CONFIDENTIALITY AND DATA PROTECTION POLICY
PART 1 – CONFIDENTIALITY POLICY
Our Sansar Limited recognises that colleagues gain information about individuals and organisations during the course of their work or activities. In most cases this will not be explicitly labelled as confidential and the exercise of common sense and discretion will be vital in determining the confidentiality of the information. This policy aims to give some guidance. If there is any doubt, seek advice from your director.
This policy comprises two sections: (1) the Confidentiality Policy and (2) the Data Protection Policy, and a final statement to be signed by all colleagues. Please read all of them and sign the statement to indicate your acceptance of the principles contained in the policies and agreement to abide by them.
- Colleagues are able to share information with their line manager in order to seek advice.
- Colleagues should not engage in "gossip".
- Colleagues should avoid talking about individuals/organisations in a social setting.
- Colleagues will not disclose to anyone, other than their line manager, any information which is sensitive, private, financial or personal without the knowledge and consent of the individual or organisation concerned.
- Where individual cases are to be discussed more widely for educational or other purposes, the discussion will take place in an anonymised, case study format, or with the express permission of the individual concerned.
- Where there is a legal duty to disclose information, the person to whom the confidentiality is owed will be told that the disclosure has taken or will take place, unless it is unsafe or unlawful to do so. It is the responsibility of the senior managers/management committee (not the individual colleague) to decide to make a disclosure without informing the individual concerned, in the event it is deemed unsafe or unlawful to inform them.
This section deals with the duty of confidentiality towards all confidential information, including personal information which comes into the possession of colleagues. It also deals with exceptional circumstances in which it will be appropriate to disclose such information.
Where colleagues obtain information of a confidential nature relating to another colleague, they must treat this in confidence and comply with this guidance, even if the information is disclosed informally by the individual concerned or discovered accidentally, for example overheard in conversation.
The only exceptions to this are as follows:
- Where a colleague feels unable/unqualified to deal with the information disclosed they may seek the advice of the director as to the best way to address any concerns.
- There is a duty to disclose some information, including:
  - Child abuse.
  - Drug trafficking, money laundering, acts of terrorism or treason.
  - Suspicions of other illegal activity, or where there is a reasonable belief that an individual is at risk of harming themselves or others.
In any of these circumstances, colleagues should report the matter to the director who will take appropriate action.
Other confidential information
Confidential information given to the organisation by external organisations must be kept confidential. This is important so that the organisation is seen as trustworthy. Internal information of a confidential nature relating to the organisation must also be treated with an appropriate degree of confidentiality.
Breaches of confidentiality
Colleagues accessing unauthorised files or breaching confidentiality may face disciplinary action and ex-colleagues might face legal action.
Colleagues concerned there has been a breach of confidentiality should raise this with their line manager, using the grievance procedure if necessary. They must not discuss this outside the organisation.
Where a member of staff has concerns regarding illegal activity within the organisation they may discuss this directly with the chair without recourse to the usual grievance procedure.
PART 2 – DATA PROTECTION POLICY
This part of the policy is concerned with personal data. It applies to personal data which comes into the possession of colleagues while they are working for the organisation; it also applies to the way in which the organisation uses the personal data of members and volunteers.
Definitions of specific terms used in this section:
- Consent – the specific, freely given and informed consent of a data subject (and consented should be read accordingly); silent acquiescence does not amount to consent.
- Data subject – an individual to whom personal data relates
- DPO – Our Sansar’s internal data protection officer.
- Personal data – information that relates to an identifiable living individual, and is held either (i) on computer or in other electronic or automatically processable form, or (ii) in a paper filing system arranged by reference to individuals or criteria relating to them (e.g. date of birth) to facilitate access to information relating to particular individuals.
- Process – to collect, store, analyse, use, disclose, delete or do absolutely anything else with personal data (and processing and processed should be read accordingly).
- Sensitive personal data – personal data consisting of information as to racial or ethnic origin, political opinion, religious or other similar beliefs, trade union membership, physical or mental health or condition, sexual life, the commission or alleged commission of any offence, or any proceedings for any offence committed or alleged to have been committed, the disposal of those proceedings or the sentence of any court in those proceedings.
What information does this policy cover?
All information about an identifiable living individual is personal data and should be treated in accordance with this policy. This includes seemingly innocuous information such as names, addresses, contact details and employment history (including information relating to a colleague’s work for Our Sansar Limited), as well as bank account details and medical history.
Guidelines applicable to all personal data
All personal data will be treated in the following manner:
- Our Sansar will process personal data fairly.
- Only necessary information which is relevant for the purpose will be collected. It will only be processed in a manner which is consistent with the purpose for which it was collected.
- Personal data may only be processed for a legitimate purpose of Our Sansar Limited, and then only if it does not prejudice the rights, freedoms or legitimate interests of the individuals concerned.
- Personal data will be securely stored.
- Access to personal data will be given on a need to know basis.
- Personal data will only be retained as long as necessary for the purpose for which it was collected. However, contact details of colleagues will be placed on file and retained for a reasonable period in case they are needed. After this period they will be deleted unless the data subject has agreed that Our Sansar may retain them.
- Our Sansar will make reasonable efforts to ensure that all personal data held is as accurate as possible and that it is kept up to date.
- If a colleague receives a request from anyone to access the personal data held about them, or otherwise to exercise their rights under data protection law, that request should promptly be passed on to the DPO.
- Our Sansar will establish and follow procedures to ensure that individuals whose personal data are processed are aware of:
  - Our Sansar’s identity,
  - the purposes for which the personal data will be processed, and
  - any other information to ensure that the processing is fair, for example, information about the right to access and correct the data, whether providing the data is optional or compulsory and the consequences of not providing it, and any categories of person to whom personal data might be disclosed.
However, Our Sansar will not provide individuals with information of which they are already aware. Where personal data are collected indirectly (i.e. from another person), Our Sansar will not provide information to the individual to whom the personal data relate if to do so would involve effort disproportionate to the value to that individual of receiving such information.
There may be other circumstances in which individuals do not need to be informed of the processing of their personal data – for example, if Our Sansar needs to disclose the information as part of a police investigation and to inform the data subject might prejudice the investigation. Before relying on this, or any other exception, however, the DPO should be consulted.
- Personal data will not be transferred to a country outside the European Economic Area without the consent of the data subject or the approval of the DPO.
- Before outsourcing any processing of personal data to a third party, this must be approved by the DPO.
Guidelines applicable to sensitive personal data
Sensitive personal data will not be processed without the consent of the data subject, or, exceptionally, with the approval of the DPO on the basis that appropriate steps have been taken to ensure the processing complies with the law.
The following types of sensitive personal data are collected from colleagues as part of the recruitment procedure:
- Monitoring information: we collect information about ethnic origin. This is for statistical purposes only and will be held in anonymous form.
- Medical information: this must be kept strictly confidential and accessed on a ‘need to know’ basis only. Where it is not relevant to the individual’s role within the organisation, it should be destroyed.
- Criminal record check results: these will be destroyed once a decision has been made regarding recruitment and will not be divulged outside the recruitment team. However, a record of the result (positive or negative) will be kept.