Risks, requirements, protocols and legalities
How do you identify and assess the risks and benefits of sharing information?
Sharing information brings risks and benefits which may impact upon your organisation, the partnerships that you engage in, and your customers or clients. While our role at the Centre is focused on the cultural aspects to information sharing, and we ask our friends at the Information Commissioner's Office and the Information Governance Alliance to help with the legal queries, we do appreciate it's important that risks associated with sharing information are fully understood and embedded within wider risk management strategies. It is also important to understand the benefits that sharing information appropriately can bring to your organisation, partnership or customers. The following document helps to identify five risk categories:
How do you identify and assess risks to privacy?
A privacy impact assessment (PIA) is a technique that may be used to identify the privacy risks and issues associated with any new initiative that involves the use of personal information. PIAs are widely used around the world and allow stakeholders to identify and foresee potential privacy impacts so solutions can be designed into an initial project or programme.Although there is no legal requirement to conduct a PIA when embarking on a new initiative in this country, the process is strongly promoted and advocated by the Information Commissioner’s Office. It is seen as a useful method for understanding the risks that activities may pose to individual privacy and the subsequent risks to the reputation, finances and operations of an organisation.A review of Privacy Impact Assessment Reports details PIAs that have been conducted on large-scale national initiatives or legislation changes. However, they are equally applicable for projects that are initiated within public authority services, partnership activities, policy development and implementation proposals, system design or changes to data collection and management.In short, any activity that may have an impact on individual privacy should have a PIA carried out before its implementation.Things to think about:
- do you need to do a PIA?
- what scale of PIA do you need to do?
- what preparation do you need to do?
- how will you conduct the PIA and involve your stakeholders?
- how will you ensure identified risks are managed appropriately?
- how will you feedback your results?
- Privacy impact assessment – Information Commissioner’s Office
- Privacy impact assessment code of practice – Information Commissioner’s Office
- Privacy impact assessment overview - Information Commissioner's Office
Tools to support the identification, assessment and management of information sharing risks:
- Information sharing risk management key questions
- Identifying information sharing risks checklist
- Identifying information sharing risks: impact and action
- Identifying information sharing risks: action planning template
- Workshop activity: identifying risks
Tool to support the identification of the benefits of information sharing:
- DCLG research into the benefits associated with personal data sharing at local partnership level
- Appendices to DCLG research into the benefits associated with personal data sharing at local partnership level
For general guidance on risk management:
How do you agree an information sharing protocol?
It is necessary for all partners to work together in order to function effectively and deliver the partnership’s stated purpose.Effective information sharing is a key component to the successful functioning of a partnership, but is often made difficult by different organisational approaches. In order to start the information sharing process, it is important that all partners are able to commit to the sharing of their information.An information sharing protocol aims to provide a high level, multi-agency framework for the sharing of information for a defined purpose.By clearly defining why information sharing is required, the principles that will govern the sharing and how it will support the functions of the partnership, a protocol can provide the foundations for partners to agree, in principle, to share information.The function of an information sharing protocol should only include the level of information necessary to achieve agreement in principle. It should not aim to detail every data sharing requirement between named agencies as it will later be underpinned by agreements which set out these further specifics.The tools in this section will help you address the following questions:
- Do we need an information sharing protocol?
- How do I develop an information sharing protocol with my partners?
- How do we implement and maintain an information sharing protocol?
- Guidance for developing an information sharing protocol
- Information sharing protocol tier two template
- Checklist for developing an information sharing protocol
Writing your privacy notice or consent statement
When working to provide a service as a partnership, it is important to be consistent when communicating with your service users. The following principles have been developed through working with a number of services in Leicestershire and should provide you with some ideas as you develop your own approach.
- Be consistent, not uniform
- Understand the process
- Cover why, who and what
- What does it mean for me?
- Keep the user in mind
- Make it readable
- Make it understandable
- Some points to note if you are seeking consent
- Privacy notices code of practice – Information Commissioner’s Office
- Design principles – Government Digital Service
Recording information sharing decisions
The data sharing code of practice from the Information Commissioner’s Office (ICO) provides a series of points to consider when recording an information sharing decision, including:
Recording your data sharing decision and your reasoning (regardless if you shared information)
If you did share information, recording:
- what information was shared and for what purpose;
- who it was shared with;
- when it was shared;
- your justification for sharing; and
- if the information was shared with or without consent.
The Department for Education has already provided guidance on how to record decisions, which includes a template. This guidance represents current government advice on good practice and was produced as part of the Every Child Matters initiative.