Confidentiality and Data Protection Policy

Confidentiality and Data Protection Policy




Date approved by Board

25 July, 2019

Review period

One year

Review date (internal audit)

August 2020

Sources of guidance used

  • Information Commissioner
  • General Data Protection Regulation (Regulation (EU) 2016/679)
  • Employment Practices Code (Information Commissioner)


1.       General Principles. 

1.1    The organisation, its directors, staff and volunteers will treat all personal information, however obtained, in line with the common law duty of confidence. In general, this means that any information about an individual given or received in confidence for one purpose may not be used for a different purpose or passed to anyone else without their explicit consent. 

1.2    The organisation will comply with all relevant legislation, and is responsible for, and be able to demonstrate compliance with, the principles of the Data Protection Act 2018 and the General Data Protection Regulation with regard to information about individuals which should be: 

  • processed lawfully, fairly and in a transparent manner
  • collected and processed only for specified, explicit and legitimate purposes
  • adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed

accurate and, where necessary, kept up-to-date

  • kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed
  • processed in  a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage
  • kept secure against unauthorised or unlawful use and against accidental loss, destruction or damage
  • not transferred outside the European Economic Area unless the rights and freedoms of the person are adequately protected 

1.3    The organisation will have in place comprehensive but proportionate governance measures. 

1.4    The organisation will notify the Information Commissioner, and data will be processed only within the organisation’s notification, which must be kept up-to-date. 

1.5    Broadly, “processing” includes obtaining, disclosing, recording, holding, using, erasing or destroying personal information. 

1.6    Within their work, directors, staff and volunteers might get or have access to personal information. They should treat all such information in the strictest confidence in accordance with this Policy. 

1.7    The organisation may use such information (in aggregated and/or statistical form where possible) to plan, deliver and improve its work. Only those who need to know this information will have access to it. 

1.8    Every individual about whom the organisation holds personal information should be fully informed about what information is held on them and the identity of the person who controls it. When the organisation records personal information, it should tell the individual to what uses it may be put and obtain their explicit consent for this. 


2.       Legal basis for processing personal data. 

2.1    For processing to be lawful, the organisation must determine its legal basis for processing personal data and document this. 

2.2    Conditions for lawful processing are: 

(a)     consent of the data subject

(b)     processing is necessary for the performance of a contract with the data subject or to take steps to enter into a contract

(c)     processing is necessary for compliance with a legal obligation

(d)     processing is necessary to protect the vital interests of a data subject or another person

(e)     processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the data controller

(f)      processing is necessary for the purposes of legitimate interests pursued by the data controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject 

2.3    There may also be conditions for lawful processing that apply to special categories of data.


3.       Consent. 

3.1    Consent must be freely given, specific, informed and an unambiguous indication of the individual’s wishes. 

3.2    Any privacy notice must be written in a clear, plain way that the data subject will understand. 

3.3    Consent requires some form of clear affirmative action. Silence, pre-ticked boxes, inactivity or equivalent does not constitute consent. 

3.4    Consent must be verifiable. This means that some form of record must be kept of how and when consent was given. 

3.5    An individual has the right to withdraw consent at any time. 

3.6    If the organisation collects personal data about a child, it must verify their age and obtain the parent or guardian’s consent in order to process the data. Consent must be verifiable, and the privacy notice must be written in a way that a child will understand.


4.       Individual rights. 

4.1    An individual has these rights: 

(a)     right to be informed – the obligation to provide ‘fair processing information’, typically through a privacy notice 

(b)     right of access - confirmation that their data is being processed; access to their personal data; and other supplementary information (that should be provided in a privacy notice) 

(c)     right to rectification - entitlement to have personal data rectified if it is inaccurate or incomplete 

(d)     right to erasure – the ability to request the deletion or removal of personal data whether there is no compelling reason for its continued processing 

(e)     right to restrict processing – the right to block or suppress processing, with personal data stored but not further processed 

(f)      right to data portability – the right to obtain and reuse personal data for the individual’s own purposes across different services 

(g)     right to object – to processing based on legitimate interests or the performance of a task in the public interest or exercise of official authority (including profiling); to direct marketing (including profiling); and to processing for purposes of scientific or historical research and statistics

(h)     rights in relation to automated decision-making and profiling – safeguarding an individual against the risk that a potentially damaging decision is taken without human intervention


5.       Safeguarding information. 

5.1    Ensuring the security and accuracy of information about individuals is the responsibility of all staff and volunteers.

5.2    The storage and disposal of all information about individuals (in whatever form) must protect confidentiality. To prevent any unauthorised access to such information, all staff and volunteers will:

(a)     store it in secure, locked cabinets or containers

(b)     when received, immediately give it to the relevant person or lock it away until they can give it to them, and

(c)     when disposed, permanently destroy it by shredding or other effective means 

5.3    Security measures must be in place to protect computerised information. All staff and volunteers must make sure that:

(a)  only they can access records on computer about individuals, and

(b)  any work in progress about confidential matters is not left unattended and accessible on computer terminals 

5.4    All staff and volunteers should make sure that unintentional breaches of confidence do not occur by:

(a)     not leaving work in progress on confidential matters unattended

(b)     sending information about individuals only to secure sources, marked confidential

(c)     double-checking for accuracy any transmission of information – including all contact numbers and addresses – against a reliable source before it is sent

(d)     not holding conversations or interviews about confidential matters in situations where unauthorised persons may hear them (while ensuring the safety of themselves and others) 

5.5    Where any agency or individual other than directors, staff or volunteers is involved in carrying out the organisation’s functions, they must confirm that they will act in accordance with this Policy. 

5.6    The organisation will have in place appropriate procedures to detect, report and investigate any personal data breach. In most cases, the organisation should directly notify an individual whose personal data has been breached. Any breach in which the individual is likely to suffer some form of damage (such as through identity theft or a confidentiality breach) must be reported to the Information Commissioner’s Office.


6.       Access to information about individuals. 

6.1    Unless the law directs otherwise, only the individual concerned and appropriate staff will have access to information that:

(a)     is about the individual, or

(b)     might enable the individual to be identified or appear to be identified 

6.2    Such information will only be revealed to someone else if:

(i)       the individual gives their explicit and informed consent (preferably written) to this for a particular purpose, or

(ii)      on a ‘need to know’ basis if the use of the information (anonymised where possible) can be justified for use in helping to deliver, plan and manage services effectively, or

(iii)    the information is required by statue or court order, or

(iv)    it can be justified for other reasons (usually for the protection of the public) 

6.3    Only in exceptional circumstances, and where reasonable, will the organisation reveal information without the individual’s consent. In such circumstances, the Chief Executive will be the only person with the authority to reveal such information. They will do this only after seeking appropriate advice (which is likely to include legal advice). 

6.4    If there is any doubt about a person’s right of access to information about an individual, this should be checked with the Chief Executive, who will get advice as appropriate. Similarly, if there is any doubt about a person’s identity, this should be confirmed beyond doubt before they get access to any such records or information. 

6.5    The organisation will communicate nothing to any other body or person without the individual concerned having clearly approved this.


7.       Keeping individuals informed. 

7.1    When the organisation holds personal information about an individual it will seek to ensure, so far as practicable, that the individual has, is provided with, or has made readily available to them:

(a)     a description of what information is held about them and its source(s)

(b)     a description of the purpose(s) for which the information is intended to be used

(c)     the identity of the person responsible for the information

(d)     the identity of any other person nominated as their representative

(e)     a description of those to whom the information will or may be disclosed

(f)      any further information which is necessary, given the specific circumstances, to enable use of the information to be fair

(g)     notification of this Policy and how to get access to it

7.2    This should be:

(i)       done, where possible, before the individual is asked to give information

(ii)      presented in forms understandable to the individual, and

(iii)    where appropriate, available for general purposes as well as for individuals 

7.3    All information relating to an individual will be made available to them promptly on request (together with a statement of their rights and the specific legal basis for processing their personal data), and in any case within one month, with no fee being be charged. The only exception will be manifestly unfounded or excessive requests.


8.       Monitoring at Work. 

8.1    Any monitoring of staff will work to these principles (which also apply to volunteers as appropriate):

(i)       Staff have legitimate expectations that they can keep their personal lives private and are entitled to a degree of privacy in the work environment.

(ii)      If the employer wishes to monitor one or more workers, it should be clear about the purpose and satisfied that the particular monitoring arrangement is justified by the real benefits that will be delivered.

(iii)    Any monitoring should be proportionate to the legitimate business needs of the organisation.

(iv)    Staff should be aware of the nature, extent and reasons for any monitoring, unless (exceptionally) covert monitoring is justified. 

8.2    Only the Chief Executive may authorise any monitoring of staff (including any interception of communications), which will be done in accordance with the law. Any benefits must justify any adverse impact that is likely. 

8.3    Any personal information collected through monitoring must be used only for the purposes for which the monitoring was introduced, unless:

(a)     it is clearly in the individual’s interest to do so; or

(b)     it reveals activity that no employer could reasonably be expected to ignore 

8.4    If information gathered from monitoring might have an adverse impact on staff, this should be presented to them. They should be allowed to make representations before taking action. 

8.5    Anyone making, sending or receiving communications to or from staff should be made aware of any monitoring and the purpose behind it, unless this is obvious. 

8.6    Communications that are clearly private or personal should not be accessed. Any information about private or person communications should not be used, unless it reveals activity that no employer could reasonably be expected to ignore. 

8.7    If it is necessary to check electronic communication accounts of staff in their absence, every reasonable effort should be made to make them aware that this will happen. 

8.8    With regard to covert monitoring:

(i)       Before authorisation, the Chief Executive (in consultation with the Chair of the Board committee for people and workforce issues) should satisfy themselves that there are grounds for suspecting criminal activity or equivalent malpractice and that notifying one or more individuals about the monitoring would prejudice its prevention or detection.

(ii)      Any covert monitoring must be strictly targeted at obtaining evidence within a set timeframe and must not continue after the investigation is complete.

(iii)    No covert audio or video monitoring will be used in areas which staff would genuinely and reasonably expect to be private.

(iv)    Any information obtained through covert monitoring must be used only for the prevention or detection of criminal activity or equivalent malpractice. Any other information collected in the course of such monitoring should be disregarded – and, where feasible, deleted – unless it reveals information that no employer could reasonably be expected to ignore.


9.       Non-executive directors and confidentiality. 

9.1    For the normal execution of their duties, non-executive directors do not need to know information about individuals and should not seek it. If individuals willingly reveal such information during discussions, non-executive directors should receive this in the strictest confidence. They should not after that, without clear legal advice to the contrary, use this information without the explicit consent of the individual concerned. 

9.2    Non-executive directors will not be given access to information that identifies any individual without their explicit and informed consent. In very exceptional circumstances, the Chief Executive may reveal such information without the individual’s consent to the Chair on a “need to know” basis. This will only occur after the Chief Executive has obtained the appropriate advice (which is likely to include legal advice). This action will normally occur only when the Chair needs:

(a)     to consider a breach of an individual’s confidentiality without their consent, or

(b)     to consider the withdrawal of services from an individual, or

(c)     to investigate a complaint against a non-executive Director, employee or volunteer, or

(d)     to investigate an allegation by an employee relating to the organisation’s functions that someone has abused or threatened them and/or someone else 

9.3    Non-executive directors may be given anonymised information about people – in aggregated and/or statistical form where possible – where they need this to fulfil their duties. It should not be possible to identify any individual from this. 

9.4    Non-executive directors will not act in any way to undermine the undertakings made by staff or volunteers for the confidentiality of personal information.


10.    Policy implementation and review. 

10.1 The Chief Executive is responsible for ensuring that this Policy is carried out. Every designated manager is responsible for its implementation in their own service and with their own staff, wherever appropriate. 

10.2 Any responsibilities of the Chair and Chief Executive described in this Policy shall, in their absence, be undertaken when necessary by the Vice-Chair and deputy respectively. 

10.3 At least once every year, the Board will review this Policy and compliance with it.