CONFIDENTIALITY AND DATA PROTECTION POLICY
1. Protecting Individual Privacy
We believe that respecting and protecting a person’s privacy is of the utmost importance. We apply the principles of the current Data Protection Act 1998, the Freedom of Information Act 2000 and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR) across all our activities. We are also mindful of and working towards the implementation of the General Data Protection Regulations (GDPR) that come into effect on 28th May 2018.
The Data Protection Act 1998 principles apply across all our activities. The detailed procedures, processes and practices for implementing these principles vary depending on the activity e.g. the provision of an information and support service; a fundraising initiative; the recruitment and supervision of employees and volunteers; Trustee business. These processes and practices are detailed separately as Confidentiality and Data Protection Procedures for each department, team or group. Team managers are responsible for their implementation and monitoring and report to the Board as required.
The Data Protection Act 1998 principles that each team, department or group must adhere to are that information must be:
- Obtained and processed fairly and lawfully
We must have legitimate grounds for collecting and using personal data and be transparent about how the information will be used. People’s personal data must be handled only in ways they would reasonably expect us to use it. This includes giving individuals clear statements about how we use and protect their information.
- Held only for specified purposes
We must be clear why we are collecting personal data and what we intend to do with it. We must ensure that if we wish to use or disclose the personal data for any purpose which is different or additional to the original purpose, then the new use is agreed as fair by the owner of the information and/or a senior colleague.
- Adequate, relevant and not excessive
Any personal data we hold about an individual must be sufficient for the purpose for which we hold it. We must not hold more information than we need.
- Accurate and up to date
We must take reasonable steps to ensure that personal data obtained is correct and not misleading and consider whether or when it is necessary to update the information.
- Not kept longer than necessary
We must keep under review the length of time we hold personal data. This may be for longer in some cases than others depending on the purpose for which the data was obtained. We must regularly review personal data and delete in a secure way information that is no longer needed. Individuals may at any time request that their personal information is removed. Such requests should be responded to promptly. All database entries should be deleted in a secure manner and hard copy information should be shredded.
- Processed in accordance with the Act
Individuals have a right to ask for a copy of the information we hold about them in our records.
- Kept secure and protected
We must have appropriate security systems and practices that prevent personal data we hold being accidentally or deliberately compromised. Personal data must be stored only on SMA Support UK’s computer database and computer system and be protected by secure passwords. Those who have access to systems holding personal data are expected to update and change their passwords regularly. Any hard copy personal information must be stored securely.
- Not transferred out of Europe
This final principle must also be adhered to.
If anyone is unsure about any aspect of how to handle personal data, they should ask their line manager or Chair of Trustees for guidance.
2. Protecting the interests of SMA Support UK
Employees and trustees must not disclose to any unauthorised person any confidential information about the interests or business of the charity, its staff, trustees, beneficiaries, funders or other partners.
A non-exhaustive list of the information which SMA Support UK considers confidential, unless such information is already legitimately in the public domain, includes information held in relation to:
- Funding applications, grant applications, joint ventures, project initiatives, strategic plans etc.
- Security arrangements
- Individual salaries or other confidential information relating to contracts of employment.
When employees or trustees leave SMA Support UK, they must immediately return any files, documents, reference books and other papers relating directly or indirectly to the charity or its staff, beneficiaries, funders or other partners. Any emails and electronic documents relating to the organisation should be deleted from personal computers.
Employees and trustees must be particularly alert to requests from the press or other media and should refer such requests to the Managing Director, Support Services Manager, or Chair of Trustees before disclosing any information in response to such enquiries.
3. Restricted information within SMA Support UK
Confidential and sensitive information is restricted to those who need the information in the course of their work for the organisation. Any restricted information must not be disclosed to anyone else, whether inside or outside the charity. Restricted information, whether communicated orally, electronically or in writing, should always be identified as ‘Confidential’ and where appropriate ‘for (recipient’s) eyes only’. Such information might include:
- Proposals or plans for the future
- Special forthcoming events or projects before they have been announced
- Financial and statistical information
- Sensitive business information
- Sensitive personal information
- Information relating to employees, volunteers and staff including applicants for positions, leavers or joiners prior to any public announcement.
4. General Rules
All employees and trustees are required NOT to:
- Leave confidential information (in paper or electronic form) where it is easily visible in the office or elsewhere.
- Use computer software or programmes or any electronic equipment unless they are authorised by SMA Support UK
- Give any press interviews or statements on or off the record without first discussing this with the Managing Director or Chair of the Board
- Write personal letters on SMA Support UK’s headed paper or under SMA Support UK’s banner
- Discuss with others the business of other service users, volunteers, staff, trustees or funders except as strictly required by their job.
- Conduct confidential conversations (including over the phone) where they may be overheard
Employees and trustees, whether paid or unpaid, who leave the charity will continue to be bound by their obligations of confidentiality even after the termination of their SMA Support UK post, whatever the reason.
Nothing in this policy will prevent an individual from making a ‘protected disclosure’ within the meaning of the Public Interest Disclosure Act 1998 (i.e. a legitimate, good faith ‘whistleblowing’ disclosure).
Breaches of this policy by employees will be dealt with through SMA Support UK’s disciplinary procedures. Breaches by trustees will be dealt with under the process laid down in the trustee code of conduct.
Our Peer Support Volunteers (PSVs) are carefully recruited and receive training from our Peer Support Coordinator. This includes the topics of confidentiality and boundaries. They know not to share the personal details of the person/family they are supporting, nor the contents of any conversations and emails, nor to leave any confidential information (in paper or electronic form) where it is easily visible. They know that this applies during their time as a PSV and thereafter as well. They know to always check that they have the person’s specific permission before they discuss or do anything on their behalf. If they have any doubts, they know to ask the Peer Support Coordinator, who is there in an ongoing support role, or any member of the Support Services team for guidance.
Peer Support Volunteers also know that safeguarding of children and adults at risk takes priority over confidentiality.
5. Making the confidentiality policy known
All staff and trustees are given a copy of this policy and, where appropriate, any relevant implementation guidelines, when they join the Trust. They have an opportunity for discussion with their manager or mentor.
Anyone visiting our website is able to read a summary of how we implement this policy via the Privacy and Cookies link at the bottom of the Home Page.
Anyone using our Information and Support Services is also advised how we implement the relevant aspects of this policy and the related Support Services Policy via the Privacy Notice linked to the Information and Support page of our website.
Last reviewed and updated May 2017.