Information Sharing Agreement 2023

This individual Agreement is made between the below parties, acting as joint data controllers:

SSCB Partners

Staffordshire County Council

Staffordshire Police

Staffordshire and Stoke-on-Trent Integrated Care Board

Named Agencies

University Hospitals of North Midlands NHS Trust

University Hospitals of Derby and Burton NHS Trust

Midlands Partnership NHS Foundation Trust

North Staffordshire Combined Healthcare NHS Trust

Staffordshire and Stoke-on-Trent Integrated Care Board

Probation Service

CAFCASS

Youth Offending Service

Werrington Young Offender Institution

We know that timely and effective sharing of information ‘is essential for early identification of need, assessment and service provision to keep children safe’ (Working together to safeguard children 2023)

Both the Child Safeguarding Practice Review Panel and the Care Review acknowledged the importance of robust information sharing arrangements across local safeguarding partners and made recommendations in this area. Specifically, the Care Review called for Safeguarding Partners to confirm they have information sharing agreements in place.

The following agreement defines the information that will be shared and transferred between the organisations listed and arrangements for assisting compliance with relevant legislation and guidance including the General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (DPA).[1]

1.0 Background and scope of the Agreement

The Children and Social Work Act 2017 replaced Local Safeguarding Children Boards (SSCBs) with new local safeguarding arrangements, led by three key safeguarding partners.

The local authority;
b. An Integrated Care Board for an area any part of which falls within the local authority area;
c. The chief officer of police for an area any part of which falls within the local authority area.

Staffordshire Safeguarding Children Board (SSCB) consists of Staffordshire County Council, Staffordshire, and Stoke-on-Trent Integrated Care Board and Staffordshire Police. The partners are committed to ways of co-ordinating their safeguarding services, to act as a strategic leadership group in supporting and engaging others and to implement local and national learning including from serious child safeguarding incidents.

To fulfil this role, the Partners have agreed to work together and to involve relevant agencies where required. Relevant agencies are those organisations and agencies whose involvement the safeguarding partners consider may be required to safeguard and promote the welfare of children with regard to local need.

The purpose of these local arrangements via the SSCB is to support and enable local organisations and agencies to work together in a system where:

Learning is promoted and embedded in a way that local services for children and families can become more reflective and implement changes to practice
Children are safeguarded and their welfare promoted
Partner organisations and agencies collaborate, share, and co-own the vision for how to achieve improved outcomes for vulnerable children
Organisations and agencies challenge appropriately and hold one another to account effectively
There is early identification and analysis of new safeguarding issues and emerging threats
Effective exchange and sharing of relevant information between representatives of key agencies in order to improve outcomes
Information is shared effectively to facilitate more accurate and timely decision making for children and families.

The SSCB is a multi-agency partnership, with key partners and agencies named above but also including relevant public and third sector organisations.

Schools, colleges and other educational providers have a pivotal role to play in safeguarding children and promoting their welfare. Their co-operation and buy-in to the new arrangements is vital as they have duties in relation to safeguarding children and promoting their welfare.

In addition there is representation to SSCB from relevant third sector organisations as required.

1.1 Framework for confidentiality and information sharing

The following key documents provide the main national framework for information sharing:

GDPR & Data Protection Act 2018 – The main legislative framework for confidentiality and information sharing issues. The legislation stipulates the principles that must be followed when personal or special category data is processed by organisations. The legislation stipulates the conditions under which information may be shared.
Part 3 of the Data Protection Act 2018 – covers the EU Law Enforcement Directive concerns requirements and guidance for processing of data relating to administration of justice (prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties), prevention of fraud.
Human Rights Act 1998 – This Act incorporates Article 8 of the European Convention of Human Rights which provides that everyone has the right to respect for their private and family life, home and correspondence.
Caldicott Principles – Caldicott Principles applies to all NHS organisations and local authority Social Services Departments.
NHS Confidentiality Code of Practice – The Code of Practice was issued in July 2003 and applies to all NHS organisations. It is a guide to required practice on confidentiality, security and disclosure of personal information.
Crime and Disorder Act 1998 – The Crime & Disorder Act 1998 is the primary legislative tool, common to all crime reduction protocols.
Children Act 1989 & 2004 -The Acts stipulate requirements to safeguard and promote children’s welfare, along with agencies working together.
Working Together to Safeguard Children 2023 – statutory guidance setting out what organisations and agencies that have functions relating to children, must and should do to safeguard and promote the welfare of all children under the age of 18 in England.

This agreement has been formulated to provide guidance and support around the exchange of information between parties for the purposes set out above. All parties need to recognise any information shared must be justified, proportional and necessary, and appropriate; however, the need to process data fairly should not lead to fears around sharing information to safeguard, protect and reduce crime, disorder and fear.

1.2 Scope of the agreement

The Agreement covers the sharing of personal and special category data about children to ensure effective systems are in place to protect children from abuse and to prevent impairment to children’s health and development. Additionally, SSCB will review the following:

notifiable incidents and non-notifiable, but serious, incidents for safeguarding reviews,
child safeguarding practice reviews,
audits,
child death overview panel.

1.3 Approval of the SSCB Information Sharing Agreement

The SSCB Information Sharing Agreement (the Agreement) will be submitted to the three statutory partners for formal approval and after any significant change, update or amendment, partners are asked to approve the Agreement and:

Facilitate the sharing of information on the basis detailed in the Agreement
Implement the Agreement within each organisation
Support staff in the implementation of the Agreement through the provision of training, advice and guidance.
Provide relevant information to facilitate monitoring and review.

Other named parties will be provided with the agreement and asked to sign. The Agreement will also be published on the SSCB webpage.

2.0 Principles

2.1 General principles under the Data Protection legislation

Partners to the Agreement will ensure that their staff operate in accordance with the requirements of the UK GDPR and DPA 2018 and other national guidance on confidentiality and will facilitate the sharing of information wherever possible.

All three partners have equal and joint responsibility for local safeguarding arrangements. Named organisations are considered separate Data Controllers for the data held by each organisation and shared at the SSCB meetings and are each required to comply with the requirements of the Data Protection legislation. Where the SSCB produce analysis or reports, which contain personal and special category data, the Partners are considered joint data controllers with joint liability for compliance. In situations that require a clear, single point of contact, Staffordshire County Council will take the lead from a Data Protection perspective. However, all Partners will be responsible and accountable for the data produced by the SSCB.

2.2 Key principles for agencies

The following key principles guide the sharing of information between the Partners and agencies,

Agencies endorse, support and promote the accurate, timely, secure and confidential sharing of both person identifiable and anonymised information where such information sharing is essential for the provision of effective and efficient services to the local population.
Agencies are fully committed to ensuring that if they share information, it is in accordance with their legal, statutory and common law duties, and that it meets the requirements of any additional guidance.
All agencies must have in place policies and procedures to meet the national requirements for Data Protection, Information Security and Confidentiality. The existence of, and adherence to, such policies provide all agencies with confidence that information shared will be transferred, received, used, held and disposed of appropriately.
Agencies acknowledge their ‘Duty of Confidentiality’ to the people they serve. In requesting release and disclosure of information from other agencies, employees and contracted volunteers will respect this responsibility and not seek to override the procedures that each organisation has in place to ensure that information is not disclosed illegally or inappropriately.
An individual’s personal information must be complete and up to date and will only be disclosed where the purpose for which it has been agreed to share clearly requires that this is necessary. For all other purposes information should be anonymised.
Where it is agreed that the sharing of information is necessary, only that which is needed, relevant and appropriate will be shared for the Board to meet their statutory requirements particularly Serious Incident Notifications, Rapid reviews and Child Safeguarding Practice Reviews and performance activity.
When disclosing information about an individual, agencies will clearly state whether the information being supplied is fact, opinion, or a combination of the two.

3.0 Purposes for sharing information

3.1 Legislative provision

Under Article 5(1a), personal data must be processed lawfully, fairly and in a transparent manner and in particular must not be processed unless at least one Article 6 condition is met, and in the case of special category data unless at least one Article 9 condition is also met. The processing of data can be justified under the following conditions for processing of the GDPR:

Article 6 (1c) processing is necessary for compliance with a legal obligation to which the controller is subject
Article 6 (1e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
Article 9 (g) processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject

The processing under Article 9 (g) also requires a justification from the Data Protection Act:

Schedule 1, part 2, section 18, processing is necessary for the purposes of safeguarding of children and of individuals at risk

GDPR Recital 41 confirms that this does not have to be an explicit statutory obligation, as long as the application of the law is foreseeable to those individuals subject to it. The relevant legal obligations are listed as follows:

Crime and Disorder Act 1998
Anti-social Behaviour, Crime and Policing Act 2014
Domestic Violence, Crime and Victims Act 2004
Children Act 1989 & 2004
National Health Service Act 2006
Working Together to Safeguard Children 2023
Children & Social Work Act 2017

There is a requirement for individuals to be informed of how organisations use their data to ensure fairness and transparency via a privacy notice. As a Data Controller, each Partner is required to have a privacy notice which complies with the requirements of the GDPR. Additionally, the SSCB, via Staffordshire County Council, will also publish a privacy notice for the Board.

Partners to this agreement have not identified any legislation that will prevent the sharing of the information covered by the agreement. It is recognised that all public bodies must act in a manner compatible with the European Convention on Human Rights / Human Rights Act 1998. In particular Article 8. All parties agree that there will not be any infringement of an individual’s privacy under Article 8 because the initial identification of personal data is covered by the legal provisions above.

It is worth noting that data collected by the SSCB may relate to individuals who are deceased; Data Protection legislation only relates to living individuals and therefore does not apply to such data. However, the common law duty of confidentiality still applies even in death and the SSCB will treat any such deceased data with the same level of confidence as data protected by the Data Protection legislation.

This agreement addresses the sharing of information for the purposes of child protection, welfare and prevention of harm and therefore the GDPR provision for processing has been addressed. Should the purpose change to criminality and be processed for law enforcement purposes then the DPA 2018 Part 3 will be applicable.

3.2 Purposes for sharing information

The purpose of sharing information is to ensure secure, confidential, proportionate and necessary information sharing, in relation to children and families. The sharing is necessary to ensure that partners are able to Safeguard and promote the welfare of children. This will include:

protecting children from maltreatment
preventing impairment of children’s mental and physical health or development
ensuring that children grow up in circumstances consistent with the provision of safe and effective care
taking action to enable all children to have the best outcomes

Sharing information is essential to achieve the listed purposes. Serious case reviews (SCRs13) have highlighted that missed opportunities to record, understand the significance of and share information in a timely manner can have severe consequences for the safety and welfare of children. Therefore, it is essential information is shared for the above purposes to minimise these risks.

4.0 How Information will be shared

At the SSCB meeting individual cases will be discussed and information will be shared with and by relevant partner agencies. Organisations are required to share all relevant information in accordance with this agreement to ensure the best interests of children and families are achieved and the incidents of safeguarding are reduced.

Personal data must be shared with the appropriate security controls in place depending on the sensitivity of the data being shared, in accordance with the requirements of Article 5 (f) (security) and Article 32 (security of processing) of the UK GDPR.

Documents will be emailed between relevant parties prior to the SSCB meeting and then, where necessary shared on the screen at the meetings. Occasionally information is shared post meeting if the action requires this.

Senders should ensure that information sharing before and after meetings is done via an encrypted method. For example, this could be via TLS (Transport Layer Security) encrypted email or via SFT (Secure File Transfer). Emailed documents can be password protected for an added layer of security.

Information discussed at the meetings and any actions required will be recorded by each of the Partners, as individual Data Controllers, on their own case management system. Any joint SSCB working will be recorded on the Staffordshire County Council secure network and shared electronically with Partners where appropriate.

4.1 Type of Information to be shared

Information shared will be personal and potentially sensitive in nature, including:

Name

Address

D.O.B

Family members

Age

Gender

Health information, NHS numbers etc

Race/Religion/disability/ethnicity to now be included for EDI purposes.

Legal status – CIN/CP etc

Criminal investigations

Adult safeguarding concerns

Descriptions of abuse

The information shared could relate to the subject child and their family/other parties whose data needs to be shared to meet the purposes of sharing outlined above.

5.0 Access and security

5.1 Access and data quality

Only the minimum amount of data required will be shared so that the purposes for sharing can be achieved, in accordance with Article 5 (c) (Data minimisation) of the UK GDPR.

Staff access to personal information must be on a ‘need to know’ basis and any specific additional restrictions agreed within agencies. Care should be taken to ensure that access to personal information is restricted on this basis. Restrictions need to be re-enforced by clear policies on confidentiality and by inclusion of appropriate confidentiality clauses in staff contracts. Staff must be aware of and comply with their own organisation’s information governance policies, procedures and training.

6.0 Security

All parties must ensure they have appropriate technical and organisational measures in place to protect data, in accordance with Article 32 of the UK GDPR.

Organisational measures must include appropriate policies, staff training on data protection and information security and processes which cover access controls.

Technical solutions must include measures such as appropriate firewalls to protect data and adequate access controls. All parties must work to the principles of ISO27001 and Cyber Essentials.

Personal data shared under this agreement will only be done so in a technically secure way (encrypted) and data stored by each party must be stored on secure networks with appropriate access controls in place.

To ensure adequate levels of protection and safeguards and in accordance with data protection legislation, data must not be transferred outside of the UK.

Parties will ensure that appropriate training is provided for all staff involved in sharing personal information, and that all staff have access to both the policies of their own organisation and this agreement. For the purposes of this agreement the supporting processes will be that all staff authorised to access information will be trained in the basic requirements of the Data Protection legislation and have an awareness of the implications associated with shared information and of the common law of confidentiality. They will also understand the risks associated with inappropriate disclosures and the impact that this has on safeguarding and the necessity to undertake thorough checks.

6.1 Retention of records

All Parties should keep their own records in relation to each case in accordance with their own organisations policies on the retention of records. Any records which no longer need to be retained in accordance with agencies’ own policies and procedures should be destroyed under secure conditions. Any records held jointly by the SSCB will be maintained in accordance with Staffordshire Council Council’s retention as lead for Data Protection matters.

Statutory Child Safeguarding Practice Reviews will be published online by SSCB for one year.

All information obtained through this Information Sharing Agreement must be stored in each parties appropriate client case management system. No information should be stored by individuals in their own email systems. Once up to date information has been shared then there is a requirement for staff to update the appropriate client case management systems. This will ensure the most up to date information is available within client case management systems and retention policies are applied.

7.0 Staff development

7.1 Incident management & complaints

All Parties agree that any and all personal data breach, near-misses, complaints or identified bad practice by the employees of any party should be reported via the appropriate incident reporting procedures for each organisation. Oversight is required by appropriate levels of management and the involvement of the respective organisational information governance leads. All parties will co-operate on the investigation of these incidents, when necessary.

All parties agree that should any investigation under the above paragraph evidence on-going or repeated (but non-malicious) bad practice, wilful bad practice, disregard of policy or procedure or unlawful activity, that disciplinary action will be considered at a level appropriate to the incident (s) evidenced. The Partners further agree to co-operate and negotiate on such incidents so that the outcome may, wherever possible, be mutually satisfactory. All parties agree however that any disciplinary outcome must ultimately be at the sole discretion of the employing organisation.

In the event of a data breach occurring relating to data shared under this agreement, the party responsible for the breach will inform the other parties and will carry out a full investigation in line with their organisations Information Security Incident Procedure. The ICO and the data subject will be informed of the breach where the breach meets the necessary threshold for reporting. All parties will co-operate on the investigation of these incidents, when necessary.

Should a complaint be received in relation to the partnership and/or information sharing, the SSCB group collectively will decide who is best placed to respond to the issue. Where such a complaint involves more than one party, the SSCB group as a whole will respond through a nominated representative.

Contact to sscb.admin@staffordshire.gov.uk

8.0 Individual rights requests (GDPR & FOIA)

Each party will be responsible for processing and responding to any information rights requests they receive. If a party receives a request which relates to information which they do not hold or do not act as a controller for then they must instruct the requestor to direct their request to the relevant party.

Public authorities are subject to the requirements of the Freedom of Information Act 2000, therefore parties subject to this agreement must provide assistance to any of the public authorities in response to any requests they may receive which involve data relating to the agreement

9.0 Dissemination, monitoring and review of the Agreement

This agreement should be signed by a senior officer for each Partner. All signatories must ensure that this agreement is implemented within their organisation and develop procedures to ensure staff awareness of issues and responsibilities around information sharing.

It is the responsibility of signatories to ensure that they are correctly registered with the Information Commissioner and that this agreement is adhered to.

Partner organisations will disseminate copies of this agreement to all relevant staff and, on request, to anyone requesting this.

If any party breaches this agreement all partners should be notified and a joint decision will be made regarding what action is taken against the organisation that instigated the breach

This agreement should be reviewed six months after the first signature and on a yearly basis thereafter. This agreement will remain in force irrespective of whether the agreement has been officially reviewed until a notice of termination is served.

10.0 Key Contacts:

Staffordshire County Council – Neelam Bhardwaja
Staffordshire Police – Becky Riggs
Staffordshire and Stoke-on-Trent Integrated Care Board – Heather Johnstone
University Hospitals of North Midlands NHS Trust – Sarah Curran
University Hospitals of Derby and Burton NHS Trust – Jane O’Daly-Miller
Midlands Partnership University Foundation Trust – Sharon Conlon
North Staffordshire Combined Healthcare NHS Trust – Zoe Grant
Probation Service – Tony Kuffa
CAFCASS – (TBC)
Youth Offending Service – Hazel Williamson
Werrington Young Offender Institution – Jasmin Steadman

11.0 Signatories to the Agreement

The signatories to this agreement are not necessarily officers who attend specific meetings when personal information is shared. Therefore, it is vital that officers who chair and attend such meetings understand their roles and responsibilities in relation to the use and handling of personal and special category information. It is a requirement of this agreement that the Chair starts the meeting with a reminder that any information shared is confidential and that the Data Protection legislation must be followed. Any visitors will be given the same information, and this will be recorded in the SSCB minutes.

The agreement should be sent to the following agencies via their representatives.

Staffordshire County Council
Name: Neelam Bhardwaja
Position: Director of Children’s Services
Date: 19.9.23

Staffordshire and Stoke-on-Trent ICB
Name: Heather Johnstone
Position: Chief Nursing and Therapies Officer
Date: 19.9.23

Staffordshire Police
Name: Becky Riggs
Position: Assistant Chief Constable
Date: 19.9.23

Appendix One

Serious Incidents

The duty to notify serious incidents to the National Panel sits with local authorities.

However, good practice suggests that the local authority should, wherever possible, consult with other Safeguarding Partners when deciding whether to notify.

When should a notification be made?

A notification should be made if a child dies or is seriously harmed in the local authority area (or outside of England while they are normally resident in the local authority area) AND abuse or neglect is known or suspected.

(Local authorities have a separate duty to notify the Secretary of State and Ofsted where a looked after child has died, whether or not abuse or neglect is known or suspected.)

Local Child Safeguarding Practice Reviews Regional Guidance (December 2022)

[1] This Information Sharing Agreement is specifically for the Staffordshire Safeguarding Children Board and is in addition to the ‘One Staffordshire’ Information Sharing Protocol.

Revised V101 4 January 2024