Scottish Government

Chapter 2 Policy and Strategy

2.1 The National Perspective

The Scottish Executive Criminal Justice Plan for Scotland sets out a vision for the criminal justice system in which services work effectively and coherently in the interests of justice to protect citizens, safeguard their rights and help create communities which are stronger and safer. The main challenge set out in this strategy is for criminal justice partners to work together more effectively and coherently. It focuses on the key areas of anti-social behaviour, reform of court processes, reducing re-offending rates and tackling drug addiction. Better intelligence and information sharing between the criminal justice community partners will be essential to delivering this vision.

The Scottish Executive believes that improving joint working in public services will bring about consequential improvements to the quality of these services, thereby making a positive difference to the people who access them. The community planning process, acting as a framework for making public services responsive to, and organised around, the needs of communities, also has a critical role in ensuring that these challenges are met.

2.2 Community Planning

As a result of the Local Government in Scotland Act 2003, community planning has already led to the creation of joint strategies in most areas in Scotland, and has provided the basis for impressive examples of partnership working. The community planning process puts joint visions and plans into practice with the intent of achieving a tangible improvement in services across Scotland. It is an evolving process involving ongoing changes to working cultures, behaviours, skills and attitudes to achieve effective partnership working with a genuine community focus.

HMIC acknowledges the findings of the recently published Audit Scotland Report 'Community Planning: An Initial Review', and the recommendations contained therein for both the Scottish Executive and community planning partnerships to develop a shared vision and priorities. Although this report does not deal directly with information sharing, it does state that "significant progress has been made in the availability and use of robust data to inform community planning" and that "there is evidence of increased sharing of information on service use between partner organisations".

Partnerships bring together key participants, and so can act as a bridge to link national and local priorities better. This should be a three-way process, whereby local community planning partnerships can influence national direction and help to co-ordinate the delivery of national priorities in a way that is sensitive to local needs and circumstances. Local or neighbourhood priorities should also be able to influence priorities at the community planning partnership level.

2.3 Anti-Social Behaviour

During this inspection HMIC found that a significant contributory factor in developing partnership working and information sharing arrangements across agencies, had been the maturing approach to tackling anti-social behaviour. The Anti-social Behaviour etc (Scotland) Act 2004 has specifically addressed the need to share information in tackling local problems in terms of Section 139, which states that to manage anti-social behaviour effectively the relevant agencies must share information at a local level.

Under the provisions of section 139, any person has the power to release information to a relevant authority where that is necessary for the purposes of any measure in the 2004 Act or any piece of legislation which relates to tackling anti-social behaviour. Clearly this includes exchanging information in relation to ASBO (anti-social behaviour order) investigations, applications and other relevant matters.

Section 139 also provides that, where confidential information is released to a relevant authority under this section, the receiving authority must respect that need for confidentiality.

HMIC believes that including this section in the Act paves the way for an environment where a wider and even more frequent exchange of information and intelligence is possible in the future, in order to strengthen communities and make them safer.

2.4 National Data Sharing Forum

The launch in April 2006 of a National Data Sharing Forum and Local Data Sharing Partnerships offered a governance structure for personal data sharing in Scotland, with the aim of providing a framework within which Scottish Ministers and local partners can collaborate to facilitate inter-agency data sharing. The National Data Sharing Forum was developed from the Scottish Executive eCare framework, which is the name given to the technology developed by the Data Sharing and Standards Division of the Scottish Executive to enable information sharing between agencies for the care and protection of citizens. (See Model 1)

Model 1

The purpose of the National Data Sharing Forum is to develop coherent and integrated national approaches to data sharing. Fourteen local data sharing partnerships are planned, each based in a health board area. The two main priority areas for these partnerships in the first year are to complete a roll-out of the use of single shared assessments to all adult care groups and to implement information sharing for child protection purposes. This work is closely associated with the Scottish Executive's 'Getting It Right For Every Child' ( GIRFEC) initiative, which is discussed later in this chapter (page 18) It is intended that each of the local data sharing partnerships will appoint a data sharing manager to facilitate the work of the partnerships.

In the 2003 Inquiry into the death of Victoria Climbie, Lord Laming's report noted that information sharing is "a matter that Government must address. It is not a matter that can be tackled satisfactorily at local level" (Lord Laming, The Victoria Climbie Inquiry 2003, paragraph 1:44). HMIC acknowledges the progress made since then towards greater information sharing, and supports the view that this issue reaches across all organisational and geographical boundaries.

2.5 The Data Protection Act 1998

The Data Protection Act 1998 ( DPA) became effective on 1 March 2000 and replaced the provisions of the previous 1984 Act. The DPA contains the following eight principles:

1) Information must be processed fairly and lawfully

In most cases this relates to an individual's consent to having his or her personal information processed - for example, data protection notices in application forms. When the information contains sensitive data, e.g. trade union membership or health details, then explicit consent must be obtained and recorded. There are exemptions to this requirement that can be applied to information processing for 'policing' purposes, e.g. for preventing or detecting crime, or apprehending or prosecuting offenders.

2) Information must be obtained for one or more specified and lawful purposes (as per the notification)

Data obtained for a specific purpose, e.g. personnel/employee administration, can only be used for that purpose. The purpose(s) of obtaining and retaining the information, arrangements for processing it, as well as the sources and disclosures for the data, must be notified to the (Data Protection) Information Commissioner. Such notification provides the basis for retaining and using the data.

3) Must be adequate, relevant and not excessive for the purpose

4) Must be accurate and, where necessary, up to date

Obviously information should be appropriate for its intended use and maintained accurately. Information that is not necessary for the purpose, which could therefore be classed as 'excessive', should not be requested or retained.

5) Must not be kept longer than necessary for the specified purpose

There should be retention policies for the information retained, in accordance with the purpose identified.

6) Must be accessible to the individual concerned

Individuals have a right to access and obtain copies of their own personal data - though not that relating to a third party. This provision is to allow individuals to check that information retained about them is accurate and appropriate.

7) Must be surrounded by proper security

Processors of personal data are obliged to ensure that appropriate technical and organisational measures are taken to protect the data held. Where government protective marking is used, further security implications may apply to certain information.

8) Must not be transferred out with the European Economic Area ( EEA) except in certain circumstances

If there is a requirement to process or share information with a country not within the EEA, steps should be taken to ensure that the data protection principles are taken into account.

From an information sharing perspective, organisations which process personal data must take due cognisance of the data protection principles at every stage. Each organisation is expected to adopt appropriate guidelines or protocols, within the lawful authorities, to process, secure and retain data. In light of Principle 6 regarding access by individuals, and following the introduction of the Freedom of Information (Scotland) Act 2002 ( FOISA) on 1 January 2005, the process for dealing with requests for information from an organisation other than the one the information originated from, must be clarified from the outset. The timescales for dealing with requests under either Act must be adhered to.

Historically the police service has viewed the DPA as an inhibiting piece of legislation. This position, whilst perhaps understandable when first adopted, has undoubtedly had a negative effect on the quality and quantity of information being shared between forces and with partner agencies. The Bichard Inquiry commented that misinterpretation of the DPA prevented partner agencies from delivering an effective service. The report advocated that "better guidance is needed in the collection, retention, deletion, use and sharing of information, so that police officers, social workers and other professionals can feel more confident in using information properly" (The Bichard Inquiry 2004, 4:23).

The police service was not alone in its restrictive interpretation of the DPA. Partner agencies have also used the Act as an excuse for not sharing information. The recent MacLeod short-life working group was established to examine the national guidance on information sharing between the National Health Service ( NHS) and police. This group was set up as a result of uncertainties over the extent of any duty of confidentiality placed upon NHS staff, identified during inquires into the deaths of Rory Blackhall and Simon Harris in West Lothian in 2005 (referred to in Chapter 3 page 32).

As recently as September 2006, an HM Government document - 'Information Sharing Vision Statement' - identified that "[w]e must, of course, properly use the provisions of the Data Protection Act as a safeguard to protect privacy and confidentiality but it must not be used to justify unnecessary barriers to sharing information" ( HM Government Information Sharing Vision Statement 2006, point no. 8).

HMIC also concurs with the vision statement's assertion that the DPA contains sufficient safeguards and that "within the law, it is possible for there to be greater information sharing than currently occurs - and this can be combined with proper respect for the individual's privacy" (ibid, point no. 9).

The Inspection has revealed issues relating to legislative competency and compliance in respect of the Data Protection Act 1998 at operational levels within the police service. The question of training is discussed later in this report and HMIC accepts that improved training on data protection issues may go some way to resolving this difficulty. However, it is suggested that positioning data protection sections within force organisational structures as administrative, as opposed to operational, functions has not helped to discourage an inward facing tendency. The effect can be a negative, protectionist attitude towards data sharing within the force concerned as a whole. HMIC believes that there is a need to ensure that the DPA is interpreted as enabling legislation which encourages data sharing, especially in the high-risk business areas of child protection and vulnerable adults. Achieving this will require a change of culture within the police service in Scotland: that is, moving from a default position of data custody to one where the presumption is in favour of data disclosure. HMIC considers that one way of contributing towards that change would be to realign the position of data protection departments within forces.

2.6 Safeguarding Vulnerable People

Policing is a continuous risk management exercise. It is therefore essential to recognise that fundamental elements of intelligence and information sharing present some of the areas of highest risk. The need to deliver effective data sharing is most apparent in the headline-making, high-risk areas of protecting those vulnerable people in society who are most at risk.

Safeguarding vulnerable adults and children is a multi-agency function, where inter-agency working is essential to ensure that those concerned are protected effectively. The Laming report identified that "[t]he future lies with those managers who can demonstrate the capacity to work across organisational boundaries. Such boundaries will always exist… the safeguarding of children must not be placed in jeopardy by individual preference" (Lord Laming, Victoria Climbie Inquiry 2003, paragraph 1:37).

2.7 Child Protection

There have been many high profile cases and subsequent inquiries in which the arrangements for intelligence and information sharing have come under scrutiny. These include events in Cleveland, Orkney, the Western Isles and Edinburgh, along with the more recent inquiry into the deaths in Soham and the report by Lord Laming referred to elsewhere in this document. Most of these reports have identified, among other matters, that inadequate information sharing across organisational borders has been a contributory factor in the failure of public services to protect the public in these high-risk areas. Lord Laming's report proposed that "[i]mprovements to the way information is exchanged within and between agencies are imperative if children are to be adequately safeguarded… each agency must accept responsibility for making sure that information passed to another agency is clear and the recipients should query any points of uncertainty" (Lord Laming, The Victoria Climbie Inquiry 2003, p.9).

During the inspection HMIC found that, while all the relevant agencies involved in child protection in Scotland are moving towards greater information sharing, this is being undertaken on an ad hoc, regional basis. What is equally apparent is that the commitment of individual practitioners, in all services, is impressive. But that fact in itself, when viewed alongside some of the lingering cultural obstacles, means that there can be an over-reliance upon personal relationships in establishing the basis and format for information sharing.

The Inspection revealed that information sharing between agencies is often conducted through local information sharing protocols that take into account the relevant legislation from the Data Protection Act 1998, Freedom of Information Act 2002, Human Rights Act 1998 and the Children (Scotland) Act 1995. However, there is no universal structure for these protocols and no formal register to monitor their effectiveness.

HMIC recognises the importance of relationships in establishing foundations for enhanced information sharing. Strong relationships will normally build trust between individuals that will lead to greater information sharing. HMIC considers that the ability to develop effective working relationships by personnel who possess strong interpersonal skills, are effective communicators and have good negotiating skills, is vital for personnel working in partnership or in outward-facing positions. These necessary qualities should be reflected in the personal competencies or person specification for such positions. This is especially true for posts within co-located units, but also applies to all posts which involve a significant degree of direct contact between agencies.

Nonetheless, whatever the role of relationships they cannot be allowed to dictate the framework for information sharing. Any data sharing structure which is overly reliant upon relationships creates an unnecessary additional degree of risk. Information sharing on this basis has no consistency. No individual, or group of individuals, can or should be relied upon to determine the quality and thresholds of when to share information. Irrespective of the pressure this system places upon these individuals, it would represent a clear failure if information was only to be shared when a specified person was on duty. This would not be an effective method of protecting the public. The Inspectorate also cautions that over-reliance on the quality of individual relationships and levels of trust can be catastrophic to critical information sharing systems when post-holders move. There have to be systems and channels of information sharing that operate effectively, no matter who the post-holders are.

Information sharing protocols give individuals within each organisation the security to share data. However, they do not of themselves create an environment for sharing. Such an environment can only be engendered through strong strategic leadership and commitment, training and confidence. One of the means of consolidating training and achieving that confidence is to apply a formal decision-making process to data sharing that is based upon sound analysis. Consistent information sharing across an organisation and over time can best be achieved within a formalised structure.

Ad hoc arrangements which are overly reliant upon relationships can create a lottery for public safety.

Scenario

Information relating to a child in Area A is shared by health professionals with the police. The combination of this with other information known to the police leads to action being taken by the relevant agencies using the powers conferred on them. An initial referral discussion is called, and the child is removed to a place of safety.

Identical information relating to a child in Area B is not shared by health professionals with the police. This results in the child remaining with the people who pose the risk. This lack of information sharing culminates in the child suffering serious harm.

Whatever the strength of any existing individual framework for child protection, no single agency is able to know the true value of any single individual piece of information it possesses. This creates a situation where sharing decisions necessarily start from a position of incomplete information, and so might well only be directed at those partners indicated by that incomplete information. This can introduce an element of guesswork which exacerbates the risk.

2.8 'Getting It Right For Every Child' ( GIRFEC)

Following the 2004 review of the Children's Hearing system, a consultation document 'Getting It Right For Every Child - Proposals for Action' was published in June 2005. This led to the 'Getting It Right For Every Child: Implementation Plan', which was published on 22 June 2006. The plan contains proposals for reforming the delivery of children's services, including the Children's Hearing system. The aim is to place a greater focus on improving outcomes for children.

Implementation was originally intended to involve a three-pronged approach of the following:

• Practice change: developing the tools professionals need to do their jobs better - a single assessment record and plan, practice guidance and skills development.
• Removing any barriers that get in the way of joined up working and prevent more timely and appropriate responses for children.
• Legislation: placing new duties on agencies to co-operate with each other and share information.

The aim is to deliver a child-centred approach by ensuring that agencies work together to assess, plan and deliver improved outcomes for children, particularly those who are vulnerable or at risk. All children should get the help they need, when they need it, from services that are planned and delivered in an integrated way at a local level. It is intended that the agencies and practitioners working with children will work together to ensure that children's needs are met in the most appropriate, proportionate and timely way.

In order to achieve the GIRFEC agenda there is a proposal for developing a 'prototype' ICT system that could facilitate information sharing. The system will be designed to enable the existing systems of individual agencies to be adapted to support the single assessment record and plan. Entries made on the single assessment by any agency and input into the system electronically will have the potential to populate a multi-agency electronic 'store'. Relevant partner agencies can then access this when they have concerns about a child and wish to check who else may be involved (see also Model 1 on page 15). Depending on the information and its assessment of the child's needs, the agency can then proceed either to take action or to consult with relevant agencies over what plan may be needed for the child.

The new Executive will consider legislation to support 'Getting It Right For Every Child' after the elections in May 2007. The proposals for legislation were set out in the consultation document on Getting it Right. It is expected to place duties on all agencies to be alert to the needs of every child and to take appropriate action as required, if necessary on a multi-agency basis. It is also anticipated that, where multi-agency action is necessary, the legislative proposals will require a lead professional to be appointed to ensure that the agreed action is taken forward and improved outcomes for the child are secured.

A principle of 'Getting It Right For Every Child' is that the consent of parents/carers to share information should be secured wherever possible. HMIC accepts this principle, but believes that "wherever possible" must be taken to mean that consent should not be sought where there is any reasonable suspicion that doing so will put a child at further risk. Nor is there any requirement in either the Data Protection Act 1998 or the Children (Scotland) Act 1995 to seek consent. It follows that, in circumstances where the act of seeking consent might increase the risk of harm to a child, discretion must be deliberately exercised NOT to seek consent.

HMIC acknowledges the ambition and vision of the GIRFEC agenda, and supports the progression towards greater integration of public services in delivering public safety.

2.9 Protection of Vulnerable Groups (Scotland) Bill ('Bichard Legislation')

Provisions to disclose information where a child is at risk are the subject of proposed legislation currently before the Scottish Parliament, in the Protection of Vulnerable Groups (Scotland) Bill. The aim was to remove any existing confusion and conflicting information in order to place a primary duty for information to be shared to protect children from harm.

This obligation was not to be placed on the individual professionals but upon their organisations, which would have been held corporately accountable for any failures to share information. Simultaneously, there was to have been a parallel obligation on each agency to provide a concurrent support framework for their staff. Unfortunately, in HMIC's view, at the time of writing, this part of the legislative proposals appears likely to be dropped during Parliamentary consideration of the Bill in early 2007. Nevertheless, Scottish Ministers still intend to produce a code of practice with guidance on sharing child protection information. Although the code will not specifically oblige professionals to share information electronically, there will clearly be training and ICT implications for the police service in Scotland in order to comply with the code. (Referred to in Chapter 6, page 66)

HMIC recognises that these and any future proposals will require direct action from the police service if it is to meet its responsibilities. ACPOS is already working on this and is seeking to clarify some of the issues associated with the legislation.

HMIC strongly supported the direction in which advances in child protection were heading as part of the GIRFEC agenda and the Protection of Vulnerable Groups (Scotland) Bill. While imposing a legal duty to share information in the interests of child protection is apparently no longer on the table, Ministers have not ruled out that possibility for the future, and the Parliamentary objections appear to have been based on a perceived lack of consultation on the subject. HMIC is therefore hopeful that publication of this thematic inspection report will afford all interested parties the opportunity to discuss an alternative approach to achieving the same end, as proposed below.

The issues considered during this Inspection suggest a need both to lower the threshold for information sharing even further than originally proposed by the Scottish Executive, and to give greater assurance to professionals on the security of that information. The GIRFEC programme may still require this to be addressed, as 'Getting It Right For Every Child' applies to all children and not just those who are most vulnerable or at risk. Relying on the criterion of "risk of serious harm" or "significant need" ( HMIC understands that these definitions are still being considered at the time of writing) may be correct in so far as taking action to intervene. But HMIC believes that this sets the bar too high for information sharing. It means that little things which, considered in isolation, may not mean very much but which might be part of a much more serious picture, could be ignored at great risk. A far better approach to protecting children and vulnerable adults in the future would surely be one involving more assessments, a higher proportion of which resulted in no interim action, rather than one which in concentrating only on critical cases allowed other serious cases to be missed.

In considering the implications of this HMIC has noted the finding of many reviews of protection failures in the UK (including the most recent in Scotland) that, while each of the separate pieces of information about the risk to the child was known to public services, no one agency or person was aware of all the information. Protection failures often occurred because these isolated pieces of information may not have, in themselves, given cause for concern that the child (or vulnerable adult) was at risk of serious harm. The Inspectorate assesses that, even if all the Bichard and GIRFEC reforms had been implemented, failures as a result of not integrating available information could still have occurred.

Scenario

Kirsty is a 10-year-old child. Her teacher observes that she has recently been consistently absent from school. The teacher notices that this is unusual.

At the same time local police officers have information relating to domestic abuse between Kirsty's mother and her new partner.

The social services have information about the adverse home conditions in which Kirsty is currently living.

Health professionals have concerns over a non-accidental injury that has been inflicted on Kirsty's younger brother.

No element of information viewed in isolation gives a clear picture, and some of the elements might not suggest a need for contact with another agency. The true value of the information can only be ascertained when all elements are put together and a collective, shared assessment of the information is undertaken.

While acknowledging the protection afforded to all by the European Convention on Human Rights, it may be that we need to remind ourselves that the state, through its public services, has a greater duty of protection for children and vulnerable adults than it does for other people.

Police experience and skills in this area have developed over recent decades. But neither the police service in Scotland, nor HMIC, would claim that police staff are the most proficient in recognising the first signs of possible risk in children and vulnerable adults, nor in knowing how to protect them once they are identified. What the service is incrementally developing a leading expertise in is managing intelligence. This has required a cultural shift away from the idea that one practitioner seeks, collects, assesses and decides upon the action merited by his/her own intelligence. Instead, the more rational, effective view now is that intelligence cannot be assessed in isolation, that the intelligence gatherer may not be the best person to make use of that intelligence, and that assessing risk to subject and source is best carried out by those who have been specifically trained and have an aptitude for doing so. This has led to the creation of structures and frameworks in which to achieve this and to preserve and protect sources. The most recognisable part of this structure to the layman is perhaps the 'intelligence cell' - the hub of trained staff who provide that professionalism, consistency and confidence.

The current multi-agency structures for protecting children and vulnerable adults do not yet facilitate a holistic view of all existing information held by partners about an individual. Partners need to provide a joined-up service which removes organisational, professional and cultural barriers without compromising safety and standards. As reported in 'It's Everyone's Job to Make Sure I'm Alright', which was the 2002 Report of the Child Protection Audit and Review: "The current strengths of Child Protection Committees lie in their role in co-ordinating information exchange, procedures and training". The subsequent Scottish Executive guidance for these committees, contained in 'Protecting Children and Young People: Child Protection Committees', made clear that "[t]he CPC is the primary strategic planning mechanism for inter-agency child protection work in each area". More recently the Scottish Executive vision for overall public service reform is for a 'user focused' climate which advocates greater partnership working and integrated service delivery. HMIC believes that the combination of these imperatives is particularly relevant to information sharing between separate professions, and that there are opportunities for all public service providers to contribute to real improvements in public safety.

The advantages of collaborative working include improved services, preventing people from falling through the gaps, and reducing overlap and duplication. All agencies need to be flexible and work together across common boundaries to meet agreed priority goals. This requires cultural change within agencies and may require the removal of barriers to joint working through the type of government interventions currently being pursued, with some further refinement.

HMIC suggests that an effective system for information sharing to protect children and vulnerable adults would involve all of the following key elements, some of which are based on the proven concept of the intelligence cell:

• a lower threshold of concern as part of the criteria for sharing information on children and vulnerable adults;
• lead agency responsibility for collating information;
• lead agency responsibility for initial consideration of collated information;
• the most sensitive information 'locked' until the source agency or some independent arbiter agrees that further sharing is necessary;
• an equivalent duty on all agencies to share information on children and vulnerable adults; and
• agreed 'trigger' criteria, leading to a single shared assessment that generates co-ordinated and informed action.

This would suggest that for every one of the 30 child protection committee areas (or for some in partnership with neighbouring areas), a central pool of information would be collated from, and accessible with appropriate degrees of access to, all the agencies involved. Only when all the available information about a child is collated from every agency - i.e. not just from those agencies that initially recognised the need - can a single shared assessment be achieved. The difficulties in achieving this at times when not all the agencies involved are available, i.e. 'out of office hours', is acknowledged. However, this may need to be addressed as a result of the recommendation below.

HMIC is also keenly aware that there are many public service generalist practitioners in Scotland who have contact with children and vulnerable adults, but who do not specialise in protecting these vulnerable groups and may only very rarely be involved in dealing with critical cases. Creating a system that could overcome this lack of experience and exposure would be extremely expensive. Moreover, it is doubtful to what extent training could instil the requisite skills and knowledge to recognise and act upon 'trigger' criteria on the infrequent occasions that these practitioners are faced with them. A better solution would be to raise awareness amongst this group, as recommended by 'It's Everyone's Job to Make Sure I'm Alright', and to implement a system which encourages them to offer information; assurance could be given that the information they give will only be shared if additional information is forthcoming, and sometimes only then with their subsequent permission. Decision making could then be restricted to a limited number of key personnel who can be properly trained.

The Inspectorate believes that the following recommendation contains all of the key elements identified in the paragraphs above, and takes account of the need to focus decision-making on experienced and skilled personnel. However HMIC has not scoped the volume of work which either this recommendation, or the suggestion above for lowering the thresholds for sharing information, would create. It stands to reason that low thresholds for information sharing (not necessarily for taking action) in this area of public safety will inevitably entail greater costs than higher thresholds would. A solution that falls somewhere between what HMIC recommends and the status quo may be more practicable, but would be a matter more of affordability and efficiency than effectiveness.

The proposal is aimed at gaining the co-operation of those professionals who are properly concerned about the confidentiality of personal information and the effect of unjustified disclosure on public welfare. That co-operation can only be obtained by creating a secure and carefully guarded system which is transparently trustworthy and over which the professionals themselves have ultimate control.

It might be argued that concentrating too much on improving information sharing in this difficult field shifts attention away from the more important business of agreeing on and executing whatever action is necessary. HMIC is in no doubt that providing the most appropriate and effective service to a child or vulnerable adult, or deciding not to act as the case may be, is the most important aspect of protection. However, it is also true to say that public services and their practitioners across Scotland may fail children and vulnerable adults if they do not have the means of consistently and more frequently getting to the point at which an informed decision to act can be made. Lack of judgement may well be a weakness, but failing to gather available information when the need to do so has been recognised is difficult to defend.

These recommendations aim to overcome the challenges involved in personal, case-specific data sharing between agencies. However there is still a need to recognise the value in greater sharing of aggregated, non-personal data. There is no need for legislation to enable this. Proper analysis of trends and volume across organisational boundaries should help to make effective service delivery decisions and overcome the historical effects of 'silo working'.

2.10 Vulnerable Adults

Safeguarding vulnerable adults is a priority for the Government and all relevant public services. A growing awareness and documentation of the range, level and frequency of abuse towards vulnerable adults has resulted in a national drive for improved protection, led by the Scottish Executive.

The Adults with Incapacity (Scotland) Act 2000 changes the system for safeguarding the welfare, and managing the finances and property, of adults aged 16 and over who are unable to make some or all of these decisions for themselves because of mental disorder or inability to communicate by any means.

In order to provide suitable protection for vulnerable adults, multi-agency guidelines have been developed and currently operate on a regional basis between partner agencies across Scotland. These guidelines rely on regional information sharing protocols, similar to those used in child protection.

The benefits and risks associated with regional information sharing protocols and the role of relationships are almost, if not, identical to those addressed earlier in this Chapter with regard to child protection.

Notwithstanding the specific legislation that relates to protecting vulnerable adults and children, HMIC accepts that both require a collaborative response from the partners involved. Improved intelligence and information sharing between these partners is central to enhancing service delivery in these high-risk areas.

2.11 Health Service Records

HMIC is aware that the confidentiality of health records presents a particular challenge when considering the wider needs of everyone. The earlier recommendation for a single agency to collate child protection information does not resolve that issue for adults. There may be a need to look at the feasibility of applying to adults the type of sharing arrangements recommended for children and vulnerable adults at recommendations 2A and 2B, but with a higher criterion of risk of harm.

Considerable progress in information sharing between the NHS and police service has been achieved through the MacLeod short-life working group recommendations, discussed in depth in Chapter 3 (page 32). These recommendations advocate that police requests for information should not be refused solely on the grounds that all health information is confidential.

HMIC recognises that further significant consultation is required to deliver these recommendations successfully. Creating an information sharing group between the police and Health to advance these discussions would be of considerable benefit.

2.12 The Policing Perspective

The preceding paragraphs have discussed the national perspective with reference to Scottish Executive and UK Government policy issues, taking account of the impact on policing matters. The remaining part of the chapter examines the issue of intelligence and information sharing from a police strategy and policy viewpoint.

Strategy and policy development within the police service in Scotland is overseen by the Association of Chief Police Officers in Scotland ( ACPOS), whose structure is organised around a range of specific business areas. Policy is agreed at the ACPOS Council, which comprises all chief constables and other relevant representatives. ACPOS and the Scottish Executive regularly liaise over a wide range of policy development.

During this inspection HMIC observed that the weight of ACPOS activity in relation to intelligence and information sharing has concentrated on intelligence. This is understandable given the development of the National Intelligence Model and the Scottish Intelligence Database, which are discussed in the following paragraphs, and the Bichard recommendations as already mentioned.

The increased threat from terrorism and other imperatives has brought a firmer focus to this work and a recognition of the importance of information sharing as a separate but linked matter. To date information sharing has been practiced widely, but with an unstructured approach. ACPOS is now developing improved arrangements for police ICT convergence across the eight forces in Scotland simultaneously with improved business change arrangements. These developments are discussed in the following paragraphs, and provide real opportunities for improving the way in which information is handled in the service.

2.13 The National Intelligence Model

Historically the police service has had some difficulty in effectively collating and analysing information and data on crime and disorder across the organisational boundaries of both police forces and other agencies. The lack of common ICT systems and common standards has made comparisons and the aggregation of data difficult. Recent work by the Violence Reduction Unit in Strathclyde, provides a good example of how some of these obstacles can be overcome.

The police service has adopted a national business model - the National Intelligence Model ( NIM) - which facilitates improved business planning. The NIM ensures that information is used in a way that enables managers to determine strategic direction, make tactical and resourcing decisions and manage risk. It is an intelligence-led model which encourages proper examination and analysis of all available information, and decision-making based on sound evidence.

Four main products emerge from the NIM process and these are:

• The strategic assessment. This drives the business of the NIM and provides an overview of current and long-term issues.
• The tactical assessment. This defines short-term issues, comparing current figures to seasonal averages and makes recommendations in accordance with the control strategy (see below).
• Target profiles. These bring together information leading to a greater understanding of a person or group of people, for example a gang of people engaged in criminal or anti-social behaviour.
• Problem profiles. These provide information leading to a greater understanding of a problem, perhaps involving a series of crimes or incidents or a hot-spot location, and make recommendations for tactical resolution.

The NIM is simply the framework that links all aspects of business planning. Having completed a strategic assessment from a comprehensive environmental scanning exercise, a control strategy will be set for the area concerned at a strategic tasking and co-ordinating group meeting. The control strategy is derived from the strategic assessment and sets the long-term priorities to be tackled under the headings in the tactical assessment document (crime prevention, intelligence and enforcement).

The NIM operates over three geographical levels. Broadly speaking, level 1 deals with local issues as found in a police division or command unit, level 2 with force and regional issues, and level 3 with national issues.

Information used by the NIM is gathered from a variety of sources, including reports of criminal activity, reports of road accidents, criminal intelligence and, in the forces which have adopted this good practice, relevant statistical information from partners. Once collated, this information is analysed by the intelligence unit, which produces the four 'products' indicated above. After analysis, the NIM aims to ensure that the information is used in an effective and efficient manner by identifying problems, prioritising them and allocating an appropriate response.

Central to the NIM is the tasking and co-ordinating group ( TACG) process, which operates at all three levels. A tasking and co-ordinating group comprises key representatives from the geographical area under examination, who consider the resources available and prioritise activity for a specified period in a focused fashion. Resourcing decisions are generally aligned to priorities identified within the control strategy and take into account the nature of crimes and or incidents, what is known of the suspects/perpetrators/victims, and any hot-spot locations.

The NIM is not just about intelligence or policing. The principles are very similar to those used in other risk businesses in the public and private sectors, like public health or fund management. It follows that the NIM business model can be applied beyond crime and anti-social behaviour to deliver more effective community safety and partnership working. In some forces, relevant partners are invited to the strategic and tactical tasking and co-ordinating group meetings. HMIC commends this as good practice.

The development of neighbourhood policing has led to the introduction of local action groups. These are multi-agency groups that co-ordinate local neighbourhood operations aimed at the effective tactical resolution of local priorities within the NIM parameters. It is at this level that problem-solving partnerships or the problem-oriented policing model sits. Problem-oriented policing is where partners work together to identify and tackle specific problems, usually short term and connected with either a location, a victim, a perpetrator or perpetrators, e.g. a known anti-social behaviour hot spot. HMIC believes that any community intelligence opportunities arising from these meetings must be tied into the police intelligence system using the Scottish Intelligence Database.

2.14 Criminal intelligence and Community intelligence

The police service in Scotland has a single over-arching system for the storing data that have been assessed as intelligence: the Scottish Intelligence Database ( SID). This provides clear unambiguous rules, conventions and data standards in accordance with the Guidance on the Management of Police Information 2006 © ACPO 2006 and the forthcoming ACPOS version of that document, the Human Rights Act 1998 and the Data Protection Act 1998. The SID system is the single repository for all criminal intelligence and HMIC is aware of the work currently being undertaken by ACPOS to advance new and improved versions of the SID. This will allow interfaces to be developed with other national information and intelligence systems, including the Violent Offender and Sexual Offender Register ( ViSOR) and the Criminal History System ( CHS), with links to Automatic Number Plate Recognition ( ANPR) and individual force data warehouses.

Intelligence across Scotland was previously held in disparate databases within each force. There was no ICT mechanism to share intelligence and officers had no knowledge of the intelligence requirements of other forces or whether a piece of intelligence they possessed might assist in securing an arrest in a neighbouring area. The SID system means that Scotland is the first country in the UK to exploit technology successfully to achieve true cross-border policing and intelligence sharing. SID delivers a unified approach and facilitates communication across traditional boundaries, improving the consistency and accessibility of information and allowing Scottish forces to deliver improved value for money and safer communities.

SID is also the nationally recognised method of recording what has become known as 'community intelligence'. The definition of community intelligence recognised by ACPOS is: "Local information which, when assessed, provides intelligence on issues that affect neighbourhoods, and informs both strategic and operational perspectives in the policing of local communities. Information may be direct or indirect and come from a diverse range of sources including community and partner agencies." HMIC is aware that this definition of community intelligence will also be adopted in the Scottish version of the Management of Police Information ( MOPI) guidance document, which is discussed later (page 27).

One of the ways of promoting consistency and integrity of intelligence data on SID is to apply nationally defined standard grounds for entry. Standard grounds are established where it is believed that recording and disseminating intelligence material is likely to be of value in:

• the interests of national security;
• preventing or detecting crime and disorder;
• maintaining community safety;
• assessing or collecting any tax or duty/imposition of a similar nature; or
• otherwise serving a significant public interest.

The standard grounds form the basis of the Rules, Conventions and Data Standards, which is an ACPOS document governing the way in which data is entered and retained in the SID.

During the inspection, HMIC noted the proposal to record community intelligence entries under one of several related sub headings, refined to differentiate between different types of community intelligence, such as Antisocial Behaviour, Feuds, Gang Activity, Licensing Issues, Community Tensions and Youth Disorder. In addition a new heading of 'lifestyle' has also now been created to manage a specific type of Community Intelligence relating to an individual(s), but which will require further development. Such entries would cover instances when entities (such as telephone numbers, vehicles and addresses) are identified in the absence of any other information which would justify retention under the Standard Ground, but where the entities are linked to 'nominals' who are worthy of note.

Using these headings will make the quality of life issues and tension indicators associated with community intelligence easier to assess. The information gleaned from this process will result in action being taken to address these issues through the National Intelligence Model ( NIM) tasking and co-ordination process described earlier.

HMIC welcomes this clear and straightforward guidance. However, the inspection found that where community information does not meet the standard grounds for recording in the SID, it is routinely retained in other data repositories, e.g. command and control or crime management systems. If a force cannot extract this type of information from systems easily, for example due to technological difficulties, it is clear that collecting such information may be wasted effort or that the potential to use the information will be lost. Similarly, where such information cannot be shared in a national system, the inherent dangers of geographical boundary constraints come into play.

Partner organisations also often hold community information. Forces should adopt strategies that allow them access to this information, in order to assess its suitability for inclusion on SID. HMIC has noted that when partner agencies are aware of the purpose of storing this information on SID, and of the integrity of the system, they are more likely to assist than when they are unaware of these factors.

2.15 Scottish Criminal Record Office

The Bichard recommendations and Laming Report have, properly, imposed additional demands and expectations on the wider criminal justice system in terms of efficient and effective sharing of accurate data within the areas of child protection and public safety.

This environment creates an opportunity to review the existing data sharing arrangements involving the Scottish Criminal Record Office ( SCRO) and partner agencies, regarding access to the Criminal History System ( CHS). Developments to existing business practices could result in improved efficiency savings.

Currently, the Crown Office and Procurator Fiscal Service ( COPFS) is given restricted access to CHS. The result of this is that individual force record offices provide CHS information to COPFS on both accused and witnesses. Whilst HMIC accepts that some movement has been made in this area, a forthcoming pilot scheme that will allow COPFS access to previous convictions of witnesses suggests that the current level of access is too restrictive.

The proposed pilot will allow COPFS to access criminal histories using an individual's SCRO number only. To facilitate this police forces have adapted their reporting procedures so that, where applicable, statements will include the SCRO number of each individual. This process means that the administrative and resource burden of completing the task still rests with the police.

Scenario

Under the existing system, when a police officer reports an offender for a crime or a series of crimes where there were civilian witnesses, the relevant police force has to:

• use trained staff with access to an SCRO terminal to search CHS under the nominal for each individual witness
• if a CHS record exists, print the record
• physically deliver 'hard' copies of each record to the relevant prosecuting authority.

The proposed pilot, allowing COPFS greater access to CHS, would still result in the police service having to:

• use trained staff with access to an SCRO terminal to search CHS under the nominal for each individual
• add the relevant SCRO number to each witness statement.

Once in receipt of the relevant SCRO number, a COPFS employee will duplicate the work already completed by searching CHS using the SCRO number, to print a copy of the relevant record. Clearly this approach will not assist in improving the timeliness of the overall criminal justice process.

In practice in both situations police human and ICT resources are being used without delivering a tangible policing product.

Many agencies have a legitimate need to access CHS. For example, when a Specialist Reporting Agency ( SRA), such as Her Majesty's Revenue and Customs ( HMRC) or the Driver and Vehicle Licensing Authority ( DVLA), wants to report a case to the procurator fiscal, a force record office has to create the record on CHS and then supply a court print for the procurator fiscal. These overly complicated procedures slow the reporting process for these agencies and generate wasted effort by record offices at the expense of police authorities.

The needless bureaucracy in both these examples illustrates the potential efficiency gains that could be realised by allowing greater access to CHS.

HMIC is aware that ACPOS previously decided that creating and updating offender records should be the sole remit of force record offices. The rationale behind this decision was to preserve the integrity of data standards. HMIC also recognises ACPOS' decision to review the 'create and update' work of individual force record offices on behalf of SRAs. The proposal to establish an Agency Support Bureau within SCRO, to accommodate the work of SRAs, would certainly represent progress.

However HMIC believes that police authorities can no longer afford to subsidise other criminal justice partners by absorbing these inefficiencies. Both require more fundamental changes of approach. It must be possible for partner agencies to introduce vetting, training and systems to achieve the integrity required for the CHS. Equally, the introduction of an Agency Support Bureau within SCRO perpetuates the misapprehension that resolving the problem of SRA access rests within and at the expense of the police service alone. Allowing identified partners in the criminal justice process greater access to CHS would enable all partners to work more efficiently, consequently improving the criminal justice process.

HMIC believes the traditional view that the police alone should manage the CHS should be reconsidered. The needs of criminal justice partners must be more carefully considered against the efficiency of the whole criminal justice process.

During the HMIC inspection of SCRO in 2004 HMIC recommended that:

' ACPOS consult with the Scottish Executive to determine a formal framework which protects the interests of all stakeholders in maintaining accurate CHS, but which facilitates the increased efficiency in working practices which ISCJIS offers (paragraph 5.109).'

In light of opportunities now emerging at national level, not least the creation of the Scottish Police Service Authority from 1 April 2007, it may now be appropriate to return to this.

HMIC accepts that any extension of access to the CHS would have to be supported by a robust structure of governance. This structure should include common data standards and universal protocols, and be underpinned by a rigorous auditing system. However, all such conditions of access must be reasonable and must not create unnecessary disincentives to deter partner agencies.

Meaningful progress in this area may require re-visiting the debate over the role of the eight chief constables as data controllers of SCRO. HMIC has already recommended, in a Review Inspection Report on the Scottish Criminal Record Office (published in December 2006) that the ownership of data on the CHS be reviewed. The additional reasons given here simply give greater weight to that recommendation and so it is repeated here. Seeking Scottish Executive leadership in this matter (perhaps with the assistance of the National Criminal Justice Board) for the benefit of the criminal justice community could be the practical development that is needed to deliver the necessary changes.

2.16 Management of Police Information ( MOPI)

A manual of guidance on the Management of Police Information is being developed for the Association of Chief Police Officers in Scotland. It is derived from a similar document produced by the National Centre for Policing Excellence on behalf of the Association of Chief Police Officers in England and Wales, following the publication in July 2005 of the associated code of practice. The code of practice formed part of the government response to recommendations made by Sir Michael Bichard, following his inquiry into the circumstances around the murders of Jessica Chapman and Holly Wells in Soham. The IMPACT Programme, discussed later in this report, is responsible for delivering on the Bichard recommendations for ACPO and the Home Office. ACPOS is working closely with the programme and this work includes delivering a replacement for the PNC by 2010. This is also the latest timeframe for achieving the standards associated with the guidance on Management of Police Information according to the IMPACT Programme.

ACPOS has endorsed the use of the adapted ACPO guidance manual as the Scottish framework for managing police information, a key element of which is the need for common standards in high-risk areas of activity.

The manual defines policing purposes in terms of information management. Policing purposes have deliberately been described at a high level and are intended to be inclusive. The definition does not incorporate every policing activity and no existing legal power or duty on the police is superseded. The fact that these policing purposes do not specifically refer to an activity, e.g. road policing, protecting vulnerable persons or counter-terrorism, does not in any way imply that this is not a legitimate activity for the purposes of police information management. It is important to distinguish between information that is collected for a policing purpose which is covered by the guidance, e.g. crime records or custody records, and information ancillary to a policing purpose, e.g. personnel, pay or invoice records, which are not covered.

This guidance is subject to a nationally agreed implementation strategy, oversight of which lies with the ACPOSNIM Development Project. This involves attaining associated threshold standards, which will be subject to a phased implementation. These standards sit outside the guidance itself, but are part of the overall package for chief officers to take account of in terms of police information management.

The phased implementation of the guidance on the Management of Police Information recognises the challenge for the police service in Scotland at this time. The focus of activity in the initial phase will be on the following six areas, considered to present the highest threat and risk to the service in terms of information management:

• crime
• intelligence
• domestic violence
• child abuse investigations
• firearms revocations and refusals
• custody.

The emphasis for the first phase will be on the standards relating to infrastructure, policy, processes and procedures. Further phases are likely to follow which will progressively raise standards across the whole area of police information management, subject to understanding the full impact across the police service.

Once implemented it may be useful to conduct a thorough review of the guidance, to ascertain users' views and experiences of it in practice.

It is intended that a timetable of compliance for the initial phase will be agreed in March 2007, once force and SCDEA capability assessments are complete and have been considered by ACPOS.

HMIC commends the work undertaken so far in this regard, and the prioritisation of areas of highest risk for the first phase.

2.17 The Scottish Police Services Authority ( SPSA)

An important development in Scottish policing, which should coincidentally assist forces in working more closely together by way of information and intelligence sharing, will be the creation of the SPSA.

The SPSA will come into being on 1 April 2007, as a result of the Police, Public Order and Criminal Justice (Scotland) Act 2006. It will bring together several existing support services that operate at a number of different locations throughout Scotland and which have developed separately with different cultures and practices. It will also be responsible for establishing a new Scottish Forensic Science Service and providing future national ICT development and support. It is envisaged that in due course SPSA could take on responsibility for an increasing range of police support services on a national basis.

This is an ambitious and high profile initiative which will require strong leadership and change management skills. The challenge is to forge a new, dynamic and expanding organisation as a single national service with its own identity, and to create a platform for developing and improving further support services.

The SPSA will bring together the existing common police services and some entirely new services into a single national body. The support services provided will be:

• training and education - the Scottish Police College ( SPC) at Tulliallan currently provides most formal training for the police service in Scotland. It accommodates up to 650 residential students and a further 3,500 students on short professional development courses each year;
• the development, provision, procurement, maintenance, management, support and oversight of national data and IT systems and records - the Scottish Police Information Strategy ( SPIS) is the body which currently co-ordinates national ICT projects across the police service in Scotland, such as the replacement Criminal History System ( CHS), the Violent and Sex Offenders Register ( ViSOR) and Automatic Number Plate Recognition ( ANPR). The Scottish Criminal Record Office ( SCRO) provides governance for the Scottish Intelligence Database ( SID) and ANPR along with the CHS. The latter system also holds electronic references for fingerprints and images, although these are physically stored at the same location. The convergence and subsequent integration of all police ICT development and procurement will add to this critical mass and should help to create an information synergy which will substantially increase public safety and enhance service;
• a national system for collecting, identifying and verifying forensic evidence (to be known as the Scottish Forensic Science Service).

The SPSA has a duty to provide these support services mentioned, but it will also maintain the Scottish Drug Enforcement Agency ( SDEA). The SDEA was established in 2000 to tackle drug trafficking and other serious organised crime in Scotland, such as hi-tech crime and money laundering. The Police Act re-designates the SDEA as the Scottish Crime and Drug Enforcement Agency ( SCDEA), with new and expanding statutory powers and functions.

HMIC is aware of and welcomes developments that will improve the way business change in the police service in Scotland is co-ordinated. This is particularly relevant to the development of a single ICT directorate and common ICT systems, discussed later in Chapter 5 (page 59).

The SPSA may also take on other shared services over time which do not need to be provided at a local level and may be more efficiently, effectively and consistently delivered by a single organisation.

2.18 Data Sharing Arrangements

Prior to the start of the tournament, a bi-lateral agreement between the German government and the governments of each participating nation was signed. This covered all policing aspects associated with the event and included the facility for information sharing.

In the case of the UK, the Home Office decided to provide the German police with the details of all 3,700 people previously issued with football banning orders under the terms of the Football Disorder Act 2000. These banning orders can be applied for either on conviction for a football-related offence in a criminal court or through a civil court. It is a criminal offence to breach the terms of such an order. The Home Office also gave details of people with football-related convictions. Although no criminal intelligence was provided, such an exchange was permissible under a section of the bi-lateral agreement that allowed the National Football Policing Unit to consider cases on an individual basis.

Where personal information was provided, this was accompanied by a letter signed by the head of the National Football Policing Unit. This letter articulated the terms by which the information was provided, what it could be used for and how long it could be retained. In this case, all such information had to be deleted at the conclusion of the FIFA World Cup.

2.19 Risk Supporters Data Base

In 1994 the German police set up a 'risk supporters database'. All persons with football-related criminal convictions, German football banning orders, convictions for a number of relevant listed offences, or suspected of being involved in football-related violence had their details included on this computer database. For the period of the FIFA Word Cup, all the information concerning risk supporters that had been requested from participating nations was added.

The inspection team discovered that the database was also linked to the principal German police criminal records database, which covers all 16 states and federal police authorities. Any new nominal details could be input by the processing police officer at the same time that he or she was amending or creating a nominal criminal record file, in a single entry data capture process. Thus a standard 'person check' on a nominal in Germany could generate a computer link to relevant information held on the risk supporters database.

2.20 National Police Intelligence and Information Centre ( ZIS - Zentrale Informationsstelle Sporteinsatze)

The role of the ZIS was to:

• collect, evaluate and disseminate all relevant information and intelligence from national and international sources;
• summarise and update the information in a Situation Report;
• integrate central foreign liaison officers;
• deploy and give logistical support to international police delegations.

Strengths

• Effective organisational structure constructed around an existing and proven effective national system.
• Documented strategy for information management.
• Evidence of a co-ordinated effort by all the agencies involved, including the 16 German state police forces, the German Federal Police Force and the international police forces represented, towards the common intelligence and information sharing aim.
• General international information sharing conditions set out in the bi-lateral agreement, which also articulates the conditions for sharing personal information.
• Personal information shared in written form, with an indemnity clause included.
• Agreement to share intelligence via a single point of contact and each case considered on its own merits.
• Guidance for intelligence and information sharing contained in the EU policing handbook.
• Single point of data capture into the computerised intelligence system, including the risk supporters database.
• A computerised intelligence system that could be accessed by all German police services.

Weaknesses

• No process for evaluating the intelligence.
• No evidence of tasking liaison officers as a result of the intelligence.
• Insufficient detail of arrested persons conveyed to the ZIS to allow for further action by the arrested person's national police force.

2.21 Conclusion

There is no doubt that the German police worked closely with other countries and established a significant information and intelligence sharing system for the FIFA World Cup. This operation was built around existing police information and intelligence management arrangements, and included the facility to share information and intelligence between the competing nations.

HMIC is of the opinion that several areas of good practice can be identified. Notably, from a strategic viewpoint, bi-lateral agreements between the German government and the governments of each of the participating nations facilitated the official exchange of crucial information, and, on an individual basis, intelligence relating to the proposed activities of prominent known hooligans.

This process was assisted greatly by a national ICT system, established and provided centrally by the German government and common to all 16 federal state police forces, the national force dealing with cross-border policing, ports and railway policing and the Federal Bureau of Investigation. Incorporated in this national ICT structure is a risk supporters database which contains details of all persons with football-related convictions. This database is linked to the principal German police criminal records database, and these two systems can be updated and cross-populated using a single entry data capture process.

This integrated, single-entry information technology for one aspect of policing demonstrates the type of thinking which the police service in Scotland aspires to for all its systems.