Agenda Item No
The Vale of Glamorgan Council
Cabinet: 13th December 2011
Report of the Cabinet Member for Legal and Public Protection
Adoption of the Wales Accord on the Sharing of Personal Information (WASPI)
Purpose of the Report
1. To inform Cabinet of the Wales Accord on the Sharing of Personal Information (WASPI) and seek authority for the Council to adopt same.
1. Cabinet notes and approves the contents of this report.
2. The Chief Executive be given delegated authority to sign the WASPI Declaration of Acceptance and Participation and delegated authority be granted to Chief Officers to enter into individual Information Sharing Protocols (ISPs) where necessary and appropriate.
Reasons for the Recommendations
1. To inform Cabinet of the WASPI arrangements.
2. In order for WASPI to be adopted and implemented by the Council.
2. This year has seen significant changes in the regulatory environment with regard to data sharing, in particular the Information Commissioner's statutory Data Sharing Code of Practice was published and Version 3 of the Welsh Government's Data Sharing Initiative, WASPI was introduced. This is particularly relevant to the Council as the Corporate Plan now places much emphasis on collaborative working and data sharing in order to deliver better services more efficiently.
3. The sharing of personal data has always been regulated by the Data Protection Act. However, the statutory Code explains how the Data Protection Act applies to the sharing of personal data. It sets out governance issues and recommends the use of data sharing agreements / protocols for the sharing of information.
4. The Wales Accord on Sharing of Personal information provides a standard template protocol for the sharing of information. It also sets standards which organisations must sign up to in order to formally adopt it.
5. The WASPI framework has been recognised as one of the key elements of the Welsh Government's sharing personal information programme. Its purpose is to enable service providing organisations directly concerned with the safeguarding, welfare and protection of the wider public to share personal information between them in a lawful and intelligent way.
Relevant Issues and Options
6. The WASPI framework consists of two elements; firstly, the Accord Annex 1 attached and secondly, the Information Sharing Protocol Template Annex 2 attached.
7. The Accord identifies commitments required by the Council. In accepting the Accord the Chief Executive is agreeing to the adoption, dissemination, implementation, monitoring and review of the Accord and its requirements.
8. The organisational commitments are set out in Part 2 of the document. The following are the most relevant :
· It sets out guidance on information to be provided to service users and their rights. It deals with consent issues and when consent will be required.
· Service users must be informed as to the circumstances in which their informed consent will be required before their information will be shared. Service users have the right to object to information they provide in confidence being disclosed to others in a form that identifies them. Service users will be informed they are entitled to limit the disclosure of their information.
· Information may only be shared without consent in circumstances where it is justified and compatible with the requirements of current legislation, common law and guidance e.g. Child protection - where it is judged that a child or young person is at risk of significant harm.
· The Information Sharing Protocol (ISP) will set out procedures for staff to follow when deciding to share information.
· Each participating organisation will have in place and apply an appropriate decision process which is compliant with the Mental Capacity Act 2005.
· Each organisation must have in place internal operational policies and procedures that will facilitate the effective processing of personal information.
· Each organisation must ensure that all relevant staff receive training, advice and ongoing support to understand the accord and the implications of it and the law in this area.
· Each organisation must ensure that mechanisms are in place to address the issues of physical security, security awareness training, security management, systems development, role based security / practitioner access levels, receiving transfer of data and system specific security policies. The standard applied should be ISO27001.
· Part 3 of the accord introduces a monitoring framework. Each organisation must identify a designated person or persons who will have responsibility for implementing and monitoring commitments under the Accord.
9. The second element of WASPI is the Information Sharing Protocol (ISP) Annex 2. This is a template document designed for specific sharing. It addresses the who / why / where / when / what / and how questions on sharing. The guidance provides it must be used as the basis for all ISP development. The headings and standard text within each part of the document should not be altered. The template is broken down into the following four parts.
· Part A -This details the scope and purpose of the sharing. It describes the information to be shared and the benefits to the service user.
· Part B - This details the lawful justifications for the sharing, including statutory powers and consent issues.
· Part C - This sets out the detailed operational procedures to be followed when sharing personal information. It describes how service users are to be informed of the sharing, deals with consent issues and lists the agreed information collection tools to be used.
· Part D - This is a template information flow reference table which, when populated, sets out the detail of how the information is to be shared. It also details the controls to be applied.
10. The statutory Code provides to the effect that different staff will have different roles in data sharing, with implications of data sharing, the decision to enter into an agreement should be at a high level, accordingly it should rest at Chief Officer level. Accordingly, delegated authority is sought for Chief Officers to enter into information sharing protocols where necessary and appropriate.
Resource Implications (Financial and Employment and Climate Change, if appropriate)
11. To implement the Accord's requirements will require resources. Implementation of WASPI has been recognised as a corporate project and it has been agreed by CMT that a project plan be prepared in relation to the matter.
Legal Implications (to Include Human Rights Implications)
12. The Council has to comply with the Data Protection Act in sharing data. It also has to comply with the Information Commissioner's Statutory Code. The Code provides that it is good practice for organisations to have data sharing agreements / protocols in place. WASPI is an example of such a protocol.
Crime and Disorder Implications
13. There are no crime and disorder implications directly related to this report.
Equal Opportunities Implications (to include Welsh Language issues)
14. There are no equalities implications directly related to this report.
15. The Corporate Plan promotes the use of collaboration and shared services.
Policy Framework and Budget
16. This report is a matter for Executive decision.
Consultation (including Ward Member Consultation)
17. The Information Governance and Strategy Board have considered the Accord. The Board contains representatives from all departments. Due to the corporate nature of this document individual Ward Member consultation has not taken place.
Relevant Scrutiny Committee
18. Corporate Resources.
The Data Protection Act 1998
The Data Sharing Code of Practice - May 2011
The Wales Accord on Sharing of Personal Information (WASPI) Version 3
Head of Resource Management and Accountancy
Head of ICT
Head of Business Management and Innovation Social Services
Peter H. Evans, Director of Legal, Public Protection and Housing Services