When sharing information with organisations outside of Bron Afon one of the following conditions must be in place:
- It is part of contract. Specific terms and conditions must be within the contract that identifies whether the contractor is a processor or controller, and it must clearly define the responsibilities of both parties.
- It is a part of a partnership arrangement. Where we are working with other organisations to provide services, e.g. support services, an Information Sharing Protocol (ISP) must be in place. Staff must ensure that the ISP is updated regularly.
- There is a legal requirement to share this information. For example, we are required to share tenant information with Welsh Water; Torfaen social services for court cases and the HSE in relation to specific incidents. All requests via this method should include the legal basis for the sharing request.
- The customer has given consent for the information to be shared. e.g. for a job reference.
Our Bron Afon occupation contract contains clauses to which the contract holder agrees by signing the contract permitting us to share information with the Council, Department of Work and Pensions (DWP) or other statutory bodies for the following reasons:
- To prevent fraud or other crime
- To protect public funds; or
- To ensure that the tenant receives all the payments or subsidy for support that they are entitled to
This clause permits us to:
- Share information with the Council to make sure the contract holder gets housing benefit and Supporting People Grant where appropriate
- Share information for fraud detection purposes with the DWP or Benefits Agency.
- Share information about money-laundering.
- Pass the information on to comply with a legal obligation. For example, to Welsh Water for the payment of Water Rates or Torfaen Council in relation to Child Protection matters.
We can pass personal information on if it is ‘necessary in order to protect the vital interest of the data subject’. Essentially this is about child protection, mental health and the protection of other vulnerable adults.
This is not a blanket permission to simply pass on information about people. We need to make a judgement that it is necessary to protect the vital interest of the data subject. We should pass on only the personal information needed for this purpose not a whole file of information. The ‘vital interest’ suggests issues such as life or death, or serious injury or serious financial loss etc.
So, for example, we would use this:
- To contact the child protection team if we had a concern about a child and be willing to share the information we knew about that child and their household.
- Provide information to Social Care or a GP about a vulnerable adult who was in danger or an adult we thought might be a suicide risk.
- Refer a matter to the Police if we had information about a vulnerable adult who was being financially exploited by their family or someone else.
- We can pass personal information on for the prevention or detection of crime or the apprehension or prosecution of offenders.
We can pass personal information needed to the Police if they are to prevent or detect a particular crime or the information is needed to arrest a particular offender. Again, we should only pass on the personal information required by the Police to prevent or detect crime or make an arrest, not a whole file.
We have a protocol with the Police over the sharing of information. Information should only be shared with the Police using this protocol and with advice from the Community Safety Team – the Police should be able to justify any request for information that they make and document. There is also a system in place for sharing information specific to individuals at casework meetings under Section 115 of the Crime and Disorder Act 1998 which permits those present to share the information for the purposes of the prevention of crime or anti-social behaviour.
There are other grounds on which we can share information, but they are unlikely to be relevant to most staff, so we have not put in the details here. If you think that we ought to be sharing information with another organisation or person and it is not permitted by any of the grounds mentioned above, seek advice from a manager.
Where possible, appropriate and safe to do so, we should ask people’s permission before sharing information about them with anyone.
Data Sharing Agreements (DSA) should be in place and reviewed with contractors, suppliers and partners. All DSAs must be sent to the DPO to log on an internal register. DSA template can be found on Buzz.