Scottish Government

ISBN 0 7559 2806 7
This document is also available in pdf format (248k)

Contents

Covering Letter: CIRCULAR SEJD:15/2005
Sharing Information About Sex Offenders - Guidance on the Development of Data Sharing Protocols

Covering Letter

CIRCULAR SEJD: 15/2005
November 2005

Directors of Social Work/Chief Social Work Officers
Criminal Justice Social Work Managers
ADSW
CoSLA
Scottish Court Service
Chief Executive, Scottish Prison Service
Crown Office (for Procurators Fiscal)
Parole Board for Scotland
ACPOS
Risk Management Authority
SCRA
ADES
SOLACE
The State Hospital
Voluntary Sector Forum
CIH

Dear Colleague

Following the agreement of the National Concordat on information sharing, I now attach guidance on the preparation of data sharing protocols which was developed by the Information Sharing Steering Group ( ISSG), chaired by the Solicitor General. The focus of ISSG's work was to take forward the recommendations of the Expert Panel on sex offending on information sharing. Its aim was to ensure the efficient and effective flow of information between the key agencies involved in the management of sex offenders by developing model protocols guidance and strategies.

The National Concordat on information sharing provides a structure within which both the management of, and sharing of information about sex offenders can be undertaken. This will be further strengthened by the provisions in sections 9 and 10 of the Management of Offenders etc (Scotland) Bill which require responsible authorities in the area of a local authority to establish joint arrangements, including information sharing, for the assessment and management of risks posed by violent offenders and sex offenders. These provisions will also allow Scottish Ministers to specify in secondary legislation those agencies (and voluntary partners) with a duty to cooperate with the responsible authorities.

The attached guidance on the development of bilateral and multilateral protocols is being issued to assist in the management of the information flow between agencies.

Further information may be obtained from Christine Thomson at the Scottish Executive Justice Department. (Tel:0131-244-4250 e-mail Christine.thomson@scotland.gsi.gov.uk.)

Yours faithfully

MRS ELIZABETH CARMICHAEL
Head of Division

Sharing Information About Sex Offenders - Guidance on the Development of Data Sharing Protocols

PURPOSE OF THIS DOCUMENT

1. Data sharing is at the heart of measures to protect the public from the risks posed by sex offenders. Each of the agencies involved in the management of sex offenders has signed a national Concordat, the basis of which is a clear commitment to share all relevant information, and to ensure that this is done in accordance with the law, and respecting the human rights of both victims and offenders. For the Concordat to be effective, and for the presumption of data sharing to be realised, this process must be managed in a way which is consistent, accurate and lawful. The signatories to the Concordat have agreed that the best way to ensure this is for each data transfer to be managed using a "Data Sharing Protocol", in effect, a detailed agreement between two or more agencies setting out the information which can be shared, and how this will be managed in practice.

2. The purpose of this document is to provide guidance on the development of such Data Sharing Protocols. The Guidance is relevant to all agencies involved in the management of sex offenders (at all stages).

WHAT THE GUIDANCE CONTAINS

3. The Guidance is split into a number of sections. Each covers a specific aspect of the development and management of a data sharing protocol. The main text of the Guidance addresses the following questions:

• Why is it necessary to share information about sex offenders?
• What is a data sharing protocol and why is it necessary?
• Which agencies should be involved in data sharing protocols?
• How should a data sharing protocol be developed?
• How should a data sharing protocol be managed?
• What should a data sharing protocol cover?

The Guidance will cover each of these areas in turn.

4. This Guidance relates specifically to the development of data sharing protocols. One of the key issues underpinning data sharing is ensuring that the data collection, management and sharing processes themselves are both lawful and appropriate. There is a great deal of detailed guidance already available about the often complex legal and policy issues involved in sharing information. For that reason, this Guidance will make only brief reference to issues such as the implications of the Data Protection Act and Human Rights Act, confidentiality and the technical aspects of managing sensitive personal data. Annex 1 provides a summary of the main guidance available on these issues.

WHY IS IT NECESSARY TO SHARE INFORMATION ABOUT SEX OFFENDERS?

5. In 2001, an Expert Panel, chaired by Lady Cosgrove, published a report entitled "Reducing the Risk: Improving the Response to Sex Offending". The Panel recognised that a large number of agencies, including the police, prosecutors, courts, prison service, criminal justice social work, as well as housing, health and education authorities play a role in managing the risk posed by sex offenders. The Panel concluded that these agencies (working with voluntary sector partners) have a duty to deliver the safer environment which communities expect and deserve but that there is a tendency for individual agencies to focus their attention on improving their internal procedures. This results in gaps in the system which sex offenders can exploit.

6. The Panel therefore called for a programme of action where:

• Agencies and organisations who work with sex offenders work together to overcome the risks which sex offenders present.
• Each organisation has a clear understanding of its own role and responsibilities in relation to sex offenders.
• Institutional barriers which prevent a more effective co-ordination of practices and integration of services are tackled, and
• The practical and operational difficulties which exist are addressed.

7. In 2003, the Solicitor General convened an Inter-Departmental Steering Group ( ISSG) with the following remit:

• To ensure the efficient and effective flow of information between the key agencies involved in the management of sex offenders by developing protocols, guidance and strategies. These will address where necessary, issues of confidentiality and data protection in a way which underpins the improved multi-agency arrangements endorsed by the report of the Expert Panel on Sex Offending "reducing the risk".
• To achieve agreement of the relevant agencies on the group to implementation of its work through appropriate consultation.

8. ISSG met on a number of occasions between 2003and 2005 and considered each of the recommendations relating to information sharing made by the Expert Group. This Guidance is a direct response to Recommendation 64, which states:

"Protocols to provide a framework for information sharing and joint working should be developed. These should draw on the best examples of current good practice and should be kept under review to ensure that they do not degrade and become less useful over time. The development of these protocols should involve liaison with relevant voluntary organisations."

9. Since 2001, a number of bilateral and multi-lateral data sharing protocols have been developed to manage the flow of information between agencies involved in the criminal justice process. These protocols, however, cover only some areas, and generally only some agencies in each area. It is important that the right information is available at the right time to enable all agencies to assess and manage risk effectively and to protect the public.

Data sharing in relation to sex offenders is central to public protection. Data can be shared for a wide range of reasons, some of which are summarised below:

• For the prevention, detection and reporting of crime.
• For the prosecution of offenders.
• To inform the court about possible sentences.
• To assess the risks and needs of prisoners.
• To facilitate rehabilitation or treatment both in prison and in the community.
• To determine an offender's suitability for parole.
• To assess and manage risk.
• To develop management plans for offenders to ensure the safety of the community.
• To protect children.
• To protect offenders.
• To track offenders.
• For research, monitoring and statistical purposes.

The National Concordat

10. All of the agencies involved in the management of sex offenders have signed a national agreement, known as the National Concordat. The basis of the Concordat is that each of the agencies involved has agreed to share relevant information about sex offenders and sex offending. There is a presumption that data will be shared unless there is a good reason, usually a legal reason, why it cannot be shared. This national agreement also covers all local data sharing arrangements and all local protocols (including bi- or multi-lateral protocols between national agencies) should take the National Concordat as their starting point.

11. The agencies represented on the ISSG and which have signed this Concordat have, therefore, come together to agree a set of principles and working arrangements which will improve their systems and procedures to ensure that public safety is given the highest level of priority through ensuring that all relevant information is shared. This Guidance provides assistance to agencies in implementing both national and local data sharing protocols. The ISSG also agreed a set of standards to support data sharing (Annex 2) and a set of definitions to be used by agencies which signed the Concordat (Annex 3)

WHAT IS A DATA SHARING PROTOCOL?

12. The Expert Panel was clear in its view, endorsed by ISSG, that to be fully effective, data sharing must be placed on a formal, agreed footing. A "Data Sharing Protocol" is the term agreed by ISSG to describe such a formal agreement between two or more agencies to share information, in this case about sex offenders. The protocol sets the basis of that agreement, and the procedures associated with it. A protocol should cover, as a minimum, four main areas :

• A clear statement of which agencies are involved in the agreement.
• A clear statement of the data which is covered by the agreement.
• A clear statement of the procedures by the sharing of information is managed, including reference to any pre-existing agreement, for example on data standards.
• A clear statement of how the protocol will be managed, including arrangements for its regular review.

Each of these issues is covered in a separate section below.

13. Protocols can also cover a range of other issues depending on the needs of the agencies involved, for example:

• Background information about the agencies involved.
• Background information about the development of the protocol.
• Explanatory information about sex offenders and sex offending.
• Explanatory information about the need to share information.

Types of Protocol

14. Although this Guidance (in common with most guidance on data sharing) talks in terms of "Data Sharing Protocols", in reality, these can take a variety of forms. Their common factors are that they encompass two or more agencies, and they manage the flow of information about sex offenders. Beyond this, there can be a range of variations, for example:

• An agreement between two or more national agencies (best described as a "bi-lateral protocol").
• An agreement between two or more local agencies, generally with reference to a national agreement (similarly, described as a "bi-lateral protocol").
• An agreement between local partners, for example within a community safety partnership (which could be called a "multi-lateral", or "local area" protocol).

15. Although the agencies involved would vary, and the agreement would be more or less complex, depending on the number of agencies involved, the basic content of the protocols would be very similar however the agreement is constructed.

16. There are a number of other forms of agreement in place covering the exchange of data about sex offenders. The most obvious of these is the ISCJIS Data Standards agreement. This covers data exchanges between criminal justice agencies relating to the prosecution of offenders, the punishment of offenders and the maintenance of criminal records. There are also a number of other agreements in place, for example relating to the commissioning and production of Social Enquiry and other pre-sentencing reports.

17. In the case of the ISCJIS Data Standards, these are explicitly identified within the National Concordat, but where other agreements exist, even where these are governed by National Standards, it is recommended that the parties to such agreements review these in the light of the National Concordat, and the Guidance presented here.

Types of data

18. Information about sex offenders and sex offending exists in various forms. The two main forms of data are personal data, which may or may not be sensitive, and aggregate, or depersonalised data. It is important that any protocol deals explicitly with both types of data, as agencies have various legal obligations relating to each, as set out in the Data Protection Act 1998 and other relevant legislation. These obligations will not be set out in detail here, but will be summarised in Annex 1.

19. It is also important that agencies consider the implications of data within their records pertaining to third parties, for example, family members of offenders or victims, witnesses and associates. It is suggested that any data sharing protocol specifically sets out the legal duties of each agency in relation to the management and sharing of third party data.

WHICH AGENCIES SHOULD BE INVOLVED IN DATA SHARING PROTOCOLS?

20. ISSG has taken the view that all exchanges of information relating to sex offenders should be managed using a data sharing protocol. (The mapping exercise at Annex 4 outlines the key stages at which information is shared by agencies.) This means that any agency involved in sharing information about sex offenders should do so using a protocol. The only partial exception to this is that Procurators Fiscal may share information with defence agents.

Bi- and multi-lateral protocols

21. In practice, this is likely to mean that the following agencies and departments will be involved in bi- or multi-lateral protocols:

• Police.
• Crown Office / Procurator Fiscal Service.
• Scottish Court Service.
• Scottish Prison Service.
• The State Hospital.
• The Scottish Children's Reporter Administration.
• Local authorities (including various departments such as social work, housing, education, and the district courts).
• Health services.
• Job Centre Plus.
• The voluntary sector (including registered social landlords and those providing service to offenders, whether subcontracted to other statutory agencies or not).

22. It is unlikely that much data will be exchanged between voluntary organisations other than where both are sub-contractors of statutory services. This situation should, however, be kept under review by the voluntary organisations concerned, and, if necessary, a bi-lateral protocol should be developed. An alternative approach would be for key voluntary organisations concerned in work with sex offenders to develop and agree a multi-lateral data sharing protocol.

Information sharing within services

23. It is important to bear in mind that much of the information which is shared about sex offenders, and associated issues such as victim and public safety, is shared among departments within agencies. To ensure public safety, as well as, for example, the safety of individual offenders, it is important that these exchanges are managed effectively. There are also a range of issues agencies must be aware of in relation to their data protection responsibilities in terms of sharing information within their own organisations ¹. Some agencies have chosen to develop what are, in effect, data sharing protocols, or binding guidance, which applies solely to exchanges within their own organisation. ISSG recommends that this approach be adopted by all agencies where more than one discrete service gathers and processes data on sex offenders (for example local authorities and health authorities).

24. In the specific case of voluntary organisations operating in multiple locations, it is recommended that a similar approach is adopted (an internal protocol, or binding guidance).

Data sharing between services in different areas

25. This issue particularly affects those agencies involved in the management of offenders in the community, particularly the police, social work and health services. It is as important that these exchanges are managed effectively as any exchanges between different agencies. ISSG recommends that National Standards are the appropriate vehicle through which to manage these processes, for example for the transfer of social work files from one local authority to another.

Local area protocols

26. It is a matter for agencies to agree whether a local area protocol is required, and, if so, the range of organisations which should be covered. It would be expected, however, that, as a minimum, the following agencies would be involved:

• Police.
• Local authorities (to include at least education and social work services).
• Housing providers (including the local authority and any social landlords involved in providing housing for sex offenders).
• NHS Boards and Trusts.
• Job Centre Plus.
• The Scottish Prison Service.
• Children's Reporter.

27. Wherever possible, voluntary organisations should be involved in the development and management of local area protocols. While, in some cases, voluntary organisations act as a subcontractor to local authorities (and to SPS), increasingly, they are providing services directly to sex offenders. The basis of the involvement of voluntary organisations is a matter for local partnerships to decide, but models which could be considered might include the nomination of one or more organisations to represent all of those involved, or, where a forum exists, a representative could be nominated by that body.

HOW SHOULD A DATA SHARING PROTOCOL BE DEVELOPED?

28. Clearly, it is a matter for individual agencies to decide how a protocol should be developed, but a survey of various good practice guidance undertaken on behalf of ISSG identified a range of issues which agencies may wish to consider:

• Many protocols have been developed by a short-life working group convened for that specific purpose.
• Some guidance suggests that there is a need for a specific champion, usually a senior member of staff, within each participating organisation.
• Although it seems obvious, it is also suggested that such a group, or any other arrangement considered, should involve all of the agencies which will be affected by the protocol.
• It is also suggested that the prospective parties to any agreement carry out an audit of their data holdings and procedures prior to embarking on the development of a protocol, in order to ensure that the protocol is comprehensive, and covers all the potential data shares.
• In the light of potential legal complexities, some guidance suggests that a short-life working group should contain, or should retain, a legal advisor.
• Notwithstanding the presence of a legal advisor on the group, most guidance recommends that specific legal opinion should be sought in relation to any protocol developed.
• Some guidance suggests that, once a protocol is agreed, it should be endorsed by senior figures within each agency, for example council leaders and chief executives, chief constables and agency chairs (and involving voluntary organisations in the same way where they are party to an agreement). A common way of illustrating this is for a "signatures" page to be included in any published version of a protocol.
• Most guidance suggests that agencies should develop a dissemination strategy, to include training and awareness raising for staff.
• As will be set out in more detail below, the management arrangements for the protocol should be agreed as part of its development process, and should include, for example, implementation and review dates, and a summary of success criteria.

HOW SHOULD A DATA SHARING PROTOCOL BE MANAGED?

29. Once in operation, it is important that any data sharing protocol remains a live document. One way of ensuring this is to establish a group comprising a representative of each of the partners with direct responsibility for the management of the protocol.

30. It is suggested, in relation to management, that the following represents the minimum which should be agreed by the partners at the outset:

• The remit, membership and administrative processes related to any management group, including the basis of appointment of a chair, any specific voting rights and procedures for issues such as adding additional members and raising concerns about relevant matters.
• The means by which changes to policy and legislation will be monitored and how these will be reflected in revisions to the protocol.
• The implementation date for the protocol.
• The dates on which the protocol should be reviewed. (Clearly, this is a matter for the partners to each protocol, but it is suggested that 6 months, followed by an annual review would be a suitable minimum.)
• A commitment to monitor and evaluate the implementation and impact of the protocol at a set point in time (which may be two or three years from the date of implementation), together with a statement of the measures which will be considered in these processes.

These issues should be set out explicitly in the body of the protocol in order that they form an integral part of the agreement.

WHAT SHOULD A DATA SHARING PROTOCOL COVER?

31. As will be clear from the previous paragraphs, there are a range of types of data sharing protocol. However, although their scope, and the numbers of signatories may vary, the basic content of protocols should be broadly similar. The subsections below will provide an overview of each of the main topics which should be covered in a typical data sharing protocol.

Core information

32. It is suggested that each data sharing protocol should set out a range of core information. The extent and particularly the detail of this will vary, depending on the needs of the agencies involved. For example, a protocol between agencies which have shared data over an extended period using an agreed set of data standards is unlikely to require an extensive introduction, but where, for example, one or other partner has not previously operated in this way, a more extensive background section may help staff better understand the context within which data sharing is to take place.

33. As a minimum, it is suggested that each protocol should contain:

• A statement of intent by the partners to the Protocol, expressed in a positive tone and signed by senior staff within each organisation. It is important that this initial statement sets out clearly the presumption that data will be shared where it is desirable and legal to do so, and it is also likely to be helpful if a summary of the benefits to be gained from such sharing is presented.
• A list of the partners in the protocol, with contact information, and a lead officer named for each agency, or each service where, for example a number of local authority or health service functions are involved. Where it is intended that sub-contractors should be covered by the Protocol, this should be clearly stated.
• A statement of the purpose of the Protocol, a summary of its policy objectives and a summary of the broad types of data to be shared.
• A clear reference to the National Concordat and any other protocols which may impact on, or which may be affected by the newly agreed Protocol.

34. Clearly it is open to agencies to consider the inclusion of other material. Among the material which could be considered would be:

• Information about the work of the Expert Panel and ISSG .
• Current policy in relation to the management of sex offenders and any issues relevant to the subject, or geographical area of the protocol.
• Background information on the agencies concerned (which may be helpful where either new agencies, or new services - or staff - within agencies are likely to be required to work within the framework of the protocol) and their relationship to local structures such as Community Planning, or Community Safety Partnerships.
• A summary of the way in which the protocol was developed.

35. It is also suggested that any definitions central to data sharing arrangements are set out explicitly in the protocol. The core definitions relating to sex offenders, drawn from ViSOR, have been set out and agreed as part of the National Concordat and these should be reproduced in each protocol, together with any additional definitions which are relevant (for example, in relation to homelessness where housing-related data is included).

Duties, legislation etc

36. A second area which should be covered by any data sharing protocol is the legal duties imposed on each partner in relation to the information to be shared. At the very least, this should consist of a summary of any specific legislation which applies to the data to be shared. It can, however, be helpful if extracts from relevant legislation and guidance are reproduced in an annex to the Protocol. This approach has been used successfully in a range of pre-existing protocols examined by ISSG. If this approach is adopted, however, clearly it is critical for this information to be maintained, and it is recommended that a named individual be given responsibility for ensuring that any extracts from legislation or guidance are current, and for ensuring that any new legislation or guidance is included.

37. The tone of any section relating to duties and legislation can be a key factor in the success or otherwise of a data sharing protocol. It is clear, from information provided to ISSG, and from wider research, that there are widespread misunderstandings about data sharing, particularly in relation to the common law duty of confidentiality and the implications of the Data Protection Act 1998. The Bichard Inquiry illustrated clearly the dangers of such misunderstandings. It is clear that, in some cases, staff use both "confidentiality" and the "Data Protection Act" as, in effect, excuses to block information sharing which may be in the public interest. The way in which a data sharing protocol deals with these issues is, therefore, very important. While it is critical that staff are aware of their obligations, some guidance can have the effect of making staff wary of any data sharing. It must be clear that there is a presumption to share information, and it must be clear that the protocol exists to enable, rather than restrict the flow of information.

38. There are two main areas in which legislation impacts on data sharing relating to sex offenders. The first relates to the powers of the agencies involved to share information, the second to the law relating to sex offenders directly. Although there is a clear public policy imperative to share information, the legality of this, even in relation to sex offenders, is rarely clear cut, except in limited cases such as the detection of crime and the administration of justice. In areas such as rehabilitation and management in the community, there are few area in which information sharing is expressly permitted, and, therefore, some measure of assessment and justification on the part of agencies is required. Part of the purpose of the development of protocols is to help ensure that data sharing takes place within a lawful and justifiable framework.

The main legislation likely to impact on data sharing is listed below. Annex 1 provides a summary of the key considerations in relation to each.

39. In relation to data sharing per se, the main legislation to be considered in the development of a protocol includes:

• Broadly, administrative law, concerned primarily with whether or not the agency concerned has the power, express or implied, to share the information which is the subject of the protocol.
• The Human Rights Act 1998 and the European Convention on Human Rights, which provide a series of safeguards in relation to the collection, management, use and sharing of information about any individual (including sex offenders).
• Common law, which, in this context, relates particularly to the duty of confidentiality which may apply to agencies.
• The Data Protection Act 1998, which sets in place a range of safeguards to protect individuals' rights in relation to information held about them by public agencies.

40. The law in relation to sex offenders is continually evolving, and one of the key issues for any protocol is ensuring that any changes are reflected in policy and practice. For the purposes of the development of data sharing protocols, the key relevant legislation includes:

• Sex Offenders Act 1997 and Sexual Offences Act 2003
• Criminal Justice and Court Services Act 2000
• Crime and Disorder Act 1998
• Criminal Procedure [Scotland] Act 1995
• Anti-Social Behaviour (Scotland) Act 2004
• Protection of Children and Prevention of Sexual Offences Act 2005

41. There is a wide range of other legislation which may impact on information sharing in relation to sex offenders, including:

• Housing (Scotland) Act 2001
• Homelessness etc (Scotland) Act 2003
• Local Government in Scotland Act 2003
• Mental Health (Care and Treatment) (Scotland) Act 2003
• National Health Service Reform (Scotland ) Act 2004

Data coverage

42. It is important that any protocol sets out clearly and unambiguously the data which will be shared. This process would clearly be greatly aided if agencies accept the recommendation made earlier to audit both their data holdings and procedures prior to the development of the protocol. The level of detail provided in the body of the protocol can vary, with, for example, detail being provided in an annex. In the specific case of data sharing which is already covered by data standards (such as the ISCJIS data standards), this section can be covered simply by reference to these standards.

43. Agencies may find it helpful to set out explicitly any relevant data which is not to be shared, and which would, therefore, be excluded from the Protocol. This may help to avoid misunderstandings, particularly where staff change, or where new systems are introduced.

44. Where data is to be shared only in exceptional circumstances (for example, sensitive data which would only be shared in the event of immediate risk to a child), this should also be referred to explicitly, with a clear accompanying statement setting out the circumstances which must apply for this to take place, and the procedure which must be adopted by each party to trigger its release.

Procedures

45. There are two main approaches which may be taken in relation to the description of procedures relating to data sharing. The first is that these can be described in the body of the protocol. The second is that these can be described in service-specific annexes which are integral to the protocol, and which are shared among the partners. However the information is presented, the following issues should be covered.

• A statement from each partner on measures in place to ensure confidentiality and prevent secondary disclosure, including procedures in place relating to third party information.
• A summary of the precise procedures to be adopted by each partner to the agreement relating to the transfer of information. These should be as detailed as possible in order that the protocol can serve as a live management document. It is suggested that this section cover the following:
• A summary of agreed procedures for the management of data within each partner organisation - it can be helpful it these are reproduced as an annex and are considered integral to the protocol.
• Individual contacts for each type of data, or each department as relevant - clearly these should be updated regularly.
• A statement of the level of authority required for each type of data to be transferred.
• A summary of procedures which would apply, for example, in the absence of designated decision makers, where there are urgent requests (such as those relating to child protection), for the resolution of disputes, and for the notification and correction of errors.
• A summary of procedures covering data weeding, and the need to consult with, and, where necessary, secure the agreement of interested parties.
• A summary of the procedures to cover the notification and correcting of changes within the framework of the Data Protection Act 1998.

It may also be useful to set out clearly any agreed single or multi-agency training agreed to ensure the effective implementation of the Protocol.

Management arrangements

46. The protocol should also contain clear information on how the protocol will be managed. This should cover as a minimum the issues described in the previous section.

OVERVIEW

47. Data sharing is a critical component of ensuring public safety. In order that this is managed effectively, it is important that clear agreements are in place covering each aspect of the data sharing process. Data sharing protocols are, in their simplest form, agreements to enable the flow of information in an efficient and legal manner. ISSG has set an objective that, by April 2006, all data sharing relating to sex offenders will be managed using protocols. This Guidance, alongside the National Concordat, provides a framework within which protocols can be consistently implemented among criminal justice agencies in Scotland.

48. This framework will be further strengthened by the provisions in sections 9 and 10 of the Management of Offenders etc (Scotland) Bill which requires responsible authorities in the area of a local authority to establish joint arrangements, including information sharing, for the assessment and management of risks posed by sex offenders and serious violent offenders. These provisions will also allow Scottish Ministers to specify in secondary legislation those agencies with a duty to cooperate with the responsible authorities.

ANNEX 1 : KEY LEGAL CONSIDERATIONS

49. This Annex will provide a brief overview of some of the key legal considerations which impact on sharing information about sex offenders. There is a range of other, more comprehensive guidance available, which agencies should refer to in the development of protocols. Among the most relevant and useful guidance is:

Data Sharing: Legal Guidance For The Scottish Public Sector - published by the Scottish Executive and available via the Open Scotland website ( www.openscotland.gov.uk)

Guidance on Disclosure and Sharing of Information Antisocial Behaviour etc. (Scotland) Act 2004 - published by the Scottish Executive and available via the Scottish Executive website ( www.scotland.gov.uk)

Public Sector Data Sharing : Guidance on the Law - published by the Department for Constitutional Affairs ( www.dca.gov.uk)

Data Protection Act 1998 Legal Guidance - published by the Information Commissioner and available from the Commissioner's website ( www.informationcommissioner.gov.uk)

MAPPA Guidance (including a section in information sharing) - published by the Probation Directorate of the Home Office and available from www.probation.homeoffice.gov.uk

50. There is also a model protocol on the Crime and Disorder website ( www.homeoffice.gov.uk).

51. Clearly, only the first two pieces of guidance identified pertain specifically to Scotland, but, as will be set out below, much of the legislation which is relevant to data sharing is either UK-wide, or, in some cases EU-wide.

Key legislation

52. The law relating to data sharing is complex, in part because there are a wide range of potential considerations. It is clear that there is no single piece of legislation governing these processes, and, even where legislation exists, it is rarely definitive. The Guidance, in common with other publications relating to data sharing, recommended that specific legal advice be sought by each partnership prior to implementing any protocol, and this summary cannot be seen as a substitute for this. It is clear that the responsibility for ensuring the legality and appropriateness of each data share rests with the agencies concerned. It is also clear, from existing guidance and advice provided to ISSG, that it is important that each aspect of data sharing is scrutinised in isolation, and that steps are put in place to ensure that, where the law demands case by case consideration, this can take place.

53. It is important, however, as set out in the Guidance, to view the law not as a barrier to data sharing, but as a framework within which it should take place. Much of the law relating to data sharing exists to protect the rights of individual data subjects (including sex offenders), but it is also clear that, where circumstances warrant, these rights can be superseded by wider concerns, primarily, in the case of sex offenders, public safety concerns. Sharing information is central to protecting the public from the threat posed by sex offenders and agencies have, therefore, a duty to ensure that this is carried out. The National Concordat is based on an explicit presumption that relevant data will be shared where it is appropriate and legal to do so. The summary below sets out the considerations about which agencies should be aware in order to ensure that all relevant information is shared within this legal framework, balancing the rights of individual data subjects and the wider public.

Ownership of information

54. A data sharing protocol cannot define ownership of any information relating to sex offenders. The ownership of information is defined by the Data Protection Act and the legal issues involved in the disclosure of both personal information and sensitive personal information are clearly set out in the Act (and summarised below). In the context of sharing information about sex offenders, it is worth bearing in mind that at each point, the disclosure of information is governed by the Act (and through this, other legislation summarised below). This means, in practice, that an agency which receives information is also bound by the same duties as the agency which passed the information, and this issue (knows as secondary disclosure) is of critical importance. This means, for example, that a social work service cannot legally pass information obtained from another agency (say, for example, from SPS) to a third party (say a housing association) without the express consent of the original data controller.

The "tests"

55. The Scottish Executive Guidance on Data Sharing sets out a four stage process which allows an agency to assess whether or not any proposed data sharing is legal ².

• Establish whether you have the power to carry out the function to which the data sharing relates. In doing so it will be important to ascertain whether there are express statutory restrictions on the data sharing activity proposed, or any restrictions which may be implied by the existence of other provisions of statute or common law.
• Decide whether the sharing of the data would infringe rights under Article 8 of the European Convention on Human Rights in a way which would be disproportionate to the achievement of a legitimate aim and unnecessary in a democratic society.
• Decide whether the sharing of the data would breach any common law or statutory obligations of confidence.
• Decide whether the sharing of the data would be in accordance with the Data Protection Principles.

The remainder of this annex provides an overview of the considerations which apply to each of these tests.

The "power" to share information ³

56. In relation to the powers of the agencies involved, it is essential that the data share relates to an area which is within the powers of that agency. There is no single power allowing criminal justice agencies to exchange information relating to sex offenders (or in relation to offending more generally), and it needs to be clear, therefore, on an agency by agency basis, that the reason why an agency holds and processes data relates directly to its powers. This is not necessarily clear cut either, as the work an agency actually carries out may have evolved far beyond its original defined role in statute, and there is, therefore, a need for agencies to be satisfied that they are not, in the first instance, acting ultra vires, and secondly, that the information exchange is consistent with their powers and does not breach any of the relevant rights-based legislation listed in the body of the Guidance.

57. There are relatively few examples of express powers (known as gateways) existing relating to sharing information, and, therefore, most decisions have to be based on implied powers. A recent example of such a gateway in a criminal justice context is Section 106 of the Antisocial Behaviour etc. (Scotland) Act, which permits information sharing for any purposes set out in the Act. At a wider level, the Local Government in Scotland Act 2003 places a power on local authorities to promote or improve the well - being of people within its area. It has been argued that this provides a gateway power which may permit the exchange of information in relation to community protection functions, including the management of sex offenders. In most cases, however, where powers to share information exists, these are implied.

58. It is clear, as set out earlier, that agencies cannot assume that, because they perceive data sharing to be in the public interest, that it will necessarily be lawful. The Scottish Executive Guidance recommends explicitly that agencies which are party to data sharing (or more widely, process information about individuals) consider carefully (and if necessary, take advice on) the legal basis upon which this is carried out. It is also clear that, even where an express or implied power exists, it cannot be assumed that any data sharing will be legal.

Article 8.1 of the ECHR

59. Agencies must also satisfy themselves that they are acting within the terms of the Human Right Act 1998 which confirms the provision of the European Convention on Human Rights ( ECHR) in domestic law.

The key Article within ECHR relating to data sharing is Article 8. Article 8 provides that:

'8.1. Everyone has the right to respect for his private and family life, his home and his correspondence.
8.2. There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.'

60. In effect, Article 8.1 provides a basic right to the privacy of personal information. This is not an absolute right, but public agencies which wish to disclose information about an individual (specifically to another agency in this case) have to establish that this is necessary and lawful under the terms of Article 8.2. There is some degree of crossover between this, the discussion on the powers of agencies (above) and the provisions of the Data Protection Act (see below).

The obligation of confidence

61. Many of the agencies involved in the management of sex offenders also have a common law duty of confidence. In essence, data subjects have a common law right to confidentiality unless there is a public interest served by breaching this. This is another area (along with data protection) where there is considerable controversy. There is widespread concern either that many staff do not properly understand their duties in relation to "confidentiality", or use the term as a blanket justification for a failure to share, or a failure to consider sharing information. Many professional bodies (for example, in social work, police and health fields) have produced guidance on interpreting the duty of confidentiality. As with the Concordat, these guidance documents start from the presumption that effective and lawful data sharing is in the public interest, and that agencies (and professional bodies) have an obligation to ensure that staff (or members) do not wilfully, or unknowingly, fail to discharge their duties, in this case in relation to public safety citing confidentiality as a justification.

The Data Protection Act

62. The Data Protection Act is arguably the most misunderstood and misquoted of current legislation. Evidence presented to ISSG (as well as evidence from elsewhere) suggests that staff in many agencies are concerned about the implications of the Act, and are, as a consequence, reluctant to share information. While the Scottish Executive wishes to ensure that the rights contained within the Act are observed, it is imperative that the maximum amount of information consistent with the provisions of the Act is permitted to flow between agencies. It is essential, therefore, that each data share can satisfy the tests contained within the Act (and which are set out below). The duty to do this rests with the data controller at each stage, and each exchange must be assessed on its merits. It is strongly recommended, therefore, that any data sharing protocol contains a section on the implications of the Data Protection Act for the agencies involved, and for the information which it is proposed to share.

63. For data processing ⁴ (and, therefore, sharing) to be lawful, each of the eight principles set out within the Data Protection Act must be satisfied, even where there is a statutory basis for information sharing. These principles are set out below, namely that data should be:

1. Processed fairly and lawfully
2. Processed only for specified, lawful and compatible purposes
3. Adequate, relevant and not excessive
4. Accurate and up to date
5. Kept for no longer than necessary
6. Processed in accordance with the rights of data subjects
7. Kept secure
8. Transferred outside the European Economic Area only if there is adequate protection in the country to which the data is to be transferred.

64. In relation to sex offenders, these tests may not be as straightforward as they may seem, and work is ongoing to assess the legal issues involved at each of the main points of data exchange with the criminal justice system.

65. Virtually all of the information about sex offenders held by criminal justice agencies would be categorised as sensitive personal information and, as such, for any processing (and hence sharing of this information) to be lawful (and hence meet the first principal set out above), it must pass a number of additional tests as set out in Schedules 2 and 3 of the Act. In essence, the sharing of sensitive personal data can only be lawful if any two standards in Schedule 2, and any one standard in Schedule 3 are met. For reference, Schedules 2 and 3 are reproduced at the end of this Annex.

66. It is critical to bear in mind that the Act also applies to information shared between departments, for example between child protection and criminal justice teams in a social work department, or between a social work and housing service, even if these are part of the same administrative unit. Data which is transferred within agencies must satisfy the same eight principles and Schedule 2 and 3 tests as if it were to be disclosed to another agency.

67. It is also important to bear in mind that, on the basis of current legal opinion, "data" in this context means information about sex offenders, rather than the format in which it is presented. This means, for example, that the tests have to be applied to each of the pieces of information within a social enquiry report rather than to the report as a whole.

68. Section 29 of the Data Protection Act exempts from certain provisions of the Act personal data processed for (i) the prevention or detection of crime; (ii) the apprehension or prosecution of offenders. Current advice from Scottish Executive solicitors is that this exemption must be applied on a case by case basis, and cannot be taken to be a blanket exemption for criminal justice purposes. The legal basis is that operation of the Act to prevent the flow of sensitive personal information must "prejudice" the prevention or detection of crime, or the apprehension or prosecution of offenders.

69. "Factual" information about sex offenders is subject to the same tests as any other sensitive personal information, although there may, in some cases, such as previous conviction information, be a clear basis for sharing in statute.

Consent

70. The issue of consent is complex. Whilst, in ordinary circumstances, the giving of informed consent simplifies the transfer of information, in the context of sharing information about sex offenders, two issues are of critical importance:

• The data subject (in this case, the offender) can refuse to give consent, or can give, in effect, partial consent.
• The data subject can, at any time, withdraw consent.

71. The practical effect of either course of action is that data sharing, assuming consent was the means by which the first data protection principle was satisfied (see below), would be unlawful. This means that it is critical that the lawfulness of any information sharing about sex offenders does not rely solely on the consent of the offender]

Note : The Data Protection Act 1998 - Schedule 2 and 3 conditions

Conditions in Schedule 2:

Paragraph 1: The data subject has given consent to the processing.

Paragraph 2: The processing is necessary for (a) the performance of any contract to which the data subject is a party; or (b) for the taking of steps at the request of the data subject with a view to entering into a contract.

Paragraph 3: The processing is necessary for compliance with any legal obligation to which the data controller is subject, other than an obligation imposed by contract.

Paragraph 4: The processing is necessary in order to protect the vital interests of the data subject.

Paragraph 5: The processing is necessary: (a) for the administration of justice; (b) for the exercise of any functions conferred on any person by or under any enactment; (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department; or (d) for the exercise of any other functions of a public nature exercised in the public interest by any person.

Paragraph 6(1): The processing is necessary for the purposes of legitimate interests pursued by the data controller or by the third party or parties to whom the data are disclosed, except where the processing is unwarranted in any particular case by reason of prejudice to the rights and freedoms or legitimate interests of the data subject.

Paragraph 6(2): The Secretary of State may by order specify particular circumstances in which this condition is, or is not, to be taken to be satisfied.

Conditions in Schedule 3:

Paragraph 1: The data subject has given explicit consent to the processing.

Paragraph 2: The processing is necessary for the purposes of exercising or performing a legal right or obligation in the context of employment.

Paragraph 3: The processing is necessary to protect the vital interests of the data subject or another in cases where consent cannot be obtained.

Paragraph 4: The processing is of political, philosophical, religious or trade union data in connection with its legitimate interests by any non-profit bodies.

Paragraph 5: The processing is of information made public as a result of steps deliberately taken by the data subject.

Paragraph 6: The processing is necessary in connection with legal proceedings or the seeking of legal advice.

Paragraph 7: The processing is necessary (a) for the administration of justice; (b) for the exercise of any function conferred on any person by or under any enactment; (c) for the exercise of any functions of the Crown, a Minister of the Crown or a government department.

Paragraph 8: The processing is necessary for medical purposes and is carried out by medical professionals or others owing an obligation of confidence to the data subject.

Paragraph 9: The processing is necessary for ethnic monitoring purposes.

Paragraph 10: The personal data are processed in circumstances specified in an order made by the Secretary of State for certain purposes. The Data Protection (Processing of Personal Data) Order 2000 ( SI 2000 No 417) specifies a number of circumstances in which sensitive personal data may be processed such as crime prevention, policing and regulatory functions (subject to a substantial public interest test); counselling (subject to substantial public interest test); insurance, equality monitoring in the area of disability and religious or other beliefs; and research. A further order relates to the processing of sensitive personal data by MPs and other elected representatives (The Data Protection (Processing of Sensitive Personal Data) (Elected Representatives) Order 2002 ( SI 2002 2905)).

ANNEX 2 : NATIONAL STANDARDS FOR INFORMATION SHARING ON SEX OFFENDERS

Recommendation 65 from the Expert Panel states:

"the importance of information sharing should be reflected in the key performance indicators of individual agencies."

The ISSG recognised that whilst key performance indicators are specific to individual agencies, a set of national standards would create a framework for the KPIs within individual agencies. The framework would include:

• a set of agreed national standards to share information on sex offending
• a set of targets within each individual agency to support the standards
• an internal system to monitor the sharing of information within each agency
• Inspectorates to monitor performance in information sharing.

On that basis, the ISSG agreed national standards to set out what every agency undertakes to do to ensure the effective transfer of information under its obligation to protect the public and to ensure that decisions on sex offenders are made on the best possible information. The standards provide the basis for agencies to develop effective systems for the transfer of information on sex offending and to ensure that through raised awareness, good practice and robust systems and procedures, agencies are helped to ensure the protection of the public, especially children, from sex offenders. The standards also provide a benchmark against which practice can be measured and audited in order to assist agencies in reviewing and evaluating current practice and identifying areas for further development. The standards make explicit what is expected from those agencies with responsibility for protecting the public from sex offending. They provide a basis for accountability and challenge if practice falls below expected standards.

Standard 1: Policy and Procedures

Agencies have written policies and procedures in place, supported by robust systems and structures to collect, store and ensure the effective handling and transfer of information with timed targets for the speed of transfer.

• Policies and guidance set out the principles and reasons for information sharing
• The statutory authority and obligations for sharing information on sex offenders are included in the written procedures
• A senior member of staff provides leadership and takes responsibility for high level decisions on the release of information, including decisions not to share which should be subject to audit
• There are clear instructions, regularly updated, on how the arrangements operate within the organisation
• Timed targets are set for the transfer of information and performance is monitored on a regular basis
• There is a procedure for ensuring that accurate records are maintained and processes are proofed for security integrity
• Rules for recording, managing and deleting information are in place.

Standard 2: Processes for Managing the Partnerships and Flow of Information

Agencies and staff are clear about the information to be transferred and received and the agencies with whom it can be shared.

• Local protocols are agreed with partner agencies and reviewed at regular intervals
• Rules are in place to establish which agency owns the data at each stage in the process
• A checklist is maintained of the information to be transferred at each stage, to whom and the timescales for doing so
• A checklist is maintained of the information to be received at each stage, from whom and the timescales for doing so
• The rules are set out for disclosing information to other public bodies
• Systems are in place to ensure that the process of transferring information to partners is secure.

Standard 3: Management of People

Staff are aware, knowledgeable and skilled in the information sharing principles and process, recognising their own needs and those of their partners.

• Staff roles and responsibilities are clearly set out in job descriptions
• Suitable training and supporting written material including checklists are provided for staff
• Staff participate in joint training with other agencies to develop shared understanding and effective communication.

Standard 4: Performance Monitoring

• Agencies have performance monitoring and reporting mechanisms in place, including an internal quality assurance process.

ANNEX 3 : AGREED DEFINITION OF TERMS

In response to recommendations of the Expert Panel, signatories to the National Concordat have agreed to use the following terms defined with reference to the ViSOR system.

Primary designations

Registered Sex Offender - this being an offender that has been convicted of an offence that requires them to register under the Sex Offenders Act 1997 or the Sexual Offences Act 2003 or by the granting of a civil order which imposes such a requirement.

Non Registered Sex Offender - this being an offender who has been convicted of a sex offence, as determined by the Criminal Justice and Court Services Act 2000 or the Sexual Offences Act 2003 which does not carry a registration requirement, but have received the appropriate sentence.

Violent Offender - an offender that has been convicted of a violent offence as determined by the Criminal Justice and Court Services Act 2000 and has received the appropriate sentence or, as identified under Schedule 15 of the Criminal Justice Act 2003 having received the appropriate sentence.

Dangerous Offender - this being an offender, with the relevant offence, who is demonstrating behaviour that is deemed to pose a significant risk of harm to the public.

Potentially Dangerous Person - this being a person, without a conviction or a relevant offence, who is demonstrating behaviour that is deemed to pose a significant risk of harm to the public.

Secondary designations

These terms form a core dataset on sex offenders (and violent offenders), and any national or local additions to this should be implemented so as to protect the integrity of these categories.

The following sub-categories of Registered Sex Offender have been agreed. These should only be used in a way which allows the primary designation of Registered Sex Offender to be readily identified. The agreed subcategories are:

• Registered Sex Offender - Currently registered
• Registered Sex Offender - Required to register but has not yet done so. (This would include those serving a prison sentence who would be required to register on release.)

The following sub-categories of Non Registered Sex Offender have been agreed. These should only be used in a way which allows the primary designation of Non Registered Sex Offender to be readily identified. The agreed subcategories are:

• Non Registered Sex Offender - Not required to register
• Non Registered Sex Offender - Previously registered but the period has expired.

ANNEX 4 : MAPPING EXERCISE

Introduction

This summary relates to cases where an offender is reported, prosecuted and convicted of an offence which results in a custodial sentence, detention under Mental Health powers or a community-based disposal. It is also worth bearing in mind that Registered Sex Offenders can be sentenced to periods of custody for non-sexual or non-child related offences during the period of their registration.

The stages used are those designated by the Expert Panel with the addition of a further stage, "in custody", to reflect the fact that there is a great deal of data exchanged following reception and prior to release preparations commencing. It is recognised that these summaries do not necessarily represent the exact order in which specific processes take place.

Reporting, investigation and pre-investigation

Prosecution process

Pre - Sentence Process

Court to custody

Court to Community Disposal

In custody

Pre-release

Community

1. At wider level, there are generally community safety plans, sex offender management plans or similar. These contain general policy information rather than individual cases.
2. In most areas, there are protocols in place covering the transfer of information (covering a range of services).
3. SW files are transferred when an offender moves area [although there are issues with this - ISSG(34)03 refers]

Footnotes

1. These are summarised in both the Scottish Executive and Office for Constitutional Affairs guidance outlined in Annex 1, as well as in various guidance available from the Office of the Information Commissioner.
2. These bullets are reproduced from "Data Sharing: Legal Guidance For The Scottish Public Sector", Scottish Executive 2004
3. There is an extended discussion in the Scottish Executive Legal Guidance about the status of various bodies likely to be involved in the management of sex offenders and the implications of this in terms of the existence of express or implied powers.
4. Data processing covers a wide array of potential issues, including the gathering, storage, manipulation, interrogation, disclosure and sharing of information. A reasonable working assumption is that data processing, and hence the provisions of the Act, covers any potential use of data relating to sex offenders.