Information and data sharing and retention
The legislative framework and right to privacy context is provided for in both the Data Protection Act 1998 which covers the use of personal data and Article 8 of the European Convention on Human Rights which provides that everyone has the right to respect for his private and family life his home and his correspondence.
Given the nature of the data collected, which includes details of an individual's movements, decisions on how EM data and information is generated, stored, analysed and accessed is an important consideration. The Working Group, therefore, recommends that a clear framework be put in place to ensure that the control and processing of data collected as a result of electronic monitoring is appropriate and that such data is only used for the purpose for which it was intended.
The requirement for such a framework comes into sharper focus with the introduction of GPS technology and the locational data that will be produced. This additional data will raise data protection and data retention considerations due to the amount of data that could be collected on any one person and the ease with which it could potentially be aggregated and analysed to discern patterns. When the potential for live tracking of an individual's whereabouts is also possible, although the Working Group have not recommended this at this stage, further issues arise around the use of this information.
The Integration and Rehabilitation sub-group
The Integration and Rehabilitation sub-group of the Working Group considered information sharing in more detail as part of its remit to consider how best to use electronic monitoring more effectively to support a person-centred approach.
Their findings concluded that effective information/data sharing can support multi-agency working. To support the appropriate sharing of personal information, new information sharing protocols and data retention schedules should be agreed and put in place. This would ensure that information is shared in a way which satisfies both the legal and professional obligations of the agencies, their respective staff and the legitimate expectations of the individual being monitored.
Improvements in sharing information
The sub group concluded that improved information sharing was essential to effectively communicating the risk, nature, seriousness, pattern and likelihood of further offending. The following improvements were suggested by the sub-group to ensure more effective information sharing in support of improved practice and risk:
- Where an individual is released from custody on EM with supervision and support , partners including SPS, Police Scotland, the Parole Board for Scotland, the EM service provider, CJSW, the third sector and MAPPA (if applicable) must work together to share information in advance of the person being released to ensure that an effective support package is in place upon the persons release
- Similarly, when Courts are considering ordering a community sentence and the CJSW report and home assessment report has determined that additional support is required, relevant information must be shared between Courts, CJSW, the EM service provider and the third sector to ensure that said the support is in place timeously
- Where an EM Home Assessment Report has been completed by CJSW for an HDC or an RLO, CJSW should receive feedback on the outcome of the report. CJSW should also receive feedback on whether the individual has successfully completed their order
- Where a CPO and an RLO are ordered concurrently, the Courts must inform the service provider. The service provider must then share relevant information with the supervising officer, as defined in the contract, within the timescales set out in the contract.
- With regards to engagement with victims, the sub-group identified the need to develop a process for sharing information with victims. In particular, where an 'away from' is recommended to protect a victim, the victim's consent should be sought prior to the service provider installing the equipment. A process to seek this consent should be drawn up as a matter of urgency
- Going forward a process will also be required to be developed where an exclusion zone has been set up using GPS technology to protect a victim.
Information sharing protocols
To underpin the suggestions set out above, information sharing protocols which offer transparency and clarity to the services and individuals whose information or data may be shared should be developed and agreed. These protocols will provide a framework to allow information to be shared appropriately.
It was noted that the existing information sharing protocols in place for children and young people and MAPPA worked well and should be maintained.
The sub-group noted that protocols should:
- Comply with the law and good practice on information sharing
- Support integrated assessment of risk and case management
- Support transition from prison to the community
- Support continuous improvement of services in the case of statistical data.
Records management and data retention
Key to progressing any new use of electronic monitoring and, in particular, the introduction of GPS in Scotland will require an accompanying review of any records management policies and related procedures. These must comply with the Data Protection Act 1998.
Any storage facilities for archived data and retrieval and access procedures should ensure that personal data is held securely and access provided on a controlled basis only. Likewise, to ensure security of data, procedures for the protection of electronic monitoring records and data and for disaster recovery should be reviewed to ensure currency with any new uses of electronic monitoring. Procedures for the disposal of records should ensure timely and accurate destruction.
To deliver on the above, the sub group further agreed that robust data retention schedules must be developed. These were seen to be fundamental to ensure an individual's privacy in line with Article 8 of the European Convention on Human Rights and the appropriate use of data in line with the Data Protection Act 1998.
This will require detailed consideration depending upon the purpose for which the data is being held. However, the sub-group suggested that any data retention schedule should at least clarify:
- What data is held
- Who should have access to this data
- Purpose for collecting this data
- How long the data should be held
- How data will be destroyed and the accompanying audit trail and notification processes.
It was noted that while there has been a large amount of EM data collected since its introduction in 2002, only small amounts of the data collected has been available for research purposes. The Group agreed that when developing data retention schedules how anonymised data could be made available for research purposes should be considered.
The 2015 SCCJR research supports this direction of travel and found that there is a belief amongst agencies that more collaboration, integration and multi-agency work will be beneficial. The review also notes that CJSW and SPS staff highlight the need to balance the rights and interests of different people in the process of assessing risk and the suitability of an address. A sense of duty of care to balance the needs and rights of different parties involved was common in interview discussions about the use of discretion in decision-making about EM. The review also highlights that CJSW are not routinely provided with the decision and outcomes after submitting their report and recommendations to the SPS.
In relation to risk management, the review concluded that basic risk-related information should be communicated to all agencies involved and recommends that " Authorising agencies should consistently instruct the private EM service provider about the number and gender of field officers needed to visit each person/household. This is necessary to further ensure excellent duty of care and risk management with regards to all parties involved".
'Privacy by Design' and Privacy Impact Assessments
Given the nature, volume and depth of information or data that would be involved with the introduction of new uses of electronic monitoring and GPS in particular and the potential requests for access to this data, the Working Group suggest that it would be sensible to take a 'Privacy by Design' approach to developing detailed policy objectives and required legislation.
Taking such an approach, although not a requirement under the Data Protection Act, is advocated by the Information Commissioner's Office ( ICO.) to ensure that privacy and data protection is a key consideration in the early stages of implementation of the recommendations contained within this report. This approach pertains as much to engineers and technology providers as it does to policy makers.
The ICO.website states:
"Taking a privacy by design approach is an essential tool in minimising privacy risks and building trust. Designing projects, processes, products or systems with privacy in mind at the outset can lead to benefits which include:
- Potential problems are identified at an early stage, when addressing them will often be simpler and less costly.
- Increased awareness of privacy and data protection across an organisation.
- Organisations are more likely to meet their legal obligations and less likely to breach the Data Protection Act.
- Actions are less likely to be privacy intrusive and have a negative impact on individuals."
Therefore, at the point of starting work to implement any recommendations in this report which introduce new or expanded collection or use of information or data, the Working Group suggests that a Privacy Impact Assessment be carried out to identify and minimise privacy risks and that this work should be taken forward in dialogue with the ICO.