Version Control Sheet
DATE OF IMPLEMENTATION/REVIEW: 01/09/2021
IMPLEMENTED AND AUDITED BY: Alex Hashash
COMMENTS: To be reviewed 01/09/2022
This policy outlines and clarifies the obligations of the Company towards the protection of Clients’ confidential information in line with the Data Protection Act 2018 and relevant features of the General Data Protection Regulation 2018.
The Company understands and accepts its legal, moral and ethical duty to protect information which is confidential to its Clients, employees and all others with whom it comes into contact during the course of its operations. Everyone employed within the Company is under a strict obligation to adhere to the practices and principles outlined within this policy statement. Any breaches will be dealt with under the Company’s disciplinary policy.
Procedure and Guidance
The following types of information are classed as confidential. This list is not exhaustive:
Person-identifiable information is anything that contains the means to identify a person, e.g., name, address, postcode, date of birth, NHS number, National Insurance number etc. Even a visual image (e.g., photograph) is sufficient to identify an individual. Any data or combination of data and other information, which can indirectly identify the person, will also fall into this definition.
Sensitive/confidential personal information refers to personal information about:
Confidential information within a healthcare environment is commonly thought of as health information; however, it can also include information that is private and not public knowledge or information that an individual would not expect to be shared. It can take many forms including employee records, occupational health records, etc. It also includes confidential business information.
Non-person-identifiable information can also be classed as confidential such as confidential business information e.g., financial reports; commercially sensitive information e.g., contracts, trade secrets, procurement information, which should also be treated with the same degree of care.
All employees working in the Company are bound by a legal duty of confidence to protect personal and/or confidential information they may come into contact with during the course of their work. This is not just a requirement of their contractual responsibilities but also a requirement within the common law duty of confidence, the Data Protection Act 2018 and relevant features of the General Data Protection Regulation.
The Company will operate under the following governing principles, each of which must be strictly adhered to:
Disclosing Personal/Confidential Information
It is important to consider how much confidential information is needed before disclosing it and only the minimal amount necessary is disclosed. Information can be disclosed:
Care must be taken in transferring information to ensure that the method used is as secure as it can be. Staff must ensure that appropriate standards and safeguards are in place in respect of telephone enquiries, e-mails, faxes and surface mail. Taking home/removing paper documents that contain person-identifiable or confidential information from Company premises is discouraged and always kept to a minimum.
To ensure safety of confidential information staff must keep them on their person at all times whilst travelling and ensure that they are kept in a secure place if they take them home or to another location. Confidential information must be safeguarded at all times and kept in lockable locations. If staff do need to carry person-identifiable or confidential information they must ensure the following:
If staff do need to take person-identifiable or confidential information home they have personal responsibility to ensure the information is kept secure and confidential. This means that other members of their family and/or their friends/colleagues must not be able to see the content or have any access to the information. Staff must NOT forward any person-identifiable or confidential information via email to their home e-mail account. Staff must not use or store person-identifiable or confidential information on a privately owned computer or device.
All staff have a legal duty of confidence to keep person-identifiable or confidential information private and not to divulge information accidentally.
Staff may be held personally liable for a breach of confidence and must not:
Steps must be taken to ensure physical safety and security of person-identifiable or business confidential information held in paper format and on computers. Passwords must be kept secure and must not be disclosed to unauthorised persons. Staff must not use someone else’s password to gain access to information. Action of this kind will be viewed as a serious breach of confidentiality. If you allow another person to use your password to access computer data, this constitutes a disciplinary offence and is gross misconduct which may result in your summary dismissal.
Abuse of Privilege
It is strictly forbidden for employees to knowingly browse, search for or look at any personal or confidential information relating to their own family, friends or other persons, without a legitimate purpose. Action of this kind will be viewed as a breach of confidentiality and of the Data Protection Act 2018.
KLOE Reference for this Policy: Caring
Regulations directly linked to this Policy: Regulation 9: Person-centred care; Regulation 10: Dignity and respect
Regulation(s) relevant to this Policy:
Annex 1 - Confidentiality Dos and Don’ts
Annex 2 - The Legal Framework
The Company will comply with the following legislation and guidance as appropriate:
The Data Protection Act (2018) regulates the use of “personal data” and sets out six principles to ensure that personal data is:
The Caldicott Report (1997) recommended that a series of principles be applied when considering whether confidential patient-identifiable information should be shared:
Article 8 of the Human Rights Act (1998) refers to an individual’s “right to respect for their private and family life, for their home and for their correspondence”.
The Computer Misuse Act (1990) makes it illegal to access data or computer programs without authorisation and establishes three offences:
Common Law Duty of Confidentiality Information given in confidence must not be disclosed without consent unless there is a justifiable reason e.g., a requirement of law or there is an overriding public interest to do so.