保密政策

Reviewed:                            07/12/2025

Due:                                      07/12/2027

1. Introduction

The Elm Foundation is committed to protecting all personal, sensitive, and confidential information it holds, processes, or shares. This Confidentiality Policy outlines the legal, ethical, and operational requirements that apply to all employees, volunteers, contractors, and students.

This version strengthens compliance with:

  • UK GDPR and Data Protection Act 2018
  • Common Law Duty of Confidentiality
  • Human Rights Act 1998 (Article 8)
  • Computer Misuse Act 1990
  • ICO Codes of Practice
  • Safeguarding legislation (Children and Adults)

The organisation is legally and ethically required to ensure that confidential information is protected from unauthorised disclosure, accidental loss, misuse, or inappropriate access. This duty applies to all employees, regardless of role.

2. Scope

This policy applies to:

  • All employees (permanent and temporary)
  • Volunteers, trustees, students, and contractors
  • Any person who accesses confidential information in the course of their duties

It covers all forms of information, including:

  • Paper and electronic records
  • Verbal information
  • Emails, messaging systems, recorded media
  • Mobile phones, laptops, tablets, USB devices
  • Photographs, CCTV, and digital images

3. Roles and Responsibilities

3.1 Chief Executive (CEO)

  • Holds ultimate accountability for compliance with confidentiality and information governance
  • Acts as Senior Information Risk Owner (SIRO)
  • Signs off organisational decisions relating to information risk

3.2 Head of Operations

  • Ensures this policy is embedded across operational systems
  • Oversees compliance and ensures breaches are escalated
  • Ensures employees have appropriate training and supervision

3.3 Service Managers

  • Ensure employees contracts include confidentiality clauses
  • Provide induction and ongoing supervision covering confidentiality
  • Report breaches immediately

3.4 All Employees

Every employee must:

  • Complete confidentiality and GDPR training
  • Follow all organisational policies and legal requirements
  • Always safeguard confidential information
  • Report breaches or concerns immediately

A breach of confidentiality may result in disciplinary action up to and including dismissal and may lead to civil or criminal proceedings.

4. Key Principles of Confidentiality

All employees must adhere to the following:

  1. Confidential information must be always protected.
  2. Access must only occur on a strict ‘need-to-know’ basis.
  3. Information must only be used for the purpose for which it was collected.
  4. Information sharing must be lawful, minimal, justified, and documented.
  5. All decisions to share or disclose must be recorded.
  6. Concerns about sharing must be escalated to a manager, Head of Operations, or CEO.

The organisation must always be able to justify any decision to share information.

5. Information Handling and Security Requirements

Employees must ensure:

  • Workspaces are kept clear
  • Confidential documents are stored in locked locations when not in use
  • Electronic information is stored on authorised, encrypted systems only
  • No confidential information is saved to personal devices
  • Personal email accounts are never used for work information
  • Printed confidential documents are shredded.

Employees must never:

  • Leave records visible or unattended
  • Discuss confidential matters in public or open spaces
  • Share passwords or allow others to use their login
  • Access records out of curiosity or without legitimate purpose

Unauthorised access is gross misconduct and may be a criminal offence.

6. Disclosing Personal or Confidential Information

Information must only be disclosed when one of the following conditions applies:

6.1 With Consent

  • Valid, informed, written consent from the individual

6.2 When Required by Law

  • Court orders, statutory requests, or legal duties

6.3 Safeguarding

  • Where a child or adult is at risk of harm
  • MARAC or safeguarding referrals

6.4 Public Interest

  • To prevent serious crime or risks to the public
  • Must be authorised by a Head of Service

6.5 Anonymised Data

  • Information anonymised in accordance with ICO standards

All disclosures must be appropriately recorded and justified.

7. Working Remotely or Offsite

Employees working away from organisational premises must:

  • Minimise the amount of confidential information taken offsite
  • Ensure documents are kept in sealed, non-transparent holders
  • Always keep confidential material on their person while travelling
  • Store documents securely at home (e.g., locked drawer)
  • Never leave documents visible in cars, public areas, or shared homes

Electronic devices must:

  • Be encrypted
  • Never be shared with family members
  • Be locked when not in use

The removal of physical documents from premises must be pre-approved by a manager.

8. Carelessness and Avoidable Breaches

Employees may be personally liable for breaches caused by carelessness.

Examples include:

  • Leaving records unattended
  • Failing to lock screens
  • Discussing confidential information where others may overhear
  • Losing devices containing sensitive information

Password sharing or leaving systems logged in is gross misconduct and may lead to dismissal.

9. Abuse of Privilege

Under no circumstances may employees:

  • Access records of friends, family, or acquaintances
  • Access information out of personal curiosity

Such access is:

  • A breach of contract
  • A breach of the Data Protection Act 2018
  • Potentially a criminal offence under the Computer Misuse Act 1990

Audits will be conducted to identify inappropriate access.

10. Reporting Breaches

All employees must report confidentiality breaches immediately to:

  • Their Service Manager
  • Head of Operations
  • CEO (all breaches must be brought to the CEO’s attention)

Reportable breaches include:

  • Unauthorised system access
  • Loss or theft of documents or devices
  • Mis-sent emails
  • Unlawful disclosures
  • Password sharing
  • Incorrect disposal of confidential waste

11. Training

All employees must complete:

  • Induction confidentiality training
  • GDPR refresher training
  • Additional training where role-specific risks apply

Training compliance will be monitored.

12. Monitoring and Audit

Compliance with this policy will be monitored through:

  • Internal audits
  • External audits by commissioners and accreditation bodies
  • Line management oversight
  • Incident reports and lessons learned

Audit findings will be reviewed by the Board of Trustees.

13. Dos and Don’ts

Do:

  • Protect all personal and confidential information
  • Validate identity before sharing information
  • Share the minimum necessary
  • Record decisions to share without consent
  • Report breaches immediately

Don’t:

  • Share information without lawful basis
  • Store confidential material at home unless authorised
  • Use personal devices for organisational work
  • Keep information longer than necessary
  • Forward work emails to personal accounts

14. Appendices (Retained and Expanded)

Appendix A: Legislation Summary

Appendix B: Examples of Breaches

Appendix C: Definitions

Appendix A

The Elm Foundation is obliged to abide by all relevant UK and European Union

legislation. The requirement to comply with this legislation shall be devolved to

employees of The Elm Foundation, who may be held personally accountable for any

breaches of information security for which they may be held responsible. The Elm

Foundation shall comply with the following legislation and guidance as appropriate:

GDPR and DPA 2018

Regulate the use of “personal data” and sets out six principles to ensure that

personal data is:

1. Processed lawfully, fairly and in a transparent manner in relation to individuals

2. Collected for specified, explicit and legitimate purposes and not further

processed in a manner that is incompatible with those purposes; further

processing for archiving purposes in the public interest, scientific or historical

research purposes or statistical purposes shall not be considered to be

incompatible with the initial purposes

3. Adequate, relevant and limited to what is necessary in relation to the

purposes for which they are processed

4. Accurate and where necessary kept up to date

5. Kept in a form which permits identification of data subjects for no longer than

is necessary for the purposes for which the personal data are processed

6. Processed in a manner that ensures appropriate security of the personal data,

including protection against unauthorised or unlawful processing and against

accidental loss, destruction or damage, using appropriate technical or

organisational measures.

▪ The duty to share information can be as important as the duty to protect

patient confidentiality

Article 8 of the Human Rights Act (1998)

Refers to an individual’s “right to respect for their private and family life, for their

home and for their correspondence”. This means that public authorities should take

care that their actions do not interfere with these aspects of an individual’s life. 11

The Computer Misuse Act (1990)

Makes it illegal to access data or computer programs without authorisation and

establishes four offences:

▪ Unauthorised access to data or programs held on a computer e.g. to obtain or

view information about friends and relatives.

▪ Unauthorised access with the intent to commit or facilitate further offences

e.g. to commit fraud or blackmail.

▪ Unauthorised acts with intent to impair, or with recklessness so as to impair,

the operation of a computer e.g. to modify data or programs held on computer

without authorisation; and

▪ Making, supplying or obtaining articles for use in offences 1-3

Common Law Duty of Confidentiality

Information given in confidence must not be disclosed without consent unless there

is a justifiable reason e.g. a requirement of law or there is an overriding public

interest to do so.

Appendix B

What should be reported?

Misuse of personal data and security incidents must be reported so that steps can be

taken to rectify the problem and to ensure that the same problem does not occur

again.

All breaches should be reported to a Service Manager, Head of Operations or CEO.

The CEO should be informed of all breaches.

If employees are unsure whether a particular activity amounts to a breach of an information

governance or IT security policy, they should discuss their concerns with their

Service manager. The following list gives examples of breaches of this policy which

should be reported:

▪ Sharing of passwords

▪ Unauthorised access to systems either by employees or a third party

▪ Unauthorised access to person-identifiable information where the member of

employees does not require access or have a need to know 12

▪ Disclosure of person-identifiable information to a third party where there is no

justification and you have concerns that it is not in accordance with data

protection legislation.

▪ Sending person-identifiable or confidential information in a way that breaches

confidentiality

▪ Leaving person-identifiable or confidential information lying around in a public

area

▪ Theft or loss of person-identifiable or confidential information

▪ Disposal of person-identifiable or confidential information in a way that

breaches confidentiality i.e. disposing of person-identifiable information in an

ordinary waste paper bin.

Seeking Guidance

It is not possible to provide detailed guidance for every eventuality. Therefore, where

further clarity is needed, the advice of a Service Manager should be sought.

Appendix C

Person-identifiable information is anything that contains the means to identify a

person, e.g. name, address, postcode, date of birth, NHS number, National

Insurance number etc. Any data or combination of data and other information, which

can indirectly identify the person, will also satisfy the definition.

Confidentiality

A duty of confidence arises where one person discloses information to another (e.g.

patient to clinician) in circumstances where it is reasonable to expect that the

information will be held in confidence.

Special categories of personal information (previously known as ‘sensitive’

personal data) as defined by GDPR and the DPA 2018 refers to personal

information about:

▪ Race or ethnic origin

▪ Political opinions

▪ Religious or philosophical beliefs 13

▪ Trade union membership

▪ Genetic and Biometric data

▪ Health data

▪ Sexual history and/or sexual orientation

▪ Criminal convictions data

Non-person-identifiable information can also be classed as confidential such as

confidential business information e.g. financial reports; commercially sensitive

information e.g. contracts, trade secrets, procurement information, these should also

be treated with the same degree of care.