Guidance for Sharing Information without consent
Sharing personal information is essential to safeguard the individual. Article 5 of the GDPR sets out seven key principles which lie at the heart of the general data protection regime.
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
These principles should lie at the heart of your approach to information sharing (processing personal data).
The GDPR specifies what individuals have a right to be informed about when you collect and use their personal data, who you share it with and how long you keep it for. Providing this information is a key element of the principle of transparency and can also help you to build trust with clients. This form has been designed to encourage the safe, lawful and secure sharing of personal information with relevant agencies by providing a clear framework to assist and record the decision-making process.
You must ensure the information you share is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not share (or hold) more than you need for that purpose.
Purpose
You must be clear about what your purposes for processing are from the start. You need to record your purposes as part of your documentation obligations and specify them in your privacy information for clients. You can only use the personal data for a new purpose if either this is compatible with your original purpose, you get consent, or you have a clear basis in law. Reference your local Marac Operating/Information Sharing Protocol which will detail the Lawful Basis for information sharing in the Marac process.
Lawful basis
There are six available lawful bases for processing. No single basis is ’better’ or more important than the others – which basis is most appropriate to use will depend on your purpose and relationship with the individual. Most lawful bases require that processing is ‘necessary’. If you can reasonably achieve the same purpose without the processing, you won’t have a lawful basis. You must determine your lawful basis before you begin processing, and you should document it. Take care to get it right first time - you should not swap to a different lawful basis at a later date without good reason. Your privacy notice should include your lawful basis for processing as well as the purposes of the processing. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose (unless your original lawful basis was consent). If you are processing special category data you need to identify both a lawful basis for general processing and an additional condition for processing this type of data. If you are processing criminal conviction data or data about offences you need to identify both a lawful basis for general processing and an additional condition for processing this type of data.
Consent
The GDPR sets a high standard for consent. But you often won’t need consent. Consent means offering individuals real choice and control. Genuine consent should put individuals in charge, build trust and engagement. When a person is assessed to be at high risk of serious harm or homicide (Marac threshold) information can be shared without consent thus the client cannot choose or control the process. In order to lawfully process special category data (formally sensitive data), you must identify both a lawful basis under Article 6 and a separate condition for processing special category data under Article 9. These do not have to be linked.
You must ensure the personal data you are processing is:
- adequate – sufficient to properly fulfil your stated purpose;
- relevant – has a rational link to that purpose; and
- limited to what is necessary – you do not hold more than you need for that purpose.
Safety
The safety of the victim and children living with domestic abuse is paramount.
When considering whether to share information you must always consider risk factors – how great is the risk? Will that risk increase if information is shared. Can that risk be managed? Do I need to limit who the information is shared with? Record and document all decisions whether to share or not to share information. Decisions should be defensible NOT defensive.
Useful links
SafeLives recommend that all practitioners have a good working knowledge of the provisions in The GDPR 2018 and the Data Protection Act 2018) and refer to the ICO for advice and guidance on information sharing. You should also refer to internal policies and your local Marac Operating Protocol/Information Sharing Protocol.
If in doubt always seek advice from management/ your Data Protection Officer and or legal experts