Patakaran sa Pagiging Kumpidensyal
Reviewed: 07/12/2025
Due: 07/12/2027
1. Introduction
The Elm Foundation is committed to protecting all personal, sensitive, and confidential information it holds, processes, or shares. This Confidentiality Policy outlines the legal, ethical, and operational requirements that apply to all employees, volunteers, contractors, and students.
This version strengthens compliance with:
- UK GDPR and Data Protection Act 2018
- Common Law Duty of Confidentiality
- Human Rights Act 1998 (Article 8)
- Computer Misuse Act 1990
- ICO Codes of Practice
- Safeguarding legislation (Children and Adults)
The organisation is legally and ethically required to ensure that confidential information is protected from unauthorised disclosure, accidental loss, misuse, or inappropriate access. This duty applies to all employees, regardless of role.
2. Scope
This policy applies to:
- All employees (permanent and temporary)
- Volunteers, trustees, students, and contractors
- Any person who accesses confidential information in the course of their duties
It covers all forms of information, including:
- Paper and electronic records
- Verbal information
- Emails, messaging systems, recorded media
- Mobile phones, laptops, tablets, USB devices
- Photographs, CCTV, and digital images
3. Roles and Responsibilities
3.1 Chief Executive (CEO)
- Holds ultimate accountability for compliance with confidentiality and information governance
- Acts as Senior Information Risk Owner (SIRO)
- Signs off organisational decisions relating to information risk
3.2 Head of Operations
- Ensures this policy is embedded across operational systems
- Oversees compliance and ensures breaches are escalated
- Ensures employees have appropriate training and supervision
3.3 Service Managers
- Ensure employees contracts include confidentiality clauses
- Provide induction and ongoing supervision covering confidentiality
- Report breaches immediately
3.4 All Employees
Every employee must:
- Complete confidentiality and GDPR training
- Follow all organisational policies and legal requirements
- Always safeguard confidential information
- Report breaches or concerns immediately
A breach of confidentiality may result in disciplinary action up to and including dismissal and may lead to civil or criminal proceedings.
4. Key Principles of Confidentiality
All employees must adhere to the following:
- Confidential information must be always protected.
- Access must only occur on a strict ‘need-to-know’ basis.
- Information must only be used for the purpose for which it was collected.
- Information sharing must be lawful, minimal, justified, and documented.
- All decisions to share or disclose must be recorded.
- Concerns about sharing must be escalated to a manager, Head of Operations, or CEO.
The organisation must always be able to justify any decision to share information.
5. Information Handling and Security Requirements
Employees must ensure:
- Workspaces are kept clear
- Confidential documents are stored in locked locations when not in use
- Electronic information is stored on authorised, encrypted systems only
- No confidential information is saved to personal devices
- Personal email accounts are never used for work information
- Printed confidential documents are shredded.
Employees must never:
- Leave records visible or unattended
- Discuss confidential matters in public or open spaces
- Share passwords or allow others to use their login
- Access records out of curiosity or without legitimate purpose
Unauthorised access is gross misconduct and may be a criminal offence.
6. Disclosing Personal or Confidential Information
Information must only be disclosed when one of the following conditions applies:
6.1 With Consent
- Valid, informed, written consent from the individual
6.2 When Required by Law
- Court orders, statutory requests, or legal duties
6.3 Safeguarding
- Where a child or adult is at risk of harm
- MARAC or safeguarding referrals
6.4 Public Interest
- To prevent serious crime or risks to the public
- Must be authorised by a Head of Service
6.5 Anonymised Data
- Information anonymised in accordance with ICO standards
All disclosures must be appropriately recorded and justified.
7. Working Remotely or Offsite
Employees working away from organisational premises must:
- Minimise the amount of confidential information taken offsite
- Ensure documents are kept in sealed, non-transparent holders
- Always keep confidential material on their person while travelling
- Store documents securely at home (e.g., locked drawer)
- Never leave documents visible in cars, public areas, or shared homes
Electronic devices must:
- Be encrypted
- Never be shared with family members
- Be locked when not in use
The removal of physical documents from premises must be pre-approved by a manager.
8. Carelessness and Avoidable Breaches
Employees may be personally liable for breaches caused by carelessness.
Examples include:
- Leaving records unattended
- Failing to lock screens
- Discussing confidential information where others may overhear
- Losing devices containing sensitive information
Password sharing or leaving systems logged in is gross misconduct and may lead to dismissal.
9. Abuse of Privilege
Under no circumstances may employees:
- Access records of friends, family, or acquaintances
- Access information out of personal curiosity
Such access is:
- A breach of contract
- A breach of the Data Protection Act 2018
- Potentially a criminal offence under the Computer Misuse Act 1990
Audits will be conducted to identify inappropriate access.
10. Reporting Breaches
All employees must report confidentiality breaches immediately to:
- Their Service Manager
- Head of Operations
- CEO (all breaches must be brought to the CEO’s attention)
Reportable breaches include:
- Unauthorised system access
- Loss or theft of documents or devices
- Mis-sent emails
- Unlawful disclosures
- Password sharing
- Incorrect disposal of confidential waste
11. Training
All employees must complete:
- Induction confidentiality training
- GDPR refresher training
- Additional training where role-specific risks apply
Training compliance will be monitored.
12. Monitoring and Audit
Compliance with this policy will be monitored through:
- Internal audits
- External audits by commissioners and accreditation bodies
- Line management oversight
- Incident reports and lessons learned
Audit findings will be reviewed by the Board of Trustees.
13. Dos and Don’ts
Do:
- Protect all personal and confidential information
- Validate identity before sharing information
- Share the minimum necessary
- Record decisions to share without consent
- Report breaches immediately
Don’t:
- Share information without lawful basis
- Store confidential material at home unless authorised
- Use personal devices for organisational work
- Keep information longer than necessary
- Forward work emails to personal accounts
14. Appendices (Retained and Expanded)
Appendix A: Legislation Summary
Appendix B: Examples of Breaches
Appendix C: Definitions
Appendix A
The Elm Foundation is obliged to abide by all relevant UK and European Union
legislation. The requirement to comply with this legislation shall be devolved to
employees of The Elm Foundation, who may be held personally accountable for any
breaches of information security for which they may be held responsible. The Elm
Foundation shall comply with the following legislation and guidance as appropriate:
GDPR and DPA 2018
Regulate the use of “personal data” and sets out six principles to ensure that
personal data is:
1. Processed lawfully, fairly and in a transparent manner in relation to individuals
2. Collected for specified, explicit and legitimate purposes and not further
processed in a manner that is incompatible with those purposes; further
processing for archiving purposes in the public interest, scientific or historical
research purposes or statistical purposes shall not be considered to be
incompatible with the initial purposes
3. Adequate, relevant and limited to what is necessary in relation to the
purposes for which they are processed
4. Accurate and where necessary kept up to date
5. Kept in a form which permits identification of data subjects for no longer than
is necessary for the purposes for which the personal data are processed
6. Processed in a manner that ensures appropriate security of the personal data,
including protection against unauthorised or unlawful processing and against
accidental loss, destruction or damage, using appropriate technical or
organisational measures.
▪ The duty to share information can be as important as the duty to protect
patient confidentiality
Article 8 of the Human Rights Act (1998)
Refers to an individual’s “right to respect for their private and family life, for their
home and for their correspondence”. This means that public authorities should take
care that their actions do not interfere with these aspects of an individual’s life. 11
The Computer Misuse Act (1990)
Makes it illegal to access data or computer programs without authorisation and
establishes four offences:
▪ Unauthorised access to data or programs held on a computer e.g. to obtain or
view information about friends and relatives.
▪ Unauthorised access with the intent to commit or facilitate further offences
e.g. to commit fraud or blackmail.
▪ Unauthorised acts with intent to impair, or with recklessness so as to impair,
the operation of a computer e.g. to modify data or programs held on computer
without authorisation; and
▪ Making, supplying or obtaining articles for use in offences 1-3
Common Law Duty of Confidentiality
Information given in confidence must not be disclosed without consent unless there
is a justifiable reason e.g. a requirement of law or there is an overriding public
interest to do so.
Appendix B
What should be reported?
Misuse of personal data and security incidents must be reported so that steps can be
taken to rectify the problem and to ensure that the same problem does not occur
again.
All breaches should be reported to a Service Manager, Head of Operations or CEO.
The CEO should be informed of all breaches.
If employees are unsure whether a particular activity amounts to a breach of an information
governance or IT security policy, they should discuss their concerns with their
Service manager. The following list gives examples of breaches of this policy which
should be reported:
▪ Sharing of passwords
▪ Unauthorised access to systems either by employees or a third party
▪ Unauthorised access to person-identifiable information where the member of
employees does not require access or have a need to know 12
▪ Disclosure of person-identifiable information to a third party where there is no
justification and you have concerns that it is not in accordance with data
protection legislation.
▪ Sending person-identifiable or confidential information in a way that breaches
confidentiality
▪ Leaving person-identifiable or confidential information lying around in a public
area
▪ Theft or loss of person-identifiable or confidential information
▪ Disposal of person-identifiable or confidential information in a way that
breaches confidentiality i.e. disposing of person-identifiable information in an
ordinary waste paper bin.
Seeking Guidance
It is not possible to provide detailed guidance for every eventuality. Therefore, where
further clarity is needed, the advice of a Service Manager should be sought.
Appendix C
Person-identifiable information is anything that contains the means to identify a
person, e.g. name, address, postcode, date of birth, NHS number, National
Insurance number etc. Any data or combination of data and other information, which
can indirectly identify the person, will also satisfy the definition.
Confidentiality
A duty of confidence arises where one person discloses information to another (e.g.
patient to clinician) in circumstances where it is reasonable to expect that the
information will be held in confidence.
Special categories of personal information (previously known as ‘sensitive’
personal data) as defined by GDPR and the DPA 2018 refers to personal
information about:
▪ Race or ethnic origin
▪ Political opinions
▪ Religious or philosophical beliefs 13
▪ Trade union membership
▪ Genetic and Biometric data
▪ Health data
▪ Sexual history and/or sexual orientation
▪ Criminal convictions data
Non-person-identifiable information can also be classed as confidential such as
confidential business information e.g. financial reports; commercially sensitive
information e.g. contracts, trade secrets, procurement information, these should also
be treated with the same degree of care.