CARDIFF UNIVERSITY
CONFIDENTIALITY – A GUIDE FOR STAFF
October 2012
Confidentiality – A Guide for Staff
CONTENTS
Introduction
 What is confidential information?
 In what circumstances might I come across confidential
information at the University?
2
The Data Protection Act
 Sensitive Personal Data
 Confidential References
3
Disclosure of Confidential Information
 Nature of the Information
 When can I disclose confidential information?
 Fitness to Practise and Public Interest
4
Duty of Care
 Involving family and friends
 So what about duty of care?
 Getting advice on confidential matters
 Giving guarantees of confidentiality
5
The Freedom of Information Act
7
Further Information and Advice
7
October 2012
1
Confidentiality – A Guide for Staff
CONFIDENTIALITY – A GUIDE FOR STAFF
INTRODUCTION
What is confidential information?
Confidential information is any information to which the common law ‘duty of
confidence’ applies. A duty of confidence is created when ‘private’
information has been passed on in such a way that the person receiving the
information was aware, or should have been aware, that the information was
being imparted on the basis of confidentiality. (The legal test is whether a
‘reasonable’ person would think the recipient ought to have known that the
information was confidential).
Once you have obtained confidential information in this way, you are under a
common law obligation not to disclose it or use it without the consent of the
person who provided that information, except in very specific circumstances,
as set out below.
In what circumstances might I come across confidential information at
the University?
The University holds confidential information about individuals, i.e. personal
information, as well as other ‘non-personal’ confidential information, e.g.
information about business finances, strategy and planning.
The University routinely holds confidential personal information on its
employees and its students. Much of this information will be held by the
Human Resources Directorate (staff records) or the Registry (student records)
and similar records will be held by the School or Administrative Directorate to
which the member of staff or student is affiliated. All staff who are authorised
to access those records are under an obligation not to disclose inappropriately
confidential information. Students should not normally have access to such
records.
Staff may well be provided with further confidential information about students
during the course of their studies. Staff receiving such information should
ensure that it is held in a secure location where other unauthorised staff will
not be able to access it without permission. Members of staff performing a
supporting role in a professional capacity (e.g. Health Centre medical staff,
chaplains and counsellors) will be bound by their professional codes of
practice in respect of the maintenance of confidentiality.
Additionally students and researchers may have access to confidential
information during the course of their studies, for example during research
projects or as part of a clinical placement. The NHS (in common with the
University) takes the confidentiality of its patient records very seriously and
students/researchers should ensure that no inappropriate disclosures of such
information are made.
October 2012
2
Confidentiality – A Guide for Staff
THE DATA PROTECTION ACT
Sensitive Personal Data
The Data Protection Act only applies to personal information. The Act does
not define confidentiality but does define ‘Sensitive Personal Data’. This is
information relating to a living, identifiable individual about one or more of the
following. His/her:








racial or ethnic origin;
political opinion;
religious or similar beliefs;
Trade Union membership;
mental or physical health;
sexual life;
offences or alleged offences;
Court or prison records.
There are strong restrictions under the Data Protection Act about the use and
disclosure of such information.
Sensitive Personal Data will not always be confidential (for example the
identity of the Chair of the AUT or the religious beliefs of the Pope) and
confidential information will not always be Sensitive Personal Data (for
example details of bank accounts and financial information).
However, a good rule of thumb is to treat any Sensitive Personal Data that
has not already been made public, as confidential.
Confidential References
The Data Protection Act 1998 generally provides a right of access to personal
data to the person who is the subject of that data. Although the University may
not be required to disclose a confidential reference you have written to the
subject of that reference, the organisation to whom you have sent the
reference might well do so. Therefore you should always write references in
the expectation that they may be disclosed to the subject.
You should avoid disclosing confidential or sensitive personal data in your
reference unless you have the explicit consent of the subject to do so.
If you believe that confidential or sensitive personal data are of relevance to
the reference and should be disclosed against the wishes of, or without the
knowledge of, the data subject please check with the University's Data
Protection Officer in the Governance and Compliance Division.
October 2012
3
Confidentiality – A Guide for Staff
DISCLOSURE OF CONFIDENTIAL INFORMATION
Nature of the information
Occasionally you may be asked to keep something confidential that seems to
you not to be truly confidential or very important. Unless the information is of
a very trivial nature or has already been made public by the subject of that
information, you should treat it as confidential and not disclose it
inappropriately. There may be good reasons that you do not know about for
the information to be kept confidential.
When can I disclose confidential information?
Confidential information can be discussed with those who are already party to
it, and may also be disclosed where the person who provided the confidential
information agrees to such a disclosure.
If the person who provided the confidential information does not agree to the
disclosure, a disclosure can still be made without consent under the following
circumstances:


when the vital interests of any person are threatened and the
disclosure is made to a relevant, appropriate person;
when it is in the public interest to do so and the disclosure is made
to a relevant, appropriate person.
Whenever an obligation of confidence is to be broken without consent, the
other party should be informed, unless the grounds are the protection of the
other party’s vital interests and this would further endanger them.
Fitness to Practise and Public Interest
Certain professions, such as doctors and social workers, are regulated to
ensure that only those who are ‘fit’ may formally qualify or practice in the
discipline. This is for the protection of the public and appropriate disclosures
of confidential or sensitive personal data made in the context of concerns
regarding fitness to practise will normally be made in the public interest.
Further information on what is likely to constitute a disclosure in the public
interest can be sought from the Information Rights Manager, Governance and
Compliance Division.
See also Confidential References (on page 3).
Public Interest Disclosures (Whistle-blowing)
Staff with concerns relating to the proper conduct of University business, are
directed to the Public Interest Disclosure (Whistle-blowing) Policy which is
available from the Governance and Compliance Division.
October 2012
4
Confidentiality – A Guide for Staff
DUTY OF CARE
Involving family and friends
Sometimes when you know someone has a problem you may want to tell that
person’s parents/spouse/friends because you think they can help or that they
‘ought’ to know. However, if the information was imparted to you in
confidence, no matter how helpful you think it might be, it is not acceptable to
inform friends and relatives without the consent of the person involved.
You can only pass on confidential information without consent to any of these
people in order to protect someone’s vital interests or where it was in the
public interest to do so and they were the appropriate people to be told – see
When can I disclose confidential information? (on page 4).
Duty of care?
The University has a duty of care to protect its staff and students from harm,
as far as practicable and foreseeable. This duty of care extends to directing
those in need to the appropriate support services and to encouraging them to
take up the support available, including that from their friends and family, if
appropriate. It would also extend to an appropriate level of follow up with the
person.
With a student’s agreement, staff can refer a student to the Counselling
Service, for example, but the Counselling Service will not pass information
about the student’s subsequent attendance back to the member of staff who
referred the student. This does not mean that the member of staff cannot ask
the student themselves – but the student is not obliged to tell them.
Where it is felt that it is important that others who are not party to the
confidential information, should know in order that certain beneficial actions
can be taken, the aim should be to encourage the person to tell the others
directly and to explain the benefits of so doing, or to seek – but not to coerce agreement that they can be told.
For example, where a student discloses a disability to an individual member of
staff but does not wish anyone else to know, the member of staff should
explain the limitations that that may place on being able to make reasonable
adjustments and the advantages of being able to pass on the information to
other staff for specified purposes. However, the student is under no obligation
to agree to such disclosures and where they do object, this should be
respected.
The member of staff to whom the confidential disclosure was made may keep
a record of the fact that the student disclosed ‘confidential information’ to
him/her and that the student does not give permission for this information to
be shared. Such a record should be dated and held confidentially. The
record must not include reference to ‘disability’ or any other terms that reflect
the state of mental or physical health of the student, (as this is an item of
Sensitive Personal Data – see page 3), without the express consent of the
student or unless it is part of a medical record made by a health professional.
October 2012
5
Confidentiality – A Guide for Staff
Where the person has not given their permission for confidential information
to be shared, the duty of confidence applies and a disclosure can only be
made when the individual is at serious risk of harm to themselves or at risk of
harming other people. Such a disclosure should only be made to relevant,
appropriate people.
Getting advice on confidential matters
It is often possible to discuss cases and seek advice without identifying the
individual to whom the information relates. As long as appropriate care is
taken to anonymise the case, or the case is discussed in the abstract and it is
not obvious to whom it relates, then the confidence has not been broken.
For example, a personal tutor is told in the strictest confidence by one of his
tutees that she cannot sit an examination because of treatment for a medical
condition. Without having to reveal the identity of the student, the tutor can
make enquiries about the University’s regulations and the extent of any
disclosure that might have to be made if a student wishes to be recorded as
absent with good cause. The tutor may also be able to make enquiries about
sources of support relating to the medical condition without identifying the
student.
Giving guarantees of confidentiality
In general staff should be very careful when offering to keep information
confidential. As spelt out above the implications of such a guarantee are
significant.
Staff should not offer guarantees of confidentiality without making it clear
whether they intend to share the information with any other person. It is
important that it is clearly explained before the information is imparted.
For example, you might need to share the information on a limited basis with
others in order to deliver some beneficial adjustment for a student, and the
student should know that these others would also be included in the obligation
of confidence. If the student does not agree to the sharing of the information
then the information should not be recorded in such a fashion that it might be
accessed by anyone else nor should the information be disclosed verbally
unless an exceptional circumstance applies such that the vital interests of any
person are threatened or it is ‘in the public interest’ to do so.
See When can I disclose confidential information? (on page 3).
October 2012
6
Confidentiality – A Guide for Staff
THE FREEDOM OF INFORMATION ACT
The Freedom of Information Act and Confidentiality
The Freedom of Information Act gives individuals a general right of access to
information held by any public authority. This means that any information held
by the University is potentially available to the public on demand. However
there are a number of types of information that are exempt from disclosure
under the Act and these include personal information where its release is
prevented by the Data Protection Act, and information that has been received
from a third party in confidence where the release of the information would be
an actionable breach of confidence.
FURTHER INFORMATION AND ADVICE
Further advice on dealing with confidential information can be sought from
either the Information Rights Manager or the Records Manager, in the
Governance and Compliance Division Unit.
October 2012
7