Dear All,
 
 Yes, Doreen is quite right.  Data Protection and "Joint up Government" are 
 dragging L.A.'s in opposite directions.  However ....
 
 1.  With the '98 Act, the Data Controller is "The Council".  This should 
 make it easier as there is less scope for the older turf wars between 
 Depts. Data is "owned" by the Council.  However, watch out for any special 
 rules for CT data and don't forget confidentiality as the old Common Law 
 duty still exists.  Your new Notification should cover sharing data around 
 the Council - as long as it is only the data needed, etc.  Of course, this 
 is all dependent on getting informed prior consent from the data subject 
 to the use of their data for a purpose other than that for which it was 
 originally supplied.  Leeds is reviewing all its application forms (try 
 defining an "application form" in your Council) with the aim of including 
 statements about use of data and,if necessary, tick lists of purposes.  
 Don't forget that most people will agree to data sharing WITHIN the 
 Council if it might be to their advantage, e.g. they might get better 
 services, more benefits, bins emptied better, etc.  Its not just about 
 stating the law.  You may need to positively sell the advantages of 
 allowing personal data to be used within the Council. (One possible 
 practical solution is to use "Chinese Walls".  If Dept. A wants data from 
 Dept. B to pursue a new initiative, B can send a letter to its clients 
 containing a message from A plus a replied paid envelope from A. If the 
 client is interested in the new service, they can reply directly to A to 
 ask for it.  That way, A has no idea who B has mailed while B has no idea 
 who replied to A. And the clients have given consent to A - providing some 
 careful thought has been given the wording of the letter and they reply 
 using a pro forma.)
 
 2.  Where there are joint initiatives involving other public sector groups, 
 the use of contracts will be vital.  A contract must cover all the rules 
 about the data to be shared, who has access, security measures, training 
 plus, naturally, strict rules about obtaining informed prior consent from 
 data subjects - where this is necessary.  Leeds already has one such 
 contract in place for joint use of a housing waiting list by both our Dept. 
 and local housing assocs.  Others are in the pipe line.
 
 3.  Where health data is concerned, it is vital to become acquainted with 
 "Caldicott Guardians" and "Caldicott Principles".  The Principles are 
 relatively simple but the Guardians - a real person in each bit of the NHS - 
 will jealously guard access to any clinical data.  This poses severe 
 problems.  E.g. we have had to go through several hoops to get hold of data 
 about 4 year olds for next September's school entries.  The practical 
 approach here is to create "Caldicott Agreements" WITH EACH PART OF THE 
 LOCAL NHS.  You have to pick them off as they are incapable of acting 
 jointly!  We have one such agreement with the local hospital trust and Soc. 
 Services to cover a Joint Care Planning Team getting little old ladies out 
 of hospital and back into the community.  (For example, where hospital staff 
 access our data, they have to follow our published Security Policy and where 
 our staff access their data, they follow the hospital's Security Policy.) So 
 find out who your "Caldicott Guardians" are and get agreement to formal 
 statements of joint working.
 
 4.  Where there are public/private sector initiatives, I dread to think 
 what we are doing.  Private sector attitudes to data protection are highly 
 variable.  In the current climate, it is difficult to give practical 
 advice.
 
 5.  However, the general principles should be clear :-
 - informed prior consent must be obtained 
 - some form of written and legally binding contract is necessary
 - make sure each side swaps their security policy (Principle 7) or even 
 agrees a joint policy
 - include staff awareness/training and get them to sign a piece of paper 
 that says "I understand and will abide by the Data Protection and other 
 rules."
 Remember you can sack you own staff but you will have to sue others if 
 there is a total #@*%$*-up. If you don't have a contract, it is difficult 
 to sue a third party.  So my advice is to actively pursue contracts in one 
 form or another and act defensively.
 
        Roger Cook
        I.T. Security Manager
        Leeds City Council

______________________________ Reply Separator _________________________________
Subject: Data Protection/Modernising Government
Author:  "Broom; Doreen" <[log in to unmask]> at Internet
Date:    17/08/00 11:28


All
Have any of your organisations given any thought to the above?
The Prime Minster wants this joined-up Government approach (I believe now by 
2005) which I foresee as a means of sharing information within organisations 
both internally and eventually externally.  This makes sense in some 
instances especially in connection with detection of fraud/crime prevention 
etc.
How do you see our roles of Data Protection Officers because on the one hand 
Mod Govt wishes to make information freely available and on the other, Data 
Protection ensures that information is only obtained for one specific 
purpose and not freely disclosed.  Really, both these agendas contradict 
each other.
I would be glad to receive any views on this. 
Doreen Broom
Data Administrator
Scottish Borders Council
Council HQ
Newtown St.Boswells
Melrose
Borders  TD6 0PX
Tel: 01835 824000 (Ext.5444)
Fax: 01835-825041
 
 
________________________________________________________________
 
This e-mail is privileged, confidential and subject to copyright. 
Any unauthorised use or disclosure of its contents is prohibited. 
The views expressed in this communication may not necessarily
be the views held by the Scottish Borders Council. 
_________________________________________________________________
 
 
 
__________________________________________________________________________
 
Please ensure that any attachments to this E-Mail are checked for viruses. 
__________________________________________________________________________

________________________________________________________________________

The information in this email (and any attachment) may be for the
intended recipient only. If you know you are not the intended recipient,
please do not use or disclose the information in any way and please
delete this email (and any attachment) from your system.
________________________________________________________________________


%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%%