Advanced Search

Gwent Information Exchange Protocol

Crime and Disorder Act 1998 Information Exchange Protocol (Section 115)

Please note - this is a historical document, available only as example of models used in Special Domestic Violence Court pilots and for research purposes

  1. The Gwent Partnership
  2. Purpose and Legitimate Aim
  3. Application
  4. Definitions
  5. Notification
  6. Consent
  7. Requesting/Disclosing Personal Data
  8. Third Parties
  9. Nomination of Staff
  10. Accuracy of Data
  11. Retention of Data
  12. Security of Data
  13. Data Subject Requests
  14. Complaints
  15. Confidentiality
  16. Compliance and Good Practice
  17. Indemnity
  18. Certification
  19. Publication
  20. Non Discriminatory Clause

  1. The Gwent Partnership
  2. Heddlu Gwent Police
    Gwent Probation Service
    Gwent Health Authority
    Blaenau Gwent County Borough Council
    Caerphilly County Borough Council
    Newport City Council
    Monmouthshire County Council
    Torfaen County Borough Council
    Monmouthshire Youth Offending Team
    Newport Youth Offending Team
    Blaenau Gwent/Caerphilly Youth Offending Team
    South East Wales Race Equality Council
    South Wales Fire Service
    Gwent Healthcare and NHS Trust
    British Transport Police

    1. Other organisations and agencies in the statutory, voluntary and community sector (or organisation by order of the Secretary of State) may also become signatories to this Protocol where this is necessary or expedient to the successful implementation of Sect.115 (1) Crime and Disorder Act 1998 (the Act.).
    2. It will be the responsibility of these signatories to ensure that:
      1. Realistic expectations prevail from the outset.
      2. Ethical standards are maintained.
      3. A mechanism exists by which the flow of information is controlled.
      4. Appropriate multi-agency training and awareness is provided.
      5. Adequate arrangements exist to test adherence to the Protocol.

    Back to top

  3. Purpose and Legitimate Aim
    1. The purpose of this Protocol is to facilitate the exchange of information between the partner agencies, that will enable the partnership to fulfil its statutory duty and work together (sect 17 of the Act 1998) to ensure public safety and for the prevention of disorder and crime, furthering the aims of the Crime and Disorder Act 1998. (See Appendix 2).
    2. This Protocol is mainly concerned with the exchange of personal data where no other form of data will satisfy the requirement of personal data (see 4.5). When completely de-personalised information is requested, the assumption is that this information will be shared, e.g. statistical information.

    Back to top

  4. Application
    1. The partnership subscribes to the following for this Protocol and any sub-Protocols:
      1. The agreed standards must provide safeguards and an appropriate framework for the controlled exchange of relevant information.
      2. The principles of the Data Protection Act 1998 must be upheld. (See The Data Protection Act 1998 Principles 1-8).
      3. All partner agencies must be compliant with the Human Rights Act 1998.
      4. The Gwent Crime and Disorder Partnership will periodically review this Protocol. The first review will be within 6 months of signing, thereafter annually. However intermediate and subsequent reviews may be initiated by any changes in legislation, case stated or ruling by the Commissioner for information.
      5. Partners may request changes to this Protocol at any time by submitting a suggested revision to the Protocol holder in writing. Any suggested alterations to this will be discussed at the next Gwent Crime and Disorder Partnership meeting. All decisions must be minuted and their actions recorded and retained by the protocol holder.
    2. The nominated holder of this Protocol is the Head of Community Safety, Gwent Police, who shall, on behalf of the partnership:
      1. Ensure that a review is carried out in the first six months of the document being signed and then subsequently reviewed on an annual basis.
      2. Circulate all requests for change, co-ordinate responses, obtains agreement for the changes from the partnership.
      3. Appendix 1 contains a list of contacts that should be referred to in each organisation.

    Back to top

  5. Definitions
    1. 'Crime' is defined as any act, default or conduct prejudicial to the community, the commission of which, by law, renders the person responsible liable to punishment by a fine, imprisonment or other penalty.
    2. 'Anti-social behaviour' means acting in a manner which causes or is likely to cause harassment, alarm or distress to one or more persons who is/are not of the same household as the identified person.
    3. 'Disorder' is an expression that refers to a level or pattern of anti-social behaviour within a particular area.
    4. 'Prevention of Offending' is activity which reduces the likelihood of offending/re-offending e.g. by promoting young peoples' best interests through provision of community programmes, that reduce the risk factors associated with offending and promotes protective factors.
    5. 'Personal data' is information that relates to a living individual, that can be identified from those data or from those data and other information which is in the possession of, or is likely to come into the possession of the data controller. It includes any expression of opinion or intention in respect of the individual.
    6. 'De-personalised'- where an individual cannot be identified - e.g. by part of a postcode, NP4 etc.
    7. 'Data Controller' is the organisation or the nominated person who (either alone or jointly or in common with other persons) determines the purposes for which and the manner in which any personal data are, or to be processed.
    8. 'Data Processor' in relation to personal data, means any person (other than an employee of the Data Controller) who processes the data on behalf of the Data Controller. 'Any person' includes Computer Bureaux or Third Party Agencies or Organisations that process the data on behalf of the Data Controller.

    Back to top

  6. Notification
    1. Each partner will ensure that they are appropriately registered under the Data Protection Act for the purpose of this Protocol.
    2. As data exchanged will include some sensitive information, it will be necessary, at the registration stage, to select the appropriate criteria for processing from Schedules 2 and 3 of the Data Protection Act 1998.

    Back to top

  7. Consent
    1. Many (but not all) of the data protection issues surrounding a disclosure can be avoided if the consent of the individual has been sought and obtained. The first consideration should be whether the individual has consented to the disclosure. Details of victims, witnesses and complainants should not be disclosed without their written consent.
    2. If consent has been withheld or could not be obtained, then the nominated officer should assess whether the lack of consent can be overcome. Consideration must be given as to whether the personal information is held under a duty of confidence, whether there is an overriding public interest or justification for disclosing the information. (section 29(3) Data Protection Act 1998), and whether the individual was informed that their information would be disclosed to the recipient. (Note: R v Chief Constable of North Wales ex parte AR & Another). See Appendix 6.

    Back to top

  8. Requesting/Disclosing Personal Data
    1. It is essential that adequate control of the flow of data be maintained. The Data Protection Act 1998 permits the exchange of data, provided the data has been fairly obtained and processed (the individual has been clearly informed how their data will be used and disclosed) and it is appropriately registered under the Act.
    2. Disclosures can also take place under the Act's non-disclosure exception provisions. Reliance on these must be assessed on a case by case basis. The provisions are:
      1. For the prevention or detection of crime, the apprehension or prosecution of offenders, and taxation purposes. Request for information must be on a case by case basis, when failure to provide the information would likely to prejudice these purposes. All requests and responses must be appropriately authorised and documented. (section 29(3) Data Protection Act 1998).
      2. Where information is made available to the public by or under enactment. (section 34 Data Protection Act 1998).
      3. Where the disclosure is required by law or by the order of a court. (section 35 Data Protection Act 1998).
      4. Where a disclosure is made in connection with legal proceedings, for the purpose of obtaining legal advice, and establishing, exercising or defending legal rights. (section 35 Data Protection Act 1998).
      5. For the purpose of safeguarding national security. (section 28 Data Protection Act 1998).
      6. By order of the Secretary of State. (section 38 Data Protection Act 1998).
    3. Procedures and agreements for the handling of requests and disclosing information can be found in Appendix 3.

    Back to top

  9. Third Parties
    1. The Act permits Third Parties to process data (Data Processors see 4.8) on behalf of a Data Controller (see 4.7) (see Data Protection Act 1998). It is imperative that should a partner be party to such an arrangement, that the processing is carried out with appropriate safeguards in place (see 12.1). Partners should therefore ensure that:
      1. Contracts/agreements between themselves and external suppliers include adequate and concise requirements for the processing, security and exchange of personal data. The contracts/agreements must include the requirement for service providers to act only on instructions given by the partner.
      2. Guarantees are provided by the service provider in respect of security measures they intend to take, and partners should take reasonable steps to ensure the service provider complies with those measures.
      3. Flows of information are limited to those between the partner and their service provider only.
      4. Partners have sufficient access to confirm the adequacy of standards for the protection of data, to respond to any complaints and breaches, and also to satisfy data subject requests.
      5. Partners carry out all relevant checks with prospective suppliers prior to awarding any contracts and refer back to the data controller prior to disclosure should their intention be to use the contractor to process or store shared data.

    Back to top

  10. Nomination of Staff
    1. To ensure compliance with the principle of security and the common law duty of confidentiality, this Protocol contains a list of appropriate nominated officers (see Appendix 1- Authorised Officers).
      • with whom contact should be made in relation to this Protocol.
      • to whom requests for information should be sent (see Appendix 3), and who are responsible for resolving issues arising from non-disclosure.
      • to whom disclosures should be made (see Appendix 3).
    2. Requests from unauthorised organisations/staff will be declined.
    3. In the event of a serious investigation or large scale information exchange between partner agencies, a pre-meeting should be arranged between all relevant agencies and interested parties to discuss what information is to be requested and by whom. All subsequent requests should then be made in writing.

    Back to top

  11. Accuracy of Data
    1. Each partner has a responsibility to maintain the accuracy of data supplied under this Protocol. There is a duty in the Data Protection Act 1998 on a partner supplying personal data to advise the recipients if the data supplied is subsequently found to be inaccurate.
    2. Where an inaccuracy is discovered after a disclosure has been made, it will be the responsibility of the party discovering the inaccuracy, to bring this to the notice of the data owner who should notify all recipients of the correction.
    3. To meet this responsibility, partners will maintain records that indicate a disclosure has been made and to inform recipients if they become aware of any inaccuracies, which may either prejudice or detrimentally effect the rights and freedoms of the data subject or individual.
    4. Material amendments ONLY (i.e. significant to the nature of the request) require notification on a cross-referenced disclosure document.
    5. The responsibility on the discloser will continue for a period of two months after the date of the original disclosure. If the requester is still using that data after the two-month period, he/she shall obtain confirmation of the accuracy of the data, if required.

    Back to top

  12. Retention of Data
    1. The partnership supports the Data Protection Principle that data must not be retained for an excessive period. It follows that data must be destroyed as soon as it is no longer required for the original purpose for which it was supplied or collected.
    2. To achieve this, partners will introduce an audit procedure and nominate a person for this task.
    3. Data Audits will be recorded on 'The Information Review Form' and attached to the front of the case file.

    Back to top

  13. Security of Data
    1. Each partner must ensure they have appropriate security arrangements in place and take all reasonable steps to adequately protect the data from both a technological and physical point of view. This must include security of computer data, manual files and all forms of transfers of data between partners. Each partner must state:
      • Who can access what information
      • Who makes disclosure decisions
      • Where data/information is stored

    Back to top

  14. Data Subject Requests
    1. Individuals have the right of access to a copy of all information held about them on computer and manual files - unless an exemption applies where information can be withheld under certain circumstances.
    2. Partners will adopt common procedures for dealing with information access requests. See Appendix 5 for procedures for handling requests for individual access to information.

    Back to top

  15. Complaints
    1. Any complaints will be brought to the attention of the nominated officer of the relevant partner(s) and will be dealt with in accordance with their organisations internal complaint procedures.
    2. Partners will keep each other informed of developments following receipt of a complaint, where relevant.

    Back to top

  16. Confidentiality
    1. Each partner organisation shall at all times keep confidential, all personal data supplied pursuant to this Protocol. This clause shall survive termination of the agreement or the withdrawal of or removal of any partner.
    2. Any publication of data supplied pursuant to this agreement will not identify any individual.

    Back to top

  17. Compliance and Good Practice
    1. Any further guidance or codes of practice should be distributed via the Protocol holder for consideration and possible attachment to this Protocol.

    Back to top

  18. Indemnity
  19. See Appendix 6.

    Back to top

  20. Certification
    1. By signing this document the participants (identified below) accept and will adopt the statements included in it and agree to maintain the specified standards.

    Back to top

  21. Publication
    1. This Protocol is published by the Gwent Police on behalf of the Gwent Partnership (as shown at paragraph 1). This Protocol can be made available to the public as required.

    Back to top

  22. Non Discriminatory Clause
    1. Whilst ensuring its compliance with Article 14 of the European Convention on Human Rights (ECHR) 1998, there will be no discrimination to any person irrespective of their sex, race, colour, language, religion, political or other opinion, national or social origin, association with a national minority, property, birth or other status.

    Back to top

Back to Domestic Violence Protocols index