The following agreement defines the information that will be shared and transferred between the organisations listed and arrangements for assisting compliance with relevant legislation and guidance including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).
1.0 Background and scope of the Agreement
The Children and Social Work Act 2017 replaced Local Safeguarding Children Boards (LSCBs) with new local safeguarding arrangements, led by three key safeguarding partners:
a. The local authority;
b. A clinical commissioning group for an area any part of which falls within the local authority area;
c. The chief officer of police for an area any part of which falls within the local authority area.
Leeds Safeguarding Children Partnership (LSCP) consists of Leeds City Council, Leeds Clinical Commissioning Group and West Yorkshire Police. The partners are committed to ways of co-ordinating their safeguarding services, to act as a strategic leadership group in supporting and engaging others and to implement local and national learning including from serious child safeguarding incidents.
To fulfil this role, the Partners have agreed to work together and to involve relevant agencies where required. Relevant agencies are those organisations and agencies whose involvement the safeguarding Partners consider may be required to safeguard and promote the welfare of children with regard to local need.
The purpose of these local arrangements via the LSCP is to support and enable local organisations and agencies to work together in a system where:
- Learning is promoted and embedded in a way that local services for children and families can become more reflective and implement changes to practice;
- Children are safeguarded and their welfare promoted;
- Partner organisations and agencies collaborate, share and co-own the vision for how to achieve improved outcomes for vulnerable children;
- Organisations and agencies challenge appropriately and hold one another to account effectively;
- There is early identification and analysis of new safeguarding issues and emerging threats;
- Effective exchange and sharing of relevant information between representatives of key agencies in order to improve outcomes;
- Information is shared effectively to facilitate more accurate and timely decision making for children and families.
The LSCP is a multi-agency partnership, with key partners named above but also including relevant public and third sector organisations. The partnership will comprise representation from the following organisations:
- Leeds Community Healthcare NHS Trust
- Leeds and York Partnership NHS Foundation Trust
- Leeds Teaching Hospital Trust
- West Yorkshire Community Rehabilitation Company
- National Probation Service
- Wetherby Young Offender Institution
- NHS England
- Immigration Compliance & Enforcement
- British Transport Police
Schools, colleges and other educational providers have a pivotal role to play in safeguarding children and promoting their welfare. Their co-operation and buy-in to the new arrangements is vital as they have duties in relation to safeguarding children and promoting their welfare.
In addition there is representation to the LSCP from relevant third sector organisations as required.
1.1 Framework for confidentiality and information sharing
The following key documents provide the main national framework for information sharing:
- GDPR & Data Protection Act 2018 – The main legislative framework for confidentiality and information sharing issues. The legislation stipulates the principles that must be followed when personal or special category data is processed by organisations. The legislation stipulates the conditions under which information may be shared.
- Part 3 of the Data Protection Act 2018 – Covers the EU Law Enforcement Directive and concerns requirements and guidance for the processing of data relating to the administration of justice (prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties) and the prevention of fraud.
- Human Rights Act 1998 – This Act incorporates Article 8 of the European Convention of Human Rights which provides that everyone has the right to respect for their private and family life, home and correspondence.
- Caldicott Guidance – Caldicott Guidance applies to all NHS organisations and local authority Social Services Departments.
- NHS Confidentiality Code of Practice – The Code of Practice was issued in July 2003 and applies to all NHS organisations. It is a guide to required practice on confidentiality, security and disclosure of personal information.
- Crime and Disorder Act 1998 - The Crime & Disorder Act 1998 is the primary legislative tool, common to all crime reduction protocols.
- Children Act 1989 & 2004 - The Acts stipulate requirements to safeguard and promote children's welfare, along with agencies working together.
- Working Together to Safeguard Children 2018 - statutory guidance setting out what organisations and agencies that have functions relating to children, must and should do to safeguard and promote the welfare of all children and young people under the age of 18 in England.
This agreement has been formulated to provide guidance and support around the exchange of information between parties for the purposes set out above. All parties need to recognise that any information shared must be justified, proportional, necessary and appropriate; however, the need to process data fairly should not lead to fears around sharing information to safeguard, protect and reduce crime, disorder and fear.
1.2 Scope of the agreement
The Agreement covers the sharing of personal and special category data about children and young people to ensure effective systems are in place to protect children from abuse and to prevent impairment to children’s health and development. Additionally LSCP will review the following:
- notifiable incidents and non-notifiable, but serious, incidents for safeguarding reviews,
- serious case reviews,
- appreciative inquiries,
- child death overview panel.
1.3 Approval of the LSCP Information Sharing Agreement
The LSCP Information Sharing Agreement (the Agreement) will be submitted to the three statutory Partners for formal approval and after any significant change, update or amendment. Partners are asked to approve the Agreement and:
- Facilitate the sharing of information on the basis detailed in the Agreement
- Implement the Agreement within each organisation
- Support staff in the implementation of the Agreement through the provision of training, advice and guidance.
- Provide relevant information to facilitate monitoring and review.
Other parties will be provided the Agreement for information purposes and the Agreement will also be published on the LSCP webpage.
2.1 General principles under the Data Protection legislation
Partners to the Agreement will ensure that their staff operate in accordance with the requirements of the GDPR and DPA 2018 and other national guidance on confidentiality, and will facilitate the sharing of information wherever possible.
All three Partners have equal and joint responsibility for local safeguarding arrangements. Partners are considered separate Data Controllers for the data held by each organisation and shared at the LSCP meetings and are each required to comply with the requirements of the Data Protection legislation. Where the LSCP produce analysis or reports, which contain personal and special category data, the Partners are considered joint data controllers with joint liability for compliance. In situations that require a clear, single point of contact, Leeds City Council will take the lead from a Data Protection perspective. However all Partners will be responsible and accountable for the data produced by the LSCP.
2.2 Key principles for agencies
The following key principles guide the sharing of information between the Partners and agencies:
- Agencies endorse, support and promote the accurate, timely, secure and confidential sharing of both person identifiable and anonymised information where such information sharing is essential for the provision of effective and efficient services to the local population.
- Agencies are fully committed to ensuring that if they share information it is in accordance with their legal, statutory and common law duties, and that it meets the requirements of any additional guidance.
- All agencies must have in place policies and procedures to meet the national requirements for Data Protection, Information Security and Confidentiality. The existence of, and adherence to, such policies provides all agencies with confidence that information shared will be transferred, received, used, held and disposed of appropriately.
- Agencies acknowledge their ‘Duty of Confidentiality’ to the people they serve. In requesting release and disclosure of information from other agencies, employees and contracted volunteers will respect this responsibility and not seek to override the procedures that each organisation has in place to ensure that information is not disclosed illegally or inappropriately.
- An individual’s personal information must be complete and up to date and will only be disclosed where the purpose for which it has been agreed to share clearly requires that this is necessary. For all other purposes information should be anonymised.
- Where it is agreed that the sharing of information is necessary, only that which is needed, relevant and appropriate will be shared and that would only be on a “need to know” basis.
- When disclosing information about an individual, agencies will clearly state whether the information being supplied is fact, opinion, or a combination of the two.
3.0 Purposes for sharing information
3.1 Legislative provision
Under Article 5(1a), personal data must be processed lawfully, fairly and in a transparent manner and in particular must not be processed unless at least one Article 6 condition is met, and in the case of special category data unless at least one Article 9 condition is also met. The processing of data can be justified under the following conditions for processing of the GDPR:
- Article 6 (1c) processing is necessary for compliance with a legal obligation to which the controller is subject;
- Article 6 (1e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
- Article 9 (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject;
The processing under Article 9 (g) also requires a justification from the Data Protection Act:
- Schedule 1, part 2, section 18, processing is necessary for the purposes of safeguarding of children and of individuals at risk.
GDPR Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. The relevant legal obligations are listed as follows:
- Crime and Disorder Act 1998
- Anti-social Behaviour, Crime and Policing Act 2014
- Domestic Violence, Crime and Victims Act 2004
- Children Act 1989 & 2004
- National Health Service Act 2006
- Working Together to Safeguard Children 2018
- Children & Social Work Act 2017
There is a requirement for individuals to be informed of how organisations use their data to ensure fairness and transparency via a privacy notice. As a Data Controller, each Partner is required to have a privacy notice which complies with the requirements of the GDPR. Additionally the LSCP, via Leeds City Council, will also publish a privacy notice for the Partnership.
Partners to this agreement have not identified any legislation that will prevent the sharing of the information covered by the agreement. It is recognised that all public bodies must act in a manner compatible with the European Convention on Human Rights / Human Rights Act 1998, in particular Article 8. All parties agree that there will not be any infringement of an individual’s privacy under Article 8 because the initial identification of personal data is covered by the legal provisions above.
It is worth noting that data collected by the LSCP may relate to individuals who are deceased; Data Protection legislation only relates to living individuals and therefore does not apply to such data. However the common law duty of confidentiality still applies even in death and the LSCP will treat any such deceased data with the same level of confidence as data protected by the Data Protection legislation.
This agreement addresses the sharing of information for the purposes of child protection, welfare and prevention of harm and therefore the GDPR provision for processing has been addressed. Should the purpose change to criminality and be processed for law enforcement purposes then the DPA 2018 Part 3 will be applicable.
3.2 Purposes for sharing information
The purpose of sharing information is to ensure secure, confidential, proportionate and necessary information sharing in relation to children and families, and that they are safeguarded and protected and their welfare is promoted. Strong, effective multi-agency arrangements are ones that are responsive to local circumstances and engage the right people. For the LSCP to be effective, the LSCP will engage relevant organisations and agencies that can work in a collaborative way to provide targeted support to children and families as appropriate. This approach requires flexibility to enable joint identification of, and response to, existing and emerging needs, and to agree priorities to improve outcomes for children.
The Agreement will be used to assist in ensuring that:
- Information is shared in a secure manner.
- Information is only shared with the specific relevant agencies concerned in order to perform their role.
- There are clear procedures to be followed with regard to information sharing.
- Each agency is responsible for what information is shared and they must satisfy the fair data processing conditions in the Data Protection legislation.
- Information will only be used for the reason(s) it has been obtained or for additional purposes where this is permitted under the Data Protection legislation.
The Agreement has been approved only for the purposes listed above. If other information sharing purposes are subsequently identified these will be considered for inclusion in the Agreement by the ISA partners or the relevant organisation will have justification for processing (such as the law enforcement provisions).
4.0 Arrangements and detail for information to be shared
The information shared about individuals with organisations who have not previously had routine access to the information is covered by this agreement.
At the LSCP meeting individual cases will be discussed and information will be shared with and by relevant partner agencies. Organisations are required to share all relevant information in accordance with this agreement to ensure the best interests of children and families are achieved and the incidents of safeguarding are reduced.
Information discussed at the meetings and any actions required will be recorded by each of the Partners, as individual Data Controllers, on their own case management system. Any joint LSCP working will be recorded on the Leeds City Council secure network and shared electronically with Partners where appropriate.
5.0 Access and security
Staff access to personal information must be on a ‘need to know’ basis and any specific additional restrictions agreed within agencies. Care should be taken to ensure that access to personal information is restricted on this basis. Restrictions need to be reinforced by clear policies on confidentiality and by inclusion of appropriate confidentiality clauses in staff contracts. Staff must be aware of and comply with their own organisation’s information governance policies, procedures and training.
6.0 Secure storage and transfer of personal information
Steps should be taken by all Partners to ensure that personal information is held and transmitted securely. Should any information be printed, staff are required to store this securely when not in use. Each party should ensure that staff are aware of and comply with their organisation’s Confidentiality and Information Security and governance policies.
6.1 Retention of records
Partners should keep their own records in relation to each case in accordance with their own organisation’s policies on the retention of records. Any records which no longer need to be retained in accordance with agencies’ own policies and procedures should be destroyed under secure conditions. Any records held jointly by the LSCP will be maintained in accordance with Leeds City Council’s retention as lead for Data Protection matters.
Statutory reviews (Serious Case Reviews / Child Safeguarding Practice Reviews) will be published online by the LSCP for one year.
All information obtained through this Information Sharing Agreement must be stored in each party’s appropriate client case management system. No information should be stored by individuals in their own email systems. Once up to date information has been shared then there is a requirement for staff to update the appropriate client case management systems. This will avoid duplicate information storage across organisations and ensure the most up to date information is available within client case management systems and retention policies are applied.
7.0 Staff development
Partners will ensure that appropriate training is provided for all staff involved in sharing personal information, and that all staff have access to both the policies of their own organisation and this agreement. For the purposes of this agreement the supporting processes will be that all staff authorised to access information will be trained in the basic requirements of the Data Protection legislation and have an awareness of the implications associated with shared information and of the common law of confidentiality. They will also understand the risks associated with inappropriate disclosures and the impact that this has on safeguarding and the necessity to undertake thorough checks.
7.1 Incident management & complaints
All Partners agree that any and all personal data breaches, near-misses, complaints or identified bad practice by the employees of any party should be reported via the appropriate incident reporting procedures for each organisation. Oversight is required by appropriate levels of management and the involvement of the respective organisational information governance leads. All Partners will co-operate on the investigation of these incidents, when necessary.
All Partners agree that should any investigation under the above paragraph evidence on-going or repeated (but non-malicious) bad practice, wilful bad practice, disregard of policy or procedure or unlawful activity, disciplinary action will be considered at a level appropriate to the incident(s) evidenced. The Partners further agree to co-operate and negotiate on such incidents so that the outcome may, wherever possible, be mutually satisfactory. All Partners agree however that any disciplinary outcome must ultimately be at the sole discretion of the employing organisation.
All Partners agree that in the event of a personal data breach (unless unlikely to result in a risk to the rights and freedoms) this will be escalated in accordance with Article 33. All Partners agree that such reporting should be the prime responsibility of the recognised ‘Data Controller’ for the information in breach, but that a co-operative approach to escalation will be sought through negotiation, with a view to escalation being mutually agreed. All Partners agree however that any escalation must ultimately be at the sole discretion of the recognised Data Controller.
Should a complaint be received in relation to the partnership and/or information sharing, the LSCP group collectively will decide who is best placed to respond to the issue. Where such a complaint involves more than one party, the LSCP group as a whole will respond through a nominated representative.
8.0 Individual rights requests (GDPR & FOIA)
The LSCP is not a public body under the Freedom of Information Act (FOIA) and therefore is not obliged to respond to any FOI requests. However, should a request be received in relation to individuals exercising their GDPR/DPA/FOIA rights by the partnership, the LSCP group collectively will decide who is best placed to respond to the issue. Where such a request involves more than one party, the LSCP group as a whole will respond through a nominated representative, which is likely to be Leeds City Council as lead on Data Protection matters.
9.0 Dissemination, monitoring and review of the Agreement
This agreement should be signed by a senior officer for each Partner. All signatories must ensure that this agreement is implemented within their organisation and develop procedures to ensure staff awareness of issues and responsibilities around information sharing.
It is the responsibility of signatories to ensure that they are correctly registered with the Information Commissioner and that this agreement is adhered to.
Partner organisations will disseminate copies of this agreement to all relevant staff and, on request, to anyone requesting this.
10.0 Signatories to the Agreement
The signatories to this agreement are not necessarily officers who attend specific meetings when personal information is shared. Therefore it is vital that officers who chair and attend such meetings understand their roles and responsibilities in relation to the use and handling of personal and special category information. It is a requirement of this agreement that the Chair starts the meeting with a reminder that any information shared is confidential and that the Data Protection legislation must be followed. Any visitors will be given the same information and this will be recorded in the LSCP minutes.
The agreement should be sent to the following agencies via their representatives.
Leeds City Council
Name: Sal Tariq
Position: Director of Children and Families Services
Leeds Clinical Commissioning Group
Name: Jo Harding
Position: Executive Director of Quality and Nursing
West Yorkshire Police
Name: Damien Miller
Position: Chief Superintendent