1. Commissioning Services: with the DPA in mind South Yorkshire Information and Data Sharing Group Sheffield 14 th August 2014 Lynne Shackley Lead Policy Officer Information Commissioner’s Office

2. Purpose To talk about commissioning services with new partners To discuss the data protection implications of working in this way To explain the importance of data flow monitoring To promote questions and discussion

3. The ICO’s role Enforce and regulate –Data Protection Act –Freedom of Information Act –Environmental Information Regulations –Privacy and Electronic Communications Regulations Provide information to individuals and organisations Adjudicate on complaints Promote good practice

4. The Principles 1.Fair and lawful 2.Obtained for one or more lawful purpose 3.Must be adequate, relevant and not excessive 4.Accurate and kept up to date 5.Not kept for longer than is necessary 6.Processed in accordance with the rights of data subjects 7.Must be kept secure 8.Not transferred outside the European Economic Area, unless an adequate level of data protection exists

5. The Major Drivers Austerity and the need to do more with less across the whole of the public sector Greater public demand for services and a perception that this can be met. An aging population, which will live longer and have more complex needs The role of public sector organisations as advisors, signposting services and as service guarantors

6. What Information? This might depend on what you are doing Are you helping colleagues form a mutual to provide a service? Are you splitting off and commissioning part of your usual in house services? Are you commissioning back room or front line services? Will there be much interaction with the public?

7. Scoping the project Start your Privacy Impact Assessment Agree your purpose: clarity aids progress Decide what information is required Will you provide it all, or will some be created by your commissioning partner Do a risk assessment, how will information be moved, where will it be stored, who will have a claim on it How will disaster recovery be handled, and by whom? Have a contingency plan for organisational failures What are the timescales: limited one -off or yearly renewal Does your commissioning partner understand the public sector environment? Who is going to tell the clients, and how will this be done?

8. Checking out your Commissioning partner Does your commissioning partner understand that red tape is not just red tape? Have you seen their premises, are they secure? Do they have good quality policies and procedures for information governance and handling? Where do they recruit their staff, are they vetted, how are they trained? How will you monitor what they do with your information? Should you even try? Is this starting to sound familiar?

9. Putting it in writing Service level agreement, partnership papers, commercial contract Time to articulate the rules What your commissioning partner can and cannot do with your information Time to decide who is the data controller, to decide whether your commissioning partner is a data processor, or a data controller in their own right Joint, or in common, or just too darn complicated? The thorny question of “What’s in it for the commissioning partner?” Data protection contract clauses Solicitor, or IG staff?

10. Or not putting it in writing No-one goes into business without some form of written agreement If the service you are commissioning has a statutory basis, you may still be responsible for the DP aspects of it The potential reputational damage of a breach could be enormous Public perception may be that you are at fault The ICO might think so too

11. Scary possibilities Your commissioning partner sub contracts a task to organisation B with the personal information they need to do it. Organisation B is short of cash and sells the information to a sales company. Your commissioning partner goes bankrupt and in closing down its office dumps all the personal information it holds (including yours) into a skip Your commissioning partner performs badly, loses its contract, and holds your information hostage while you argue about money owed Meanwhile, what about the clients?

12. Safety nets Think things through, due diligence is vital Take as much care over the DP aspects of the commissioning as you do over commercial and service provision aspects If it starts looking like a data Controller / data processor contract that might not be a bad thing Talk to your IG people Use flow charts to show where your information is and who is the data controller at each point of its lifecycle If information is regularly moving back and forth it might also help to have an ISA

13. And in the end Spend as much time working out what will happen at the end of any commissioning contract as you spend on what happens at the beginning Ensure that contracts contain prohibitions on some uses of information e.g. marketing Ensure that there is a means of recovering all the necessary information when the contract ends Align retention schedules where possible, or ensure commissioning partners have a reasonable schedule which they follow Ensure that information which cannot be recovered can be securely destroyed

14. Some useful links The ICO website: http://www.ico.org.uk/ Free publications and training aids https://www.ico.org.uk/Global/request_publications Privacy Impact Assessments: http://www.ico.gov.uk/for_organisations/data_protection/topic _guides/privacy_impact_assessment.aspx Data Sharing Code of Practice http://ico.org.uk/for_organisations/data_protection/topic_guid es/data_sharing Data Controller / Data Processor new guidance http://ico.org.uk/for_organisations/guidance_index/~/media/d ocuments/library/Data_Protection/Detailed_specialist_guides/d ata-controllers-and-data-processors-dp-guidance.pdf

15. www.twitter.com/iconews Keep in touch Subscribe to our e-newsletter at www.ico.gov.uk or find us on…