
OFFICIAL

EMS Security
Information Sharing Agreement

This Information Sharing Agreement is between:

Electronic Monitoring Services (EMS)

and

Lincolnshire Police

Release Version V1.1

Release Date 30 January 2019

EMS Security – Information Sharing Agreement


V1.1

1 Introduction
1.1 Overview
1.1.1.1 Under the General Data Protection Regulation (EU 2016/679) and the Data Protection Act
2018, all Data Controllers have a legal responsibility to ensure data is processed lawfully
and fairly, and to put appropriate protective measures in place to prevent the unauthorised
use or disclosure of that data.
1.1.1.2 Electronic Monitoring Services (EMS), as a Data Processor, is contracted by the Ministry
of Justice (the Authority) to implement and provide monitoring of people who have been
assigned curfews or location monitoring orders as part of a criminal justice process.
1.1.1.3 In order to meet the requirements of the Authority, EMS may need to obtain additional
information from other agencies. Additionally, EMS may be required to share information
with other agencies as part of the Electronic Monitoring Orders, or for other legal reasons.

1.2 Purpose
1.2.1.1 This Agreement covers the arrangement to share, process and protect data between the
two named parties as outlined in the contents of this agreement, and provides that further
sharing or processing of that data shall only be permitted where it is in compliance with the
General Data Protection Regulation (GDPR) and the Data Protection Act 2018.
1.2.1.2 Where consent for change has been acquired, this Agreement must be updated and
re-issued.

1.3 Sharing Objectives


1.3.1.1 EMS has the following objectives with regard to the sharing of the information outlined in
this agreement:
To ensure that people subject to Electronic Monitoring orders are correctly identified so they can be
fitted with the monitoring equipment and successfully complete the order.
Failure to tag the correct person could allow a third party to imitate the subject and assist someone
in avoiding their order. This could present significant risk to the public and/or specific individuals,
and could result in further serious offences being committed.
In cases where no photographic identification can be provided, a custody photo will be requested
and EMS shall use this photo to confirm the identity of the person.
This information sharing will facilitate:
• A coordinated approach that supports and enables public protection.
• A coordinated approach to take action against crime and anti-social behaviour.
• The lawful collection and exchange of relevant information.
• The correct person being monitored, so that the order of the Court or Prison can be carried
out correctly.

1.4 Legal Basis for Sharing


1.4.1.1 The legal basis for sharing is:
For the Administration of Justice, as defined in the Law Enforcement Processing section of the Data
Protection Act 2018.

1.5 Duration of Agreement


1.5.1.1 This agreement is expected to remain in place whilst EMS are responsible for the provision
of Electronic Monitoring Services on behalf of the Ministry of Justice.
1.5.1.2 This agreement must be reviewed when changes are made to legislation or requirements,
and in the event of no changes, a review must be performed annually.

1.6 Key Contacts


1.6.1.1 The following are the contacts for all parties, with reference to Data Protection issues and
the processing of the shared information.
1.6.1.2 EMS
EMS Information Security Manager
EMS, PO Box 170, Urmston, Manchester, M41 7XZ
Infosec@ems.co.uk.cjsm.net (0161 8621000)

1.6.1.3 Lincolnshire Police


Data Protection Supervisor
Lincolnshire Police, PO Box 999, Lincoln, LN5 7PH
Disclosure@lincs.pnn.police.uk

1.7 Data Controller and Processor


1.7.1.1 The Data Controller for EMS information is:
Electronic Monitoring General Enquiries,
Ministry of Justice,
102 Petty France,
London,
SW1H 9AJ

1.7.1.2 EMS and Lincolnshire Police confirm they have authorisation to share the information
outlined in this agreement for the purpose for which it is being shared.
1.7.1.3 EMS shall act as a Data Processor on behalf of the Ministry of Justice for any information it
receives and will refer all applicable data-related decisions not outlined in this agreement
to the appropriate Data Controller.
1.7.1.4 The Data Controller for Lincolnshire Police is:
Chief Constable
Lincolnshire Police,
PO Box 999,
Lincoln,
LN5 7PH

1.8 Responsibilities
1.8.1.1 It is the responsibility of each signatory to ensure that:

• Information is shared and secured in accordance with all applicable law.
• This agreement does not give an automatic right to receive or provide information
beyond that expressly detailed in this agreement.
• Information sharing must only take place where it is proportionate, necessary and
legally justified. Any restrictions on the sharing of information in this agreement
must be clearly noted.
• A single point of contact is provided.
• Appropriate staff training and awareness sessions are provided in relation to this
agreement. Information is shared responsibly and in accordance with professional
and ethical standards.
• Information is requested and received in compliance with the requirements
documented in this agreement.
• Information exchanges must be recorded, such that an auditable record can be
provided.
• A current Information Security Policy is available and can be provided to the other
party on request.

2 Information Sharing
2.1 Data Classification and Data Types
2.1.1.1 Unless otherwise stated, all data transferred is agreed to be classified using the
Government Security Classifications, at a level of OFFICIAL, with all data containing
sensitive information classified specifically as OFFICIAL-SENSITIVE.

2.2 Sharing and Processing


2.2.1.1 The following information details the sharing and processing of information.
EMS shall only request a custody photo relating to a person who has been given an Electronic
Monitoring order where a visit to that person has been unable to successfully identify the person by
any other means.
EMS shall provide the following information to allow the Police Force to match custody photos to
persons, including:
• Offender name as provided on the court order
• Date of Birth
• PNC Number (where available)
• Address to which the offender is subject to the curfew
• Offence for which the curfew order has been made (where available)
• Court that issued the order
On receipt of a request, the Police Force shall find and supply the photo (if available) via secure
mail, to EMSIDCustodyPhoto@ems.co.uk.cjsm.net, in a JPEG (or similar) format.
On receipt of the photo, EMS shall store the image on the subject’s electronic file and use it for the
sole purpose of confirming the subject’s identity.
Requests will be made by EMS during standard office hours (Mon-Fri 9-5), and the photographs
will be provided no later than 3 working days from the request being made.

2.3 Method of Transfer


2.3.1.1 The following channels must be used for all communications:
All information must be sent and received via secure mail.
This can include, for example, the use of Criminal Justice Secure Mail (CJSM) or the Public
Services Network (PSN), or the use of Transport Layer Security (TLS) as recommended by the
National Cyber Security Centre (NCSC).

2.4 Further Sharing Allowed (if any)


2.4.1.1 Unless otherwise stated, both parties agree that no further sharing of information provided
or received by EMS as part of this agreement shall take place.

2.5 Data Retention


2.5.1.1 In accordance with the Data Protection Act 2018, the following applies:
a) Information shall only be held whilst a lawful basis for doing so can be
demonstrated.

b) The minimum amount of data necessary to complete the purpose shall be retained.
c) Where a lawful basis for processing can no longer be demonstrated, the data shall
be deleted.
2.5.1.2 Specific to this agreement, the following data retention requirements apply:
Once the Electronic Monitoring order has come to an end, EMS shall delete the image in a secure
manner.
On the termination of this agreement, all shared data shall be securely deleted.

2.6 Data Protection Requests


2.6.1.1 As part of this agreement, all parties agree to inform the relevant other(s) should they
receive a request to rectify or delete data, or a complaint under GDPR and/or the Data
Protection Act that relates to information provided by the other parties.

2.7 Incidents and Breaches


2.7.1.1 Any breach of security, confidentiality or other violations relating to the shared data must
be reported to the owning party as soon as possible, and unless otherwise stated, within
24 hours.
2.7.1.2 Signatory parties are responsible for their own breaches, including any misuse and the
consequences of such action. This includes ensuring the Data Controller is aware of any
incidents that need to be reported to the Information Commissioner’s Office (ICO).
2.7.1.3 Any unauthorised access or disclosure of information by an employee will be subject to
internal investigation and be treated in a serious manner.
2.7.1.4 To assist in investigations, each party will provide assistance to the other where it is
reasonable and necessary. In the event of a dispute or claim concerning the processing of
the Shared Personal Data against either or both parties, the parties will inform each other
about any such activity and cooperate with a view to settling them amicably in a timely
fashion.
2.7.1.5 Specific to this agreement, the following applies:
N/A

2.8 Additional Information


2.8.1.1 Specific to this agreement, the following additional information applies:
N/A

2.9 Security Controls


2.9.1.1 Security controls are essential to the protection of information. All parties shall implement
appropriate security controls, based on an assessment of the risks to the information.
2.9.1.2 These controls shall include cyber security controls and physical security controls where
appropriate to ensure the prevention of unauthorised access to, or modification of, the
information related to this agreement and/or the associated systems.
2.9.1.3 Whilst not exhaustive, the following are controls that will help to establish the required
security level for this information:

• Risk Management
• Perimeter Controls
• Secure Configuration
• Access Control
• Malware Protection
• Patch Management
• Monitoring
• Threat Assessment and awareness
• Physical Security
• Personnel Security, e.g. screening

2.10 Specific Obligations


2.10.1.1 Specific to this agreement, the following further obligations apply:
No additional obligations are recorded for this agreement.

3 Signatures
The following signatures indicate the agreement of each party to accept and adhere to this
agreement.

Breaches of this agreement will lead to a review and possible termination of this agreement,
including the destruction of all previously shared information.

Any signatory may withdraw from this agreement by giving written notice to the other parties. The
withdrawing signatory will be bound to comply with relevant terms of this agreement beyond the
termination.

Where signatories leave an organisation, there is no immediate need to re-sign the ISA. However,
each party must be made aware of the change of contact and the new contact details.

Signed on behalf of Electronic Monitoring Services (EMS)

NAME:
DATE: 21st February 2019
POSITION: Information Security Manager
SIGNATURE: Original Signed

Signed on behalf of Lincolnshire Police

NAME:
DATE: 11th February 2019
POSITION: Assistant Chief Officer
SIGNATURE: Original Signed
