
Use of consultants/researchers
Initiatives may from time to time involve the need to employ independent advisers,
possibly to evaluate projects or assist with developing IT applications. In rare circumstances,
this may involve the processing of personal information.
As a general principle, this should be avoided where possible and only undertaken
if no reasonable alternative to achieve the required objective is available. If
there is no alternative, the agency(s) concerned will need to draw up a formal
contract with the consultant concerned.
The agency holding the personal information retains full responsibility for ensuring
that it is processed legally by the contractor at all times. The contract should therefore
stipulate how the information is to be used by the contractor (defined as a ‘data
processor’ under the Data Protection Act).
This should clearly set out requirements for maintaining compliance with the Data
Protection Act and other relevant legislation, in much the same way as a protocol.
It should cover the following:
- the security measures required from and guaranteed by the consultant (these should
  be equivalent to the agency’s own security measures);
- the reasonable steps the agency will take to ensure that those security guarantees
  are being met;
- that the consultant is quite clear about what they can and cannot do with
  the personal data they are given access to;
- that there will be no further disclosure of personal data to any third parties
  (including other partners) without the written consent of the agency holding that
  data;
- that any documents published by the consultant do not identify any individuals
  or families and that the agency is entitled to a copy of any published document (to
  verify this and demonstrate that the consultant was acting on their behalf);
- that there is a clear commitment to remove any excessive or irrelevant personal
  data at the completion of the project or the point that it is no longer necessary,
  whichever is the sooner.
In essence, the contractor should be bound in much the same way as an employee
of the agency concerned and constrained by the same legal duties and responsibilities
to protect personal (sensitive) data.
Consideration should be given as to how the agency might notify relevant
individuals or families that their personal data is being used for this purpose –
in order to be as open with individuals as possible.
Disclosure to a sub-contractor (data processor) for a purpose which is reasonably
subordinate to that of the agency itself would not normally impose a requirement
to notify the Information Commissioner or to obtain the consent of the individual
to whom the information relates. Advice from the Office of the Information Commissioner
should normally be sought if there is doubt.