CARDIFF UNIVERSITY CONFIDENTIALITY – A GUIDE FOR STAFF October 2012 Confidentiality – A Guide for Staff CONTENTS Introduction What is confidential information? In what circumstances might I come across confidential information at the University? 2 The Data Protection Act Sensitive Personal Data Confidential References 3 Disclosure of Confidential Information Nature of the Information When can I disclose confidential information? Fitness to Practise and Public Interest 4 Duty of Care Involving family and friends So what about duty of care? Getting advice on confidential matters Giving guarantees of confidentiality 5 The Freedom of Information Act 7 Further Information and Advice 7 October 2012 1 Confidentiality – A Guide for Staff CONFIDENTIALITY – A GUIDE FOR STAFF INTRODUCTION What is confidential information? Confidential information is any information to which the common law ‘duty of confidence’ applies. A duty of confidence is created when ‘private’ information has been passed on in such a way that the person receiving the information was aware, or should have been aware, that the information was being imparted on the basis of confidentiality. (The legal test is whether a ‘reasonable’ person would think the recipient ought to have known that the information was confidential). Once you have obtained confidential information in this way, you are under a common law obligation not to disclose it or use it without the consent of the person who provided that information, except in very specific circumstances, as set out below. In what circumstances might I come across confidential information at the University? The University holds confidential information about individuals, i.e. personal information, as well as other ‘non-personal’ confidential information, e.g. information about business finances, strategy and planning. The University routinely holds confidential personal information on its employees and its students. Much of this information will be held by the Human Resources Directorate (staff records) or the Registry (student records) and similar records will be held by the School or Administrative Directorate to which the member of staff or student is affiliated. All staff who are authorised to access those records are under an obligation not to disclose inappropriately confidential information. Students should not normally have access to such records. Staff may well be provided with further confidential information about students during the course of their studies. Staff receiving such information should ensure that it is held in a secure location where other unauthorised staff will not be able to access it without permission. Members of staff performing a supporting role in a professional capacity (e.g. Health Centre medical staff, chaplains and counsellors) will be bound by their professional codes of practice in respect of the maintenance of confidentiality. Additionally students and researchers may have access to confidential information during the course of their studies, for example during research projects or as part of a clinical placement. The NHS (in common with the University) takes the confidentiality of its patient records very seriously and students/researchers should ensure that no inappropriate disclosures of such information are made. October 2012 2 Confidentiality – A Guide for Staff THE DATA PROTECTION ACT Sensitive Personal Data The Data Protection Act only applies to personal information. The Act does not define confidentiality but does define ‘Sensitive Personal Data’. This is information relating to a living, identifiable individual about one or more of the following. His/her: racial or ethnic origin; political opinion; religious or similar beliefs; Trade Union membership; mental or physical health; sexual life; offences or alleged offences; Court or prison records. There are strong restrictions under the Data Protection Act about the use and disclosure of such information. Sensitive Personal Data will not always be confidential (for example the identity of the Chair of the AUT or the religious beliefs of the Pope) and confidential information will not always be Sensitive Personal Data (for example details of bank accounts and financial information). However, a good rule of thumb is to treat any Sensitive Personal Data that has not already been made public, as confidential. Confidential References The Data Protection Act 1998 generally provides a right of access to personal data to the person who is the subject of that data. Although the University may not be required to disclose a confidential reference you have written to the subject of that reference, the organisation to whom you have sent the reference might well do so. Therefore you should always write references in the expectation that they may be disclosed to the subject. You should avoid disclosing confidential or sensitive personal data in your reference unless you have the explicit consent of the subject to do so. If you believe that confidential or sensitive personal data are of relevance to the reference and should be disclosed against the wishes of, or without the knowledge of, the data subject please check with the University's Data Protection Officer in the Governance and Compliance Division. October 2012 3 Confidentiality – A Guide for Staff DISCLOSURE OF CONFIDENTIAL INFORMATION Nature of the information Occasionally you may be asked to keep something confidential that seems to you not to be truly confidential or very important. Unless the information is of a very trivial nature or has already been made public by the subject of that information, you should treat it as confidential and not disclose it inappropriately. There may be good reasons that you do not know about for the information to be kept confidential. When can I disclose confidential information? Confidential information can be discussed with those who are already party to it, and may also be disclosed where the person who provided the confidential information agrees to such a disclosure. If the person who provided the confidential information does not agree to the disclosure, a disclosure can still be made without consent under the following circumstances: when the vital interests of any person are threatened and the disclosure is made to a relevant, appropriate person; when it is in the public interest to do so and the disclosure is made to a relevant, appropriate person. Whenever an obligation of confidence is to be broken without consent, the other party should be informed, unless the grounds are the protection of the other party’s vital interests and this would further endanger them. Fitness to Practise and Public Interest Certain professions, such as doctors and social workers, are regulated to ensure that only those who are ‘fit’ may formally qualify or practice in the discipline. This is for the protection of the public and appropriate disclosures of confidential or sensitive personal data made in the context of concerns regarding fitness to practise will normally be made in the public interest. Further information on what is likely to constitute a disclosure in the public interest can be sought from the Information Rights Manager, Governance and Compliance Division. See also Confidential References (on page 3). Public Interest Disclosures (Whistle-blowing) Staff with concerns relating to the proper conduct of University business, are directed to the Public Interest Disclosure (Whistle-blowing) Policy which is available from the Governance and Compliance Division. October 2012 4 Confidentiality – A Guide for Staff DUTY OF CARE Involving family and friends Sometimes when you know someone has a problem you may want to tell that person’s parents/spouse/friends because you think they can help or that they ‘ought’ to know. However, if the information was imparted to you in confidence, no matter how helpful you think it might be, it is not acceptable to inform friends and relatives without the consent of the person involved. You can only pass on confidential information without consent to any of these people in order to protect someone’s vital interests or where it was in the public interest to do so and they were the appropriate people to be told – see When can I disclose confidential information? (on page 4). Duty of care? The University has a duty of care to protect its staff and students from harm, as far as practicable and foreseeable. This duty of care extends to directing those in need to the appropriate support services and to encouraging them to take up the support available, including that from their friends and family, if appropriate. It would also extend to an appropriate level of follow up with the person. With a student’s agreement, staff can refer a student to the Counselling Service, for example, but the Counselling Service will not pass information about the student’s subsequent attendance back to the member of staff who referred the student. This does not mean that the member of staff cannot ask the student themselves – but the student is not obliged to tell them. Where it is felt that it is important that others who are not party to the confidential information, should know in order that certain beneficial actions can be taken, the aim should be to encourage the person to tell the others directly and to explain the benefits of so doing, or to seek – but not to coerce agreement that they can be told. For example, where a student discloses a disability to an individual member of staff but does not wish anyone else to know, the member of staff should explain the limitations that that may place on being able to make reasonable adjustments and the advantages of being able to pass on the information to other staff for specified purposes. However, the student is under no obligation to agree to such disclosures and where they do object, this should be respected. The member of staff to whom the confidential disclosure was made may keep a record of the fact that the student disclosed ‘confidential information’ to him/her and that the student does not give permission for this information to be shared. Such a record should be dated and held confidentially. The record must not include reference to ‘disability’ or any other terms that reflect the state of mental or physical health of the student, (as this is an item of Sensitive Personal Data – see page 3), without the express consent of the student or unless it is part of a medical record made by a health professional. October 2012 5 Confidentiality – A Guide for Staff Where the person has not given their permission for confidential information to be shared, the duty of confidence applies and a disclosure can only be made when the individual is at serious risk of harm to themselves or at risk of harming other people. Such a disclosure should only be made to relevant, appropriate people. Getting advice on confidential matters It is often possible to discuss cases and seek advice without identifying the individual to whom the information relates. As long as appropriate care is taken to anonymise the case, or the case is discussed in the abstract and it is not obvious to whom it relates, then the confidence has not been broken. For example, a personal tutor is told in the strictest confidence by one of his tutees that she cannot sit an examination because of treatment for a medical condition. Without having to reveal the identity of the student, the tutor can make enquiries about the University’s regulations and the extent of any disclosure that might have to be made if a student wishes to be recorded as absent with good cause. The tutor may also be able to make enquiries about sources of support relating to the medical condition without identifying the student. Giving guarantees of confidentiality In general staff should be very careful when offering to keep information confidential. As spelt out above the implications of such a guarantee are significant. Staff should not offer guarantees of confidentiality without making it clear whether they intend to share the information with any other person. It is important that it is clearly explained before the information is imparted. For example, you might need to share the information on a limited basis with others in order to deliver some beneficial adjustment for a student, and the student should know that these others would also be included in the obligation of confidence. If the student does not agree to the sharing of the information then the information should not be recorded in such a fashion that it might be accessed by anyone else nor should the information be disclosed verbally unless an exceptional circumstance applies such that the vital interests of any person are threatened or it is ‘in the public interest’ to do so. See When can I disclose confidential information? (on page 3). October 2012 6 Confidentiality – A Guide for Staff THE FREEDOM OF INFORMATION ACT The Freedom of Information Act and Confidentiality The Freedom of Information Act gives individuals a general right of access to information held by any public authority. This means that any information held by the University is potentially available to the public on demand. However there are a number of types of information that are exempt from disclosure under the Act and these include personal information where its release is prevented by the Data Protection Act, and information that has been received from a third party in confidence where the release of the information would be an actionable breach of confidence. FURTHER INFORMATION AND ADVICE Further advice on dealing with confidential information can be sought from either the Information Rights Manager or the Records Manager, in the Governance and Compliance Division Unit. October 2012 7