Quickly exit this site by pressing the Escape key Leave this site
We use some essential cookies to make our website work. We’d like to set additional cookies so we can remember your preferences and understand how you use our site.
You can manage your preferences and cookie settings at any time by clicking on “Customise Cookies” below. For more information on how we use cookies, please see our Cookies notice.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Your cookie preferences have been saved. You can update your cookie settings at any time on the cookies page.
Sorry, there was a technical problem. Please try again.
This site is a beta, which means it's a work in progress and we'll be adding more to it over the next few weeks. Your feedback helps us make things better, so please let us know what you think.
1.1 This procedure/SOP has been reviewed in June 2023:
2.1 This procedure/SOP defines Information Sharing and Information Sharing Agreements (ISAs); it identifies when Information Sharing Agreements are required; and describes the processes that will be followed to produce and manage Information Sharing Agreements.
Compliance with this procedure/SOP and any governing policy is mandatory.
3.1.1 ‘Information Sharing’, sometimes referred to as ‘Data Sharing’, is the disclosure of information from one or more organisations to another organisation(s) where permitted by law. It can take the form of:
3.1.2 Information Sharing can be achieved through the sharing of information verbally, in physical or digital form.
3.1.3 Most sharing by the police involves ‘personal data’ and therefore has to comply with either the Data Protection Act 2018 (DPA) or the UK General Data Protection Regulation (UK GDPR) – together known as ‘Data Protection legislation’.
3.1.4 Personal Data is any information relating to an identifiable person who can be directly or indirectly identified from the shared information or the shared information combined with other information. For further information on Data Protection see
W 1011 Procedure/SOP – Data Protection.
3.1.5 Where information sharing does not involve sharing personal data there is no need to comply with Data Protection legislation though information security requirements must be considered.
3.1.6 Information Sharing involving personal data may be divided into two types:
3.1.7 Differing approaches apply to these two types of information sharing.
3.1.8 For ad-hoc, one-off sharing it is expected that details of the disclosure are appropriately recorded in an accessible format either within an incident/crime report, or attached to the system as an upload. Within that rationale the following criteria must be met:
3.1.9 For systematic, routine sharing an Information Sharing Agreement (ISA) can be created. Whilst an ISA is not a requirement under data protection legislation, it is an instrument designed to ensure all parties understand their roles and data protection obligations whilst undertaking the sharing of information. The remainder of this procedure/SOP explains what they are and how they should be created and managed.
3.1.10 ISA’s should not be confused with Data Processing Contracts, also known as Data Processing Agreements, or Data Protection Agreements. These are the documents that Data Protection legislation requires where one organisation processes personal data on behalf, and under instruction, of another, such as for research purposes.
3.2.1 An Information Sharing Agreement (ISA) is a document accepted by organisations involved in sharing personal data (‘partners’) on a systematic, routine basis which prescribes how information sharing will take place, demonstrates that it is lawful and shows it will be carried out with appropriate safeguards to protect the information shared.
3.2.2 Most ISA’s follow a similar structure, based on one of the many templates available within the police service and beyond.
3.2.3 Essex Police Form ISA provides an ISA template and guidance notes, or, in the case of sharing with a partner within the Whole Essex Information Sharing Framework (WEISF), the WEISF template may be used.
3.2.4 Kent Police require information sharing partners to be partners in the Kent and Medway Information Partnership (KMIP), in most cases. The partner will be required to sign up to the Kent and Medway Information Sharing Agreement (KMISA). Further information can be found on the inSite Information Sharing Page. The KMISA must be read and the expectations placed on new partners must be fully understood. The KMISA is a generic ISA. Where KMIP partners are sharing for a specific purpose, or project, a repeat sharing form setting out the lawful basis, responsibilities and expectations will be required (Contact the Kent DPO). If it is decided that the KMISA is not a suitable vehicle then a new ISA will be required.
3.2.5 National ISA’s have been created by the NPCC for information sharing from a national police systems to external organisations. These documents are commissioned by an NPCC lead and the ISA’s relate to their national policing coordination committee or portfolio area. They are recorded in a national ISA register on Knowledge Hub and their existence may preclude the need for an ISA to be developed by the force.
3.2.6 The existence of an ISA does not automatically make any sharing of personal data between partners lawful. An ISA should be seen as an administrative tool to assist in information sharing.
3.3.1 The following stages covered in the subsequent parts of this procedure/SOP must be followed:
3.3.2 Within Essex Police and the Serious Crime Directorate assistance for progressing through these stages may be obtained from the Essex Police Data Protection Officer or from the Data Protection Compliance Team.
3.3.3 Within Kent Police and the Shared Services Directorate assistance for progressing through these stages may be obtained from the Kent Police Data Protection Officer, or from the Public Disclosure Team.
3.4.1 This is the initial stage where a proposal to share information between the police and partners first arises. The proposal may be generated by the police force, its partner(s) or other bodies. This stage may occur at the same time as Stage 2.
3.5.1 The initial proposal must have necessary support and sponsorship to progress, so each of the following must confirm their agreement in principle to pursuing the sharing initiative:
3.5.2 If support is not forthcoming the sharing initiative should be abandoned or amended for reconsideration.
3.6.1 At this stage the sponsor should ensure that the following are confirmed:
3.7.1 At this stage the sponsor will ensure that in accordance with W 1022 Procedure/SOP Data Protection Impact Assessments (DPIA’s) a Stage 1 DPIA Assessment is made, which will determine whether a full Stage 2 DPIA is required and, where it is, one is conducted.
3.7.2 The outcomes of the DPIA process must inform whether or how the sharing should occur.
3.8.1 Informed by the DPIA an ISA should be considered when the force participates in systematic, routine sharing of the same type of personal data, including an arrangement to ‘pool’ information, with partners for an established, specific and lawful purpose.
An ISA should be created when the following applies:
3.8.2 An ISA is not required when any of the following applies
3.8.3 Where there is a need for an ISA:
3.8.3.1 For Essex Police and the Serious Crime Directorate it should be created using either: Form ISA which provides an ISA template; or, in the case of sharing with a partner within the Whole Essex Information Sharing Framework (WEISF), the WEISF template; or a template used by the partner agency provided that it includes all aspects set out in Form ISA.
3.8.4 For Kent Police and the Shared Services Directorate it is preferred that all information sharing partners are partners in the Kent and Medway Information Partnership (KMIP), the partner will be required to sign up to the Kent and Medway Information Sharing Agreement (KMISA). Further information can be found on the Information Sharing Page. If it is decided, in conjunction with the DPO, that the KMISA is not a suitable vehicle, a new ISA should be created using the ISA template, which also includes a DPIA.
3.9.1 For Essex Police and the Serious Crime Directorate the Information Asset Owner(s) should determine whether officers and/or staff who will carry out the sharing should be given written operational instructions to assist them in this activity. Operational instructions do not need to be agreed by partners. They are more likely to be required where there are high risks around the sharing due to the nature of the shared information, the means by which it is shared or the type of recipient. A DPIA outcome may require operational instructions to be established.
3.9.2 Within Kent Police and the Support Services Directorate the Information Asset Owner(s) should determine whether officers and/or staff who will carry out the sharing should be given written operational instructions to assist them in this activity. Operational instructions do not need to be agreed by partners. They are more likely to be required where there are high risks around the sharing due to the nature of the shared information, the means by which it is shared or the type of recipient. A DPIA outcome may require operational instructions to be established.
3.10.1 Within Essex Police and the Serious Crime Directorate there is no requirement for the Data Protection Officer to ‘approve’ the ISA - their role is that of an advisor. The Information Asset Owner(s) may require sight and approval of an ISA involving their information asset. The signatory on behalf of the Chief Constable must be an officer of at least Chief Inspector or police staff equivalent, usually but not exclusively the sponsor. Once signed by all parties the sponsor must ensure a copy of the ISA is given to all information asset owners involved and the Information Asset Owner should ensure that this added to the Information Asset Register. A copy should also be provided to the DPO who will ensure it is added to the Data Protection Connexion pages.
3.10.2 Within Kent Police and the Support Services Directorate there is no requirement for the Data Protection Officer to ‘approve’ the ISA - their role is that of an advisor. The Information Asset Owner(s) may require sight and approval of an ISA involving their information asset. The signatory on behalf of the Chief Constable must be an officer of at least Chief Inspector or police staff equivalent, usually but not exclusively the sponsor. Once signed by all parties the sponsor must ensure a copy of the ISA is given to all information asset owners involved and to the Records Manager who will ensure the document is added to the force Information Asset Register. A copy should also be provided to the DPO who will ensure it is added to inSite, and is easily accessible.
3.11.1 The sponsor is responsible for ensuring the ISA is reviewed, amended or cancelled in accordance with the review process set out in the ISA.
4.1 This procedure/SOP has been assessed with regard to an Equality Impact Assessment. As a result of this assessment it has been graded as having a low potential impact as the proposals in this procedure would have no potential or actual differential impact on grounds of age, sex, disability, race, religion or belief, marriage and civil partnership, sexual orientation, gender reassignment and pregnancy and maternity.
5.1 There is an overall risk concerning the use and management of Essex and Kent Police information. Advice and guidance relating to the assessment of risk is contained within the individual procedures/SOP. The Corporate Risk Register will contain any risks in relation to Information Security.
6.1 The following have been consulted during the formulation of this document:
7.1 The forces’ partnership lead departments will be responsible for ensuring that the procedure/SOP will remain current in line with HMG and NPCC policy.
7.2 This procedure/SOP will be reviewed by or on behalf of the forces’ SIROs every year.
Overarching force policies or related procedures (Essex) / linked standard operating procedures (Kent)
Joint Essex Police and Kent Police
• W 1000 Policy – Information Management
8.1.1 Essex Police and Kent Police have measures in place to protect the security of your data in accordance with our Information Management Policy – W 1000 Policy – Information Management.
8.2.1 Essex Police and Kent Police will hold data in accordance with our Records Review, Retention & Disposal Policy – W 1012 Procedure/SOP - Records Review, Retention and Disposal.
8.2.2 We will only hold data for as long as necessary for the purposes for which we collected.
Procedure/SOP Author: Head of Information Management, Essex Police
Procedure/SOP Owner: The Senior Information Risk Owners (SIROs) for Essex Police and Kent Police
Policy reference: Information sharing agreements SOP (W1014)
Contact point:
Date last reviewed: June 2023
If you require any further information or to request any documentation referenced within the policy please email [email protected]. For general enquiries, contact us.