Sharing information at multi-agency meetings
Purpose of guidance
The purpose of this guidance is to help you understand:
- what a multi-agency meeting is
- how to set up information sharing at multi-agency meetings
- what to think about before you share information at a multi-agency meeting.
This guidance will help you share information at a multi-agency meeting in a considered and people-focused way.
We’ve also created an information sharing protocol template to help agencies document their sharing activity.
This guidance aligns to the structure of the template so you can develop your information sharing protocol easily and clearly.
Guidance audience
This guidance can be used by:
- public sector agencies, including:
- frontline staff
- regional staff
- national office staff.
- organisations working with government agencies.
Glossary
This section sets out the meaning of key terms used within the guidance.
- Agency
- Includes government agencies and departments, departmental agencies, and non-government organisations.
- Attending agencies
- Agencies that attend the multi-agency meeting and are signatories to the multi-agency meeting information sharing protocol.
- Lead attending agency
- The attending agency that sets up the multi-agency meeting and is responsible for developing and implementing the multi-agency meeting information sharing protocol.
- Information
- Includes data, personal information, aggregate information, and de-identified information.
- Māori data
- Digital or digitisable data, information, or knowledge (including matauranga Māori) that’s about, from or connected to Māori. It includes data and information about population, place, culture, and environment[Footnote 1].
- Multi-agency meeting
- A meeting where different agencies and organisations come together for a common purpose in a meeting setting. These meetings can be one-off events or occur regularly over a period of time.
- Organisations
- Non-government entities, or groups.
What is a multi-agency meeting?
A multi-agency meeting is a meeting where different agencies and organisations come together for a common purpose. These meetings can be one-off events or occur regularly.
To provide services and deliver effective outcomes, agencies and organisations often need to share information (both verbally and in written form) about individuals.
Sharing information enables them to understand and quantify the extent of a problem and then identify appropriate and effective supports, interventions, and services.
Examples of multi-agency meetings
Sharing information at multi-agency meetings
Sharing information about individuals at multi-agency meetings can be challenging when there are no clear policies and procedures to follow. Everyone knows the consequences of sharing too much can be significant. But so can the consequences of sharing too little.
Privacy is not about keeping things secret. It’s about getting the right information to the right people in a timely manner.
The way to be confident you’re doing the right thing is to embed best practice information sharing into the governance and operation of multi-agency meetings. That will protect the people you’re sharing information about and help you meet the objectives of your multi-agency meeting effectively and efficiently. It simply becomes the way you work.
We strongly recommend that all multi-agency meetings, especially those designed to operate over a period of time have an information sharing protocol in place.
Why we need multi-agency meeting information sharing protocols
Information sharing is a critically important activity for government agencies.
Good information sharing practices, including the development and use of multi-agency meeting information sharing protocols:
- build awareness within an agency of what information is being shared, who the information is being shared with and for what purpose
- create transparency and build public trust and confidence in how agencies are sharing personal information
- enable agencies to deliver effective, fit-for-purpose public services that improve outcomes for individuals.
Protocol purposes and what they record
The purpose of a protocol is to document authorised sharing of information. It ensures all attending agency representatives are aware of what information can and is being shared, for what purposes and under what legal authorities.
A protocol records:
- the purpose of the meeting
- the information being shared
- the legal authority the sharing is permitted under
- who the information will be shared with and for what purpose
- the controls and mechanisms that ensure personal information is shared safely and used appropriately.
Benefits of an information sharing protocol
The information sharing protocol helps attending agency representatives confidently share personal information in a timely manner. It also helps them to pause and make a confident judgement call when proposed information sharing within the meeting setting may create privacy risks.
Using our best-practice information sharing protocol template will enable you to show that the attending agencies have taken a privacy-by-design approach to information sharing practices. It’s important to be able to show you’ve carefully considered the purpose, use and on-going management and protection of individuals’ information.
From a practical perspective, recording how the information sharing works in the protocol also makes sure that the attending agencies and their representatives have the same understanding about what’s happening and why.
About the information sharing protocol template
Individual multi-agency meetings can adapt it for their own needs if they have to, but the template captures the key things you have to think about. The majority of the protocol will remain the same for each multi-agency meeting setting.
How the template works
Most of the time associated with developing a multi-agency meeting information sharing protocol is spent working through the purpose, information requirements, legal authority, use and appropriate controls.
Use the next section of this guidance to help you know what to write.
Once this thinking has been completed and agreed between agencies, just complete the areas of the template marked with an asterisk (*).
The protocol template contains drop-down lists to reduce the time spent manually entering information. There’s also the functionality to manually enter information such as names of attending agencies.
We’ve included instructions at the start of the template document to help you use and understand this functionality.
Develop your multi-agency meeting information sharing protocol
When setting up a multi-agency meeting it’s vital that you think about and set up your information sharing practices correctly. The time and effort spent on setting things up at the beginning will make it easier to share what you need to share, without harming the people you’re intending to help.
Use this guidance to complete the multi-agency meeting information sharing protocol template. This guidance walks through each section of the template and asks questions that agencies need to consider.
Multi-Agency Meeting — Information Sharing Protocol Template (DOCX, 1MB)
Meeting purpose
A clear purpose is key. Your meeting purpose is the foundation on which the rest of your information sharing activity and documentation is built.
A clear purpose will help:
- identify what information you need to achieve the purpose
- determine which agencies should be involved
- those agencies determine the best person to attend the meetings
- create transparency and help build public trust and confidence that you’re sharing information appropriately.
Purpose of sharing
Like your meeting purpose, having a clearly defined purpose (or purposes) for the sharing of information is critical.
Having a clear purpose shows that the sharing is justified and carefully considered. It also helps stop ‘scope creep’ – that is, to stop the sharing changing over time without proper consideration or authorisation.
The purpose of sharing should be aligned with the purpose of the multi-agency meeting, for example:
Information to be shared
Through the development of your purpose statements (both the multi-agency meeting and information sharing purposes) you’ll have determined:
- the information that needs to be shared to achieve those purposes
- the agencies that hold that information.
You’ll need to work with the attending agencies to identify the information they hold that’s relevant to the purpose of your meeting. Attending agencies know their information holdings and understand any limitations on that information such as reliability, accuracy and restrictions on secondary use.
Identify information relevant to your purpose
Identify this information early and record it in your multi-agency meeting protocol. This ensures that all attending agency representatives understand what information can be shared and for what purpose. It shows that you’ve carefully considered your information sharing and are only sharing what’s relevant and appropriate. It will also help to identify the appropriate legal authority under which the information is being shared.
Skip to — Legal authority to share
Examples of identifying relevant information
Having this clarity on what’s relevant enables timely information sharing and reduces unnecessary delays in achieving the purposes of the meeting — for example, identifying and providing appropriate support and services to individuals.
The multi-agency meeting protocol should clearly set out what information attending agency representatives can share, to whom, for what purpose.
Legal authority to share
There must be a legal authority to share information at multi-agency meetings. The multi-agency information sharing protocol does not itself provide the legal authority to share information. The multi-agency information sharing protocol must clearly state the legal authority for each of the purposes for which information is being shared.
Guidance on determining the appropriate legal authority — Legal authority to share information
To help you complete your information sharing protocol we’ve included the common legal authorities used to share information in a multi-agency meeting.
You can delete the legal authorities that do not apply to your multi-agency meeting. Alternatively, manually enter the legal authority if it’s not one of the examples provided in the template.
Oranga Tamariki and Family Violence Acts
If you’re using the Oranga Tamariki Act or the Family Violence Act information sharing provisions you’ll need to ensure that attending agencies meet the criteria for sharing under those provisions.
The multi-agency meeting protocol does not itself authorise the sharing of information – it cannot create or change the law.
All sharing of personal information must be permitted by legislation, such as the Privacy Act, the Oranga Tamariki Act, the Family Violence Act, or an agency’s enabling legislation.
Use of information
Information shared at a multi-agency meeting must only be used for the specific purpose enabled by the legal authority. The purpose set out in the multi-agency meeting protocol needs to match what the legal authority allows.
Attending agencies should not put any information shared at a multi-agency meeting into their own business systems or records. An exception would be if they’re doing so in order to carry out the specified purpose of that meeting.
That means you should not collect and store information about a person just because you think it might be relevant in the future. ‘Just in case’ is not a good enough reason.
Examples of use of information
Things to note when keeping information
If the attending agency needs to keep the information so that it can carry out the purpose of the sharing, then it should note:
- where the information came from
- the legal authority the information was shared under
- for what purpose the information was shared
- any restrictions on what the information can be used for
- the date the information was shared.
Information source | Agency A |
---|---|
Legal authority | Family Violence Act, section 20 |
Purpose | To complete a needs assessment and identify supports to reduce the risk of harm from family violence. |
Date shared |
1/7/2024 |
Secondary use of information
If an attending agency wants to use the information shared at the multi-agency meeting at a later time, they must work through assessments for the purpose and legal authority for the secondary use.
You should check with your privacy, legal or information sharing teams if you want to use the information shared at a multi-agency meeting for an unrelated secondary purpose.
Transparency and notification obligations
It’s essential not to lose sight of the people behind the information that you’re sharing.
Your multi-agency meeting information sharing protocol will already do this in a number of ways, for instance, by:
- having a clear and justified purpose
- using a legal authority that requires consultation (such as 66C of the Oranga Tamariki Act)
- limiting the information that’s shared to what’s genuinely necessary
- specifying controls that help to keep the information safe.
However, you should also set out the steps you’ll take — also known as ‘controls’ — to make sure that people know about the information sharing. This is because, to the greatest extent possible, people should know which agency is collecting and using their information, and for what purpose.
It’s hard to exercise their other rights without that knowledge. Sometimes, they may also be able to choose whether their information is shared or not.
Examples of transparency controls
Putting transparency controls into your multi-agency meeting protocol will help the attending agencies to be aware of and meet any obligations. They may have to advise, notify, or consult people about the sharing of their information[Footnote 2].
This is also a good place to note any controls. These can give people an opportunity to have a say before any adverse actions are taken against them.
If there’s a good reason not to tell people, modify the transparency clauses in the protocol template to be clear about what that reason is. Provide the clearest possible information without undermining the interests that you’re protecting.
For example, it may still be possible to reflect in an agency’s privacy statement or transparency statement that the share happens, even though details are not given. This is because it could undermine the ability to enforce the law.
Check with your privacy, legal or information sharing teams if you’re unsure what your notification obligations are.
Method of sharing
You’ll need to agree on the method of transfer of the information to the attending agency representatives. There are several ways information can be shared, including:
- the lead agency sends out a list of individuals that will be discussed at the meeting
- attending agency representatives share information verbally at the meeting
- attending agency representatives share information with each other via email prior to and/or after the meeting
- access to and use of a secure business system.
In all cases, attending agencies must ensure that the method of sharing information is one that’s approved for use by their agency and protects the information.
Secure business systems and security classifications
Where a secure business system is used to share information, agencies must ensure that there’s a robust policy about who can access the information so that it does not get accessed by people who do not have a legitimate reason to see it. Terms and conditions of use should also be clear.
If the information has been assigned a security classification, attending government agencies must ensure that the appropriate handling requirements under the Protective Security Requirements are met.
Skip to — Security Classification
If non-government organisations are attending the multi-agency meetings, ensure they’re entitled to receive information with that security classification, and that they understand how to handle it.
Things to note about specific sharing methods
The following are some things to note when deciding how information to support the multi-agency meeting will be shared:
- The more sensitive the information, the more careful you’ll need to be when sharing the information. Think about:
- whether emailing the information is appropriate – do you need to password protect the sensitive information that’s contained in an attachment? Should you share the information verbally at the meeting? Then follow up with a secure email to the relevant attending agencies after the meeting?
- if you’re emailing information to attending agencies’ representatives do you need to attach a security classification to the email? Can you use the SEEMail (or similar) functionality[Footnote 3]?
- We recommend that you do not take hard copies of information to a multi-agency meeting as they’re too easy to lose or leave somewhere where others can see them. However, if this cannot be avoided, ensure you:
- keep the hard copy information secure at all times, especially if the meeting is held in a location outside your agency
- securely destroy all hard copy information at the end of the meeting
- do not provide the hard copy information to attending agency representatives unless it’s appropriate and safe to do so.
- If you’re attending a multi-agency meeting virtually, do not put personal information in the chat function. Doing so could make the information available to others, including to the software company. Also make sure that you cannot be overheard by people who’re not entitled to know what happened at that meeting, for example if you’re working from home.
- If the multi-agency meeting is supported by a business system (for example, the Family Safety System) or secure online collaboration space (for example, Microsoft Teams, CoLab), ensure you understand how the business system or collaboration space works. Do not share your access credentials with other people.
Any restrictions or controls that are put in place to ensure the method of sharing is secure should be recorded in your information sharing protocol. The protocol template provides some standard controls that you can use but you can also insert your own specific controls.
Check your agency’s internal policies around the use of email and whether there are any processes you’re required to follow when emailing personal information to external people.
Security of the information
This section sets out the security controls required to protect personal information. These are required during the sharing of the information and within the attending agencies own IT environment.
This section contains 2 parts: security classification and security controls.
Security classification
Agencies must ensure that they comply with the New Zealand Government security classification systems and Protective Security Requirements (PSR) when sharing information. The security classification will determine the additional controls required to protect the information and comply with the PSR.
You’ll need to identify the appropriate security classification and select from the drop-down box in the protocol template.
Your ICT or information security team should be able to help you identify the correct security classification for the information being shared.
As a general rule, all personal information should be classified as IN-CONFIDENCE at a minimum.
Security controls
Appropriate security controls are an important part of sharing personal information. A loss or compromise of information in transit or at rest can have serious impacts on people’s privacy and on the agency’s reputation.
The protocol template contains the minimum level of security controls that should be in place for all information sharing.
Depending on the nature of the information shared, you’ll need to consider what additional security controls may be required and add these into the template.
Examples of security controls
Requirements
- Attending agency representatives have completed privacy and information security training modules — both internal modules and any modules associated with the use of a secure business system.
- All hard copy information shared at the meeting is securely destroyed at the end of the meeting.
- All email attachments containing personal information are password protected.
Restrictions
- Only sharing information with attending agencies from agency-approved devices.
- Not sharing personal information in the chat function, recording, or taking screenshots if the meeting is held virtually.
- Not sharing hard copies of information with other attending agency representatives.
Your ICT or information security team will be able to help you determine appropriate security controls to ensure the information is protected when it’s shared with attending agencies.
Tikanga considerations
In many cases Māori data and information is a taonga and may require additional controls and restrictions to ensure the mana of the individuals is respected.
Where you’re proposing to share Māori data and information you should consider whether tikanga should be applied to the sharing and subsequent use of the data. This consideration is especially important when a Māori organisation or an iwi may be attending the meeting.
Tikanga is a set of values, principles, understandings, practices, norms and mechanisms from which a person or community can determine the correct action in te ao Māori[Footnote 4]. Tikanga is not fixed.
What tikanga will be appropriate will depend on the circumstances and should be determined through meaningful engagement with the people who may be impacted by the sharing and use of the information.
Each agency will have its own definition of Māori data, Māori Data Governance strategies[Footnote 5] and Māori engagement practices. These will guide considerations and incorporation of tikanga into any information sharing protocol.
However, it’s not up to the Crown to determine what tikanga applies. So, you should engage early with your Māori advisory teams to ensure engagement with Māori is undertaken appropriately and in line with agreed protocols and practices.
Retention and disposal of information shared
Attending agencies should only retain information shared at a multi-agency meeting if they’re using that information for one of the meeting purposes — for example, undertaking a risk or needs assessment, identifying appropriate support services or interventions.
Where attending agencies do retain shared information for those purposes, they must ensure that the information is stored securely in their agency’s approved business system. Once the information is securely stored in that business system you should securely delete any personal information that was shared using email.
Information shared under a multi-agency meeting information sharing protocol should only be held by an attending agency for the period for which the information is required. Attending agencies should understand their agency retention and disposal authorities and how they apply to the information being shared.
Consider how the lead attending agency will manage multi-agency meeting administration documentation — for example, meeting agendas, action logs and meeting minutes.
Privacy and security breach management
It’s important that the attending agencies know what to do if there’s a privacy or security breach. Having this agreed in advance means you don’t have to figure it out when a breach happens, and everyone is under pressure.
Identify:
- which agency participant has volunteered to be the person to contact if there’s a breach involving information shared at the meeting. Having a designated contact point gives everyone certainty that they’ll have support if something happens.
- how the attending agencies will work together to help to respond to any breach — this includes deciding what to tell affected people.
The protocol template provides standard clauses that cover the agencies’ obligations in relation to privacy and security breaches. Check with your privacy team to make sure this fits with what’s expected at your own agency.
Managing conflicts of interest
It’s important that any conflict of interest is identified early and managed appropriately by both the lead agency and the attending agency representatives.
Having a process for managing a conflict of interest helps attending agency representatives identify any conflicts early, and know what they need to do to manage that conflict.
The protocol template provides standard clauses that set out how conflicts of interest should be managed in a multi-agency meeting setting.
Relationship management and oversight
Things change over time, so it’s important to check periodically that the information sharing is working as expected and is still fit for purpose.
We recommend that each attending agency nominates a relationship manager. They’ll check how things are working and who’s responsible for addressing any problems that arise.
They do not necessarily have to attend the multi-agency meetings, but they do need to have a good understanding of the meeting’s purpose, which agencies attend and what information is shared.
Relationship managers can also help support their agency representative with any information sharing issues that arise about their agency’s information. This could include helping to liaise with the agency’s privacy or legal teams.
We also recommend that relationship managers check in with the agency representatives on a regular basis to ensure that the protocol is operating as intended. This helps to make sure any issues with the information sharing (such as scope creep) are picked up and fixed early.
Approving information sharing protocols
Agencies will have different approaches to who should sign a multi-agency meeting information sharing protocol. However, an information sharing protocol should be checked by a person in a senior role related to privacy, legal or information and data. This should happen whether or not they’re the person to sign the protocol themselves. This will make sure that the proper protections are in place, so attending agencies can be confident about their sharing.
It’s important that the person approving the protocol has sufficient professional knowledge or has received specialist advice. This helps them to be confident that it’s appropriate to sign the protocol. This provides a level of integrity to the protocol. It gives other attending agencies and the public confidence that government agencies are sharing information appropriately.
Ultimately, each attending agency will need to determine the appropriate level of approval and sign-off for each information sharing protocol.
Helpful considerations for information sharing protocol approvals
- Is it appropriate for attending agencies’ representatives to sign the protocol on behalf of their agencies? Does this provide enough oversight of the protocol and assurance that the information sharing documented is appropriate?
- Senior level approvals and signoffs can take time – think about what parts of the protocol could be amended with agreement of another person (such as the relationship manager) rather than the original signatory.
- How will you ensure that staff attending the meetings are aware of the protocol and understand how the protocol operates in practice?
- Should attending agency representatives have to acknowledge that they’ve read and understood the protocol prior to attending meetings?
Managing your information sharing protocols
It’s important to have awareness and oversight of your information sharing protocol. You may need to:
- report to senior leadership on your information sharing activity
- respond to an Official Information Act (OIA) request
- know when to schedule resourcing for information sharing reviews
- know whether there’s already a share in place — so you do not need to create another or so you can make quick changes to your existing share.
Having all your information sharing protocol information in one place creates efficiencies and supports good governance of your information sharing practices.
Each attending agency should be provided with the completed and signed protocol so they can add the protocol to existing information sharing catalogues or registers.
Review contents and processes
Reviewing your multi-agency meeting information sharing protocol ensures that your information sharing remains fit for purpose. It ensures you’re still only sharing information necessary to achieve the purposes of the meeting.
You may find that additional information held by non-attending agencies is required to achieve the meeting purposes. Or, that different methods are required to share the information more securely. Reviewing the protocol will identify these new requirements and processes and enable the protocol to be amended and updated in a considered way.
The protocol template includes a section for stating an appropriate review period, and which attending agency is responsible for initiating the review.
If the multi-agency meeting has a lead agency, it’s recommended that that agency initiates and manages the review. There should also be a process for an attending agency to request a review of the protocol at any time if an issue with the sharing of information has arisen.
Steps for reviewing an information sharing protocol
A review of the multi-agency meeting information sharing protocol should involve the following steps:
- A thorough read through of the document.
- Contact with the other attending agencies to confirm whether there:
- is still a requirement to keep the information sharing as documented
- have been any material changes to the purposes for which the information is being shared
- have been any material changes to the use of the information shared
- are any issues with the quality of the information shared.
- Work with the other attending agencies to make the necessary amendments to the protocol.
- Sign off the amendments and update the protocol.
- Provide a copy of the signed updated protocol to all attending agencies.
- Ensure all attending agency representatives are aware of the changes and understand what those changes mean for them.
Information for people attending a multi-agency meeting
If you’ve been invited to attend a multi-agency meeting there are a number of things to think about before attending.
Use this checklist to help you prepare and give you confidence around:
- what information you can share
- with whom and for what purpose
- the legal authority under which you’ll be sharing the information.
Who should attend?
To ensure the multi-agency meeting is productive and the right information can be shared with the right people, the right people need to attend.
Think about the following:
- Are you the right person to attend the meeting?
- Is your role one where you have access to the information that might need to be shared (either prior to, during or after the meeting)?
- Do you have sufficient knowledge about the supports and interventions that your agency can provide?
- Do you have any conflict of interest (perceived or actual) that may impact your ability to participate in the meetings?
What information can I share?
You should only share information that’s relevant to the purposes of the multi-agency meeting.
- Ask for a copy of the information sharing protocol — it’s important that you’re aware of this protocol and understand what information you can share and for what purpose.
- Ensure you’re familiar with the legal authority under which you’re sharing and using information. This will give you confidence that you’re sharing information appropriately and help you navigate any judgement calls you may have to make about whether certain information should be shared or not.
- Understand whether there are any limitations or restrictions on the information you’re sharing. Is the information up to date and accurate? Does the information have a security classification that requires additional handling requirements? Is the information subject to any tikanga? Does the information have a legal definition that the other attending agencies should be aware of?
If you’re in any doubt about whether personal information can or should be shared at a multi-agency meeting, check with your privacy, information sharing or legal team.
What information can I use?
You should only use information shared at a multi-agency meeting for the purposes set out in the multi-agency meeting information sharing protocol.
- Again, this should be clear from the information sharing protocol.
- When information is shared with you at a multi-agency meeting, make sure you understand why the information is being shared with you, and what you’re allowed to do with it.
- If the multi-agency meeting is one where attending agencies are tasked to undertake certain actions (for example, to contact a named person to undertake a welfare check), ensure you only use the shared information for that purpose.
How do I share information with the members of the meeting?
It’s important that you share information with other attending agencies in a secure manner.
- Ask for a copy of the information sharing protocol – it’s important that you know how information has agreed to be shared securely with other attending agencies.
- If information is to be shared using email:
- understand your agency’s policies around emailing personal information to external parties.
- think about whether emailing the information is appropriate in the circumstances – do you need to password protect more sensitive information in an attachment? Should you verbally share the information at the meeting? Should you follow up with a secure email to the relevant attending agencies after the meeting?
- think about whether you need to attach a security classification to your email? Do the recipients of the email have the necessary security clearance to receive the information within your email?
- are you required to use SEEMail (or similar) functionality? If so, do you know how to use SEEMail (or similar) functionality?
- We recommend that you do not take hard copies of information to a multi-agency meeting. However, if this cannot be avoided ensure you:
- keep the hard copy information secure at all times, especially if the meeting is held in a location outside of your agency
- securely destroy all hard copy information at the end of the meeting
- do not provide the hard copy information to attending agency representatives.
- If you’re attending a multi-agency meeting virtually do not put personal information in the chat function, do not record the meeting, and do not take screenshots of information shared using the share screen functionality.
- If the multi-agency meeting is supported by a business system (for example, the Family Safety System) or secure online collaboration space (for example, Microsoft Teams, Colab), ensure you understand how the business system or collaboration space works. Do not share your access credentials with other people.
Before you share information at a multi-agency meeting check your agencies policies and requirements for emailing personal information to external parties.
How do I manage a conflict of interest?
If you attend a multi-agency meeting and information is being requested and shared about a person you know, this may create a conflict of interest for you. If this occurs you should:
- inform the multi-agency meeting facilitator as soon as you become aware of the conflict of interest
- refer the request for information to another person within your agency to action and respond to
- remove yourself from the meeting when information is being shared about the individual that creates the conflict of interest.
Can I share information about the interventions or supports my agency has provided?
Multi-agency meeting information sharing protocol template
Multi-Agency Meeting — Information Sharing Protocol Template (DOCX, 1MB)
Last updated