Multi-Agency Public Protection Arrangements (MAPPA): national guidance

Updated ministerial guidance to Responsible Authorities on the discharge of their obligations under sections 10 and 11 of the Management of Offenders etc. (Scotland) Act 2005.


12. Information Sharing

Introduction

12.1 This chapter provides general guidance and relevant links on the sharing of information between agencies under the MAPPA framework. These are the Responsible Authorities, Duty to Co-operate (DTC) agencies, and other bodies with an interest in the management of these cases.

12.2 MAPPA as such is not an organisation, but a set of statutory arrangements for managing the risks posed by certain individuals. It therefore cannot be the owning agency for any information on individuals subject to MAPPA.

12.3 The purpose of sharing information about individuals ("data subjects") managed under MAPPA is to enable the relevant agencies to work more effectively together in assessing risks and considering how to manage them. This points towards sharing all the available relevant information, so that nothing is overlooked and public protection is not compromised.

12.4 However, agencies must respect the rights of data subjects, which will tend to limit what can be shared. In order to strike the right balance, agencies need a clear understanding of the law in this area. Information sharing needs to be considered on a case by case basis and must meet legislative requirements including the Data Protection Act 2018 (DPA 2018) and the Human Rights Act 1998 ("HRA 1998"). Responsible Authorities should seek their own independent legal advice on the application of data protection law where necessary.

12.5 The processing of data for law enforcement purposes is covered under Part 3 of the DPA 2018. For detailed information on the legislative requirements including processing data for law enforcement purposes, please visit the Information Commissioner's Office website (ICO - DPA). The Information Commissioner's Office also published a Data Sharing Code of Practice which should be observed by all agencies.

12.6 The UK General Data Protection Regulation (UK GDPR) does not apply to the processing of data by competent authorities for the purposes of the execution of criminal penalties including the safeguarding against, and the prevention of, threats to public security.

Principles of Information Sharing

12.7 Information sharing must comply with the general principles of data protection as set out in the UK GDPR which are:

  • Lawfulness, fairness and transparency - The processing of data must be lawful, fair and transparent.
  • Purpose limitation - The purposes for processing of data must be specified, explicit and legitimate.
  • Data minimisation - Personal data must be adequate, relevant and not excessive.
  • Accuracy - Personal data must be accurate and kept up to date.
  • Storage limitation - Personal data to be kept no longer than is necessary.
  • Integrity and confidentiality (security) - Personal data to be processed in a secure manner.
  • Accountability - The data controller takes responsibility for what is done with the personal data and how that complies with the other principles.

12.8 Each agency should follow its own data protection policies in sharing information with other agencies under MAPPA. There may be differences on points of detail. Co-operation between agencies will be easier if there is a shared understanding of each other's policies. For this reason, it is advised that each MAPPA Strategic Oversight Group (SOG) should develop a set of Information Sharing Principles (ISP) and/or where necessary an Information Sharing Agreement (ISA) setting out how they will share information with each other, so that they are following a common set of rules and security standards as far as possible. Further information on ISA/ISP can be found in Chapter 3 – Duty to Co-operate.

12.9 Information shared must be accurate, up-to-date and proportionate to the purpose for which it is being shared. It must be stored and transferred securely; and it must not be retained any longer than necessary.

12.10 Although the exchange of information with non-MAPPA agencies has to be considered on a case-by-case basis, formal protocols or agreements should be in place in advance if possible. These agreements should pay particular attention to ensuring the lawfulness, safety and security of the personal information shared.

Information Sharing must be Lawful, Necessary and Proportionate

12.11 The sharing of information must be in accordance with the law. As far as the MAPPA agencies are concerned, there must be a statutory basis for sharing information. This exists for the agencies who make up the Responsible Authority or who have a duty to co-operate with it. Section 1(2)(a) of the Management of Offenders etc. Scotland Act 2005 expressly permits the sharing of information between these agencies for MAPPA purposes.

12.12 Whilst the Responsible Authorities and the Duty to Co-operate agencies are routinely and regularly involved in the management of individuals subject to MAPPA, from time to time, other agencies can contribute significantly to the person's Risk Management Plan. Information sharing between the MAPPA agencies and these third parties does not benefit from section 1(2)(a) of the 2005 Act. In general, non-statutory bodies are able to share information provided this does not breach the law. They are bound by the common law duty of confidence.

12.13 The key principle of the duty of confidence is that information provided should not be used or disclosed further in an identifiable form, except as originally understood by the provider, or with their subsequent permission. However, case law has established a defence to breach of confidence where an individual breaches the confidence in the public interest.

12.14 The prevention, detection, investigation and punishment of serious crime and the prevention of abuse or serious harm will usually be sufficiently strong public interests to override the duty of confidence.

12.15 Information sharing must be necessary. Article 8 of the European Convention on Human Rights, given domestic effect by the HRA, provides a right to respect for private and family life, home and correspondence. Article 8(2) states that:

"There shall be no interference by a public authority with the exercise of this right except such as is in accordance with the law and is necessary in a society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others."

12.16 The sharing of information by MAPPA agencies for MAPPA purposes satisfies these conditions in that it is clearly aimed at preventing disorder or crime or administering justice. Provided the information shared is only used for MAPPA purposes the necessity test will be met, as information-sharing by way of MAPPA is not an excessive or unreasonable way of assessing and managing these risks.

12.17 Information sharing must be proportionate. In human rights law, the concept of proportionality means doing no more than is necessary to achieve a lawful and reasonable result.

12.18 The personal data shared must be relevant, and not excessive in relation to the purpose for which it is being shared. For MAPPA agencies, this essentially means ensuring that information about the data subject is relevant to assessing and managing risk and that no more information is shared than is needed to manage that risk. For example, if what is actually needed is the names and addresses of individuals, sharing their race and religion as well would be disproportionate.

12.19 The Information Commissioner's Office (ICO) website provides full details and helpful advice on Data Protection including the processing of data for law enforcement purposes – Guide to Law Enforcement Processing.

Information Sharing - Health Considerations

12.20 If MAPPA documents are marked appropriately in terms of the Government Security Classification then @nhs.scot can be used to transmit documents between the NHS and other agencies. Within the NHS, MAPPA documents must be stored in accordance with the classification, either physically or electronically. Within the hospital environment, MAPPA records are held separately from the patient's records, however, if considered appropriate, a summary, containing relevant information, may be included within the patient's records.

12.21 This is recognised as good practice and should be reflected in the processes employed by General Practitioners. Documents or letters outlining key points may be useful ways to ensure that relevant information is made available to appropriate health service staff where this is necessary without transmitting full MAPPA documents.

12.22 If MAPPA documents are shared with staff that do not have access to a method of storing documents in keeping with the security classifications, then after the documents have been read they should be destroyed.

Social Security Scotland

12.23 On 8th January 2021, Social Security Scotland became a statutory Duty-to Co-operate agency by virtue of the Management of Offenders etc. (Scotland) Act 2005 (Specification of Persons) Amendment Order 2020. This Order provides for the exchange of certain prescribed information for those individuals subject to MAPPA without the individuals consent. At the time of publication, there are information sharing agreements in place between Social Security Scotland and:

  • Scottish Prison Service
  • Police Scotland

Department for Work and Pensions (DWP)

12.24 The Management of Offenders etc. (Scotland) Act 2005 (Disclosure of Information) Order 2010 sets out the conditions under which information may be disclosed between the Secretary of State for Work and Pensions (Department for Work and Pensions), the Responsible Authorities and Duty to Co-operate agencies within the MAPPA framework - albeit that the DWP is not itself a DTC agency.

12.25 In practice, there are three ways by which the Responsible Authorities can obtain information from DWP, namely:

  • Part 3 of the DPA 2018 This is the means by which Police Scotland routinely access DWP information for the prevention and detection of crime;
  • The DWP/Police Scotland Memorandum of Understanding in relation to tracing missing sex offenders; and
  • Notifications under the terms of The Management of Offenders etc. (Scotland) Act 2005 (Disclosure of Information) Order 2010. This piece of legislation is intended to restrict the placing of certain individuals in inappropriate employment or training and to provide a legislative mechanism by which the DWP can make the Responsible Authorities aware of employment and training information which may affect the risk assessment of an individual subject to MAPPA.

12.26 Each piece of legislation has its own defined uses and the appropriate legislation should be used when circumstances dictate.

Contact

Email: Avril.Coats@gov.scot

Back to top