1 Introduction
To make informed decisions about safeguarding and achieve quality outcomes for individuals, we must share information with our partner agencies who also have responsibilities for safeguarding and prevention.
It has been frequently recognised in local and national reviews of practice that failing to share information at critical times has costs lives or led to detrimental outcomes. A fear of sharing sensitive information must not be a blocker to safeguarding and promoting the welfare of children at risk. The relevant UK government departments and independent non-departmental government bodies responsible for protecting children and/or regulating data protection therefore set out policy, legislation, and statutory guidance on how the protection system should work and data protection compliance is achieved at the same time. Those pieces of legislation are in place for the relevant sharing partners to be used to justify information sharing and to allow it in a safe and legal way. Some legislation puts a duty on organisations to share and others provide with the power to do so. The terms ‘information’ and ‘data’ are used interchangeably in this agreement.
The partners of this agreement are aware and understand their legal responsibilities to deliver safeguarding to the whole population as defined (amongst others) in the:
Children Act 2004, Section 10
Each local authority must make arrangements to promote co-operation between partners (including the ICB, Police, Schools and other) to improve the wellbeing of children including:
- physical and mental health and emotional well-being;
- protection from harm and neglect;
- education, training and recreation;
- the contribution made by them to society;
- social and economic well-being.
Children Act 2004, Section 16H
- Any of the safeguarding partners for a local authority area in England may, for the purpose of enabling or assisting the performance of functions conferred by section 16E [Local arrangements for safeguarding and promoting welfare of children] or 16F [Local child safeguarding practice reviews], request a person or body to provide information specified in the request to
- the safeguarding partner or any other safeguarding partner for the area,
- any of the relevant agencies for the area,
- a reviewer, or
- another person or body specified in the request.
- The person or body to whom a request under this section is made must comply with the request.
- The safeguarding partner that made the request may enforce the duty under subsection (2) against the person or body by making an application to the High Court or the county court for an injunction.
- The information may be used by the person or body to whom it is provided only for the purpose mentioned in subsection (1).
The Working Together to Safeguard Children 2023 statutory guidance on multi-agency working set out how to apply the laws linked to sharing information for Safeguarding reasons and should be used when using information for safeguarding reasons.
The effective and timely sharing of information between agencies and organisations is essential to enable early intervention and preventative work for safeguarding and promoting welfare of those experiencing and at risk of abuse and harm and for wider public protection. For this reason, this Tier 1 DSA applies to all areas of children’s safeguarding. In the context of this document a Tier 1 DSA can be understood as an overarching, strategic agreement between Safeguarding partners defining the appropriate arrangements to support multi-organisational information sharing for safeguarding reasons, see appendix 1 for further details.
The UK GDPR sets out seven key principles which should lie at the heart of the partnership’s approach to processing personal data:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
Please visit the ICO website for more detail on the principles.
2. Contents
3 Administration
The organisations below are signatories to this Tier 1 Data Sharing Agreement (see Appendix 5 for further details):
Organisation(s) |
Cambridgeshire Constabulary |
Cambridgeshire County Council |
Peterborough City Council |
Education |
Cambridgeshire and Peterborough ICB |
Cambridgeshire and Peterborough NHS Foundation Trust (CPFT) |
Cambridgeshire Community Services NHS Trust (CCS) |
Cambridge University Hospital Trust |
Hinchingbrooke Healthcare NHS Trust |
North West Anglia Foundation Trust |
East Anglia Ambulance Service |
Cambridgeshire Youth Offending Service |
Peterborough Youth Offending Service |
Cambridgeshire Fire and Rescue Service |
Royal Papworth Hospital |
National Probation Service |
Other strategic partners that have responsibilities to address issues relevant to safeguarding children |
General:
Date Tier 1 DSA comes into force: | March 2024 |
Last review: | March 2024 |
Date for review of DSA: | March 2025 or as required (annual schedule) |
DSA Owner (Organisation): | |
DSA Author(s): | Joanne Procter (Cambridgeshire & Peterborough Safeguarding Partnership Boards Antje Carpenter (NHS SCW CSU) |
Version control:
Version | Date | Author | Edit/Update |
V0.1 Draft | 09/10/2023 | Antje Carpenter, SCW | First draft for consideration |
V0.2 Draft | 07/02/2024 | Antje Carpenter, SCW | Update to incorporate feedback from Group |
V0.3 Draft | 19/02/2024 | Antje Carpenter, SCW | Update to incorporate feedback from Group |
V0.4 Draft | 05/03/2024 | Antje Carpenter, SCW | Section 16 completion |
4 Scope
This Tier 1 Data Sharing Agreement applies to organisations operating within Cambridgeshire and Peterborough. It is a multi-agency agreement between Local Authorities, ICB & NHS Organisations, Police, Education, Probation, Prison Service and Voluntary Sector Organisations. A full list of signatory organisations can be found under section 3 Administration and in appendix 5. The Agreement covers the sharing of personal and special category data about children and young people for safeguarding reasons.
The Cambridgeshire and Peterborough Safeguarding Children Partnership is established in accordance with the Children Act 2004 (as amended by Children and Social Work Act 2017) and Chapter 2 Working Together to Safeguard Children 2023. The partnership provides the safeguarding arrangements under which the safeguarding partners and relevant agencies work together to coordinate their safeguarding services, identify and respond to the needs of children in the relevant area, commission and publish local child safeguarding practice reviews and provide scrutiny to ensure the effectiveness of the arrangements.
The responsibility for joined up working rests locally with three safeguarding partners who have a shared and equal duty to make arrangements to work together to safeguard children in a local area. These partners area:
- a) The Local Authority (Chief Executive)
b) Integrated Care Board (ICB) (Chief Executive)
c) Police (Chief Officer)
The three safeguarding partners should agree ways to co-ordinate their safeguarding services, act as a strategic leadership group in supporting and engaging others; and implement local and national learning including from serious child safeguarding incidents.
This DSA is for use by professionals, staff and volunteers of organisations who have signed, and therefore agreed to the terms of this agreement and providers of services commissioned by the organisations who have signed this agreement. Safeguarding is everyone’s responsibility, not just safeguarding practitioners.
Where there needs to be a more specific agreement about sharing data, it will be necessary to complete a Tier 2 information sharing agreement. This agreement should not be seen as an alternative to a Tier 1 agreement, Tier 2 agreements must be completed for specific information sharing projects between the partner organisations but will be linked to this overarching agreement. The Tier 2 agreement should be developed in line with best practice and/or using the National Template and Guidance provided by the Department for Education which can be found here (Data Sharing Agreements – Important information for professionals (somerset.gov.uk)).
The Department for Education defines children’s safeguarding as follows within their ‘Working Together to Safeguard Children’ statutory guide to inter-agency working to safeguard and promote the welfare of children:
- providing help and support to meet the needs of children as soon as problems emerge
- protecting children from maltreatment, whether that is within or outside the home, including online
- preventing impairment of children’s mental and physical health or development
- ensuring that children grow up in circumstances consistent with the provision of safe and effective care
- promoting the upbringing of children with their birth parents, or otherwise their family network through a kinship care arrangement, whenever possible and where this is in the best interests of the children
- taking action to enable all children to have the best outcomes in line with the outcomes set out in the Children’s Social Care National Framework.
The Information Commissioner’s Office (ICO) recognises in their 10-step guide to sharing information to safeguard children that there is no single definition of safeguarding but highlights the inclusion of
- a) preventing harm;
- b) promoting the welfare of a child; and
- c) identifying risk in order to prevent harm (especially helpful where the risk may not be obvious to a single person or organisation).
Safeguarding must therefore be seen as a protection of wellbeing (including physical, mental & emotional); a prevention of harm and reduction of risk through care and support requiring information sharing. This allows intervention in immediate situations demanding the safeguarding of children but also sharing for prevention and early intervention in less immediate or high-risk situations.
Information sharing with non-statutory agencies e.g. registered charities is within the scope of this Tier 1 DSA. There are a number of charitable organisations that offer support and services. Such organisations are not created under statute and therefore do not have statutory powers; nevertheless, they are often able to offer help and assistance in the form of counselling, advice, early help support, prevention and guidance as well as referring individuals to other organisations and charities within their network.
5 Purpose and benefits
The purpose of this Tier 1 Safeguarding DSA is to facilitate the lawful sharing, use and security of personal, special category data and criminal offence data in order to safeguard children who require safeguarding intervention and to facilitate the statutory functions of the Childrens Safeguarding Partnerships. This agreement will function as the foundation to embed strong, effective multi-agency arrangements that are responsive to local circumstances and engage the right people. Signatories to this agreement must be engaged to work in a collaborative way to provide targeted support as appropriate. This approach will provide flexibility to enable joint identification of, and response to, existing and emerging needs, and to agree priorities to improve outcomes. This agreement provides an overall framework for the secure sharing of information between the organisations (multi-agency/integrated working) that are parties to this agreement with the intention of:
- Protecting people’s health, wellbeing, and human rights, and enabling them to live free from harm, abuse and neglect (including self-neglect).
- Taking action to enable all children and their families to have the best outcomes.
- Identifying risk and emerging threats in order to prevent harm (prevention, early intervention).
- Raising public awareness so that communities as a whole, alongside professionals, play their part in preventing, identifying and responding to abuse and neglect and promoting the welfare of children.
- Preventing impairment of children’s mental and physical health or development.
- Ensuring that children are growing up in circumstances consistent with the provision of safe and effective care.
- Collaborating, sharing and co-owning the vision for how to achieve improved outcomes for vulnerable children.
- Challenging appropriately and holding one another to account effectively.
- Sharing information effectively to facilitate more accurate and timely decision making for children and families.
- Ensuring that shared learning is promoted and embedded in a way that local services for children and families can become more reflective and that changes to practice are implemented.
- Reducing the need for individuals to provide duplicate information when receiving an integrated service.
- Managing risks, performance, service planning and auditing.
6 Responsibilities / partner commitments
By becoming a partner to this sharing agreement all organisations are making the following commitments. It is understood that signatories to this agreement are committing their whole organisation to entirely support the principles and carry out their responsibilities to the full.
Area of responsibility: |
The parties to this DSA are committed to ensuring that information is shared lawfully (within the parameters of the UK GDPR and Data Protection Act 2018) between those professionals/organisations working with children and young people at risk of harm across Cambridgeshire and Peterborough who have a legitimate need for that information to assist with delivering a high quality, integrated safeguarding service that meets the needs of the relevant individuals. |
Organisations signed up to this agreement commit to sharing confidential information in accordance with their legal, statutory, and common law duties and meet the requirements of any additional supporting guidance. |
All organisations must have in place policies and procedures to meet the national requirements for Data Protection, and which are consistent with this DSA. The existence of, and adherence to, such policies provide all organisations with confidence that data shared will be transferred, received, used, held and disposed of appropriately. |
Organisations acknowledge their ‘Duty of Confidentiality’ to the people they serve. In requesting release and disclosure of personal information from other organisations, employees and contracted volunteers will respect this responsibility and not seek to override the procedures which each organisation has in place to ensure that data is not disclosed illegally or inappropriately. This responsibility also extends to third party disclosures; any proposed subsequent re-use of data which is sourced from another organisation should be approved by the source organisation. |
Where processing is likely to result in a high risk to the rights and freedoms of a natural person (as per UK GDPR, Article 35), a Data Protection Impact Assessment will need to be completed and shared with the relevant partners as appropriate. This agreement does not replace the need to conduct a Data Protection Impact Assessment of the information or processes involved. |
An individual’s personal information must be complete and up to date and will only be disclosed where the purpose for which it has been agreed to share clearly requires that this is necessary. For all other purposes, data should be anonymised. |
Where it is agreed that the sharing of personal information is necessary, only that which is needed, relevant and appropriate will be shared and would only be on a ‘need to know’ basis. |
When disclosing information about an individual; organisations will clearly state whether the information being shared is fact, opinion, or a combination of the two. |
There will be occasions where it is legal and / or necessary for organisations to request that personal information supplied by them is kept confidential from the person concerned. Decisions of this kind will only be taken on statutory grounds and must be linked to a detrimental effect on the physical or mental wellbeing of that individual or other parties involved with that individual. The outcome of such requests and the reasons for taking such decisions will be recorded. |
All organisations agree to make reasonable efforts to ensure that recipients of personal information are kept informed of any changes to the information that they have received, so that records can be kept up to date. |
Careful consideration will be given to the disclosure of personal information concerning a deceased person, and if necessary, further advice should be sought before such data is released. |
All organisations will ensure that Subject Access Requests and other Individual Rights requests made to them are responded to in accordance with the requirements outlined in the Data Protection Act (2018). |
All organisations agree that appropriate training will be given to staff so that they are aware of their responsibilities to ensure personal information is processed lawfully. |
All staff will be made aware that disclosure of personal information, which cannot be justified on legal or statutory grounds, whether inadvertently or intentionally, could be subject to disciplinary action. |
Organisations are responsible for putting into place effective procedures to address complaints relating to the disclosure of personal information. |
Extreme care and careful consideration should be taken where the disclosure of information includes third party information and particularly personal data relating to witnesses, victims or complainants. |
The person or persons to whom a request is made must comply with such a request in relation to a child death review or child safeguarding practice review and if they do not do so, the safeguarding partners may take legal action against them. |
The qualifying standard for organisations to achieve to sign up to this sharing agreement is achievement of ‘standards met’ to the current version of the Data Security & Protection Toolkit (Data Security and Protection Toolkit (dsptoolkit.nhs.uk)) or equivalent standard depending on the type of organisation.
If ‘standards met’ has not been achieved (organisation failed, not required to complete the DSPT, DSPT expired) organisations will be asked to confirm their plans (including the completion of the DSPT voluntarily) and share the relevant details. The statutory partners will consider the position of the organisation and make recommendations regarding the signing of the agreement.
7 Lawfulness
Partners agree that in order to share personal data, there needs to be a relevant legal gateway. It is important to note that the existence of this Tier 1 Safeguarding Data Sharing Agreement does not provide partners with a legal gateway or secure an automatic right or obligation to share information with or from another partner. This may come from statue, common law, or legal precedent. Statutory powers (also referred to as legal gateways) will differ between the signatory organisations and cannot be prescribed in this Agreement. A list of commonly used legal gateways / applicable legislation for safeguarding sharing can be found in Appendix 3.
Principle legislation governing the protection and use of personal information is:
- UK General Data Protection Regulation (GDPR)
- Data Protection Act (DPA) 2018
- Human Rights Act 1998 (article 8)
- The Common Law Duty of Confidentiality
Each signatory must be able to identify their lawful basis to share personal data which should be recorded within a Tier 2 Data Sharing Agreement. The lawful basis under the UK GDPR and Data Protection Act 2018 is however likely to be the following:
Article 6(1)(c) – processing is necessary for compliance with a legal obligation to which the controller is subject.
Article 6(1)(e) – processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller.
Article 9(2)(b) – processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller or of the data subject in the field of employment and social security and social protection law in so far as it is authorised by Union or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the fundamental rights and the interests of the data subject.
Article 9(2)(h) – processing is necessary for the purposes of preventive or occupational medicine, for the assessment of working capacity of the employee, medical diagnosis, the provision of health or social care or treatment or the management of health or social care systems and services on the basis of Union or Member State law or pursuant to contract with a health professional and subject to the conditions and safeguards referred to in paragraph 3.
Article 9(2)(g) – processing is necessary for reasons of substantial public interest, on the basis of Union or Member State law which shall be proportionate to the aim pursued, respect the essence of the right to data protection and provide for suitable and specific measures to safeguard the fundamental rights and the interests of the data subject.
Article 10 Criminal offence data processing meeting a specific condition in Schedule 1 Data Protection Act 2018.
The Police’s underlying power to share personal data is derived from (i) Common Law Policing Purposes which may be summarised as: protecting life and property, preserving order, preventing the commission of offences, and bringing offenders to justice and/or (ii) any duty or responsibility arising from statute or other rule of law including court order and royal prerogative.
The signatories of this agreement understand that ‘Consent is one lawful basis, but it is not required for sharing information in a safeguarding context. In fact, in most safeguarding scenarios you will be able to find a more appropriate lawful basis.’ (Source ICO). The UK GDPR provides several bases for sharing personal information. Partners will however be transparent with individuals whose data is being processed if it does not increase the risk of harm. The difference between consent to treatment/service opt-in and consent to share information under Data Protection laws must be understood by all partners to this agreement. If consent to share information is considered to be required, this must be escalated to the relevant partner organisation’s DPO for review.
8 Guidance
Partners will rely on the following guidance to adhere to principles defined in this agreement.
National Guidance:
- Working together to safeguard children 2023 (Department for Education)
- Information Sharing Advice for practitioners providing safeguarding services for children, young people, parents and carers (Department for Education)
- 10 step guide to sharing information to safeguard children (Information Commissioner’s Office)
- MAPPA Guidance (Ministry of Justice, National Offender Management Service, HM Prison Service)
- The Caldicott Principles (National Data Guardian)
- Serious Violence Duty (Home Office)
- Management of Police Information (MoPI) statutory Code of Practice College of Policing
- MARAC Guidance Department for Health
Local Guidance:
- Multi Agency Safeguarding Arrangements [currently still under development, add link once available]
- Information Sharing Cambridgeshire and Peterborough Safeguarding Partnership Board
9 Security Standards
Each partner will be responsible for ensuring data is subject to sufficient security.
All partners signed up to this agreement must ensure appropriate organisational policies and procedures are in place to cover the security of personal information under this agreement.
All reasonable steps should be taken to ensure that confidentiality of data is maintained, the integrity of data is preserved and that data remains available where needed.
Controllers must also consider determining how they will test/audit the effectiveness of information security controls as part of a Data Protection Impact Assessment.
Sharing arrangements involving shared systems/assets will require joint decisions on security controls, therefore responsibility may be shared (pertinent to joint controller arrangements). This may include (but is not limited to) decisions on:
- A satisfactory level of compliance with industry cyber/information security standards (e.g. Cyber Essentials)
- A role-based access model
- Patching schedules
- Remote access solutions
- Third party security assurances and contractual arrangements (which may permit certain autonomy to maintain security)
- Recovery point/time objectives
A system level security policy should be developed jointly for such assets to document the agreed security controls/assurances for the sharing partners and demonstrate controller responsibility.
Appropriate contractual, data processing and confidentiality agreements must be in place to underpin the processing of personal information by a third party / processor.
10 Proportionality and necessity
The data relevant under this Tier 1 Data Sharing Agreement can include personal data, special category data and criminal offence data shared for the reasons of safeguarding.
Partners agree that only information that is relevant to the purposes should be shared with those partners who need it (need to know basis). Assessing proportionality and necessity for any sharing initiative under this agreement is paramount and should be documented to assure compliance with current UK data protection legislation. In circumstances where data is to be shared for safeguarding purposes both the benefits and the risks must be balanced against each other to assure the right level of proportionality and necessity. Organisations signed up to this Tier 1 Data Sharing Agreement must therefore include Caldicott Guardians (for Health), Service Leads or other equivalent individuals as they must be core to such decision-making. It is recommended under this agreement that organisations take a default ‘starting position’ of considering what data/information is reasonably, foreseeably needed. Data minimisation and proportionality will be maintained by only asking for data that is needed to fulfil a specified purpose.
Partners must consider any harm or detriment that may come from sharing information, and make sure this does not outweigh what is trying to be achieved (least intrusive amount of personal information to be shared appropriate to the risk presented). This is particularly important for sensitive information. Partners will consider who could be affected by any disclosures contemplating that sharing information about one individual may also have an effect on the privacy rights of others. Information must be of the right quality to ensure that it can be understood and relied upon.
Organisations signed up to this agreement will consider the level of identification required for each sharing initiative.
11 Retention
Records will be retained and disposed of in accordance with data protection legislation and national and local/organisational guidelines. Each organisation which has received information referred to in this agreement has to follow their own Retention and Disposal Policy which should state how long they will keep different types of information. Additionally, organisations should consider the business need beyond any national/industry code or guidance which could justify a shorter or longer retention period. Retention periods should be agreed with sharing partners, at the early stages of data sharing, in a Tier 2 Data Sharing Agreement as relevant (documented justification). Especially sharing arrangements involving shared systems/assets require joint decisions on retention and/or system configuration as they are more complex.
Health and Social Care partners will consider the NHS England Records Management Code of Practice to inform decision making. The Constabulary (and other Police Forces) must consider and also comply with the statutory College of Policing Management of Police Information (MoPI) Code of Practice and Guidelines, also known as the Authorised Professional Practice (APP) for Police Information. Other partners will consult the relevant industry guidelines.
National inquiries must be considered when assessing records for destruction.
Any records which no longer need to be retained in accordance with the partners’ own policies and procedures should be destroyed under secure conditions.
12 Individuals’ Rights
The partners agree that in simple sharing arrangements each Controller will handle subject rights requests in accordance with their own established processes and policies. In multi-stakeholder sharing arrangements where shared information assets/systems are used, responsibilities for the handling of individuals’ rights requests by the sharing partners must be clearly set out in the relevant Tier 2 Data Sharing Agreement. Requests relating to information shared for safeguarding purposes are likely to require careful consideration and may require assistance from partners as the provider of the information may be aware of a wider context to make a fully informed decision. Therefore, sharing partners agree to set out clear arrangements in a Tier 2 Data Sharing Agreement or Policy for the handling of individuals’ rights and provide reasonable assistance to sharing partners as required.
The right to be informed – Partners must ensure that individuals are informed about the collection and use of their personal data and are provided with the privacy information required as per current data protection law. See the following section ‘Transparency’ for further detail.
The right of access – Sharing partners will set out clear responsibilities, including (but not limited to); whether there will be a central process to manage and co-ordinate requests, what the process shall be if a request is received by them but is relevant to another organisation, how partners’ involvement affects what they should disclose and the process for determining lawful reasons to withhold data from disclosure (i.e. if they are viewing data in a shared asset but are not controller nor a joint controller of the data, or if they are a joint controller).
The right to object and the right to restrict – Sharing partners will set out clear responsibilities, including (but not limited to); whether there will be a central process to manage and co-ordinate objections and restriction requests, what the process shall be if an objection or restriction request is received by them but is relevant to another organisation and the process for determining whether to uphold the objection or restriction request (although unlikely due to the nature of processing).
The right to rectification – Sharing partners will agree a process of how to respond to requests for rectification (i.e. if received by them but it is relevant to another organisation). The process will be dependent upon the sharing arrangement; this may require action from multiple partners (especially when a request for rectification of a professional opinion is received) or by a single partner that has provided the data into a shared asset and may require partners to assist each other to determine whether data should be rectified.
The right to erasure – Sharing partners will agree a process of how to respond to requests for erasure (i.e. if received by them but it is relevant to another organisation). It is unlikely to uphold a request for erasure when processing for Safeguarding reasons.
Automated decision-making and profiling – If the sharing arrangement is to involve automated decision-making or profiling then the sharing partners will agree how individuals affected will be informed of this (unless an exemption applies) and how requests for a member of staff to review any such activity will be handled. As it stands, data used for safeguarding purposes is unlikely to be classed as ‘automated decision making’ or ‘profiling’ without human intervention prior to decisions being made that affect individuals.
The right to data portability – If the sharing arrangement is to involve the processing of data based on the explicit consent of the data subject or a contract with the data subject (which are both highly unlikely for the purposes of safeguarding), or data will be carried out by automated means, then the sharing partners shall ensure that it is possible for data to be provided to the data subject in a structured, commonly used and machine-readable format and/or have this data transmitted to another controller. The lawful basis of processing data for safeguarding purposes is not likely to be explicit consent. Therefore, it is unlikely that the right to data portability applies.
Any Information Rights request directed at the Safeguarding Partnership should be forwarded to the Cambridgeshire County Council (if relevant to Cambridgeshire) or Peterborough City Council (if it relates to Peterborough) Data Protection Officer (FOI@cambridgeshire.gov.uk or FOI@Peterborough.gov.uk) or to coordinate the appropriate response. When a partner agency requires cooperation from the Safeguarding Partnership to respond to a Subject Access Request they should contact the relevant Business Support Team Manager to ensure appropriate liaison with the Council’s Data Protection Officer.
13 Transparency
Each organisation must be clear, open and transparent with data subjects about the collection and use of their personal information, paying particular attention to the ‘right to be informed’. The sharing partners (controllers) each have a responsibility to take reasonable steps to ensure that individuals (to whom data they are processing pertains) are informed of the uses of their data. The sharing partners will therefore agree an approach to informing individuals about the sharing of data for safeguarding purposes. This may, for example, take the form of each partner updating their own privacy information (i.e., a website privacy notice) or the partners may agree to reference a single privacy notice from their own privacy information, which is then maintained by one or several organisations (e.g., joint controllers). The privacy information must be concise, transparent, intelligible, easily accessible, and it must use clear and plain language, tailored to children if required.
Best practice in respect of transparency is to take a layered approach by utilising various methods to communicate information about how individuals’ data is being used, i.e., website privacy notice, leaflets, posters, letters, conversations, etc., However, given the nature of processing for safeguarding purposes it may not always be appropriate. The sharing partners must consider exemptions (e.g., law enforcement purposes under Part 3 of the DPA 2018, or serious harm to the physical or mental health of any individual).
14 Staff development
Each sharing partner must ensure that its staff are sufficiently trained to handle personal data appropriately as part of their controller responsibilities under UK data protection law (the UK GDPR principle of ‘accountability’ and specifically principle 5(f) (integrity and confidentiality) as an appropriate organisational measure). This can include training on confidentiality, data protection, record keeping, records management, system training, as well as more specific training on handling individuals’ rights requests for those staff typically involved in these, etc. Sharing partners should therefore consider whether staff affected by a new sharing arrangement will require additional training (in addition, controllers should continually assess the training needs of their workforce, which is often done by maintaining/appraising a ‘Training Need Analysis’ on a routine basis).
All staff must have access to the policies of their own organisation, this agreement and any materials jointly developed. For the purposes of this agreement the supporting processes will be that all staff authorised to access information will be trained in the basic requirements of the Data Protection legislation and have an awareness of the implications associated with shared information. They will also understand the risks associated with inappropriate disclosures and the impact that this has on safeguarding and the necessity to undertake thorough checks. Staff contracts must therefore contain appropriate confidentiality clauses detailing the possible consequences of unauthorised or inappropriate disclosure of personal information. Each organisation must have in place disciplinary procedures to be invoked if a member of staff is found to have breached the confidentiality of an individual. Consideration should be given to the category and nature of information to which staff have access and whether their role includes any specific requirements to access personal information.
The process of supervision is generally confidential between the supervisor and supervisee(s). The ground rules in relation to confidentiality will be made explicit, such as ownership of supervision records, retention of information. There may be occasions when it is necessary to share information with other practitioners/ managers/ external agencies/professional bodies in the best interests of the child at risk in line with organisational and multi-organisational information sharing agreements. Poor or dangerous practice will be addressed in line with partner organisation policy and procedures.
15 Incident Management and Complaints
Data security and protection incidents must be treated with priority and urgency; swift action should be taken to contain incidents and prevent both the number of individuals that may be affected and increased severity for those already affected. As such, sharing partners must inform the responsible controller as soon as possible (where they become aware of an incident that they are not responsible for or are only partially responsible for). Sharing partners must also determine whether other sharing partners (beyond those responsible) should be informed as concerns may have been, or be, raised to them that are linked to the incident, which they may otherwise not know.
Given the nature of the data involved in processing for safeguarding purposes, care and consideration should be given to who needs to be informed of an incident (in terms of both sharing partners, as well as the individuals affected and/or third parties).
Where an incident is isolated and deemed to only affect one sharing partner than the incident may be handled solely by that sharing partner according to their own incident management policy and processes. Where multiple sharing partners are affected, they must be prepared to establish a joint incident response plan. Clear responsibilities should be set out for any joint controller arrangements.
Complaint handling should follow a similar path; however, they are unlikely to require such priority/urgency unless they are intrinsically linked to an incident.
All partner organisations must put in place processes that allow concerns about non-compliance with this agreement to be reported to the designated person.
16 Common sharing initiatives / area of work
The below sharing initiatives are covered by this agreement and give detail of how data is being used to safeguard children and their families.
Child Death Overview Panel (CDOP) |
The Child Death Overview Panel (CDOP) is responsible to the Cambridgeshire and Peterborough Safeguarding Children Board for reviewing information on all child deaths, looking for possible patterns and potential improvements in services, with the aim of preventing future deaths. CDOP’s statutory duties are laid out in Working Together 2023. CDOP will collect and collate information about each child death, seeking relevant information from professionals and, where appropriate, family members. This work will identify learning points and make recommendations to relevant organisations to help prevent future child deaths or to promote the health, safety and wellbeing of children, both locally and nationally. |
Multi Agency Safeguarding Hub (MASH) |
The Multi-Agency Safeguarding Hub (MASH) is a collaborative environment involving several agencies, all working together to safeguard vulnerable children. These agencies include Children’s Social Care, Police, Health, Education, Early Help, Domestic Abuse Services, and additional partners like Youth Offending, Probation, Fire Service, and Housing. The MASH brings together agencies and their information to enable a comprehensive understanding of potential risks to protect children and promote their well-being. |
Multi Agency Risk Assessment Conference (MARAC) |
MARACs provide a multi-agency response for high-risk domestic abuse victims. Agencies come together to provide risk information is combined with a comprehensive assessment of the victim’s needs. MARAC meetings take place 3 times a week where, for every case, discussion takes place and named professionals involved with the case contribute relevant information (i.e. police, Probation, IDVA Service, Housing, Children’s social care, Adult Social Care, Drug/Alcohol Services, Mental Health and Education). The allocated IDVA acts as primary safeguarding lead for the victim and shares risk led information and advocates the thoughts and wishes of the victim. Risks are collectively identified and agreed by the professionals present and a plan is collectively formulated by professionals suggesting specific actions to reduce identified risks. The primary aim being to keep the victim, children and other named vulnerable household members safe from further abuse. |
Multi Agency Public Protection Arrangements (MAPPA) |
Multi-Agency Public Protection Arrangements (MAPPA) are a set of statutory arrangements to manage the risk posed by the most serious sexual and violent offenders. The MAPPA Responsible Authority brings together the Police, Probation and Prison Services. These agencies work together to review and manage risks, with the cooperation of other agencies (such as Local Authority Adult Social Services, Children’s Services, Health trusts, Youth Offending Teams and housing authorities) who are under a duty to cooperate and to share relevant information that is deemed necessary to assist with the process. |
Prevent |
The Prevent strategy aims to stop people becoming terrorists or supporting terrorism, as well as reducing threats, risks and vulnerabilities posed by domestic extremists. Prevent is supported by three objectives:
If a referral is then made to the Prevent team, and it is determined that there are concerns around radicalisation and violent extremism in relation to the referred individual, they can be supported through Channel. Channel assesses the nature and extent of the potential risk to an individual and, where necessary, provides an appropriate support package tailored to their needs. This decision is made by a multi-agency panel with representation from the police, education, health, housing, social care etc. |
Risk Outside the home |
Nationally we are seeing an increase in extra familial harm. This is harm that occurs outside of the family home and includes county lines and child exploitation. It is important that risk occurring outside the home is recognised and effectively responded to by agencies across Cambridgeshire and Peterborough. To ensure that this takes place partners may need to share information regarding;
Sharing this information will ensure thorough and accurate assessment of risk can be undertaken and relevant risk plans and interventions put in place. A failure to share information in this area may result in the risk not being fully recognised and children and young people not adequately safeguarded. When sharing information, it is important that only relevant information is shared and that it is proportionate. |
Child Safeguarding Practice Reviews |
The purpose of reviews of serious child safeguarding cases, at both local and national level, is to identify improvements to be made to safeguard and promote the welfare of children. Learning is relevant locally, but it has a wider importance for all practitioners working with children and families and for the government and policy makers. Understanding whether there are systemic issues, and whether and how policy and practice need to change, is critical to the system being dynamic and self-improving. Reviews should seek to prevent or reduce the risk of recurrence of similar incidents. Locally, safeguarding partners must make arrangements to identify and review child safeguarding cases which in their view, raise issues of importance in relation to their area. They must commission and oversee the review of those cases where they consider it appropriate for a review to be undertaken. Serious child safeguarding cases are those in which:
Reviews are about promoting and sharing information about improvements, both within the area and potentially beyond and they should be published on their completion. |
Section 47 (Children Act 1989) |
Local authorities are required by Section 47 of the Children Act 1989 to make enquiries where an assessment raises concerns that a child may be suffering, or likely to suffer, significant harm. This process requires a social worker to lead the S47 enquiry with the support of the police, health professionals, teachers and other relevant professionals as part of a multi-agency assessment. The social worker must contact the other agencies involved with the child to inform them that a Section 47 Enquiry has been initiated and to seek their views. Information sharing among partners is essential to ensure all relevant information is known and considered at the conference where decisions are made regarding the child. |
Section 17 (Children Act 1989) |
Section 17 of the Children Act 1989 imposes a general duty on Local Authorities to Safeguard and Promote the Welfare of Children who are ‘in need’ and to promote the upbringing of such children by their families by providing a range and level of services appropriate to those children’s needs. Other agencies have a duty to co-operate with Social Care in carrying out their duty to assess the needs of children and to provide services as necessary. |
Local Authority Designated Officer (LADO) |
The LADO role focuses on concerns raised about adults in positions of trust who work with children. Their responsibilities include:
Information sharing between partners is a vital part of ensuring that concerns are reported, all relevant information is collated, and risk assessments can be carried out to ensure safeguarding measures are in place. |
It should be noted that the above list is not exhaustive but any data sharing for Safeguarding Children purposes will still fall under this agreement.
There is a duty on Local Authorities under the Children and Families Act 2014 and the Care Act 2014 to assure a safe transition from Children’s to Adult Services. Where there are ongoing safeguarding concerns or needs for a young person and it is anticipated that on reaching 18 years of age, they are likely to require adult safeguarding support, the relevant arrangements should be discussed as part of the transition and the appropriate information must be shared.
17 Dissemination, monitoring and review of the agreement
This protocol will be shared with all signatories, processors and relevant parties for the purpose of upholding the principles of this agreement.
It is intended that this overarching Tier 1 Data Sharing Agreement contains high level principles and partner commitments only. It will therefore be reviewed every annually to establish if the sharing remains necessary, still operates as intended and, has or is, achieving the intended benefits, unless legislative changes or other significant changes require immediate action. The monitoring and review of this protocol will be undertaken by members of the Executive Safeguarding Partnership Board.
Subject to there being no significant changes, the agreement may be extended by a further year without seeking further approval or new signatures. However, any significant changes will require the full approval process.
In the event that this Tier 1 Agreement is not renewed or is otherwise withdrawn, it is incumbent on the parties to amend their records accordingly and to communicate the status of the agreement within their respective organisations to interested parties and the wider public as necessary. The obligations of confidentiality imposed on the Parties by this Agreement shall continue in full force and effect after the expiry or termination of this Agreement.
18 Signatories
If this Data Sharing Agreement is published to a system that manages signatures/agreement, then this section can be removed.
Each organisation should identify who is the most appropriate post holder within their agency to sign the DSA having taken account of their organisational policy and the fact that the signatory must have delegated responsibility to commit their agency/organisation to the agreement. Additionally, each agency will be asked to identify the post which is responsible on a day-to-day basis for monitoring compliance with this DSA.
By signing this DSA, all signatories acknowledge and accept the requirements placed upon them and others within their organisations by the DSA and their responsibilities under data protection legislation. A decision needs to be made if the signatory is a list of organisations all signing one document in turn, or if a single organisational signature is collected per copy of the DSA, with a central point of collection and maintained list of signatories.
1. Signed on behalf of: |
Name: Detective Super Intendent John Massey |
Role: Head of Crime and Vulnerability | Cambridgeshire Constabulary |
Signature: Email Confirmation (Virtual sign off) |
Date signed: 13 May 2024 |
Person/Post which is responsible on a day-to-day basis for monitoring compliance with this DSA: |
2. Signed on behalf of: |
Name: John Gregg |
Role: Executive Director Children and Young People’s Service, Peterborough City Council |
Signature: Email Confirmation (Virtual sign off) |
Date signed: 16 May 2024 |
Person/Post which is responsible on a day-to-day basis for monitoring compliance with this DSA: |
3. Signed on behalf of: |
Name: Carol Anderson |
Role: Chief Nursing Officer |
Signature: Email Confirmation (Virtual sign off) |
Date signed: 16 May 2024 |
Person/Post which is responsible on a day-to-day basis for monitoring compliance with this DSA: |
4. Signed on behalf of: |
Name: Martin Purbrick |
Role: Executive Director for Children, Education and Families, Cambridgeshire County Council |
Signature: Email Confirmation (Virtual sign off) |
Date signed: 20 May 2024 |
Person/Post which is responsible on a day-to-day basis for monitoring compliance with this DSA: |
Appendix 1 – Glossary of terms
Term | Definition |
|---|---|
Ad-hoc data sharing | Information sharing outside a formal meeting or system, often on a one-off basis. |
Appropriate Policy Document (APD) | An appropriate policy document is a short document outlining your compliance measures and retention policies. It is required under the Data Protection Act 2018 for some of the conditions documented in Schedule 1 (Part 1, 2 and 3). |
Caldicott Guardian | A senior person responsible for protecting the confidentiality of people’s health and care information and making sure it is used properly. All NHS organisations and local authorities which provide social services must have a Caldicott Guardian. Further, guidance has been issued under the Health and Social Care (National Data Guardian) Act 2018 that recommends “other organisations providing services as part of the publicly funded health service, adult social care, or adult carer support” should have a Caldicott Guardian by 30/06/2023: https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1013756/Caldicott_Guardian_guidance_v1.0_27.08.21.pdf |
Common law duty of confidentiality | The common law duty of confidentiality is not codified; it is based on previous judgements in court. Whilst various interpretations of the common law may be possible it is widely accepted that, where information which identifies individual service users is provided and held in confidence, disclosure may only be justified in one of three ways:
(source: Health and Social Care (Control of Data Processing) Act (Northern Ireland) 2016, Explanatory Note, Common Law Duty of Confidentiality) |
Consent | Consent under Data Protection Law is defined as any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her. |
Criminal Offence Data | Includes personal data relating to the alleged commission of offences by the data subject, or proceedings for an offence committed or alleged to have been committed by the data subject or the disposal of such proceedings, including sentencing. |
Data | The use of data in this document must be understood as information which may refer to non-identifiable or identifiable data. It will be specified if it refers to personal data. |
Data Controller / Joint Controller | The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. |
Data Protection Act (DPA) 2018 | The DPA 2018 sits alongside and supplements the UK GDPR. |
Data Protection Impact Assessment (DPIA) | A process to help you identify and minimise the data protection risks related to processing of personal data. A DPIA is legally required in some circumstances. |
Data Protection Officer (DPO) | The primary role of the data protection officer (DPO) is to ensure that their organisation processes the personal data of its staff, customers, providers or any other individuals (also referred to as data subjects) in compliance with the applicable data protection rules. |
Data Subject | The individual to whom the data being processed relates and is identified/identifiable by that data. |
Data Sharing | Data sharing as used within this document can be understood as sharing of personal data. |
Data Sharing Agreement (DSA) | Terminology can vary (Data Sharing Protocol, Data Sharing Contract, Personal Data Sharing Agreement) but can be used interchangeably in the guidance. A DSA can be used between sharing partners (Controllers) to help demonstrate compliance with the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, the common law duty of confidentiality and other relevant laws. It should help you justify your data sharing, clarify responsibilities of the sharing partners and set agreed parameters for the use of data. |
European Economic Area (EEA) | The EEA includes EU countries and Iceland, Liechtenstein, and Norway. The UK has adequacy regulations in place about these countries (expected to last until 27 June 2025). |
Information | The use of information in this document must be understood as organised data providing context which may refer to non-identifiable or identifiable data. It will be specified if it refers to personal data. |
Information Commissioner’s Office (ICO) | The UK’s independent body set up to uphold information rights. |
Law Enforcement Processing | Processing (including sharing) of personal data by competent authorities (for definition click here) for a Law Enforcement Purpose. |
Law Enforcement Purposes | As defined by Section 31 Data Protection Act 2018 – the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (for details click here). |
Legal gateway | Legislation and common law that establishes justifiable grounds for the processing of personal data. |
Local Authority (LA) | An LA is a local government organisation responsible for the administration of government policy at a local level. |
Means [of processing] | Actions taken in the processing of data to achieve the purpose(s) for its processing i.e. how the data is processed but can also be considered to extend to what data is used to achieve the purpose(s). |
Multi-Agency Safeguarding Hub (MASH) | The Multi-Agency Safeguarding Hub (MASH) brings key professionals together to facilitate early, better quality information sharing, analysis, and decision-making, to safeguard vulnerable children and young people more effectively. |
Personal data | Data that relates to a living identified or identifiable individual. |
Processor | A natural or legal person, public authority, agency, or other body which processes personal data on behalf of the controller. |
Public task | You can rely on this lawful basis if you need to process personal data:
|
Purpose(s) [of processing] | Reasons to process personal data. |
Secure File Transfer Protocol (SFTP) | A protocol for securely accessing and transferring large files across the web. |
Special Category Data | Data pertaining to an identified or identifiable individual that reveals their racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation. |
Tier 1 DSA | In this document Tier 1 Data Sharing Agreement can be understood as an overarching Multi Agency Safeguarding Data Sharing Agreement which can be used by all agencies and organisations within the relevant geographical area to provide a framework for data sharing between the partners. Sometimes Tier 1 Agreements are referred to as: Overarching DSA, Data Sharing Protocol, Data Sharing Charter, and others. |
Tier 2 DSA | In this document a Tier 2 Data Sharing Agreement can be understood as a more operational document setting out the purpose of data sharing for a specific initiative, detailing what happens to the data at each stage, setting specific standards and helping all the parties involved in sharing to be clear about their roles and responsibilities. |
UK Data Protection Legislation | For the purpose of this template/guidance the UK data protection legislation means the UK GDPR and the DPA 2018 and regulations made under the DPA 2018 which apply to a party relating to the use of personal data. |
UK General Data Protection Regulation (GDPR) | Legislation that determines lawful and unlawful use of individuals’ data, and places requirements on those processing data, to ensure appropriate use and adequate protections. |
Appendix 2 – Information sharing checklist
By sharing information, we work better together, and this Tier 1 Children Safeguarding Data Sharing Agreement encourages the appropriate sharing of personal information between the relevant agencies. If you cannot identify an individual from the information you are planning to share, then you are free to share. However, if the information identifies an individual, please use this checklist to help you determine that it is safe to share information. Here is a simple flow chart of what you will need to do to go from having concerns about sharing data to sharing data legally and securely with confidence.
Routine Information sharing checklist (e.g. monthly, routine data sharing of specific indicators)
Why is the information needed?
What is the purpose for sharing the relevant information, think about the purpose for individuals, your organisation and the wider public.
What information is needed?
Be specific and descriptive, consider how often it is required.
What organisation can provide the information?
Have you explored if the information is available already, maybe in other parts of your organisation. Have you spoken to a counterpart in the potential sharing organisation who can advise you on what information is available and how often.
Have you completed a Data Protection Impact Assessment (DPIA)?
Be aware that a DPIA is likely to be a legal requirement. Complete it before you start processing any data.
How will it be transferred?
Consider your options and assess the risk of those. Transfers must be safe and secure, consult with your technical teams for more complex digital solutions (e.g., data transfer system to system or via Secure File Transfer Protocol [SFTP]).
Where will it be held?
Consider your options and assess the risk of those. Any information must be held safe and secure, consult with your technical teams for more complex digital solutions.
Are you sure the information is accurate and not misleading?
Take all reasonable steps to ensure the personal data you hold is not incorrect or misleading. If you discover that personal data is incorrect or misleading, you must take steps to correct or erase it as soon as possible. Carefully consider any challenges to the accuracy of personal data.
How will you process it?
Define what solutions are available to process the information (e.g., data warehouse, modelling, risk scoring, manual usage to inform cases), work closely with the relevant teams (e.g., analytics, IT, ethics).
How long will you keep it?
Follow your internal retention policy and establish how long you need the information. Include any potential outcome products and long-term requirements to hold the data.
How will you delete the data?
Follow your internal records retention or data destruction policy to assure safe destruction of the information you hold. Consider the method depending on your storage solution to allow for safety of destruction.
Ad-hoc Information sharing checklist (e.g. sharing ad-hoc during corridor conversation)
Why is the information needed?
What is the purpose for sharing the relevant information, think about the purpose for individuals, your organisation and the wider public.
What information is needed?
Be specific and descriptive, consider what information is necessary and relevant.
Is it fair to share in this way?
Consider less intrusive ways of fulfilling your purpose or reach your objectives and consider what individuals are expecting to happen to their data.
What are the benefits and what are the risks?
Balance the benefits for an individual and/or the public against the risks of harm it could cause.
Where does the information originate from, does the source organisation need to be consulted?
Consider who is best placed to assess disclosure decisions around the risk of causing harm (e.g. interference with a police investigation, disclosure of details not knows to the recipient (adopted child).
What needs to be done to transfer the information securely?
What technical and organisational measures are appropriate to ensure the security of the data.
Am I being transparent about information sharing?
Consider what you have to tell people about sharing their data and how you will communicate that information in a way that is concise, transparent, easily accessible and uses clear and plain language.
Check your organisational policies and procedures
What policies and processes around sharing are in place and what guidance must be considered.
Ask for help to make disclosure decisions
Consult colleagues, managers and Caldicott Guardians if you are unsure about sharing information.
Document your decision
Document your decision as appropriate.
Appendix 3 – Applicable Legislation
| Relevant Act | Relevant Section | Content | Partners the Legislation is relevant for | Adults or Children |
| Care Act 2014 | Section 1 | Duty on Local Authorities to promote an individuals well-being including: (a)personal dignity (including treatment of the individual with respect); with regard to a number of matters including | Local Authority | Adults Children |
| Care Act 2014 | Section 2 | The Local Authority must prevent needs for care and support by arranging for the provision of services, facilities or resources, or take other steps. | Local Authority | Adults Children |
| Care Act 2014 | Section 3 | Places a duty on local authorities to carry out their care and support functions with the aim of integrating services with those provided by the NHS or other health-related services. | Local Authority, Police, Health | Adults Children |
| Childcare Act 2006 | Section 1 | General duties of local authority in relation to well-being of young children including the improvement of well-being of young children in the local authority area, and reduce inequalities between young children in their area in relation to the matters as follows: (a)physical and mental health and emotional well-being; | Local Authority | Children |
| Childcare Act 2006 | Section 3 | Describes specific duties of local authority in relation to early childhood services. The authority must make arrangements to secure that early childhood services in their area are provided in an integrated manner which is calculated to- (a) Facilitate access to those services, and (b) maximise the benefit of those services to parents, prospective parents and young children. | Police, Local Authority | Children |
| Children (Leaving Care) Act 2000 | The main purpose of the Children (Leaving Care) Act is to improve the life prospects of young people who are looked after by Health and Social Care Trusts as they make the transition to independent living. To do this it amends the Children Act 1989 (c.41) to place a duty on local authorities to assess and meet need. The responsible local authority is under a duty to assess and meet the care and support needs of eligible and relevant children and young people and to assist former relevant children, in particular in respect of their employment, education and training. | Local Authority | Children | |
| Children Act 1989 | Part 3 | Each local authority has a duty to “safeguard and promote the welfare” of children who are assessed as being in need. A child is deemed as “in need” if they are disabled or unlikely to achieve a reasonable standard of health or development unless services are provided. s17 (General duty of local authority to safeguard and promote welfare of children in their area who are in need) s27 (local authority ability to request help and assistance in complying with the s17 duty from other authorities and corresponding duty to comply with such a request) s47 (Local authority duty to investigate where there is reasonable cause to suspect that a child who lives, or is found, in their area is suffering, or is likely to suffer, significant harm) s1(1) of Schedule 2 (Duty of local authority to take reasonable steps to identify the extent to which there are children in need within their area) | Local Authority, Police, Health, ICB | Children |
| Children Act 2004 | Section 10 | Each local authority must make arrangements to promote co-operation between partners (including the CCG, Police, Schools and other) to improve the well-being of children including: (a)physical and mental health and emotional well-being; (b)protection from harm and neglect; (c)education, training and recreation; (d)the contribution made by them to society; (e)social and economic well-being. | Local Authority, ICB, Police, schools | Children |
| Children Act 2004 | Section 11 | This duty does not give agencies any new functions, nor does it override their existing ones, it simply requires them to carry out their existing functions in a way that takes into account the need to safeguard and promote the welfare of children. In order to safeguard, all staff in contact with children are aware of the most effective ways of sharing information and understand what to do if they believe a child and family require targeted or specialist services in order to achieve their optimal outcomes. All staff in contact with children understand when to share information and what to do if they believe that a child may be in need, including those children suffering or at risk of significant harm. Arrangements to safeguard and promote welfare (this section applies to partners including the CCG, Police and Schools). | Local Authority, ICB, Police, schools | Children |
| Children Act 2004 | Section 16H | Safeguarding partners for local authority areas, 16H Information (1)Any of the safeguarding partners for a local authority area in England may, for the purpose of enabling or assisting the performance of functions conferred by section 16E [Local arrangements for safeguarding and promoting welfare of children] or 16F [Local child safeguarding practice reviews], request a person or body to provide information specified in the request to— (a)the safeguarding partner or any other safeguarding partner for the area, (b)any of the relevant agencies for the area, (c)a reviewer, or (d)another person or body specified in the request. (2)The person or body to whom a request under this section is made must comply with the request. (3)The safeguarding partner that made the request may enforce the duty under subsection (2) against the person or body by making an application to the High Court or the county court for an injunction. (4)The information may be used by the person or body to whom it is provided only for the purpose mentioned in subsection (1). | LA and all relevant Safeguarding partners (statutory and non-statutory) | Children |
| Children and Family Act 2014 | Section 23 & 25 | The Children and Families Act 2014 makes provision to reform the law relating to care and support for children with special educational needs or a disability. Section 23 places a duty on health bodies to bring certain children to local authority’s attention, where the health body has formed the opinion that the child has (or probably has) special educational needs or a disability. Section 25 places a duty on a local authority to exercise it’s functions with a view to ensuring the integration of educational provision, training provision with health care provision and social care provision where it thinks that this would – promote the well-being of children or young people in its area who have special education needs or a disability, or improve the quality of special educational provision in its area or outside its area for children it is responsible for who have special educational needs. | Health bodies and local authorities | Children |
| Common law duty of confidentiality | Data subjects are informed of their data being collected for these purposes through privacy notices and the publication of privacy impact assessments and are able to raise concerns. Data would not be shared unless it is shown to be a legal duty or substantial public interest. Data will not be shared without the data subject’s general knowledge unless there is a justifiable reason not to disclose. | Local Authority and all relevant sharing partners | Adults Children | |
| Counter Terrorism and Security Act 2015 | Section 38 | Co-operation (1) The partners of a panel must, so far as appropriate and reasonably practicable, act in co-operation with— (a) the panel in the carrying out of its functions; (b) the police in the carrying out of their functions in connection with section 36. (2) The partners of a panel are the persons and bodies specified in Schedule 7. (3) The duty of a partner of a panel to act in co-operation with the panel— (a) includes the giving of information (subject to subsection (4)); (b) extends only so far as the co-operation is compatible with the exercise of the partner’s functions under any other enactment or rule of law. (4) Nothing in this section requires or authorises the making of— (a) a disclosure that would contravene the Data Protection Act 1998; (b) a disclosure of any sensitive information. | Local Authority, Police, Probation, Education, Youth offending team, NHS Trust | Adult Children |
| Counter-Terrorism and Boarder Security Act 2019 | The Counter Terrorism and Security Act 2015 places a duty on “specified authorities” to have “due regard to the need to prevent people from being drawn into terrorism”. Specified authorities include County and District/Borough Councils, Schools; Police; National Probation Service and Community Rehabilitation Companies; NHS Trusts and NHS Foundation Trusts. | Local Authorities, Police, Schools, National Probation Service, NHS Trusts. | Adults Children | |
| Crime and Disorder Act 1998 | Section 115 | Disclosure of information. (1)Any person (educational settings) who, apart from this subsection (e.g. LA & Police), would not have power to disclose information— (a)to a relevant authority; or (b)to a person acting on behalf of such an authority, shall have power to do so in any case where the disclosure is necessary or expedient for the purposes of any provision of this Act. | Police, Health, Local Authority | Adults Children |
| Crime and Disorder Act 1998 | Section 17 | Duty on authorities to consider crime and disorder implications by doing what it reasonably can to prevent: (a)crime and disorder in its area (including anti-social and other behaviour adversely affecting the local environment); and | Police, Local Authority | Adults Children |
| Crime and Disorder Act 1998 | Section 37 | 37Aim of the youth justice system. (1)It shall be the principal aim of the youth justice system to prevent offending by children and young persons. (2)In addition to any other duty to which they are subject, it shall be the duty of all persons and bodies carrying out functions in relation to the youth justice system to have regard to that aim. | Police, Local Authority | Adults Children |
| Criminal Justice Act 2003 | Section 325 | The responsible authority for each area must establish arrangements for the purpose of assessing and managing the risks posed in that area by— (a)relevant sexual and violent offenders, and (b)other persons who, by reason of offences committed by them (wherever committed), are considered by the responsible authority to be persons who may cause serious harm to the public. (3)In establishing those arrangements, the responsible authority must act in co-operation with the persons specified in subsection (6); and it is the duty of those persons to co-operate in the establishment by the responsible authority of those arrangements, to the extent that such co-operation is compatible with the exercise by those persons of their [F2relevant functions]. (4)Co-operation under subsection (3) may include the exchange of information. | Police, Local Authority, Health | Adults Children |
| Digital Economy Act 2017 | Part 5, Section 35 | Part 5 of the Digital Economy Act 2017 comprises seven ‘Chapters’, designed to improve the sharing of publicly held information for specific purposes: Part five is supporting research for the public good. The power allows specified bodies (which includes private bodies who provide a service to a public authority) to share personal information for objectives which are set out in regulations, with four objectives. One of which is ‘Addressing ‘multiple disadvantage’. Schedule four of this act is the Public service delivery – specified persons for the purpose of section 35. Specified persons are: Local Authorities, Schools, Jobcentre Plus, Police, Fire, HM Revenue and Customs and Service Providers | Local Authority, Schools, Police (non Health) | Children |
| Domestic Abuse Statutory Guidance July 2022 | Section 248 | Police notify schools about all domestic abuse incidents before the start of the next school day so that appropriate… | Police, Local Authority, Educational Settings | Children |
| Domestic Abuse Statutory Guidance July 2022 | Section 439 | …everyone who works with children has a responsibility for keeping them safe and that multi-agency working and information sharing is essential to ensure that children and families receive the right help at the right time. | Police, Local Authority, Educational Settings | Children |
| Domestic Abuse Statutory Guidance July 2022 | Section 443 | For multi-agency working to be effective, all agencies must work with a clear and common focus. For this to be achieved partnerships should: … Share information in a way that is timely, proportionate, legal, and safe. | Police, Local Authority, Educational Settings | Adults Children |
| Domestic Abuse Statutory Guidance July 2022 | Section 445 | Effective and meaningful multi-agency work relies heavily on timely and appropriate, while lawful, information sharing, ensuring all agencies have the necessary information to participate materially in meetings and make informed decisions. | Police, Local Authority, Educational Settings | Adults Children |
| Domestic Violence Crime and Victims Act 2004 | Section 9 | Domestic Homicide Reviews (DHRs) were established on a statutory basis under Section 9 of the Domestic Violence, Crime and Victims Act (2004). The provision came into force on 13 April 2011; responsibility for undertaking DHRs lies with the Community Safety Partnership (CSP) within the victims area of residence (where the victim’s area of residence is not known, the CSP lead responsibility will relate to the area where the victim was last known to have frequented as a first option and then considered on a case by case basis). | Police, Local Authority, Probation, NHS Trusts | Adult Children |
| Education (Independent Schools Standards) (England) Regulations 2003 | Schedule ‘The Independent Schools Standards, Section 3 | Independent schools only, including academies and CTCs) Welfare, health and safety of pupils (2) The school shall draw up and implement effectively a written policy to— (b)safeguard and promote the welfare of children who are pupils at the school, which complies with DfES Circular 10/95 “Protecting Children from Abuse: the Role of the Education Service”; | Educational Settings, Local Authorities through DfES (guidance only) | Children |
| Education Act 1996 | Part 9, Chapter 4 | Various duties including ‘Duty to make arrangements to identify children not receiving education’ Requirement to provide information – Part 9, Chapter 4 | Educational Settings | Children |
| Education Act 2002 | Section 175 | Duties in relation to welfare of children The safeguarding duties” are— | Educational Settings, Local Authorities | Children |
| Education Act 2002 | Section 157 | Independent schools only, including academies and CTCs) (1)For the purposes of this Chapter, regulations shall prescribe standards about the following matters— | Educational Settings | Children |
| Education and Skills Act 2008 | Section 68 | Providian of support services by local authorities to support for participation in education or training, young adult with learning difficulties and young people in England | Local Authority, Educational Setting | Adults Children |
| Health & Social Care Act 2012 | Section 195 | Section 195: (contains guidance about) specific duties of co-operation, including creating a Health and Wellbeing Board, which must, for the purpose of advancing the health and wellbeing of the people in its area, encourage persons who arrange for the provision of any health or social care services in that area to work in an integrated manner. | All commissioners and providers of health and care services. | Adults Children |
| Health and Social Care (Quality & Safety) Act 2015 | Section 3 | Section 3 (1),(2)(a)(b): (1) This section applies in relation to information about an individual that is held by a relevant health or adult social care commissioner or provider (“the relevant person”). (2) The relevant person must ensure that the information is disclosed to (a)persons working for the relevant person, and (b)any other relevant health or adult social care commissioner or provider with whom the relevant person communicates about the individual. | All health providers and adult social care providers | Adults Children |
| Health and Social Care (Quality & Safety) Act 2015 | Section 251B | Local authorities must share information about patients for whom they are responsible with other health and social care organisations involved in their care. (There are various carve outs.) Note that this provision does not enable the sharing of data that breaches the Data Protection Act 1998, the common law duty of confidence or the common law duty of care. | All health providers and adult social care providers | Adults Children |
| Immigration and Asylum Act 1999 | Section 20 | Immigration and Asylum Act 1999 • To undertake the administration of immigration controls to detect or prevent criminal offences under the Immigration Act; • To undertake the provision of support for asylum seekers and their dependents. | Public Authority | Adults Children |
| Local Government Act 2000 | Section 2 | This gives local authorities ‘a power to do anything which they consider is likely to achieve any one or more of the following objectives’: (a) The promotion or improvement of the economic well-being of their area (b) The promotion or improvement of the social well-being of their area (c) The promotion or improvement of the environmental well-being of their area Section 3 is clear that local authorities are unable to do anything (including sharing information) for the purposes of the well-being of people – including children and young people – where they are restricted or prevented from doing so on the face of any relevant legislation, for example, the Human Rights Act, the Data Protection Act or by the common law duty of confidentiality. | Local Authority | Adults Children |
| Localism Act 2011 | The Localism Act includes a ‘general power of competence’. It gives local authorities the legal capacity to do anything that an individual can do that is not specifically prohibited. The new, general power gives councils more freedom to work together with others in new ways to drive down costs. It gives them increased confidence to do creative, innovative things to meet local people’s needs. Councils have asked for this power because it will help them get on with the job. The general power of competence does not remove any duties from local authorities – just like individuals they will continue to need to comply with duties placed on them. | Local Authority | Adults Children | |
| National Health Service Act 1977 | Section 22 | Co-operation between health authorities and local authorities. (1) In exercising their respective functions NHS bodies (on the one hand) and local authorities (on the other) shall co-operate with one another in order to secure and advance the health and welfare of the people of England and Wales. In this section “NHS body” means— (za) a Strategic Health Authority; (a) a Health Authority; (b) a Special Health Authority; (d) an NHS trust.] | Health bodies and local authorities | Adults Children |
| National Health Service Act 2006 | Part 3, Section 82 | Places a duty on NHS bodies and local authorities to co-operate with one another in order to secure and advance the health and welfare of the people of England and Wales. | Health bodies and local authorities as commissioners and providers of health and care and services, and those commissioned to provide those services | Adults Children |
| Social Security (Information Sharing in Relation to Welfare Services etc.) Regulations 2012 | Section 131(3) | To be read in conjunction with the Welfare Reform Act 2012, it enables specific sharing of data held by a ‘qualifying individual’ to the ‘qualified individual’ responsible for the Supporting Families programme. Section 131(3) states that a qualifying person who holds relevant information for a prescribed purpose relating to welfare services, council tax or housing benefit may— (a)use the information for another prescribed purpose relating to welfare services, council tax or housing benefit; (b)supply it to another qualifying person for use in relation to the same or another prescribed purpose relating to welfare services, council tax or housing benefit. | Local Authority to Local Authority sharing (including internal sharing) | Adults Children |
| Welfare Reform Act 2012 | Section 131 | Information -sharing in relation to welfare services (including the Local Authority and Schools) and for proscribed purposes relating to welfare services. Section 131 restores and widens powers for the DWP to share information with local authorities in relation to welfare services and section 134 allows for longer term data sharing powers between DWP, their service providers and local authorities in particular to those working with troubled families and their in work and out of work benefits. | Local Authority, Educational Setting, DWP | Adults Children |
Appendix 4 – Partners to this agreement
Organisation | Address | ICO registration number | Contact person | Contact details |
NHS Cambridgeshire and Peterborough ICB | Gemini House, Ely, CB7 4EA | Carol Anderson | ||
Cambridgeshire Constabulary | Hinchingbrooke Park, Huntingdon, PE29 6NP | Detective Chief Superintendent John Massey | ||
Peterborough City Council | 1st Floor Sand Martin House, Bittern Way, Fletton Quays, Peterborough PE2 8TY | John Gregg | ||
Cambridgeshire County Council | New Shire Hall, Emery Crescent, Enterprise Campus, Alconbury Weald, Huntingdon, PE28 4YE | Martin Purbrick | ||