Melton Borough Council

Leicestershire and Rutland information sharing protocol

We have signed up to the most recent version of the Leicestershire and Rutland Information Sharing Protocol (ISP). The ISP defines the framework for the sharing of personal information by agencies operating within Leicester, Leicestershire and Rutland and provides a commitment by the organisations that are signed up to it, to ensure that a framework is in place that facilitates the sharing of information between partners and respects the individual’s right to privacy.

This is not a new commitment – organisations in Leicestershire and Rutland have long recognised that information sharing is increasingly important in the provision of services to our communities, and have had a protocol for information sharing in place since 2009. The 2014 version of the ISP has been refreshed to take into account the requirements for information sharing included in the Information Commissioners Office (ICO) Data Sharing Statutory Code of Practice, which explains how the Data Protection Act 1998 applies to the sharing of personal data.

In addition to the ISP, Information Sharing Agreements (ISA’s) are established for particular projects or services that require personal information to be shared. These ISA’s sit underneath the ISP and set out the purpose and legal basis for the specific sharing, what information is to be shared, and arrangements around information security.

It is important to remember that the Information Sharing Protocol and Information Sharing Agreements don’t automatically mean that personal data can be shared – they simply set out our commitment to doing so when it is appropriate and how the safe sharing of personal information will be achieved. Any information sharing activities carried out under the ISP and any ISA’s still need to comply with the eight Data Protection Principles of the Data Protection Act 1998 – 

1. Personal data shall be processed fairly and lawfully and, in particular, shall not be processed unless –


(a) at least one of the conditions in Schedule 2 is met, and

(b) in the case of sensitive personal data, at least one of the conditions in Schedule 3 is also met.

2. Personal data shall be obtained only for one or more specified and lawful purposes, and shall not be further processed in any manner incompatible with that purpose or those purposes.

3. Personal data shall be adequate, relevant and not excessive in relation to the purpose or purposes for which they are processed.

4. Personal data shall be accurate and, where necessary, kept up to date.

5. Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.

6. Personal data shall be processed in accordance with the rights of data subjects under this Act.

7. Appropriate technical and organisational measures shall be taken against unauthorised or unlawful processing of personal data and against accidental loss or destruction of, or damage to, personal data.

8. Personal data shall not be transferred to a country or territory outside the European Economic Area unless that country or territory ensures an adequate level of protection for the rights and freedoms of data subjects in relation to the processing of personal data.

The statutory code of practice can be viewed on the ICO website.