Data Sharing Policy

Last updated 3 October 2024

Policy statement

Under appropriate circumstances and for valid reasons, data sharing across and between organisations can significantly enhance service coordination and efficiency for customers. While recognising the importance of information sharing, we must also safeguard data subjects’ rights through clear frameworks.

This document outlines how Dorset Council shares personal data lawfully, transparently, securely, and efficiently within the council and with partner organisations.

All staff and elected members must comply with this policy. Breaches may result in disciplinary action.

This policy is linked to the Data Protection Policy; the Data Privacy Impact Assessment Policy; the Information Governance Policy and the Records Management Policy.

Transparency

To ensure fairness and transparency, privacy notices are published on the council’s website.

These notices explain how personal data is processed by the council and provide information about who we share personal data with and why.

Systematic routine data sharing

The council will on occasion share data sets or types of data routinely for established purposes.

Written Information Sharing Agreements (ISAs) between the council and the other organisation(s) govern such routine sharing. ISAs ensure that personal data remains adequately protected with proper security.

Copies of ISAs are stored in the Information Asset Register. They should be signed by the relevant Information Asset Owner, as defined within the council’s Information Governance Policy.

The Data Protection Officer shall be notified of any changes made to or terminations of any ISA.

Specific data sharing

Where required by law or other specified urgent reasons, data is shared without the need for an ISA, and without an individual’s knowledge or consent.

Examples include emergency situations, crime prevention, and tax collection.

An emergency includes:

  • preventing serious physical harm to a person
  • preventing loss of human life
  • protection of public health
  • safeguarding vulnerable adults or children
  • responding to a civil emergency
  • an immediate need to protect national security

The council will share personal data without an individual’s knowledge or consent in limited circumstances. For example:

  • the prevention or detection of crime
  • the apprehension or prosecution of offenders
  • the assessment or collection of tax or duty

When sharing with police and enforcement agencies we will require a written request detailing the reason why the disclosure is necessary to achieve the purpose in accordance with the limited grounds as set out above.

All the circumstances of the individual case will be considered when exercising professional judgment in balancing what is required to achieve a legitimate purpose with any interference with the individual’s right to respect for private and family life.

Any decision to disclose should be justified and proportionate, and should involve only the minimum amount of data required to achieve the aim of the sharing.

A record will be made of each individual decision to share personal data.

This record shall be made and retained by the officer making the disclosure in accordance with arrangements agreed with the Information Asset Owner. Such records shall be available for inspection by the council’s Data Protection Officer.

It may not always be possible to document the sharing in an emergency or time-dependent situation; however, a record will be made as soon as possible.

Children

Sharing children’s data carries higher risks compared to processing adults’ data.

We share children’s data only when there’s a compelling reason, considering the child’s best interests.

In high-risk cases, the council will conduct a Data Protection Impact Assessment (DPIA) to assess and mitigate risks to children’s rights and freedoms resulting from systematic data sharing.

High-risk cases involve sensitive data or specific circumstances where a child is exposed to significant harm.

To ensure due diligence, the council will perform checks on recipients before sharing children’s data. If we foresee detrimental or unfair use of the data, we refrain from sharing.

Data Protection Impact Assessments (DPIA)

When planning systematic data sharing, we will assess whether a DPIA is necessary by utilising the DPIA screening tool.

If data sharing involves situations where an individual is at high risk of significant harm, we will conduct a DPIA.

Law enforcement purposes

When sharing data for law enforcement purposes, such as preventing, investigating, detecting, or prosecuting criminal offences related to trading standards, fire safety risks, highway matters, planning contraventions, non-school attendance, and waste disposal, we follow the guidelines outlined in Part 3 of the Data Protection Act 2018 (DPA 2018).

We share data only with consent or when necessary for task performance.

If the shared data includes special category data, we adhere to our policy and share it only with individual consent or when strictly necessary for law enforcement purposes, meeting the conditions specified in Schedule 8 of the DPA 2018.

Roles and responsibilities

All staff and council workers

Will have due regard to data protection matters, and liaise with line management and, where necessary, the Information Asset Owner, when establishing data sharing arrangements.

All staff and council workers will ensure that they undertake their mandatory data protection training on an annual basis.

Information asset owners

These individuals are responsible for implementing secure data sharing procedures within their services.

They must ensure proper information security and compliance.

Strategic Information Governance Board

Will develop and share policies, procedures and best practice.

The Board will monitor compliance with this policy.

The Board may delegate such responsibilities to its operational working groups.

Data Protection Officer (DPO)

The DPO has operational responsibility for monitoring data sharing matters across the council.

Elected members

If an elected member accesses and processes personal information on behalf of the council, they must comply with the council’s registration and this policy.

Review

Policy owner: Marc Eyre, Service Manager for Assurance (Chair of Operational Information Governance Group).

Date approved: Strategic Information Governance Board – 19 September 2024.

Review date: September 2027.