The Scottish Government

« Previous | Contents | Next »

Listen

07 Information Sharing

Summary

Information sharing is a crucial element of civil protection processes underpinning all forms of co-operation:

• The initial presumption is that all information should be shared.
• Some information should be controlled if its release would be counter-productive or damaging in some other way.
• In most instances, information will pass freely between responders, as part of a more general process of dialogue and co-operation.
• A formal request for information should state what is required and why it is required.
• The information sharing obligation only applies to information the responder already has. It does not enable one responder to require another to create new information.
• Not all information can be shared.

Information sharing

7.1 Information is shared between Category 1 and Category 2 responders as they work together to perform their duties under the Act. Information sharing is a key element of civil protection work underpinning all forms of co-operation. It is essential to other duties under the Act, in particular risk assessment, business continuity management and emergency planning. It may be undertaken by the Strategic Co-ordinating Groups. It may involve direct contacts between responders where information held by one is needed to help another fulfil its civil protection duties.

7.2 The process of sharing information is crucial to other elements of the duty:

• Sound risk assessment relies on obtaining accurate information about the nature of the hazard, the probability of a hazardous event occurring and the potential effects and impact on the community if it does. Each of these elements may involve some specialist knowledge and the information required may be privileged or sensitive and not generally in the public domain.
• Business continuity management largely involves knowledge of the vulnerabilities of one's own organisation - but it also examines linkages to and dependencies on suppliers and contractors, where information may be harder to obtain.
• Emergency planning relies essentially on knowledge of how partners in response have planned to perform - what their aims and contribution will be, how they will organise and co-ordinate their efforts with those of other bodies and how contacts will be managed before and during the event. All these details are constantly changing as plans are revised, organisations are restructured, roles redefined and individuals and teams replaced.

7.3 Information sharing is necessary so that Category 1 and 2 responders are able to make the right judgements. If Category 1 and 2 responders have access to all the information they need, they can make the right decisions about how to plan and what to plan for. If they do not have access to all information their planning will be weakened and they will be less well placed to make judgements around cost-benefit analysis - what to plan for and what not to plan for.

7.4 The situation is complicated because each individual Category 1 or 2 responder's needs have to be balanced against the needs of others. For example, sharing a piece of information which helps the planning of one Category 1 or 2 responder could harm the interests of another. Similarly, the perspective of an organisation on a piece of information can be affected by its own position. For example, a Category 1 or 2 responder might interpret something to be a risk, but another with greater expertise might be less concerned. In some circumstances Category 1 or 2 responders will not be able to appreciate the wider environment into which the information fits. For example, a seemingly innocuous piece of information might have implications for national security.

7.5 These two competing factors point towards a framework in which the presumption is that information should be shared unless its release would be counterproductive or damaging in some other way.

When information should not be formally requested

7.6 In most instances, information will pass freely between Category 1 and 2 responders as part of a more general process of dialogue and co-operation. This is the means by which the overwhelming majority of information sharing should happen and has happened. If this is not the case, it is probably evidence of a wider systemic failing in the way the Act is operating in the local area in question.

7.7 As a consequence, the Regulations require Category 1 and 2 responders to consider alternative routes before pursuing a formal information request. ¹ This ensures that Category 1 and 2 responders make proper efforts to use existing and informal routes to gather information. The aim of this provision is to avoid excessive bureaucracy in the information-sharing process and reinforce the message that the information-sharing mechanisms under the Act should be regarded as a fallback rather than as the first option.

7.8 First, the Category 1 or 2 responder must be satisfied that it does not already hold the information, ² either by virtue of a previous request or because of informal information exchange. Category 1 and 2 responders should, as a consequence, marshal the information they hold in such a way as to ensure they can make a judgement on this point.

7.9 Secondly, the Category 1 or 2 responder must satisfy itself that the information is not reasonably accessible to the public - that is to say, is not put out generally by the Category 1 or 2 responder as part of its wider information policy. Examples of this would include material made available in annual reports or accounts, or material on websites (both those of individual Category 1 or 2 responders and general websites with generic information such as www.civilcontingenciesscotland.gov.uk and www.ukresilience.info.

7.10 Thirdly, the Category 1 or 2 responder must satisfy itself that the information cannot be obtained by other means. ³ This includes all forms of informal dialogue and information sharing and obliges responders to work together in the first instance to agree information flows that meet the need of those organisations involved. These will include many of the informal information-sharing agreements that exist at the local level. Category 1 and 2 responders may also have pre-existing requirements on them under other legislation (including, for example, their licence conditions from a regulator, or by direction of a Minister) to assess risk and to prepare planning arrangements for emergencies. This may mean that relationships and information-sharing routes are already established. Where possible, these should be built on and complemented, rather than duplicated.

Procedure for making a request

7.11 There may be some instances in which the supply of information will be more controlled. Under the Regulations, any Category 1 or 2 responder can request information from another Category 1 or 2 responder, so long as it is for the purpose of fulfilling responsibilities under the Act, or the performance of another function which relates to an emergency. ⁴ This should be seen very much as a fallback option and every effort should be made to maintain relationships between Category 1 and 2 responders that allow information to be shared without recourse to formal requests. But should formal requests be necessary there are a number of procedures that need to be followed in order to make the system work.

7.12 In any instance of information sharing, one or more Category 1 or 2 responders will request the information and one or more will receive the request. They are known respectively as "the requesting Category 1 or 2 responder" and "the receiving Category 1 or 2 responder".

7.13 An information request should be made in writing. It must specify either the information required or a description of the information requested. The request should be sufficiently precise that the nature of the information sought is clear. The request must include reasons as to why the responder needs the information.

7.14 The request may specify a time limit for dealing with the request and the place at which the information should be provided. The requesting responder may also specify the form in which the information is to be supplied (for example, in paper form or on a computer disk). In each case the time allowed and the place and form specified must be reasonable. For example, a request for details from an established emergency plan could be expected sooner than one which sought information not collated or subject to release only with the permission of a third party. Wherever possible the request should be discussed in advance between responders.

Procedure for dealing with a request

7.15 A valid request for information in possession of the Category 1 and 2 responder receiving the request must be complied with unless one of the exceptions (set out below) applies. ⁵ This is the case even where the information has been originally supplied in confidence - though the responder which receives the information is also likely to become subject to that duty of confidence. Where the responder is subject to restrictions on the disclosure of information in another enactment or a contract, the other enactment or contract will have to be considered in light of the Regulations. Which provision applies will depend on the particular terms of the other enactment or contract.

7.16 In considering whether the request is valid, a responder should consider if the procedural requirements have been satisfied and whether the reasons given by the requesting responder indicate the information does appear to be reasonably required in connection with the requesting responder's functions.

7.17 The information must be provided within the time limit specified in the request. ⁶ If no time limit is specified, the information must be provided in a reasonable period. The information must be supplied in the form and at the place specified by the request.

7.18 The request relates to information, not documents. A responder which receives a request is not required to disclose all the documents which contain the information which has been requested. However, this will often be the easiest way to deal with an information request. In other cases, a new document which contains the information being requested may be prepared.

7.19 Where a request relates to information, part of which is sensitive and part of which is not, the exception only applies to the sensitive information. The application of an exception does not necessarily enable a Category 1 or Category 2 responder to refuse to share a piece of information in its entirety.

What information can be shared?

7.20 Not all information can be shared and Category 1 and Category 2 responders can claim exceptions in specified circumstances and thus not supply certain information. Exceptions relate to sensitive information only. Where the exceptions apply, a Category 1 or Category 2 responder must not disclose the information.

7.21 The exceptions are:

• Exception where disclosure would prejudice sensitive information⁷- A Category 1 or 2 responder must refuse to comply with an information request if the information is sensitive; and if it has reasonable grounds to believe that complying with the request would compromise that information. If a Category 1 or 2 responder refuses to disclose information on this basis, it must give reasons for so doing, unless the information is sensitive by virtue of its impact on national security. ⁸For example, a Category 1 or 2 responder might be unwilling to pass sensitive information to another responder because the latter was known to have problems with its employees leaking information to the media. It should be noted, however, that this exception is only rarely likely to be available, as generally there will be no robust reason to expect that information would be passed on.
• Exception where information has been supplied by the intelligence services⁹ - Where a Category 1 or 2 responder receives an information request in relation to information which has been supplied directly or indirectly by the intelligence services (the Security Service, Secret Intelligence Service, Government Communications Headquarters or National Criminal Intelligence Service), the responder must not comply with the request unless the relevant intelligence service consents to the disclosure of the information. The intelligence service may impose conditions on its consent.

Sensitive information

7.22 There are four different kinds of sensitive information as defined by the Regulations: ¹⁰

• Information prejudicial to national security - information, the disclosure of which to the public would adversely affect national security.
• Information prejudicial to public safety - information, the disclosure of which to the public would adversely affect public safety.
• Commercially sensitive information - information which relates to the business or other affairs of a person or organisation and disclosure of which to the public would prejudice the legitimate business interests of the person or organisation to whom the information relates.
• Personal information - information which is personal data within the meaning of the Data Protection Act 1998, disclosure of which to the public would breach any of the data protection principles or section 10 of that Act.

7.23 It will be for individual Category 1 or 2 responders to reach a decision about whether the information they hold is sensitive. There are a number of general points that should be considered:

• All Category 1 and 2 responders should presume that information requested should be disclosed. Non-disclosure should only occur in exceptional cases, such as where there are national security implications.
• Where the Category 1 or 2 responder knows that the information has originated from the intelligence services and that disclosure to the public would threaten national security it must not be disclosed. Where the Category 1 or 2 responder suspects that the information has originated from the intelligence services or that it may be sensitive for reasons of national security, it should consult with the originator of the information. However, material that originates from the intelligence services is not, as a matter of course, sensitive information.
• In considering national security implications, the test is whether disclosure to the public would threaten national security, not whether disclosure to the requesting Category 1 or 2 responder would threaten national security. A similar test applies in the other categories of sensitive information.
• In the case of information that is sensitive by virtue of its national security implications a Scottish Minister or Minister of the Crown may issue a certificate certifying that disclosure of that information to the public would be contrary to the interests of national security. ¹¹ This certificate is conclusive. The Minister can issue a certificate in relation to a class of information or a specific piece of information. Note, however, that absence of a certificate does not mean that the information cannot be sensitive on national security grounds.
• Where a request relates to information, only part of which is sensitive, the exception only applies to the sensitive information. Therefore, the application of an exception does not necessarily enable a Category 1 or 2 responder to refuse an information request in its entirety.

Using non-sensitive information

Using within the planning process

7.24 The Act and Regulations do not impose any limits on the use of information obtained under the Act which is not sensitive. However, use of non-sensitive information may be limited by duties of confidence established by other legislation or by contract.

7.25 There are unlikely to be any restrictions on the use to which a Category 1 or Category 2 responder can put non-sensitive information which it creates in the course of carrying on its duties under the Act. Responders should be mindful that information may be sensitive within different environments and whilst some information may be suitable for sharing among responders, it might not be suitable for the wider public. For example, there is a requirement to avoid alarming the public in the information made available under other duties.

Disclosure

7.26 Neither the Act nor the Regulations place any restriction on the disclosure of non-sensitive information that is obtained under the Act. Nor do the Act or Regulations create any restriction on disclosure of non-sensitive information that is created in the course of a responder carrying out its functions under the Act. However, non-sensitive information which is received from other responders or third parties may be subject to a duty of confidence or contractual restrictions on disclosure. Category 1 or 2 responders may also be subject to other statutory restrictions on disclosure.

7.27 Just because there is no restriction on disclosure does not necessarily mean that the Category 1 or 2 responder will be obliged to disclose the information. Some Category 1 or 2 responders may be under a legal obligation to disclose certain information - under enactments such as the Freedom of Information (Scotland) Act 2002 and the Environmental Information (Scotland) Regulations 2004.

7.28 Members of the public may make requests under the Freedom of Information (Scotland) Act 2002 to see the Community Risk Register or any of the individual risk assessments. Individual responders which are presented with such requests will need to consider what can be released. The exemptions relating to national security and commercial sensitivity may be particularly relevant to these deliberations. Given the relatively short timeframe in which information must be provided, it would be helpful for local responders to consider in advance how such requests would be handled.

Using sensitive information

Using within the planning process

7.29 Sensitive information reasonably requested by a Category 1 or Category 2 responder to perform its functions which relate to an emergency, may only be used for the purpose of performing the function for which it was requested. ¹² The effect of this should limit the circulation of information within a responder's organisation. For example, information about the robustness of mobile phone coverage, legitimately obtained for use in developing emergency plans, should not be shared with those responsible for the contractual relationship with its mobile phone provider.

7.30 If a responder wishes to use sensitive information it has received by virtue of an information request under the Act for a different purpose, it must obtain the consent of the relevant person or organisation. The relevant person or organisation for different types of sensitive information is set out in Figure 7.1 below.

7.31 The use of sensitive information may be further restricted by duties of confidence, by other enactment or by contract.

Figure 7.1 - Relevant persons or organisations for different types of security information

Disclosure

7.32 Category 1 and Category 2 responders are prohibited from publishing or otherwise disclosing any sensitive information which they have received by virtue of the Act or which they created in the course of discharging their duties under the Act. For example, a risk assessment might identify that planning to evacuate a city centre was deficient and would exacerbate the effects of a terrorist attack. Making the information public could expose a weakness that might encourage an attack. If this information was obtained by virtue of an information request made under the Act or created by a Category 1 or 2 responder in performing its duties, the sensitive information must not be disclosed even if it would otherwise fall within the Category 1 responder's duty to publish a risk assessment/plan or its duty to warn, inform and advise the public.

7.33 There are two exceptions to the prohibition on disclosure. Where the exceptions apply, the responder may disclose. However, unless the responder is subject to an obligation under the Act to disclose the information (for example the duty to publish risk assessments), it is not obliged to do so.

7.34 The two exceptions are:

• Consent for the publication or disclosure is obtained¹³ - Consent should be obtained from the person identified in the table above. The consent may be given subject to conditions.
• The information is commercially sensitive or personal data and the public interest in disclosure outweighs the interests of the person¹⁴ - This exception does not apply if the information is sensitive by virtue of its national security or public safety implications. When relying on this exception, the responder must inform the person to whom the information relates of its intention to disclose the information and provide reasons why it is satisfied that the public interest in disclosure outweighs their personal interests.

7.35 The prohibition on disclosure applies when the Category 1 or Category 2 responder is discharging its duties under the Act or any other function that it has in relation to an emergency. ¹⁵ However, the restrictions on the use of information mean that in most cases sensitive information should not be used for other purposes. The prohibition does not apply where a Category 1 or Category 2 responder is dealing with an information request or contributing to the Community Risk Register ( CRR). However, the Regulations covering those topics also allow for the treatment of sensitive information if the information may be compromised or its confidentiality may be threatened.

7.36 The prohibition on disclosure will not apply where the Category 1 or Category 2 responder receives an information request under the Freedom of Information (Scotland) Act or the Data Protection Act. In such circumstances responders must consider the relevant legislation to determine whether or not the information should be released. Each case should be considered on its merits.

7.37 Under its duties related to risk assessments the Category 1 responder does not need to provide information for the Community Risk Register ( CRR) where it considers that to do so would compromise or impair the confidentiality of the information. Note that there is no obligation under the Regulations to publish the CRR although publication by the Strategic Co-ordinating Group "as far as necessary or desirable" of the Register or parts of the Register would fulfil other duties. It is possible for a local responder to contribute a risk assessment to the CRR on condition that its risk assessment is not published.

Category 2 responders

7.38 It is important for Category 1 responders to be realistic about what information is requested from Category 2 bodies. Information sharing has the potential to be burdensome if it is not handled responsibly.

7.39 Where possible, Category 1 responders should seek to channel requests through as small a number of routes as possible so as to avoid duplication of effort. For example, all local responders could channel requests through the Strategic Co-ordinating Group or lead responder and share the information.

7.40 Where sensitive information is held, many Category 2 responders are likely to rely on exceptions that relate to commercial confidentiality. This may reflect the status of some responders as private sector commercial organisations. In that regard considerations related to contract and confidentiality may also apply.

7.41 In return for responsible use of these powers to request information, Category 2 responders should ensure that they can deal with reasonable requests made by Category 1 responders.

Security of sensitive information

7.42 Category 1 and Category 2 responders must establish arrangements to ensure that sensitive information it obtains or creates under the Act is not compromised or its confidential nature impaired. ¹⁶

7.43 The arrangements made must include:

• security marking;
• regulation of access to those performing duties or functions who need to have access to the information; and
• secure storage and transfer arrangements, including electronic transfer.

Health and Safety at Work Act 1974

7.44 Restrictions on disclosure of information under Section 28(2) of the Health and Safety at Work Act do not apply to the disclosure of information by the Health and Safety Executive if the disclosure is made in connection with:

• performance of a duty under section 2(1) or 4(1) of the Act;
• a request under regulation 45; or
• a request under regulation 44 in connection with functions of the Health and Safety Executive.

Other legislative requirements

7.45 Although there are many pieces of legislation which affect the use of information within individual sectors, there are three which have a wider-ranging impact of which responders should be aware. They are:

Freedom of Information (Scotland) Act 2002

7.46 The Freedom of Information (Scotland) Act 2002 provides individuals with the right to seek information from public bodies, subject to procedural requirements and particular exemptions. The rights of individuals to seek such information under that Freedom of Information Act must be considered by responders alongside the duties under the Act and the Regulations.

7.47 Further information is available through the Scottish Executive's website at: http://www.scotland.gov.uk/Topics/Government/FOI.

Environmental Impact (Scotland) Regulations 2004

7.48 The Environmental Impact (Scotland) Regulations 2004 provide for the freedom of access to information on the environment, subject to certain conditions and must be taken into account when carrying out duties under the Act and Regulations.

7.49 Further information is available through the Scottish Executive's website at http://www.scotland.gov.uk/library5/environment/aeig-00.asp.

Data Protection Act 1998

7.50 The Data Protection Act 1988 provides certain rights to individuals to request information from public bodies about personal data held by them which relates to that individual. It also provides limits on the use or processing of such data by public authorities. The Data Protection Act must be considered in relation to the duties imposed under the Act and Regulations.

7.51 Guidance on the Data Protection Act can be found on the Information Commissioner's website at www.informationcommissioner.gov.uk.

7.52 It is for each responder to make the final judgements about the detailed implications of each of these pieces of legislation and how they interface with the Act.

« Previous | Contents | Next »