Information Sharing & Consent
- 7 Golden Rules for Information Sharing
- Principles of Information Sharing and Consent
- What is the Legal Framework that supports information sharing?
- Consent from a Young Person (Gillick Competence and Fraser Guidelines of Consent)
Appendix 1 – Data Protection Act 2018 Principles of Information Sharing
Appendix 2 – Information Sharing Flow Chart
In order to ensure that safeguarding decisions are made with timely, necessary and proportionate interventions and support, decision makers require full information concerning children, their parents, carers and their circumstances to be available to them. Information viewed alone or in silos is unlikely to give the full picture or identify the true risks.
All relevant information from various agencies involved in their care or support, needs to be available and accessible in one place. A Multi-Agency Safeguarding Hub (MASH) helps ensure this and aids communication between all safeguarding partners, thus ensuring that the team quickly identifies those who are subject to or at risk of harm.
Information should only be shared within the MASH for the purposes of safeguarding and promoting the welfare of children, and for the prevention and detection of related crime.
HM Government advice on Information Sharing (March 2015) states that:
“Sharing information is an intrinsic part of any front-line practitioner’s job when working with children and young people. The decisions about how much information to share, with whom and when, can have a profound impact on individuals’ lives. It could ensure that an individual receives the right services at the right time and prevent a need from becoming more acute and difficult to meet. At the other end of the spectrum it could be the difference between life and death.”
Poor or non-existent information sharing is a factor repeatedly flagged up as an issue in Serious Case Reviews carried out following the death of, or serious injury to, a child.
Fears about sharing information cannot be allowed to stand in the way of the need to safeguard and promote the welfare of children at risk of abuse or neglect. No practitioner should assume that someone else will pass on information which may be critical to keeping a child safe.
A public authority such as Lewisham Council has some legal power enabling it to share the information. We must consider on a case by case basis whether information will be shared with or without consent, through considering what is reasonable, necessary and proportionate.
7 Golden Rules
Personal Information/Data is:
- Information/Data which relates to a living, individual who can be identified from the data or other data/information that the organisation holds.
- Could be single elements or a combination e.g. names, addresses, occupation, date of birth etc.it could also include opinions about them and intentions towards them.
Sensitive Personal Information/Data is:
- Physical or mental health, racial or ethnic origin, political opinions, TU membership, sexual life, criminal allegations or record.
Principles of Information Sharing & Consent
The principles set out below are intended to help practitioners working with children, young people, parents and carers share information between organisations. Practitioners should use their judgement when making decisions on what information to share and when and should follow organisation procedures or consult with their manager if in doubt. The most important consideration is whether sharing information is likely to safeguard and protect a child.
Necessary and proportionate
When taking decisions about what information to share, you should consider how much information you need to release. The Data Protection Act 1998 requires you to consider the impact of disclosing information on the information subject and any third parties. Any information shared must be proportionate to the need and level of risk.
Only information that is relevant to the purposes should be shared with those who need it. This allows others to do their job effectively and make sound decisions.
Information should be adequate for its purpose. Information should be of the right quality to ensure that it can be understood and relied upon.
Information should be accurate and up to date and should clearly distinguish between fact and opinion. If the information is historical then this should be explained.
Information should be shared in a timely fashion to reduce the risk of harm. Timeliness is key in emergency situations and it may not be appropriate to seek consent for information sharing if it could cause delays and therefore harm to a child. Practitioners should ensure that sufficient information is shared, as well as consider the urgency with which to share it.
Information should be shared in the most secure way available. Practitioners must always follow their organisation’s policy on security for handling personal information.
Information sharing decisions should be recorded whether or not the decision is taken to share. If the decision is to share, reasons should be cited including what information has been shared and with whom, in line with organisational procedures. If the decision is not to share, it is good practice to record the reasons for this decision and discuss them with the requester. Information should be kept In line with each organisation’s retention policy.
What Information can I share?
Share the information which is necessary for your purpose. It may not be necessary to give all agencies access to all the information you hold. Make sure what you provide is up to date, accurate and relevant.
When and how to share information
When asked to share information, you should consider the following questions to help you decide if and when to share. If the decision is taken to share, you should consider how best to effectively share the information.
Q: Is there a clear and legitimate purpose for sharing information?
- Yes – see next question
- No – do not share information
Q: Does the information enable an individual to be identified?
- Yes – see next question
- No – you can share but should consider how
Q: Is the information confidential?
- Yes – see next question
- No – you can share but should consider how
Q: Do you have consent?
- Yes – you can share but should consider how
- No – see next question
Q: Is there another reason to share information such as to fulfil a public function or to protect the vital interests of the individual?
- Yes – you can share but should consider how
- No – do not share
- Which agencies need to be involved in the sharing?
- Who do we need information about in order to make the decision – child, parent, carer, others? Is it sensitive personal information? Do we have their consent?
- Ensure you are giving the right information to the right person, and that it is shared securely.
- Identify how much information to share
- Distinguish fact from opinion
- Ensure that you are giving the right information to the right person
- Inform the individual that the information has been shared if they were not aware of this, as long as this would not create or increase risk of harm
Consent to Share Information
Check you have consent from all people whose information is to be shared unless the safeguarding concerns put the child at risk of significant harm or would prevent the child from being harmed. Ensure information shared is relevant and proportionate.
Agencies should be advised where possible to obtain consent before referring a case to the Customer Service Centre. If this happens, individuals will have an understanding and expectation of how their information is going to be used, with whom and why. Where consent has not been obtained, reasons for this will be documented on both the agency and MASH records.
Where sensitive personal information is being shared explicit consent is expected, this may be written e.g. consent form or a clear record of verbal consent obtained stating the date, time and what information is to be held/shared.
In some cases, the work of the MASH might be obstructed if Partners were to seek consent. In such cases the disclosing Partner must consider other lawful basis for processing the information.
The decision whether or not to share information must be recorded by each partner agency.
Consider the following before sharing information - if in doubt seek advice from a manager
Do you have consent to share this information for this purpose? Consent is particularly important for sensitive personal information. The Privacy Notice (a statement that indicates consent to hold and share information see consent form) relating to the collection of information should identify the purposes for which it was collected. Does this say it would be shared? Otherwise consent should be obtained wherever possible before sharing information.
Where consent has been given to share information with some, but not all, agencies, does this include the agency you want to share it with? If you do have consent, then the paragraph above applies. If you do not have consent, then the paragraph below applies.
Sharing without consent
If you are not seeking consent, the reason must be proportionate and you must weigh up the important legal duty to seek consent and the damage that might be caused by sharing the information. This should be balanced against the type and extent of any harm that might be caused (or not prevented) by seeking consent. It is good practice to obtain consent before sharing information. If consent is not obtained, the decision should always be reasonable, necessary and proportionate, and should always be recorded together with the rationale.
If the need to share is urgent, and seeking consent will lead to unjustified delay in making enquiries about allegations of significant harm to a child, or if safeguarding is paramount, take immediate action and share the information without consent, but remember to record the reason for the decision.
Sharing information when consent has been refused
There may be times when consent is sought and refused. This does not mean that information cannot be shared. The refusal of consent should be considered in conjunction with other concerns and, if it is considered justifiable, then information can and MUST be shared. If professionals consider it justifiable to override the refusal in the interests of the welfare of the child then they can do so. This decision must be proportionate to the harm that may be caused by proceeding without consent.
It is possible to disclose personal information without consent if this is in the defined category of “Public Interest”. The principles of the DPA [Section 2 above] would still apply in such cases.
The Public Interest Criteria include the:
- Protection of vulnerable members of the community
- Administration of justice
- Maintaining of public safety
- Apprehension of offenders
- Prevention of crime and disorder
- Detection of crime
- Protection of vulnerable members of the community
When judging the public interest, it is necessary to consider the following:
- Is the intended disclosure proportionate to the intended aim?
- What is the vulnerability of those who are at risk?
- What is the impact of disclosure likely to be on the individual to whom the shared information pertains?
- Is there another equally effective means of achieving the same aim?
- Is the disclosure necessary to prevent or detect crime and uphold the rights and freedoms of the public?
- Is it necessary to disclose the information, to protect others?
The rule of proportionality should be applied to ensure that a fair balance is achieved between the public interest and the rights of the individual’s information.
What is the Legal Framework that supports information sharing?
The main legal framework relating to the protection of personal information is set out in:
There is no general power to obtain, hold or process information and there is no statutory power to share information. Where information is held it should be processed in accordance with the Data Protection Act principles.
However, some Acts of Parliament do give statutory public bodies express or implied statutory powers to share information under some circumstances. There are a number of pieces of legislation. Some of these are relevant to all members of the Family Safeguarding Teams. Others relate to specific organisations.
Legislation allows the lawful sharing of personal information and is covered in this guide using the following legislative frameworks.
Working Together 2018 states that:-
- Effective sharing of information between practitioners and local organisations and agencies is essential for early identification of need, assessment and service provision to keep children safe. Serious Case Reviews (SCRs) have highlighted that missed opportunities to record, understand the significance of and share information in a timely manner can have severe consequences for the safety and welfare of children.
- Practitioners should be proactive in sharing information as early as possible to help identify, assess and respond to risks or concerns about the safety and welfare of children, whether this is when problems are first emerging, or where a child is already known to local authority Children's Social Care (e.g. they are being supported as a child in need or have a child protection plan). Practitioners should be alert to sharing important information about any adults with whom that child has contact, which may impact the child's safety or welfare.
- Information sharing is also essential for the identification of patterns of behaviour where a child has gone missing, where multiple children appear associated to the same context or locations of risk, or in relation to children in the secure estate where there may be multiple local authorities involved in a child's care. It will be for local safeguarding partners to consider how they will build positive relationships with other local areas to ensure that relevant information is shared in a timely and proportionate way.
- Fears about sharing information must not be allowed to stand in the way of the need to promote the welfare, and protect the safety, of children, which must always be the paramount concern. To ensure effective safeguarding arrangements:
- All organisations and agencies should have arrangements in place that set out clearly the processes and the principles for sharing information. The arrangement should cover how information will be shared within their own organisation/agency and with others who may be involved in a child's life.
- All practitioners should not assume that someone else will pass on information that they think may be critical to keeping a child safe. If a practitioner has concerns about a child's welfare and considers that they may be a child in need or that the child has suffered or is likely to suffer significant harm, then they should share the information with local authority children's social care and/or the police. All practitioners should be particularly alert to the importance of sharing information when a child moves from one local authority to another, due to the risk that knowledge pertinent to keeping a child safe could be lost.
- All practitioners should aim to gain consent to sharing information, but should be mindful of situations where to do so would place a child at increased risk of harm. Information may be shared without consent if a practitioner has reason to believe that there is a good reason to do so, and that the sharing of information will enhance the safeguarding of a child in a timely manner. When decisions are made to share or withhold information, practitioners should record who has been given the information and why.
- Practitioners must have due regard to the relevant data protection principles which allow them to share personal information, as provided for the Data Protection Act 2018 and the General Data Protection Regulation (GDPR). To share information effectively:
- all practitioners should be confident of the processing conditions under the Data Protection Act 2018 and the GDPR which allow them to store and share information for safeguarding purposes, including information which is sensitive and personal, and should be treated as 'special category personal data'.
- Where practitioners need to share special category personal data, they should be aware that the Data Protection Act 2018 contains safeguarding of children and individuals at risk as a processing condition that allows practitioners to share information. This includes allowing practitioners to share information without consent, if it is not possible to gain consent. It cannot be reasonably expected that a practitioner gains consent, or if to gain consent would place a child at risk
Myth Busting Guide
Sharing information enables practitioners and agencies to identify and provide appropriate services that safeguard and promote the welfare of children. Below are common myths that may hinder effective information sharing:-
Data Protection legislation is a barrier to sharing information
- NO. The Data Protection Act 2018 and GDPR do not prohibit the collection and sharing of personal information, but rather provides a framework to ensure that personal information is shared appropriately. In particular, the Data Protection Act 2018 balances the rights of the information subject (the individual whom the information is about) and the possible need to sharing information about them.
Consent is always needed to share personal information
NO You do not necessarily need consent to share personal information. Wherever possible, you should seek consent and be open and honest with the individual from the outset as to why, what, how, and with whom, their information will be shared. You should seek consent where an individual may not expect their information to be passed on. When you gain consent to share information, it must be explicit, and freely given. There may be some circumstances where it is not appropriate to seek consent, or because to gain consent would put a child’s or young person’s safety at risk.
Personal information collected by one organisation / agency cannot be disclosed further
NO This is not the case, unless the information is to be used for a purpose incompatible with the purpose to which it was originally collected. In the case of children in need, or children at risk of significant harm, it is difficult to foresee circumstances where information law would be a barrier to sharing personal information with other practitioners. Practitioners looking to share information should consider which processing condition in the Data Protection Act 2018 is most appropriate for use in the particular circumstances of the case. This may be the safeguarding processing condition or another relevant provision.
The common law duty of confidence and the Human Rights Act 1998 prevent the sharing of personal information
NO This is not the case. In addition to the Data Protection Act 2018 and GDPR, practitioners need to balance the common law duty of confidence and the Human Rights Act 1998 against the effect on individuals and others of not sharing the information.
IT systems are often a barrier to effective information sharing
NO IT systems, such as the Child Protection Information Sharing project (CP_IS), can be useful for information sharing. IT systems are most valuable when practitioners use the shared data to make more informed decisions about how to support and safeguard a child.
Data Protection Act 2018
Everyone responsible for using personal data has to follow strict rules called ‘data protection principles’. They must make sure the information is:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
There is stronger legal protection for more sensitive information, such as:
- ethnic background
- political opinions
- religious beliefs
- trade union membership
- biometrics (where used for identification)
- sex life or orientation
There are separate safeguards for personal data relating to criminal convictions and offences.
Data Protection Act (DPA) 2018: The principles of the DPA 2018 provide a framework within which to consider the lawful basis for sharing information under this agreement. Data Protection Act Key Principles can be read by CLICKING HERE or viewed on Appendix A at the end of this page.
Each partner agency may have a different reason for holding and processing the information it needs to fulfil its legal duties. Some common considerations have been included here, but it is impossible to cover all possible situations. Partner agencies must obtain their own assurance and be satisfied that they have a lawful basis for sharing the information they hold.
DPA Section 29 This section provides certain exemptions when personal information is used for the prevention and detection of crime and/or for the apprehension and prosecution of offenders. For example, telling individuals how their information will be processed or shared could prejudice the purpose. Note that information processed for this purpose is exempt from disclosure in response to a Subject Access Request.
Children Act 2004
Sections 10 and 11 of the Children Act 2004 place obligations upon agencies including local authorities, police, clinical commissioning groups and NHS England to co-operate with other partners in promoting the welfare of children and ensuring that they act safeguard and promote the welfare of children in their area.
Well‐being is defined by the Act as relating to a child’s:
- Physical and mental health and emotional well‐being
- Protection from harm and neglect
- Education, training and recreation
- The contribution made by them to society
- Social and economic well‐being
‘Children’ in terms of the scope of this Act means those up to the age of eighteen.
Children Act 1989
For children and young people, the nature of the information that will be shared within the MASH may fall below a statutory threshold of Section 47 (children in need of protection) or even Section 17 (children in need of services).
Crime and Disorder Act 1998
Provides a legal basis for sharing information with a relevant authority where the disclosure is necessary or expedient for the purposes of any provision of the Crime and Disorder Act 1998. Relevant authorities include: Police, Probation, Local Authorities, CCGs and certain NHS statutory bodies
Human Rights Act 1998
Gives force to the European Convention on Human Rights and, amongst other things, places an obligation on public authorities to protect people’s “right to life” and “right to be free from torture or degrading treatment”.
There needs to be a balance between the desire to share and a person’s right to privacy under “the right to respect for private and family life, home and correspondence”. The local authority cannot interfere with this right except such as is necessary in the interests of national security, public safety or for the prevention of disorder or crime, for the protection of health and wellbeing, or for the protection of the rights and freedoms of others.
The Mental Capacity Act (MCA) 2005.
Under the Mental capacity Act 2005 staff are required to apply five principles in their assessments to decide whether to share information without consent in a person’s best interests.
The MCA Code of Practice states that “it is important to balance people's right to make a decision with their right to safety and protection when they can't make decisions to protect themselves. The starting assumption must always be that an individual has the capacity, until there is proof that they do not”.
Under the Mental Capacity Act 2005 there would have to be good reasons not to undertake an assessment of mental capacity regarding the decision to share information without consent. These reasons would need to be documented carefully.
Counter-Terrorism and Boarder Security Act 2019
The Counter Terrorism and Security Act 2015 places a duty on “specified authorities” to have “due regard to the need to prevent people from being drawn into terrorism”. Specified authorities include County and District/Borough Councils, Schools; Police; National Probation Service and Community Rehabilitation Companies; NHS Trusts and NHS Foundation Trusts.
Prevent Duty Guidance
The Prevent Strategy has three specific strategic objectives:
- respond to the ideological challenge of terrorism and the threat we face from those who promote it;
- prevent people from being drawn into terrorism and ensure that they are given appropriate advice and support; and
- Work with sectors and institutions where there are risks of radicalisation that we need to address.
There is an expectation that authorities will work in partnership and share information where appropriate, for example to ensure someone at risk of radicalisation is supported.
Duty of Confidence Information shared by agencies as part of the MASH assessment process may have been gathered where a Duty of Confidence is owed. A duty of confidence arises when one person discloses information to another in circumstances where it is reasonable to expect that the information will not be further disclosed. Duty of Confidence is not an absolute bar to disclosure, as information can be shared where there is a strong enough public interest to do so.
When overriding the Duty of Confidence in the absence of consent, MASH must seek the views of the person representing the organisation that holds the Duty of Confidence and take these into account in relation to breaching the confidence. The originating Partner will be the final arbiter as to whether information is disclosed or not. The Partner may wish to seek specialist or legal advice if there is lack of clarity around justifiable disclosure of information. All disclosures must be relevant and proportionate to the intended aim of the disclosure and must be fully documented as an unjustified disclosure could lead to a claim for damages against the disclosing party.
All staff must be particularly mindful of their professional and ethical obligations and the public interest of confidence in the confidentiality of their services.
It may be necessary to seek advice on professional conduct as well as legal advice before sharing information without consent, especially for information related to the treatment of mental illness. All staff should ensure the need to protect children takes into account the children’s rights as well as those of the adults concerned. Decisions will be reported to the MASH Executive Group for periodic review.
Gillick competency and Fraser guidelines help people who work with children to balance the need to listen to the children’s wishes with the responsibility to keep them safe.
When practitioners are trying to decide whether a child is mature enough to make decisions about things that affect them, they often talk about whether the child is “Gillick competent” or whether they need the “Fraser guidelines”.
Although the two terms are frequently used together and originate from the same legal case, there are distinct differences between them.
Both Gillick competency and Fraser guidelines refer to a legal case from the 1980s which looked at whether doctors should be able to give contraceptive advice or treatment to the young people under 16-years-old without parental consent.
Applying Gillick competence and Fraser Guidelines
The Fraser guidelines still apply to advice and treating relating to contraception and sexual health. But Gillick competency is often used in a wider context to help assess whether a child has the maturity to make their own decisions and to understand the implications of those decisions. Practitioners should always encourage a child to tell their parents or carers about the decisions they are making. If they don’t want to do this, you should explore why and, if appropriate, discuss ways you could help them inform their parents or carers. For example, you could talk to the young person’s parents or carers on their behalf.
If the young person still wants to go ahead without their parents’ or carers’ knowledge or consent, you should consider the Gillick and Fraser guidelines.
Gillick competency applies mainly to medical advice but it is also used by practitioners in other settings. For example, if a child or young person:-
- Would like to have counselling or therapeutic support but doesn’t want their parents or carers to know about it.
- Is seeking confidential support for substance misuse.
- Has strong wishes about their future living arrangements which may conflict with their parents’ or carers’ views.
Medical professionals need to consider Gillick competency if a young person under the age of 16 wishes to receive treatment without their parents’ or carers’ consent or, in some cases, knowledge.
If the young person has informed their parents of the treatment they wish to receive but their parents do not agree with their decision, treatment can still proceed if the child has been assessed as Gillick competent.
Assessing Gillick Competence
There is not set of defined questions to assess Gillick competency. Professionals need to consider several things when assessing a child’s capacity to consent, including:
- The child’s age, maturity and mental capacity
- Their understanding of the issue and what it involves – including advantages, disadvantages and potential long-term impact.
- Their understanding of the risks, implications and consequences that may arise from their decision.
- How well they understand any advice or information they have been given.
- Their understanding of any alternative options, if available.
- Their ability to explain a rationale around their reasoning and decision making.
Remember that consent is not valid if a young person is pressured or influenced by someone else.
Children’s capacity to consent may be affected by different factors, for example stress, mental health conditions and the complexities of the decision they are making. The same child may be considered Gillick competent to make one decision but not competent to make a different decision.
If you don’t think a child is Gillick competent or there are inconsistencies in their understanding, you should seek consent from their parents or carers before proceeding.
In complex medical cases, such as those involving disagreements about treatment, you may wish to seek the opinion of a colleague about a child’s capacity to consent (Care Quality Commission 2019)
Young people also have the right to seek a second opinion from another medical professional (General Medical Council, 2020).
Refusal of Medical Treatment
Gillick competency can be used when young people wish to use medical treatment. However, if a young person refuses medical treatment which may lead to their death or severe permanent harm, their decision can be overruled. More information about this is available in the Guidance for Medical Professionals in each UK nation – see case history and legislation on the NSPCC website.
Child Protection Concerns
The child’s safety and wellbeing is paramount.
When you are assessing Gillick competency if you have any concerns about the safety of the young person you should check whether previous child protection concerns have been raised, and explore any factors that could put them at risk of abuse.
You must always share child protection concerns with the relevant agencies, even if this goes against a child’s wishes. (Find out more on Recognising & Responding to Abuse, NSPCC).
The Fraser guidelines apply specifically to advice and treatment about contraception and sexual health. They may be used by a range of healthcare professionals when working with under 16 year-olds, including doctors and nurse practitioners.
Following a legal ruling in 2006, Fraser guidelines can also be applied to advice and treatment for sexually transmitted infections and the termination of pregnancy (Axton v the Secretary of Stage for Health, 2006).
Using the Fraser guidelines
Practitioners using the Fraser guidelines should be satisfied of the following:
- The young person cannot be persuaded to inform their parents or carers that they are seeking this advice or treatment (or to allow the practitioner to inform their parents or carers).
- The young person understands the advice being given.
- The young person’s physical or mental health or both are likely to suffer unless they receive the advice or treatment.
- It is in the young person’s best interests to receive the advice, treatment or both without their parents’ or carers’ consent.
- The young person is very likely to continue having sex with or without contraceptive treatment.
Child Protection Concerns
When using Fraser guidelines for issues relating to sexual health, you should always consider any potential child protection concerns:
- Underage sexual activity is a possible indicator of child sexual exploitation and children who have been groomed may not realise they are being abused.
- Sexual activity with a child under 13 should always result in a child protection referral.
- If a young person presents repeatedly about sexually transmitted infections or the termination of pregnancy this may be an indicator of child sexual abuse or exploitation.
Professionals should always consider any previous concerns that may have been raised about the young person and explore whether there are any factors that may present a risk to their safety and wellbeing.
You must always share child protection concerns with the relevant agencies, even if a child or young person asks you not to.
Appendix 1 – Data Protection Act 2018 Principles of Information Sharing
CHAPTER 2 Principles Overview and general duty of controller
(1)This Chapter sets out the six data protection principles as follows—
(a) section 35(1) sets out the first data protection principle (requirement that processing be lawful and fair);
(b) Section 36(1) sets out the second data protection principle (requirement that purposes of processing be specified, explicit and legitimate);
(c) Section 37 sets out the third data protection principle (requirement that personal data be adequate, relevant and not excessive);
(d) Section 38(1) sets out the fourth data protection principle (requirement that personal data be accurate and kept up to date);
(e) Section 39(1) sets out the fifth data protection principle (requirement that personal data be kept for no longer than is necessary);
(f) Section 40 sets out the sixth data protection principle (requirement that personal data be processed in a secure manner).
(2) In addition—
(a) Each of sections 35, 36, 38 and 39 makes provision to supplement the principle to which it relates, and
(b) Sections 41 and 42 make provision about the safeguards that apply in relation to certain types of processing.
(3) The controller in relation to personal data is responsible for, and must be able to demonstrate, compliance with this Chapter.
The first data protection principle
(1) The first data protection principle is that the processing of personal data for any of the law enforcement purposes must be lawful and fair.
(2) The processing of personal data for any of the law enforcement purposes is lawful only if and to the extent that it is based on law and either—
(a) The data subject has given consent to the processing for that purpose, or
(b) The processing is necessary for the performance of a task carried out for that purpose by a competent authority.
(3) In addition, where the processing for any of the law enforcement purposes is sensitive processing, the processing is permitted only in the two cases set out in subsections (4) and (5).
(4) The first case is where—
(a) The data subject has given consent to the processing for the law enforcement purpose as mentioned in subsection (2)(a), and
(b) At the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(5) The second case is where—
(a) The processing is strictly necessary for the law enforcement purpose,
(b) The processing meets at least one of the conditions in Schedule 8, and
(c) At the time when the processing is carried out, the controller has an appropriate policy document in place (see section 42).
(6) The Secretary of State may by regulations amend Schedule 8—
(a) By adding conditions;
(b) By omitting conditions added by regulations under paragraph (a).
(7) Regulations under subsection (6) are subject to the affirmative resolution procedure.
(8) In this section, “sensitive processing” means—
(a) The processing of personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership;
(b) The processing of genetic data, or of biometric data, for the purpose of uniquely identifying an individual;
(c) The processing of data concerning health;
(d) The processing of data concerning an individual’s sex life or sexual orientation.
The second data protection principle
(1)The second data protection principle is that—
(a) The law enforcement purpose for which personal data is collected on any occasion must be specified, explicit and legitimate, and
(b) Personal data so collected must not be processed in a manner that is incompatible with the purpose for which it was collected.
(2) Paragraph (b) of the second data protection principle is subject to subsections (3) and (4).
(3) Personal data collected for a law enforcement purpose may be processed for any other law enforcement purpose (whether by the controller that collected the data or by another controller) provided that—
(a) The controller is authorised by law to process the data for the other purpose, and
(b) The processing is necessary and proportionate to that other purpose.
(4) Personal data collected for any of the law enforcement purposes may not be processed for a purpose that is not a law enforcement purpose unless the processing is authorised by law.
The third data protection principle
The third data protection principle is that personal data processed for any of the law enforcement purposes must be adequate, relevant and not excessive in relation to the purpose for which it is processed.
The fourth data protection principle
(1) The fourth data protection principle is that—
(a) Personal data processed for any of the law enforcement purposes must be accurate and, where necessary, kept up to date, and
(b) Every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the law enforcement purpose for which it is processed, is erased or rectified without delay.
(2) In processing personal data for any of the law enforcement purposes, personal data based on facts must, so far as possible, be distinguished from personal data based on personal assessments.
(3) In processing personal data for any of the law enforcement purposes, a clear distinction must, where relevant and as far as possible, be made between personal data relating to different categories of data subject, such as—
(a) Persons suspected of having committed or being about to commit a criminal offence;
(b) Persons convicted of a criminal offence;
(c) Persons who are or may be victims of a criminal offence;
(d) Witnesses or other persons with information about offences.
(4) All reasonable steps must be taken to ensure that personal data which is inaccurate, incomplete or no longer up to date is not transmitted or made available for any of the law enforcement purposes.
(5) For that purpose—
(a) The quality of personal data must be verified before it is transmitted or made available,
(b) In all transmissions of personal data, the necessary information enabling the recipient to assess the degree of accuracy, completeness and reliability of the data and the extent to which it is up to date must be included, and
(c) If, after personal data has been transmitted, it emerges that the data was incorrect or that the transmission was unlawful, the recipient must be notified without delay.
The fifth data protection principle
(1) The fifth data protection principle is that personal data processed for any of the law enforcement purposes must be kept for no longer than is necessary for the purpose for which it is processed.
(2) Appropriate time limits must be established for the periodic review of the need for the continued storage of personal data for any of the law enforcement purposes.
The sixth data protection principle
The sixth data protection principle is that personal data processed for any of the law enforcement purposes must be so processed in a manner that ensures appropriate security of the personal data, using appropriate technical or organisational measures (and, in this principle, “appropriate security” includes protection against unauthorised or unlawful processing and against accidental loss, destruction or damage).
(1) This section applies in relation to the processing of personal data for a law enforcement purpose where the processing is necessary
(a) For archiving purposes in the public interest,
(b) For scientific or historical research purposes, or
(c) For statistical purposes.
(2) The processing is not permitted if—
(a) It is carried out for the purposes of, or in connection with, measures or decisions with respect to a particular data subject, or
(b) It is likely to cause substantial damage or substantial distress to a data subject.
42Safeguards: sensitive processing
(1) This section applies for the purposes of section 35(4) and (5) (which require a controller to have an appropriate policy document in place when carrying out sensitive processing in reliance on the consent of the data subject or, as the case may be, in reliance on a condition specified in Schedule 8).
(2) The controller has an appropriate policy document in place in relation to the sensitive processing if the controller has produced a document which—
(a) Explains the controller’s procedures for securing compliance with the data protection principles (see section 34(1)) in connection with sensitive processing in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, and
(b) Explains the controller’s policies as regards the retention and erasure of personal data processed in reliance on the consent of the data subject or (as the case may be) in reliance on the condition in question, giving an indication of how long such personal data is likely to be retained.
(3) Where personal data is processed on the basis that an appropriate policy document is in place, the controller must during the relevant period—
(a) Retain the appropriate policy document,
(b) Review and (if appropriate) update it from time to time, and
(c) Make it available to the Commissioner, on request, without charge.
(4) The record maintained by the controller under section 61(1) and, where the sensitive processing is carried out by a processor on behalf of the controller, the record maintained by the processor under section 61(3) must include the following information—
(a) Whether the sensitive processing is carried out in reliance on the consent of the data subject or, if not, which condition in Schedule 8 is relied on,
(b) How the processing satisfies section 35 (lawfulness of processing), and
(c) Whether the personal data is retained and erased in accordance with the policies described in subsection (2)(b) and, if it is not, the reasons for not following those policies.
(5) In this section, “relevant period”, in relation to sensitive processing in reliance on the consent of the data subject or in reliance on a condition specified in Schedule 8, means a period which—
(a) Begins when the controller starts to carry out the sensitive processing in reliance on the data subject’s consent or (as the case may be) in reliance on that condition, and
(b) Ends at the end of the period of 6 months beginning when the controller ceases to carry out the processing.
Appendix 2 – Information Sharing Flow Chart