Sharing Personal Data
‘What you need to know’
Corporate Information Governance Team
Strategic Intelligence
Sharing personal data
Sharing must comply with the law
These laws must be complied with when sharing personal data:
1. Human Rights Act 1998
2. Data Protection Act 1998
3. Common law duty of confidence
The following slides provide information on how to comply with the law. Failure
to comply could result in someone suffering damage or distress. Deliberate
breaches could also amount to a criminal offence or a disciplinary offence.
Human Rights Act – right to a private life
Article 8 of the European Convention on Human Rights gives people the right to respect
for their private and family life, home and correspondence. Public authorities are not
allowed to interfere with people’s privacy, for example by disclosing their personal data,
unless the disclosure is lawful and necessary for one of the following:
• public safety or the economic wellbeing of the country
• prevention of disorder or crime
• protection of health or morals
• the rights and freedoms of others
• national security
Disclosures must be proportionate. The public interest in making the disclosure
must outweigh the person’s right to a private life. In practice, if the person
disclosing the information complies with the Data Protection Act, disclosure is
unlikely to breach the Human Rights Act.
Data Protection Act - the principles
The Data Protection Act is the main law that governs how organisations process
(i.e. obtain, use, record and disclose) personal data about living people. It sets
out eight principles which must be complied with, summarised as:
Personal data must be:
1. Processed fairly & lawfully
2. Processed for specified & lawful purposes
3. Adequate, relevant & not excessive
4. Accurate & where necessary kept up to date
5. Not kept for longer than is necessary
6. Processed in accordance with the rights of the data subject
7. Kept secure
8. Not transferred outside the European Economic Area unless the destination ensures an adequate level of protection
Data Protection Act – sharing must be fair
The first data protection principle is very important. It requires personal data to be shared
fairly.
In order to be ‘fair’, the subject of the data must be told that their information will be
shared, with whom and why, and it must be communicated to the person in a way in
which they can understand.
This is sometimes known as providing a ‘privacy notice’ or a ‘fair processing statement’
and is often printed on the forms used to collect personal data. However, this is not
always done, so it is best practice to tell the person, either verbally or in writing,
that their data is being shared.
A person does not have to be told their information will be shared, if by doing this it would
prejudice the prevention or detection of a crime or put someone at increased risk of
harm.
Data Protection Act – sharing must be lawful
The first data protection principle also requires that any sharing is lawful. The Data
Protection Act provides several conditions under which personal data may be shared.
For example, it can be shared if one or more of the following applies:
• the person has given their consent
• there is a specific legal obligation to share
• disclosure is necessary to protect someone’s life or to protect them from serious harm
• disclosure is necessary in the public interest and is necessary for our organisation or
another organisation to undertake its official duties
• disclosure is for a legitimate and lawful purpose and does not cause unwarranted
prejudice to the person
• disclosure is in the substantial public interest
• disclosure will assist in the prevention or detection of an unlawful act
Disclosures must be relevant, not excessive and proportionate.
Data Protection Act – sharing with consent
If it is appropriate to obtain consent, then the person giving it must be fully informed,
understand why their information may be shared, who will see it and what might happen as
a result. Consent must also be freely given and not obtained through coercion. Where
possible consent should be in writing.
Competent
Where a child is under 12 years old, consent should be obtained from the parent or carer.
Where a child is over 12 but under 16 years old, you need to assess whether they are
competent to consent for themselves and, if so, obtain their consent. Individuals aged
16 years and over are presumed, in law, to have the capacity to give or withhold consent
to the sharing of their personal data, unless there is evidence to the contrary.
If a person is considered not to have capacity to make decisions (whether child or adult),
their views should still be sought as far as possible.
Data Protection Act – sharing without consent
It is not always necessary or appropriate to obtain consent, for example if:
• someone has been hurt and information needs to be shared quickly to help them;
• obtaining consent would put someone at increased risk of harm;
• obtaining consent would prejudice a criminal investigation or prevent a person being
caught or questioned for a crime they may have committed;
• the information must be disclosed regardless of whether consent is given, for
example because a court order or other legal obligation requires disclosure.
The Data Protection Act provides other powers to share without consent
(see previous slides)
Data Protection Act – share information securely…
Whenever personal data is shared, it must only be given to people who have a legal
power to see it and it must be shared in a way that is secure.
Verbal – make sure you cannot be overheard by people who shouldn’t hear. If sharing
over the phone, make sure you know who you are talking to, they are the right person to
speak to and are legally entitled to the information.
Email – sensitive personal data should not be sent by email unless both the sender
and the recipient have a secure email address, i.e. both addresses belong to one of the
following secure domains: .pnn.gov.uk, .gsi.gov.uk, gsx.gov.uk, gsm.net or nhs.net.
Check the recipient’s full address rather than relying on it looking official.
To obtain a secure email address, go to ‘Keep Devon’s Data Safe’ on the Source.
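As an added illustration (not part of the council’s slides or its systems), the following Python checks that both the sender and the recipient are on one of the secure domains listed above before sensitive data is emailed. The slide says the addresses must “contain” one of the domains; this example instead matches whole domain labels, so an address such as user@nhs.net.example.com, which merely contains the string nhs.net, is rejected. The domain list is the slide’s; the label-boundary matching rule and the sample addresses are assumptions made for the example.

```python
# Added example: secure-domain check for the email rule on the slide.
# Not Devon County Council code. The domain list is the one on the slide;
# the label-boundary matching rule (stricter than "contains") is an assumption.

# Secure email domains named on the slide, written without a leading dot.
SECURE_DOMAINS = ("pnn.gov.uk", "gsi.gov.uk", "gsx.gov.uk", "gsm.net", "nhs.net")


def mail_domain(address: str) -> str:
    """Return the lower-cased domain part of an email address.

    Rejects addresses without exactly one '@' or with an empty local or
    domain part, so a malformed address can never be judged 'secure'.
    """
    address = address.strip()
    if address.count("@") != 1:
        raise ValueError(f"not a single-mailbox address: {address!r}")
    local, domain = address.split("@")
    domain = domain.lower().rstrip(".")  # tolerate a trailing FQDN dot
    if not local or not domain:
        raise ValueError(f"empty local or domain part: {address!r}")
    return domain


def is_secure_address(address: str) -> bool:
    """True if the domain is a secure domain or a sub-domain of one.

    Matching on whole labels means 'devon.gsx.gov.uk' passes while
    'nhs.net.example.com' and 'mynhs.net' do not, although both
    'contain' a secure domain string.
    """
    domain = mail_domain(address)
    return any(domain == d or domain.endswith("." + d) for d in SECURE_DOMAINS)


def secure_exchange(sender: str, recipient: str) -> bool:
    """Both ends must be secure before sensitive data may go by email."""
    return is_secure_address(sender) and is_secure_address(recipient)


if __name__ == "__main__":
    # Constructed sample addresses, not real mailboxes.
    pairs = [
        ("worker@devon.gsx.gov.uk", "nurse@nhs.net"),
        ("worker@devon.gsx.gov.uk", "contact@example.org"),
        ("worker@devon.gsx.gov.uk", "phish@nhs.net.example.com"),
    ]
    for sender, recipient in pairs:
        verdict = "OK to email" if secure_exchange(sender, recipient) else "do NOT email"
        print(f"{sender} -> {recipient}: {verdict}")
```

The check only confirms that an address is on a listed domain; it does not confirm that the named person is entitled to the data, which still has to be verified as the slides describe.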
Data Protection Act – …share information securely
…continued
Post – mark it ‘for the attention of the addressee only’ and make sure envelopes and
packages are properly sealed. Tell the person receiving it that you have sent it and ask
them to contact you if they do not receive it within the expected time frame. Limit the
amount of personal data disclosed, to those details necessary for the recipient to carry
out their role effectively.
Fax – mark the cover sheet ‘for the attention of the addressee only’. Only fax the
minimum personal data you need to. Do not identify clients by name unless you have to
and there is no other secure means of sending the information. Telephone the recipient
beforehand, to ensure they know they will shortly be receiving a fax. Double check the
fax number before sending.
If personal data is lost or sent to the wrong person, you must notify the Information
Governance Team immediately on 01392 384682 or email [email protected]
Duty of Confidentiality – sharing confidential data…
There may be times when you want to share personal data which was originally provided
to you in confidence. Case law describes confidential information as something that
has the “…necessary quality of confidence about it” and is not public knowledge.
A duty of confidence will generally arise where a person receives information that they
know, or ought to know, is being given in confidence. In such cases the organisation or
person given the information is restricted from using it for a purpose other than that
for which it was provided, or from disclosing it without the individual’s permission,
unless there is an overriding reason in the public interest for this to happen or
another law or power permits disclosure.
Duty of Confidentiality – …sharing confidential data
…continued
When deciding whether there is a public interest in sharing confidential personal data, ask
yourself the following questions:
• do I have the person’s consent?
• is the sharing necessary to protect a child, young person or adult from harm?
• is the sharing necessary to prevent or detect a crime?
• is the sharing necessary to apprehend an offender?
• is the sharing necessary to comply with a court order or legal obligation?
If you can say yes to one or more of these, then you can override a duty of confidence and
share confidential personal data. Disclosures must be kept to a minimum, be relevant, and
proportionate to what you are trying to achieve.
Summary
• Only share personal data if it is for a legitimate and lawful reason
• Tell the person that you want to share their data, with whom and why
• Decide whether you need the person’s consent. If you rely on consent, it must be
informed and explicit, and the person must have the capacity to give it
• Decide whether you can share without consent: do you have other powers?
• Keep personal data disclosures to a minimum
• Check the identity of the person you want to share data with and their entitlement
to receive it
• Be careful when discussing clients that you cannot be overheard
• Do not send personal data by email unless both sender and recipient have a secure
email address. If this is not possible, password protect the document and send the
password by a separate route (for example by phone, never in the same email), or use
another secure method of disclosing the data.
To find out more go to the Knowing when to Share pages on the Source