The Effective Sharing of Key Adult and Child Social Care, and Educational Indicators with Key Housing Partners.

Title:

Version:

Date – Version – Comments

Date of Enactment:

The date the agreement comes into force.

Renewal:

This Information Sharing Agreement shall be reviewed by all parties no less frequently than on an annual basis.

Author:

Name of Author

Partners:

Information Asset Owners of Children’s Social Care, Adult’s Social Care, Education, Housing Partners (Temporary Accommodation, Social Housing Providers)

Purpose Introduction:

This Information Sharing Agreement is designed to facilitate the lawful and proportionate sharing of information between the indicated partners to promote more effective working. This should be read in conjunction with the Data Privacy Impact Agreement, which will define the data sources and transfer methods that may not be appropriate for publication, for reasons of cyber-security.

Data Controllers:

A list of the Information Asset Owners or Data Controllers/Processors involved, including whether they are separate or joint, in accordance with https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/controllers-and-processors/controllers-and-processors/

Purpose Detail:

Families and individuals that are in temporary accommodation are already in a vulnerable place and it is considered that it would be important for housing partners to be aware of key indicators of multiple disadvantages that their tenants are facing and whether there was involvement with a caseworker from Children’s or Adult Social Care and Education Services.

This will enable the Council to consider the priority of individuals of families for housing, should the temporary accommodation be an additional risk factor.

Consent Basis:

Consent is not gathered, however the use of data is clearly stated in the published Privacy Statements and tenancy agreements.

What is the Lawful Basis for Sharing under the UK General Data Protection Regulations 2018:

Sections 6(1)(c) Legal Obligation and 6(1)(e) Public Task for personal data.

Sections 9(2)(c) Vital Interests and 9(2)(g) Substantial Public Interest.

What statutory acts, instruments and guidance are used to give the LA the legal power for sharing the information as described in this ISA? Please state the relevant articles or sections:

Care Act 2014 Section 1(2)(h), Promoting Individual Well-being, suitability of living accommodation
Childcare Act 2006, Section 1, General duties of local authority in relation to well-being of young children.
Children (Leaving Care) Act 2000, Section 23B(8,10), Providing them with or maintaining them in suitable accommodation
The Children’s Act 1989, Section 17, Provision of services for children and their families
The Children’s Act 1989, Section 47, Protection of Children
The Children Act 2004, Section 10, Co-operation to improve well-being.
The Children Act 2004, Section 11, Arrangements to safeguard and promote welfare.
The Children’s and Families Act 2014, Section 28, Co-operating generally: local authority functions
The Localism Act 2011, Part 7, Chapter 1, Sections 145-149, Duties on Homelessness and Allocations
Local Government Act 2000, Section 2(1), Promotion of Well-being
Special Educational Needs and Disability Regulations Act 2014, Part 2, Regulation 7(e), Matters to be taken into account in securing an EHC needs assessment, (e) minimise disruption for the child, the child’s parent, the young person and their family
Housing Act 1996 (amended by: Homelessness Reduction Act 2017), Section 195, Duties in case of Threatened Homelessness
The Social Security (Information-sharing in relation to Welfare Services etc.) Regulations 2012, Part 3, Regulation 5, Determining whether a person is in receipt of housing benefit
Digital Economy Act 2017, Schedule 5, Digital Government
Digital Government (Disclosure of Information) Regulations 2018, Section 2, Multiple Disadvantages
School Discipline (Pupil Exclusions and Reviews)(England) Regulations 2012, Duties to notify the LA

Statutory Guidance:

Working Together to Safeguard Children 2018 (Statutory Guidance), Homelessness Duty
Homelessness Code of Guidance for Local Authorities, 2023, DLUHC
Safeguarding Adults, Association of Directors of Social Services 2005

Who are the data subjects and what items of data will be shared. Indicate any that fall under the special categories by prefixing (SC):

The data subjects will be anyone in social housing in the LA, including those in temporary accommodation. The data shared will be as follows:

First Name

Last Name

Date of Birth

Gender

In Council Temporary Accommodation Flag (Y/N)

Is in Rent Arrears Flag (Y/N)

Arrears Payment Plan In Place Flag (Y/N)

Is at Risk of Eviction Flag (Y/N)

Home Address (As displayed on each host system for comparison)

National Insurance Number (For Matching Only, Not Displayed)

National Health Number (For Matching Only, Not Displayed)

Unique Pupil Number (For Matching Only, Not Displayed)

Social Care System ID (For Matching Only, Not Displayed)

Education Data System ID (For Matching Only, Not Displayed)

(SC) EHCP Flag (Y/N)

(SC) SEND Type (Sometimes known as Primary Need) (Description)

(SC) Is Disabled Flag (Y/N)

(SC) Disabilities (Description)

Child Protection Flag (Y/N)

Child in Care Flag (Y/N)

Child in Need Flag (Y/N)

Child is at Currently at Risk of Exploitation Flag (Y/N)

Is Known to Children’s Social Care, Adults Care and Wellbeing or SEND Team Flag (Y/N) (Not incl. Youth Justice or other LA)

Social Care or SEND Team (Details) (Not incl. Youth Justice or other LA)

Assigned Caseworker(s)

Current School, including where EHE or not known

Current School Postcode

Current School Total Absence (AA+UA) (%)

Current School Lateness (%)

Exclusions from School in Current Academic Year (Count of Occurrences, Integer)

How will data be matched between systems?:

Data tables will be matched using the following criteria in order of reliability:

(1)           UPN or NHS number where they exist if included in the Privacy Statement
(2)           Education or Social Care System IDs
(3)           A concatenation of Date of Birth as a text string with the Legal Last Name and the first three letters of the Legal First Name
(4)           A concatenation of Home Post Code as a text string with the Legal Last Name and the first three letters of the Legal First Name
(5)           Other methodology identified by the LA IT Services Team

Where no link is found, data will not be displayed from any of the systems.

For personal identifiable health and social care data for planning and / or research purposes, has the National Data Opt-Out been applied?:

~~Yes~~ / No / Not Applicable

What Data Retention Policies will be put in place?:

Data will only be held on the joint system whilst clients of Housing are in temporary accommodation. Data on host systems will adopt the retention policies applicable to those areas. For Education data, data will be held until the subjects’ 25^th birthday, for safeguarding referrals, six years after the report, for Child Protection documents, 40 years and for looked after children, 75 years. For Adult Social Care and Health data, retention will be according to the NHS Records Management Code of Practice 2021 available at https://www.gov.uk/government/publications/records-management-code-of-practice-for-health-and-social-care . For Housing data, records are kept for three years after the discharge of homelessness duty.

How will the data be securely transferred and stored?:

Where possible, data will be transferred directly between LA systems. Where the Microsoft Azure platform is used, the servers are located in Western Europe and where Microsoft PowerBI is used, the data is stored in Northern Europe. For data from partner organisations hosted outside the LA, data should ideally be transferred into an SSH FTP dropbox using AES-256 encryption and SHA-2 hashing. Authentication will be for defined usernames and complex passwords, with no generic or system account names used. Passwords will be a minimum of fifteen characters and include all four character types. The client will be WinSCP or Filezilla. Any email containing PII, which is not of the .gov.uk form must use an encryption system, such as Egress.

What security measures will be put in place to mitigate risk of data breaches?:

Only defined users will have access to the combined dataset and will have user-level access to the minimum data required to achieve their function.

Data will never be printed, nor stored on removable media. If exported from the data dashboard, it must be stored in password-protected XLSX files, only made available to users who have access to the whole system. Where used for planning purposes, exported data must be pseudonymised. Data may only be used for the purposes included within this ISA.

All partners should work to the NHS Data Security and Protection Toolkit, or the requirements of ISO/IEC 27001:2005 (ISO/IEC 17799:2005) or their equivalent.