Suffolk Information Partnership

Information Sharing and Warm Handovers

Data Exchange Agreement

February 2014

CONTENTS

PARTIES

1 BACKGROUND AND CONTEXT

1.1 Context

1.2 Scope

2 LEGAL REQUIREMENTS FOR THIS DEA

3 INFORMATION SHARING GOVERNANCE

3.1 The Suffolk Information Partnership Board

3.2 Future Membership

3.3 Monitoring and Review Procedures

4 WARRANTIES

4.1 Warranties and Undertakings

4.2 Breach of this DEA

4.3 Indemnity

4.4 Security breaches

5 DATA SPECIFICATION AND DATA HANDLING ARRANGEMENTS

5.1 Categories of data for exchange

5.2 How the data will be used

5.3 Client consent

5.4 Data transfer, security, storage, retention and destruction

5.5 Release of data to third parties

5.6 Resource implications

6 TERMINATION

PARTIES TO THIS AGREEMENT AND SIGNATORIES

PARTIES

The parties to this Data Exchange Agreement (DEA), known as the Suffolk Information Partnership (SIP), are, as of February 2014 (updated June 2017):

(1) Access Community Trust

(2) Age UK Suffolk

(3) Avenues East

(4) Citizens Advice North East Suffolk

(5) Customer First, Suffolk County Council

(6) Ipswich Citizens Advice

(7) Local Area Coordinators, Public Health, Suffolk County Council

(8) Lofty Heights

(9) Orbit Care and Repair

(10) Papworth Trust

(11) Sue Ryder

(12) Suffolk County Council (Adult and Community Services)

(13) Suffolk Family Carers

(14) Suffolk Fire and Rescue Service Prevention Team

(15) Suffolk Libraries

(16) Suffolk Mind

(17) Survivors in Transition

(18) Trading Standards

(19) Warm Homes, Healthy People

1 BACKGROUND AND CONTEXT

1.1 Context

1.1.1 The aim of this DEA is for the above-named organisations to work effectively and efficiently together, sharing appropriate and relevant personal information about a customer between the SIP organisations within a secure framework, to ensure co-ordinated care for that customer.

1.1.2 The aim of this DEA is to benefit the customer so that they only have to tell their story once and are confident that their personal information is secure.

1.1.3 All the SIP organisations recognise that the initial legal responsibility for personal information resides with the organisation that first created or received it. But if personal information is shared, the responsibility extends to the recipient in the receiving organisation regardless of how transitory the storage of the personal information by the receiving organisation might be.

1.2 Scope

1.2.1 This DEA:

a) provides a framework for the secure and confidential sharing of personal information between the SIP organisations on a “need to know” basis to create a joined up care and support experience for the customer;

b) describes roles and structures to support the exchange of personal information between the SIP organisations;

c) applies to the sharing of personal information relating to residents of Suffolk and others who are service users;

d) applies to the sharing of personal information whatever the medium in which it is held and however it is transmitted;

e) is designed to ensure that service users are informed of the reasons why personal information about them may need to be shared and how this sharing will be managed;

f) applies to the activities of the SIP organisations’ personnel;

g) describes how complaints from service users relating to personal information sharing between two or more SIP organisations will be investigated and resolved.

1.2.2 This DEA only relates to referrals, where a customer (or carer, family member, etc.) is already known to a SIP organisation or has contacted them to access their services. Their details will be logged on the SIP organisation’s customer database and consent given to hold these details. If a SIP organisation feels that a customer needs further support or would benefit from services provided by another SIP organisation they will seek the customer’s consent to pass on personal information to the new SIP organisation to enable that organisation to contact the client.

1.2.3 This DEA is not applicable to signposting enquiries where a SIP organisation passes on service information and contact details to the customer to follow up themselves.

2 LEGAL REQUIREMENTS FOR THIS DEA

a) Data Protection Act 1998

b) Information Commissioner’s Data Sharing Code of Practice, May 2011

c) Information Sharing: Guidance for practitioners and managers. Department for Children, Schools and Families and Communities and Local Government, 2008

3 INFORMATION SHARING GOVERNANCE

3.1 The Suffolk Information Partnership Board

3.1.1 The Suffolk Information Partnership Board (SIPB) will ensure operational compliance with this DEA and review any issues (see paragraph 3.3.1 below) arising from the operation of the DEA.

3.2 Future Membership

3.2.1 The intention of the SIPB is that membership will increase to include other voluntary, statutory and community organisations. Potential SIP members will be required to agree to become a signatory to this DEA prior to joining the SIP.

3.3 Monitoring and Review Procedures

3.3.1 This DEA will be reviewed annually from the date of its commencement. It will be the responsibility of the Chair of the SIPB to arrange such reviews.

3.3.2 The use and effectiveness of this DEA will be evaluated in a number of ways:

a) Staff in each SIP organisation will be required to log and report any issues which they believe are not in accordance with this DEA. Reports of potential and actual data breaches will be included in the annual review process;

b) Complaints received by SIP organisations about personal information sharing will be analysed to determine whether they relate to a breach or breakdown of this DEA;

c) Complaints will be managed through each of the SIP organisation’s complaints procedures.

3.3.3 Interim reviews of this DEA may, however, be carried out at the specific request of either the Chair of the SIPB or the SIP organisation.

4 WARRANTIES

4.1 Warranties and Undertakings

4.1.1 Each SIP organisation warrants to the other SIP organisations that:

a) it has a Data Protection Policy

b) it has full power and authority to enter into and perform this DEA and when signed on behalf of each SIP organisation this DEA will constitute binding obligations on that organisation in accordance with the terms of this DEA; and

c) the SIP organisation’s signatory is duly authorised to sign this DEA on behalf of its organisation

4.1.2 Each SIP organisation undertakes to the other organisations to:

a) ensure that it complies with the statutory obligations and relevant national guidance set out in 2 above;

b) ensure that its staff adhere to the principles and procedures set out in this DEA;

c) ensure that a complaints procedure, confidentiality policy and procedures, risk assessment procedure and ‘whistle blowing’ procedure are all in place;

d) ensure that all staff have access to appropriate training and development activities to enable them to comply with the procedures laid down in this DEA, including for example but not limited to, the correct processes and procedures for obtaining consents from individuals and the circumstances when consent is not required;

e) provide evidence to the SIPB upon becoming a signatory to this DEA, that agreed procedures and structures have been implemented;

f) acknowledge the professional judgement of the referring SIP organisation to the customer’s needs.

4.2 Breach of this DEA

4.2.1 Breaches of this DEA shall include but not be limited to the following:

a) Any breach of the warranties and undertakings in paragraph 4.1.1

b) Disclosure of personal information to individuals who do not need to know the personal information concerned

c) Inadequate security arrangements and/or the inappropriate use of such arrangements

d) Disregard for or breach of the procedures agreed in this DEA

e) Inappropriate or inadequate use of the procedures in this DEA

f) Failure to respond as required by this DEA within a reasonable time to a request for personal information from another SIP organisation

g) Failure to conduct a risk assessment before a disclosure without consent

h) Failure to accurately record such a risk assessment.

4.3 Indemnity

4.3.1 Each party will fully indemnify the SIPB for all direct and indirect losses, damages, costs, expenses, liabilities, claims or proceedings, whether these arise under statute or common law, (together referred to as 'the losses') which it suffers as a result of any negligence, default or breach of statutory duty on the part of the SIP organisation or on the part of any individual it employs or engages to carry out its obligations in relation to the information released to it under this DEA.

4.4 Security breaches

4.4.1 Any loss of data exchanged under this DEA must immediately (within 24 hours) be reported to the Chair of the SIPB.

5 DATA SPECIFICATION AND DATA HANDLING ARRANGEMENTS

5.1 Categories of data for exchange

5.1.1 The following personal data and sensitive personal data set will be shared between the SIP organisations:

a) Name(s) of individual(s) with care needs / cared for / family carer / person who made contact with the organisation;

b) Their address and postcode;

c) Telephone number;

d) Email address;

e) Date of birth;

f) CareFirst ID (social care reference number) or NHS number (if known);

g) Relationship to individual requiring support (if appropriate);

h) Purpose of referral;

i) Other organisations or individuals providing support;

j) Permission to contact.

5.2 How the data will be used

5.2.1 The data will be used as part of the referral process to enable SIP organisations to share customers’ personal information between themselves, where they feel another SIP organisation can provide further support and services.

5.3 Client consent

5.3.1 Each SIP organisation must ask for written or verbal consent from their customers to pass on personal information to other SIP organisations;

5.3.2 If someone is acting on behalf of a customer, e.g. a family carer or family member, the SIP organisation must have verbal agreement from that person that the customer / cared for person has been spoken to and has given their consent;

5.3.3 Each SIP organisation must record on its client database that they have obtained the consent of their customer to share information with another SIP organisation(s);

5.3.4 Each SIP organisation must ensure that their customers are aware that they can choose not to give consent to their personal information being shared with another SIP organisation and that a customer may exercise his/her right to either contact the SIP organisation directly or to take no further action. In these circumstances, SIP organisations are prohibited from transferring their customer’s personal information to another organisation.

5.4 Data transfer, security, storage, retention and destruction

5.4.1 Process of transferring data:

a) If they feel it is required, a SIP organisation may make initial contact with another SIP organisation verbally by telephone, but this must be followed up by submitting an online referral form.

b) All personal data and reason for referral to be transferred securely using the online referral form. No data should be sent by unencrypted email.

c) The person originating the online referral form may request a copy which will be sent to them via a secure email.

d) The online referral form platform will send secure emails containing the referral content to a designated email address at each SIP organisation.

e) These designated mailboxes will be monitored on a daily basis during each organisation’s working hours. The person responsible for monitoring their organisation’s mailbox will forward the email contents to the appropriate member of staff or department within their organisation for further action.

f) If an organisation wishes to acknowledge the receipt of a referral from another SIP organisation they can do this by quoting the Order Number of the referral. No personal data should be included. Acknowledgements are not normally sent unless there is a good reason.

g) The staff member who has been passed the referral email will contact the customer within five working days to acknowledge that they have received their details and briefly explain what action(s) they will be taking together with a timeframe as to when the action(s) will be implemented and, if appropriate, circumstances for the timeframe (e.g. long waiting list, person on holiday – to limit unrealistic expectations).

h) If the customer has heard nothing from the organisation they have been referred to, they should contact the person they have been dealing with at the referring organisation. (Each organisation may wish to set up a system to monitor how frequently this happens.)

i) If the referral is felt to be inappropriate by the receiving organisation they will contact the referring organisation within five working days to discuss the referral.

j) SIP organisations will store referral emails securely and destroy them in accordance with their organisation’s retention and destruction policies.

k) The SIP Co-ordinator will maintain and share guidance notes on the process and instructions on using the encryption service with all SIP organisations and support them when necessary. New organisations will be given the link to the online referral form once they have agreed to and signed this DEA.

5.5 Release of data to third parties

5.5.1 The information exchanged, under this DEA, between the SIP organisations must not be passed to third parties outside the Partnership or used for commercial gain, without the explicit consent of the SIPB.

5.6 Resource implications

5.6.1 No costs will be incurred or chargeable between the SIP organisations for any data exchanged under this DEA.

6 TERMINATION

6.1 This Agreement may be terminated with immediate effect upon the agreement of both the SIPB and the SIP organisation.

PARTIES TO THIS AGREEMENT AND SIGNATORIES

Commencement date:

Between:

(1) Suffolk Information Partnership Board (SIPB)

And

(2)

Signatories to this Agreement

The exchange of data under this Agreement is authorised by:

Name:

Signature:

Job Title:

Organisation:

Date:

:

The above-named signatory is responsible for ensuring that staff involved in the operation of this Data Exchange Agreement (DEA) are aware of their obligations in this respect. The above-named signatory will be the initial point of contact for any queries in relation to this DEA.

Suffolk Information Partnership Information Sharing and Warm Handovers Data Exchange Agreement Version 2 February 2014