As I near the end of another interesting and challenging data sharing consultancy exercise I thought it would be useful to take a step back and consider how public sector organisations can overcome some of the big challenges of sharing personal data. I am thinking mainly of data sharing in the health, social services, education and justice domains, because these are the areas that have dominated my time recently, but the thoughts are equally applicable to other parts of the public sector.
I’m starting with the governance of data sharing – which can appear as a minefield of confusing terminology, guidelines and practices. However taken one chunk at a time, and with some specialist advice – it’s not that hard!
At the core of data sharing governance is an agreement between two or more partners on how they will manage the sharing of data. Linked to this agreement are areas that are specific to each organisation, i.e. the organisation’s management of its data security and general information governance.
The standard way to document a data sharing agreement is by means of an Information Sharing Protocol or Agreement (ISP or ISA), which documents the who, why, where, when, what and how of the sharing.
There are a number of popular ISP frameworks available, for example, see the SASPI, WASPI and ICO web sites (links are given below). The available templates and guidance gets the ISP process off to a quick start, and help partners develop a common understanding. A recognised template should also help ensure that the legal aspects of the ISP are properly addressed.
When producing an ISP it’s important to remember to:
- Keep it simple. Would a front-line practitioner understands it? An ISP needs to clearly communicate the essential elements of the data sharing to all involved people, e.g. internal employees as well as external stakeholders (or a similar test – would my husband/wife/partner understand this? – assuming you can persuade them to read it!)
- Keep it standard. As detailed above, using an existing template helps to reach an agreement and avoids the pain of re-inventing the wheel
- Start the process early. An ISP should not be a last minute afterthought, and there are dependencies with the parallel design of the technical solution for sharing and storage, and the assessment of information risks
- Manage the process. One partner organisation should co-ordinate the development of the ISP, with designated ISP Coordinators appointed as primary points of contact in every organisation involved
- Integrate with data security. The ISP must document how security controls are applied to the data that is being shared. This should integrate with a Privacy Impact Assessment (PIA) that identifies the risks to the data, and how they will be managed
- Make the sign-off easy. There’s always a risk that too many stakeholders in the sharing organisations become involved in the review and agreement process, which then grinds to a halt. Numbers at the party should be kept to a minimum, and where several partners are involved, multiple bilateral flavours of the ISP should be avoided. Variety will not spice up your life!
- Communicate it. Publish it widely within your organisation (e.g. on intranets), with partners (consider a shared portal/intranet) and externally (on your web site, and on a national register, e.g. WASPI)
- Keep it up-to-date. Factors such as business practices, technologies and the data shared will change over time so there needs to be a process in place to ensure the ISP reflects these changes, and does not get lonely on a shelf
- Keep the benefits of sharing in mind. An ISP is a means to achieve benefits for the child, vulnerable adult etc
But don’t forget…
ISPs don’t exist in a vacuum and there are key areas where they integrate with the management of data in the rest of the organisation, in particular:
- With the wider arrangements for information governance, for example Information Assurance Committees
- With established data management roles, for example the Caldicott Guardian in the NHS or Data Protection Officers
- With existing policies, for example an Information Governance Strategy, Data Security Policy, etc (but avoiding duplication with the ISP)
The sharing of personal data is a sensitive topic and some citizens will always be wary despite appreciating that it can simplify the experience of dealing with multiple public service organisations and support the delivery of integrated and enhanced standards of care.
Setting up a good ISP means that public bodies can confidently share data with successful outcomes. An ISP provides a foundation that allows organisations to focus on the twin challenges of data security and the routing and matching of data between partners.
This has just been a quick overview – theses sites give some excellent and detailed guidance, templates and examples:
- Wales Accord on the Sharing of Personal Information (WASPI)
- Scottish Accord on the Sharing of Personal Information (SASPI)
- Information Commissioner’s Office (ICO) Data Sharing Code of Practice
Next time – the ins and outs of data matching and routing.
If you have any comments, leave a reply below or contact me by email.