Scope of this Policy
This policy covers the actions and obligations of the organisation’s trustees, staff members and volunteers in relation to the handling of all types of information. This will include not only “personal information” (information about specific individuals), which is subject to strict legal restrictions under the Data Protection Act, but also other privileged information which may be obtained as a result, for example, of a person’s role within the organisation or any external role on planning or advisory bodies.
Statement of Intent
All trustees, staff members and volunteers have a general duty of confidentiality. They are expected to act with good faith and honesty in not disclosing confidential information to third parties, as this may cause harm or distress to users of the service and/or damage to the interests or reputation of the organisation. The only exceptions to this duty are where there is a higher duty of disclosure either to protect vulnerable people from abuse, as set out in our Safeguarding policies, or to prevent a serious act of violence or self-harm (as set out below).
All trustees, staff members and volunteers should be guided by the Caldicott principles relating to personal information:
- Every proposed use or transfer of personally identifiable information within or from the organisation should be clearly defined and justified
- Personally identifiable information items should not be used unless there is no alternative
- Where the use of personally identifiable information is considered to be essential, each individual item of information should be justified with the aim of reducing identifiability
- Access to personally identifiable information should be on a strict need-to-know basis
- Everyone should be aware of their responsibilities to respect client confidentiality
- Every use of personally identifiable information must be lawful
All trustees, staff members and volunteers should therefore be aware of their legal duties under the Data Protection Act 1998 to ensure that personal information is:
- Fairly and lawfully processed (i.e. with explicit or implied consent and in order to provide a service to the “data subject”);
- Processed for limited purposes;
- Adequate, relevant and not excessive;
- Accurate and up to date;
- Not kept for longer than is necessary;
- Processed in line with your rights (i.e. data subject’s right of access);
- Secure (e.g. internet security, back-up media, locked filing cabinets);
- Not transferred to other countries without adequate protection.
In relation to other types of information, trustees, staff members and volunteers should show awareness of the context in which they have acquired information and of the implied or explicit consents that are attached to this, i.e. whether the information is regarded by the person disclosing it as strictly confidential, non-attributable, embargoed until a specific time, or in the public domain. When in doubt as to the level of consent, they should either seek clarification from the discloser or err on the side of confidentiality.