) (b) the harm that might result from a breach of security; and the nature of the data to be protected. (ii) The data controller must take reasonable steps to ensure the reliability of staff having access to the personal data. With regard to the technical and organisational measures to be taken by data controllers, the Directive states that such measures should be taken both at the time of the design of the processing system and at the time of the processing itself, particularly in order to maintain security and thereby to prevent any unauthorised processing. Data controllers are, therefore, encouraged to consider the use of privacy enhancing techniques as part of their obligations under the Seventh Principle. It is clear from (i) above that there can be no standard set of security measures that is required for compliance with the Seventh Principle. The Commissioner s view is that what is appropriate will depend on the circumstances, in particular, on the harm that might result from, for example, an unauthorised disclosure of personal data, which in itself might depend on the nature of the data. The data controller, therefore, needs to adopt a risk-based approach to determining what measures are appropriate. (In fact, the Directive refers to a level of security appropriate to the risks represented by the processing ). Management and organisational measures are as important as technical ones. Standard risk assessment and risk management techniques involve identifying potential threats to the system, the vulnerability of the system to those threats and the countermeasures to put in place to reduce and manage the risk. In many cases, a simple consideration of these matters will be sufficient. On the other hand, there are wellestablished formal methodologies which will assist any data controller to assess and manage the security risks to the system. Some of the security controls that the data controller is likely to need to consider are set out below. (This is not a comprehensive list but is illustrative only.)

10 Security management: does the data controller have a security policy setting out management commitment to information security within the organisation? is responsibility for the organisation s security policy clearly placed on a particular person or department? are sufficient resources and facilities made available to enable that responsibility to be fulfilled? Controlling access to information: is access to the building or room controlled or can anybody walk in? can casual passers-by read information off screens or documents? are passwords known only to authorised people and are the passwords changed regularly? do passwords give access to all levels of the system or only to those personal data with which that employee should be concerned? is there a procedure for cleaning media (such as tapes and disks) before they are reused or are new data merely written over old? In the latter case is there a possibility of the old data reaching somebody who is not authorised to receive it? (e.g. as a result of the disposal of redundant equipment). is printed material disposed of securely, for example, by shredding? is there a procedure for authenticating the identity of a person to whom personal data may be disclosed over the telephone prior to the disclosure of the personal data? is there a procedure covering the temporary removal of personal data from the data controller s premises, for example, for staff to work on at home? What security measures are individual members of staff required to take in such circumstances? are responsibilities for security clearly defined between a data processor and its customers? Ensuring business continuity: are the precautions against burglary, fire or natural disaster adequate? is the system capable of checking that the data are valid and initiating the production of back-up copies? If so, is full use made of these facilities? are back-up copies of all the data stored separately from the live files? is there protection against corruption by viruses or other forms of intrusion? Staff selection and training:

11 is proper weight given to the discretion and integrity of staff when they are being considered for employment or promotion or for a move to an area where they will have access to personal data? are the staff aware of their responsibilities? Have they been given adequate training and is their knowledge kept up to date? do disciplinary rules and procedures take account of the requirements of the Act? Are these rules enforced? does an employee found to be unreliable have his or her access to personal data withdrawn immediately? are staff made aware that data should only be accessed for business purposes and not for their own private purposes? Detecting and dealing with breaches of security: do systems keep audit trails so that access to personal data is logged and can be attributed to a particular person? are breaches of security properly investigated and remedied; particularly when damage or distress could be caused to an individual? Further advice may be found in BS 7799 and 1S0/IEC Standard It is important to note that the Seventh Principle relates to the security of the processing as a whole and the measures to be taken by data controllers to provide security against any breaches of the Act rather than just breaches of security.