Information Sharing Agreement between Thames Valley Police. And. The Ministry of Justice ( MOJ ) Claims Management Regulator

Transcription

1 Information Sharing Agreement between Thames Valley Police And The Ministry of Justice ( MOJ ) Claims Management Regulator This Agreement is established the day of February 2010 Parties to the Agreement: Version Control Date: Amendment Authoriser Reviewed: February 2015 Thames Valley SPOC updated FIB JIMU - TVP

2 THAMES VALLEY POLICE & THE MINISTRY OF JUSTICE CLAIMS MANAGEMENT REGULATOR ( MOJ ) Contents Page Introduction 3 Purpose and Intended Benefits 3 Legal Basis for Sharing 4 Details of Information to be Exchanged 6 Restrictions on use of information 7 Working procedures 8 Security arrangements 8 Individual rights to access information exchanged 8 Review Retention Disposal 9 Complaints 9 Termination of agreement 9 Signatures 10 Appendix 1 Definitions/Glossary of terms 11 Appendix 2 Data storage clauses 15 Appendix 3 Personal data request form Thames Valley Police 20 Appendix 4 Personal data request form Ministry of Justice 25 Appendix 5 Single Point of Contact (SPOC) 26 2

3 1.0 Introduction 1.1 The aim of this Agreement 1 is to provide a framework for the exchange of information between Thames Valley Police and the Ministry of Justice Claims Management Regulator (MoJ) (together the Parties ). 1.2 This Agreement defines the specific purposes for which the Parties have agreed to share information. 1.3 This Agreement sets out the legal provisions relating to personal data sharing and takes account of the relevant Codes of Practice in respect of the sharing of personal data held by Thames Valley Police (MOPI Guidance 2 and the ACPO 3 Data Protection Manual of Guidance). 1.4 This Agreement contains details of the standards agreed by the Parties involved in the sharing of personal so as to maintain confidentiality, integrity and compliance with the data protection principles, whilst ensuring that information is shared with those who need to know Requests for information will be considered on a case by case basis in light of this Agreement and the relevant legal parameters concerning the sharing of personal data. 1.6 Information 5 shared under this Agreement should not be disclosed to any persons who are not Parties or if there is any doubt that the requirements of this Agreement might be breached. 2.0 Purpose and Intended Benefits of this Agreement 2.1 The primary purpose of this Information Sharing Agreement (ISA) is to achieve a common understanding and set of standards whereby: Thames Valley Police will share intelligence with the MoJ in support of the MoJ s role as established by the Compensation Act 2006 and the Compensation (Claims Management Services) Regulations 2006, in particular: (a) to assess the suitability of persons to provide regulated claims management services in accordance with Part 2 of the Compensation Act 2006 ( the 2006 Act ); (b) to regulate the conduct of persons authorised to provide such services; 1 Appendix 1 b 2 Appendix 1 f 3 Appendix 1 a 4 Appendix 1 g 5 Appendix 1 e 3

4 (c) to investigate any potential unlawful activity, including the commission of an offence under sections 7 or 11; and (d) to assist the Regulator in exercising his enforcement powers under section 8 of the 2006 Act The MoJ will share information and intelligence with Thames Valley Police in support of its statutory functions: the prevention and detection of crime and the apprehension or prosecution of offenders. 2.2 This Agreement establishes the procedures for the lawful and effective exchange of personal data between the parties, in order to enable (a) the MoJ to make decisions regarding the suitability and competency of persons to provide regulated claims management services and to investigate potential breaches; and, (b) Thames Valley Police to investigate unlawful/ criminal activity revealed as a result of such investigations. 2.3 There is evidence and intelligence to indicate that there is wide-scale fraud involving motor insurance accident claims and persons performing the role of claims management services. There is evidence of staged, induced and invented accidents, multiple false injury claims, and the involvement of accident management companies, repair companies, car hire companies, vehicle recovery and salvage companies. There are also reports of alleged malpractice by some medical practitioners and solicitors. 2.4 Thames Valley Police functions of researching information and acting on it to eliminate criminal networks will assist in the reduction of collisions resulting in persons being killed or seriously injured. It will also: aid the enforcement of Road Traffic Legislation enacted to protect the public; Increase public confidence and satisfaction; Prevent and reduce crime and disorder; Increase safety and security; and Disrupt criminal networks. 2.5 The processing and exchange of personal data will in each case be proportionate to these legitimate aims. 3.0 Legal Basis for Sharing 3.1 When considering the legal powers associated with information sharing cognisance should be given to whether it is reasonable to gain the full consent of the Data Subject. 3.2 When the consent of a Data Subject 6 is refused or it is not reasonable to seek consent, consideration should be given to legal powers and this will be assessed on a case by case basis. 3.3 The collection, use and disclosure of personal information is governed by administrative law, the Human Rights Act 1998 (and the European Convention on Human Rights), the common law tort of breach of confidence and the Data Protection Act Appendix 1 d 4

5 3.4 As to administrative law, MoJ is a central government department headed by a Minister of the Crown. Its powers for these purposes are derived expressly from statute: Part 2 of the Compensation Act 2006 and the regulations made thereunder (in particular the Compensation (Claims Management Services) Regulations 2006). This legislation provides no statutory gateway for the sharing of information but the MoJ s duties under the Compensation Act 2006 (in particular its enforcement duties and the associated powers to gather information under section 8) enable it to process and share information to support its legislative purpose. [The power for Thames Valley Police to share information is founded on the Common Law for policing purposes. The Code of Practice on the Management of Police Information (MoPI) defines the policing purposes as: Protection of life and property Preserving order Preventing the commissioning of offences Bringing offenders to Justice Any duty or responsibility arising from common or statute law] 3.5 Disclosure of a person s personal data prima facie engages rights under Article 8 of the European Convention on Human Rights, which provides an individual right to respect for private and family life, home and correspondence. This is a qualified right it will be necessary to ensure that the data sharing is in accordance with the law, in pursuance of a legitimate aim, and necessary in a democratic society, public safety, prevention of crime and disorder and insurance fraud. The information to be exchanged must be proportionate to the needs of this Agreement. It must be the minimum necessary for the purposes of identifying individuals who are suspected of involvement in insurance fraud related activities and for the planning of enforcement operations to counter their criminal activity. 3.6 As to the common law tort of breach of confidence, this protects information with the necessary quality of confidence which was communicated in circumstances giving rise to an obligation of confidence from an unauthorised use of that material. The parties will need to decide in a particular case whether there is an obligation of confidence. Whilst the Parties will always take account of the common law duty of confidence in respect of confidential information, the disclosure of such information in the very limited circumstances envisaged by this Agreement would be protected by the defence of just cause or excuse and acting in the public interest. 3.7 To process information, the Data Controller 7 must ensure that the eight principles of the Data Protection Act (set out in Schedule 1 to that Act) are being met. 3.8 For the purpose of this Agreement, Thames Valley Police and the MoJ will be Data Controllers in their own right, as defined under the Data Protection Act 1998 and will be required to comply with the provisions of the Act. 3.9 Accordingly, it is the responsibility of each Party to ensure that they have appropriate Agreements in place, with regard to the processing of information that is personal data on their behalf. 7 Appendix 1 d 5

6 3.10 In addition, under the Act, Data Subjects have a right of access to records which are held about them, and further details are set out at Section There are a number of exemptions from and modifications to the requirements of the Act. Exemption from the non-disclosure provisions is available where the Act recognises that the public interest requires disclosure of personal information which may otherwise be in breach of the Act The parties to this Agreement would most likely rely upon section 29 (which provides exemptions if there would be likely prejudice to the purposes of the prevention or detection of crime; the apprehension or prosecution of offenders or the assessment or collection of taxes). The exemption is from the 1 st principle except a condition in Schedules 2 and 3 (data shall be processed fairly and lawfully) and section 7 (rights of access). Each Party would need to be satisfied that the disclosure falls within the exemption set out in section 29(3) Section 31 also provides a relevant exemption from the subject information provisions. Section 31 contains an exemption, if the likely prejudice test is met, from the 1 st principle (data shall be processed fairly and lawfully) and section 7 (rights of access) for personal data processed for the purpose of protecting members of the public against dishonesty, malpractice or other seriously improper conduct by those authorised to carry on any profession or other activity. A likely prejudice test must be met. 4.0 Details of the Information to be Exchanged 4.1 Where the MoJ is required to undertake/ has reasonable cause to check fraud or other criminal activity involving persons providing claims management services, it will disclose the details of such activity to Thames Valley Police to investigate. 4.2 Where the MoJ requires information relating to persons providing claims management services it will request such from Thames Valley Police. Specifically, Thames Valley Police and the MoJ will exchange information concerning, but not limited to individuals, vehicles, premises and companies. Thames Valley Police information may include: names, addresses, photos, conviction history of offenders and any current relevant intelligence. Thames Valley Police will supply such data from existing intelligence and information systems Information disclosed by either party will be subject to review, procedures and validation. Any perceived inaccuracies should be reported to relevant contact specified in this Agreement for verification and any necessary action The information passed to the MOJ, will generally be by way of the 5x5x5 evaluated written assessment which will have a unique reference number for any future reference. This will identify the extent to which the information can be disclosed further /or by telephone to the number given. For routine requests enquirers will be referred to the relevant data holder, actual intelligence information will not be disclosed. Where a flagged subject is searched the Officer in the Case (OIC) will be contacted by Force Intelligence Bureau staff and advised to contact the owner of the flag. Flagged records are NEVER disclosed to the enquirer, without the permission of the flag owner. 4.5 It is expected that information shared will be not be rated above the Restricted classification; should it become necessary to pass information of a higher 6

7 classification the request will be looked at on individual basis and dealt with in the most appropriate fashion. 5.0 Restrictions on Use of Information 5.1 Information must be treated as private and confidential and will not be divulged or communicated to any third parties, who are not authorised individuals, without the consent of the disclosing party, provided this shall not restrict usage that is necessary for the purposes set out in paragraph Information will not be matched with any other personal data otherwise obtained from the disclosing party, or any other sources unless specifically authorised in writing by the disclosing party. 5.3 Access to the Information will be restricted to those employees of the MoJ and those approved by one of the nominated representatives of the MoJ identified in paragraph All information provided is for intelligence purposes only. The information supplied and received will be handled as described by the national information/intelligence evaluation code, commonly known as the 5x5x Each assessment provided to the MoJ should carry the following wording:- This document contains sensitive material and may be subject to the concept of Public Interest Immunity. The use of any information or intelligence obtained from this source must be treated with caution and no copy or print must be made without the authority of officers from the Thames Valley Police [Force Intelligence Bureau], Whenever the material features in a prosecution, notification must immediately be given to the appropriate Constabulary representative. Equally no part of this document should be disclosed to the Defence without prior consultation with the Constabulary representative. Therefore should the material be required evidentially by the MoJ then these instructions MUST be fully complied with. This will ensure that the information is appropriately classified and exempted from disclosure where appropriate. 5.6 Each assessment provided to Thames Valley Police should carry the following wording:- This document contains sensitive material and may be subject to the concept of Public Interest Immunity. The use of any information or intelligence obtained from this source must be treated with caution and no copy or print must be made without the authority of MoJ. Whenever the material features in a prosecution, notification must immediately be given to the MoJ. Equally no part of this document should be disclosed to the Defence without prior consultation with the MoJ. Therefore should the material be required evidentially by Thames Valley Police then these instructions MUST be fully complied with. This will ensure that the information is appropriately classified and exempted from disclosure where appropriate. 7

8 6.0 Working Procedures 6.1 The following are the officers responsible under this Agreement: The SPOC for the Claims Management Regulation, Ministry of Justice will be Mr Stuart Davies/ Antony Bolton. Thames Valley Police will send the responses to those identified contacts. Where a request for information is refused the police response will identify the precise reasons for refusal. The SPOC for Thames Valley Police will be the Force Intelligence Bureau staff specifically D/Insp Pam Banfield. 6.2 The MoJ and Thames Valley Police will make their requests electronically. Details will include: Provide information (e.g. personal details, addresses etc) to trace the correct records within Thames Valley Police. Identify the precise information sought. The reasons why the information is sought. The intended use of the information (e.g. to refine data; determine investigation priorities, assist with an ongoing investigation). Confirm the legal gateway under which the information will be requested. The contact details of the requester. 6.3 Both parties will maintain records of requests for disclosures, and disclosures made. This will assist in the review of the effectiveness of the Agreement, and provide control over information disclosed. Both Parties recognise that these records will also be subject to disclosure. 7.0 Security Arrangements 7.1 The Parties agree to apply the terms of the Data Sharing Clauses annexed at Appendix Individual Rights to Access Information Exchanged (subject access) 8.1 The receipt from a Data Subject of a request to access Information must be reported to the Police Data Protection Officer as soon as the MoJ becomes aware that the scope of the request includes a request for Information which originated from Thames Valley Police. Similarly, the receipt from a Data Subject of a request to access Information must be reported to the MOJ Data Protection Officer as soon as 8

9 Thames Valley Police becomes aware that the scope of the request includes a request for Information which originated from MOJ. 8.2 Any request for Information under the provisions of the Freedom of Information Act 2000 (FOIA) or the Environmental Information Regulations 2004, should be referred to the Police Data Protection Officer by way of consultation, as soon as the MoJ becomes aware that the scope of the request includes a request for Information, whilst recognising that the final decision on disclosure lies with the MoJ. Similarly, information provided to the MoJ must not be subject of any subsequent disclosure in respect of a FOIA enquiry to Thames Valley Police without prior reference to the MoJ. 9.0 Review, Retention and Disposal 9.1 This Agreement will be reviewed annually by the both parties to ensure that it is valid, relevant and up to date. 9.2 Any proposed amendments to the Agreement must be notified to both parties and must be agreed in writing by both Parties. 9.3 Information must not be retained for longer than is necessary for the purpose for which it has been disclosed. The information should be retained for as long as is required for investigation purposes. If the information is to be deleted specific software should be employed to ensure its total erasure. 9.4 Information will be disposed of securely in line with the each Party s respective record management procedures. 9.5 Where data is deleted, a permanent record of Thames Valley Police reference for the data must still be retained. This is to ensure an audit trail of transferred data is maintained even after the data itself is destroyed Complaints 10.1 The Parties will give all reasonable assistance as is necessary to the relevant Data Controller to enable him to: - comply with a request for subject access - respond to the Information Notices served by the Information Commissioner - investigate any breach of the Agreement If a complaint is received by a third party relating to use of Information that is personal data and the complainant is the Data Subject and it relates to a breach of the Agreement then the complaint should be referred to the signatory of the Party whose action is the subject of the complaint, and that signatory will take appropriate action Termination of the Agreement 9

10 11.1 Either Party may at any time in writing terminate this Agreement if any Party is in material breach of any obligation under this Agreement or if either Party believes that after reviewing the operation of the Agreement it should be ended or replaced by a new Agreement Written notice provided by either Party regarding the termination of the Agreement shall give one week s notice if termination is in respect of material breach and one calendar months notice if termination is subsequent to review The obligations of or confidentiality imposed on the Parties by this Agreement shall continue in full force and effect after termination of this Agreement. We, the undersigned, agree that each Party that we represent will adopt and adhere to the Information Sharing Agreement: Signed. Name. Job Title Thames Valley Police Signed. Name. Job Title Ministry of Justice 10

11 APPENDIX 1 DEFINITIONS/GLOSSARY OF TERMS The following words and phrases used in this Agreement shall have the following meanings: ACPO Agreement Chief Constable means Association of Chief Police Officers means this Information Sharing Agreement together with any additional documents referred to or attached as part of this Agreement. means the Chief Constable of Thames Valley Police Data Controller Personal Data Data Subject Data Subject Access Relevant filing System are defined within the Data Protection Act Information means any data or information disclosed under this Agreement MOPI Guidance Guidance on the Code of Practice on Management of Police Information. Need to know is applied on a case by case basis and relates to those who are involved in the sharing of personal data/information and why they need to know about the information to be shared. "Affiliate" "Confidential Information" in relation to a body corporate, any other entity which directly or indirectly Controls, is Controlled by, or is under direct or indirect common Control with, that body corporate from time to time; any information, however it is conveyed, that relates to the business, affairs, developments, trade secrets, know-how, personnel and suppliers of either Party, including IPRs, together with all information derived from the above, and any other information clearly designated as being confidential (whether or not it is marked as "confidential") or which ought reasonably to be considered to be confidential, 11

12 including the Commercially Sensitive Information; "Control" "Crown Body" means that a person possesses, directly or indirectly, the power to direct or cause the direction of the management and policies of the other person (whether through the ownership of voting shares, by contract or otherwise) and "Controls" and "Controlled" shall be interpreted accordingly; any department, office or agency of the Crown; "Data" (a) the data, text, drawings, diagrams, images or sounds (together with any database made up of any of these) which are embodied in any electronic, magnetic, optical or tangible media, and which are: (i) supplied to either Party by or on behalf of the other Party; or (ii) which either Party is required to generate, process, store or transmit pursuant to this Agreement; or (b) any Personal Data for which either Party is the Data Controller; "Data Controller" "Data Processor" "Data Protection Legislation" "Data Subject" shall have the same meaning as set out in the Data Protection Act 1998; shall have the same meaning as set out in the Data Protection Act 1998; the Data Protection Act 1998, the EU Data Protection Directive 95/46/EC, the Regulation of Investigatory Powers Act 2000, the Telecommunications (Lawful Business Practice) (Interception of Communications) Regulations 2000 (SI 2000/2699), the Electronic Communications Data Protection Directive 2002/58/EC, the Privacy and Electronic Communications (EC Directive) Regulations 2003 and all applicable laws and regulations relating to processing of personal data and privacy, including where applicable the guidance and codes of practice issued by the Information Commissioner; shall have the same meaning as set out in the Data Protection Act 1998; 12

13 "Default" "Environmental Information Regulations" "FOIA" any breach of the obligations of the relevant party (including but not limited to fundamental breach or breach of a fundamental term) or any other default, act, omission, negligence or statement of the relevant party, its employees, servants, agents or Contractors in connection with or in relation to the subject-matter of this Agreement and in respect of which such party is liable to the other; the Environmental Information Regulations 2004 together with any guidance and/or codes of practice issues by the Information Commissioner or relevant Government Department in relation to such regulations; the Freedom of Information Act 2000 and any subordinate legislation made under this Act from time to time together with any guidance and/or codes of practice issued by the Information Commissioner or relevant Government Department in relation to such legislation; "Intellectual Property Rights" or "IPRs" (a) copyright, rights related to or affording protection similar to copyright, rights in databases, patents and rights in inventions, semi-conductor topography rights, trade marks, rights in Internet domain names and website addresses and other rights in trade names, designs, [Know-How, trade secrets and other rights in Confidential Information]; (b) applications for registration, and the right to apply for registration, for any of the rights listed at (a) that are capable of being registered in any country or jurisdiction; and (c) all other rights having equivalent or similar effect in any country or jurisdiction; "Know-How" "Law" all ideas, concepts, schemes, information, knowledge, techniques, methodology, and anything else in the nature of know how relating to the Services but excluding know how already in either Party s possession before this Agreement; any applicable law, statute, bye-law, regulation, order, regulatory policy, guidance or industry code, rule of court or directives or requirements 13

14 of any Regulatory Body, delegated or subordinate legislation or notice of any Regulatory Body; "Personal Data" "Personnel" "Process" "Regulatory Bodies" "Request for Information" "Working Day" shall have the same meaning as set out in the Data Protection Act 1998; all employees, agents, consultants and Contractors of either Party; has the meaning given to it under the Data Protection Legislation but, for the purposes of this Agreement, it shall include both manual and automatic processing; those government departments and regulatory, statutory and other entities, committees and bodies which, whether under statute, rules, regulations, codes of practice or otherwise, are entitled to regulate, investigate, or influence the matters dealt with in this Agreement or any other affairs of either Party and "Regulatory Body" shall be construed accordingly; a request for information or an apparent request under the Code of Practice on Access to Government Information, FOIA or the Environmental Information Regulations; any day other than a Saturday, Sunday or public holiday in England and Wales. 14

15 APPENDIX 2 DATA SHARING CLAUSES 1. DATA 1.1 Neither Party shall delete or remove any proprietary notices contained within or relating to the other Party s Data. 1.2 Neither Party shall store, copy, disclose, or use the other Party s Data except as necessary for the performance by either Party of its obligations under this Agreement or as otherwise expressly authorised in writing by either Party. 1.3 To the extent that one Party s Data is held and/or processed by the other Party, that Party shall supply that Data to the other Party as requested in the format specified. 1.4 Both Parties shall take responsibility for preserving the integrity of the other s Data and preventing its corruption or loss. 1.5 Both Parties shall perform secure back-ups of all Data and shall ensure that up-to-date back-ups are stored off-site. 1.6 Both Parties shall ensure that any system on which they hold any Data, including back-up data, is a secure system. 1.7 If either Party s Data is corrupted, lost or sufficiently degraded as a result of the other Party's Default so as to be unusable, either Party may: Require the other Party (at the Party at fault's expense) to restore or procure the restoration of the Data, and the Party at fault shall do so as soon as practicable; and/or Itself restore or procure the restoration of the Data, and shall be repaid by the Party at fault any reasonable expenses incurred in doing so. 1.8 If at any time either Party suspects or has reason to believe that Data has or may become corrupted, lost or sufficiently degraded in any way for any reason, then the Party at fault shall notify the other Party immediately and inform them of the remedial action it proposes to take. 2. PROTECTION OF PERSONAL DATA 2.1 With respect to the either Party' rights and obligations under this Agreement, both Parties agree that either Party can be Data Controller and Data Processor. 15

16 2.2 Both Parties shall: Process the Personal Data only in accordance with instructions from either Party (which may be specific instructions or instructions of a general nature as set out in this Agreement or as otherwise notified by one Party to the other Party); Process the Personal Data only to the extent, and in such manner, as is necessary for the provision of the Services or as is required by Law or any Regulatory Body; implement appropriate technical and organisational measures to protect the Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, damage, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful Processing, accidental loss, destruction or damage to the Personal Data and having regard to the nature of the Personal Data which is to be protected; take reasonable steps to ensure the reliability of any Personnel who have access to the Personal Data; obtain prior written consent from the other Party in order to transfer the Personal Data to any Contractors or Affiliates for the provision of the Services; ensure that all Personnel required to access the Personal Data are informed of the confidential nature of the Personal Data and comply with the obligations set out in this clause 2; ensure that none of either Party s Personnel publish, disclose or divulge any of the Personal Data to any third party unless directed in writing to do so by the Party that owns the Data; notify the other Party (within five Working Days) if it receives: a request from a Data Subject to have access to that person's Personal Data; or a complaint or request relating to either Party's obligations under the Data Protection Legislation; provide either Party with full co-operation and assistance in relation to any complaint or request made, including by: providing the other Party with full details of the complaint or request; complying with a data access request within the relevant timescales set out in the Data Protection Legislation and in accordance with the other Party's instructions; providing the other Party with any Personal Data it holds in relation to a Data Subject (within the timescales required by the other Party); and 16

17 providing the other Party with any information requested by the other Party; permit the other Party or the other Party s Representative (subject to reasonable and appropriate confidentiality undertakings), access to the data Processing activities (and/or those of its agents, subsidiaries and Sub-contractors) and comply with all reasonable requests or directions by either Party to enable the other Party to verify and/or procure that the other Party is in full compliance with its obligations under this Agreement; provide a written description of the technical and organisational methods employed by either Party for processing Personal Data (within the timescales required by either Party); and not Process Personal Data outside the European Economic Area without the prior written consent of either Party and, where the Either Party consents to a transfer, to comply with: the obligations of a Data Controller under the Eighth Data Protection Principle set out in Schedule 1 of the Data Protection Act 1998 by providing an adequate level of protection to any Personal Data that is transferred; and any reasonable instructions notified to it by the other Party. 2.3 Both Parties shall comply at all times with the Data Protection Legislation and shall not perform its obligations under this Agreement in such a way as to cause the either Party to breach any of its applicable obligations under the Data Protection Legislation. 3. FREEDOM OF INFORMATION 3.1 Both Parties acknowledge that both Parties are subject to the requirements of the Code of Practice on Government Information, FOIA and the Environmental Information Regulations and shall assist and co-operate with the other Party to enable the other Party to comply with its Information disclosure obligations. 3.2 Both Parties shall procure that their Contractors shall: transfer to either Party all Requests for Information that it receives as soon as practicable and in any event within two Working Days of receiving a Request for Information; provide the other Party with a copy of all Information in its possession, or power in the form that the other Party requires within five Working Days (or such other period as the other Party may specify) of the other Party's request; and provide all necessary assistance as reasonably requested by the other Party to enable the other Party to respond to the Request for Information within the time for compliance set out in section 10 of the FOIA or regulation 5 of the Environmental Information Regulations. 17

18 3.3 Each Party shall be responsible for determining in its absolute discretion and notwithstanding any other provision in this Agreement or any other agreement whether any Information is exempt from disclosure in accordance with the provisions of the Code of Practice on Government Information, FOIA or the Environmental Information Regulations. 3.4 In any event, both parties agree to inform one another of disclosure requests for Information obtained from the other party. 3.5 Both Parties acknowledge that (notwithstanding the provisions of this clause 3) either Party may, acting in accordance with the Department of Constitutional Affairs Code of Practice on the Discharge of the Functions of Public Authorities under Part 1 of the Freedom of Information Act 2000 ("the Code"), be obliged under the FOIA, or the Environmental Information Regulations to disclose information concerning either Party or the Services: in certain circumstances without consulting the other Party; or following consultation with the other Party and having taken their views into account; provided always that where applies the other Party shall, in accordance with any recommendations of the Code, take reasonable steps, where appropriate, to give the other Party advanced notice, or failing that, to draw the disclosure to the other Party s attention after any such disclosure. 3.6 Both Parties shall ensure that all Information is retained for disclosure [in accordance with paragraph 9 of the Information Sharing Agreement and shall permit the other Party to inspect such records as requested from time to time. 4. CONFIDENTIALITY 4.1 Except to the extent set out in this clause or where disclosure is expressly permitted elsewhere in this Agreement, each party shall: treat the other party's Confidential Information as confidential [and safeguard it accordingly]; and not disclose the other party's Confidential Information to any other person without the owner's prior written consent. 4.2 Clause 4.1 shall not apply to the extent that: such disclosure is a requirement of Law placed upon the party making the disclosure, including any requirements for disclosure under the FOIA, Code of Practice on Access to Government Information or the Environmental Information Regulations pursuant to clause 3 (Freedom of Information); 18

19 4.2.2 such information was in the possession of the party making the disclosure without obligation of confidentiality prior to its disclosure by the information owner; such information was obtained from a third party without obligation of confidentiality; such information was already in the public domain at the time of disclosure otherwise than by a breach of this Agreement; or it is independently developed without access to the other party's Confidential Information. 4.3 Either Party may only disclose the other Party's Confidential Information to the Personnel who are directly involved in the provision of the Services and who need to know the information, and shall ensure that such Personnel are aware of and shall comply with these obligations as to confidentiality. 4.4 Either Party shall not, and shall procure that the other Party s Personnel do not, use any of the other Party's Confidential Information received otherwise than for the purposes of this Agreement. 4.5 Nothing in this Agreement shall prevent a Party from disclosing the other Party's Confidential Information: to any Crown Body or any other Contracting Authority. All Crown Bodies or Contracting Authorities receiving such Confidential Information shall be entitled to further disclose the Confidential Information to other Crown Bodies or other Contracting Authorities on the basis that the information is confidential and is not to be disclosed to a third party which is not part of any Crown Body or any Contracting Authority; to any consultant, contractor or other person engaged by the other Party or any person conducting an Office of Government Commerce gateway review; for the purpose of the examination and certification of the other Party's accounts; or for any examination pursuant to Section 6(1) of the National Audit Act 1983 of the economy, efficiency and effectiveness with which the other Party has used its resources. 4.6 Both Parties shall use all reasonable endeavours to ensure that any government department, Contracting Authority, employee, third party or Contractor to whom either Party's Confidential Information is disclosed pursuant to clause 4.6 is made aware of its' obligations of confidentiality. 4.7 Nothing in this clause 4 shall prevent either party from using any techniques, ideas or know-how gained during the performance of the Agreement in the course of its normal business to the extent that this 19

20 use does not result in a disclosure of the other party's Confidential Information or an infringement of Intellectual Property Rights. APPENDIX 3 To Claims Management Regulation Ministry of Justice High Street Burton on Trent Staffordshire DE14 1JS Personal Data Request Form This request for personal data and other information is made under the powers invested in me as a constable of Thames Valley Police by the Police Act 1996 (section 30(1) which gives constables all the powers and privileges of a constable throughout England and Wales and Section 30(5) defines powers as powers under any enactment when ever passed or made). These powers include the investigation and detection of crime, apprehension and prosecution of offenders, protection of life and property and maintenance of law and order. Under the Police Reform Act 2002, the Chief Constable can delegate certain powers to police staff. The personal data I require relates to the following individual(s): (Include identifying details of the person where known, such as name, address and date of birth) I have the following information to assist you in locating the personal data and other information: (Include further details, where available, to assist locating the information sought) 20

21 I require the following personal data and other information: (Describe the information sought) I require the personal data and other information to assist with my enquiries into: (Describe the subject of those enquiries as far as is possible without prejudicing them) I confirm the personal data and other information is required for the following purpose(s): (Tick the relevant box(es) and complete the Other row where necessary) Purpose Legal Basis Tick For the prevention, investigation and detection of crime Police Acts, Common law For the apprehension and prosecution of offenders Police Acts, Common law To confirm or corroborate information for intelligence purposes Police Acts, Common law To put before a court to obtain a search warrant Police Acts, Common law To prepare a file for the Coroner's court On request of the Coroner To further a money laundering or confiscation investigation Proceeds of Crime Act 2002 To risk assess the address to safeguard the health and safety of any emergency personnel attending Police Acts, Health & Safety, Common law To identify if there are children at the address to negate any harm Children Act 2004 caused by police action To locate a missing person to ascertain their well being Police Acts, Common law To progress enquiries into a Road Traffic Incident Police Acts, Common law To protect life or property Police Acts, Common law Other (please specify) 21

22 I request that the personal data and other information should be provided to the police in the following manner: (Having considered factors such as the protective marking indicate how the information should be provided to the police, e.g. in person, by post, by fax, by etc.) The Data Protection Act 1998 defines personal data as data which is biographical in nature, has the applicant as its focus and/or affects the data subject s privacy in his or her personal, professional or business life. Under the Data Protection Act 1998, disclosure of personal data:- For the prevention and detection of crime or the apprehension or prosecution of offenders is permitted under s29(3) Required by or under any enactment, by any rule of law or by order of the court is permitted under s 35(1) (including the Health and Safety Act) For the purpose of, or in connection with, any legal proceedings is permitted by s35(2) (a) Where no data protection exemption applies, consideration should be given to the first principle issue of fairness. Where the rights and freedoms or the welfare of an individual is in doubt such as in enquiries 8 and 9 above, a harm test should be applied. It is highly unlikely disclosure would be unfair in these circumstances. Human Rights Act 1998 Article 8 right to privacy. This request is consistent with Article 8(2) prevention of disorder or crime. 22

23 (To be completed by the officer requesting the personal data and other information tick appropriate box(es)) I confirm that: this information will be used in connection with this enquiry and held and used only as long as this is required for policing purposes and any subsequent criminal justice proceedings. if this personal data is not disclosed it will prejudice the prevention or detection of crime or the apprehension or prosecution of offenders. if this personal data is not disclosed it will prejudice the purpose indicated overleaf. Signed... Collar No... Date... Print Name... Post... BCU/Area/Dept address... Phone... Fax If the nature of the enquiries is specified above this form must be countersigned by a Sergeant or Supervisor; if the investigation is such that no explanation can be given, this form will be countersigned by a Superintendent. Signed... Collar No... Date... Print Name... Post... This section to be completed by the recipient of request for personal data and information Response Please reply to all requests so that we know they have all been considered and to help prevent duplication. As part of your decision making process, please take into account the requirements upon you/ your organisation in relation to the request, for example the Crime and Disorder Act 1998, (any person or organisation has a power to provide information to a relevant authority in order to achieve a crime and disorder objective), the Local Government Act, Children Acts 1989 and 2004, and other legislation relevant to your organisation Signature... Date... Name... Position... Organisation & Dept

24 ... The information requested above has been approved for disclosure and is attached* The information requested above has not been approved for disclosure* *Delete as applicable Please explain why you have decided not to disclose the information so that we know whether you need additional information or for us consider presenting to the Court to obtain a Disclosure Order: If there is insufficient room please continue on an additional sheet(s). The subject of the request should not be given any indication that this request has been made prior to consultation with the requesting officer. If your organisation subsequently receives a request for a copy of this document (e.g. under the Data Protection Act or Freedom of Information Act) for this information, please contact the Force Data Protection Officer. 24

25 APPENDIX 5 RESTRICTED Address ClaimsManagement RegulationMonitoring& Compliance Unit High Street Burton upon Trent Staffordshire DE14 1JS T or F or Einfo@claimsregulation.gov.uk Our Reference: DATA PROTECTION ACT 1998 SECTION 29(3) REQUEST FOR INFORMATION This request for information should be treated as RESTRICTED. To: (Name and address of organisation from whom information is being sought) I am making enquiries for the purpose(s) of: * (a) The prevention or detection of a crime * (b) The apprehension or prosecution of offenders (* Delete as appropriate) Information required / Nature of enquiry I declare that I am a person authorised to make this request and that the information being requested is necessary for the purpose(s) indicated above. A failure to provide the information will, in my view, be likely to prejudice that / those purpose(s). Name (Please Print) Signed Department Date Contact details for receipt of information: Countersigned Name (Please Print) Department 25

26 Signed Date * A copy of this request should be retained on the claims investigation file. Single Point of Contact (SPOC) APPENDIX 5 Thames Valley Police Force Intelligence Bureau Fountain Court Kidlington Oxfordshire OX5 1NZ Claims Management Regulation Claims Management Regulation Monitoring and Compliance Unit Ministry of Justice High Street Burton on Trent Staffordshire DE14 1JS 26