Key findings - information governance
When sharing data among partners, a common set of rules and conditions should be developed. This will typically start with the ODA outlining its intentions in an information sharing strategy or charter, to which all partners sign up (this will often first be mentioned in the Memorandum of Understanding).
Many ODAs have signed a data sharing charter that recognises and respects the underlying principle of ‘a duty to share data unless there is a legal or ethical reason that prevents sharing’. This helps to standardise the information sharing approach upfront and uses it as a starting point for setting up the ODA.
The mechanism to then share information for any given data initiative will be made more specific and measurable in the form of a data sharing agreement (also known as an Information Sharing Protocol - ISP). ISPs are necessary whenever personal data is shared, but are equally recommended for the sharing of non-personally identifiable data.
A range of templates are available from the Information Commissioner's Office, as well as checklists providing a step by step guide through the process of deciding whether
to share personal data (for systematic data sharing and one-off requests).
The Office for Data Analytics (Avon and Somerset) provides templates of Tier 2 Privacy Information Assessment and Information Sharing Agreement on their website. In these documents the need to share information to meet the purpose is explained, on the basis that all signatories accept and adopt the practices defined in the overarching Information Sharing Protocol hosted by Avon and Somerset Constabulary. Therefore, the baseline security and other specified requirements are not repeated because they are detailed in the agreement.
Information sharing platforms and frameworks
One of the most compelling priorities identified by existing ODAs is to identify a space where all information agreements could be stored, providing information not only for a given dataset (who it is shared with and under what terms), but also for a given organisation (what are the datasets already shared and with whom).
Most of the ODAs we’ve interviewed are currently using or intend to use the Information Sharing Gateway (ISG), an online tool that helps create, manage, sign and store data sharing agreements. The ISG has legal gateways and privacy screening questions directly built into the tool, meaning that information sharing protocols can be completed and signed off much more rapidly and securely. In addition, it includes a sign-off request option, which allows the sending of information sharing agreements to signatories and includes a system to archive agreements and flag those that need a review.
GDPR-compliant, ISG is a step toward standardising information governance around data sharing and has already been adopted by over 1,900 organisations.
In Essex, a Whole Essex Information Sharing Framework (WEISF) is in place, providing its members with access to advice, guidance, good practice, networking and tools to support the development of local information sharing. It will lay the foundations for the further development of the Essex Centre for Data Analytics. The WEISF provides:
- An overview of all active information sharing protocols submitted to WEISF, allowing practitioners to identify existing sharing, find examples of protocols and provide transparency for citizens
- A list of agencies which are partners in the framework, linking through to their websites;
- Advice and guidance sourced from the ICO as regulators;
- Templates to simplify and standardise the completion of ISPs, flexible enough to meet partners’ needs;
- Tools and guidance to assist in increasing data management maturity