Data-Protection-Policy-MAY 2018 updated for July 2022 staffing.docx

Confidentiality Policy

1. General principles


1.1. SCA recognises that colleagues (employees, volunteers, trustees, secondees and students) gain information about individuals and organisations during the course of their work or activities. In most cases such information will not be stated as confidential and colleagues may have to exercise common sense and discretion in identifying whether information is expected to be confidential. This policy aims to give guidance but if in doubt, seek advice from the Student Community Action manager.

1.2. Volunteers are able to share information with the Volunteer Co-ordinator or SCA Manager in order to discuss issues and seek advice.

1.3. Volunteers should avoid exchanging personal information or comments (gossip) about individuals with whom they have a professional relationship.

1.4. Volunteers should avoid talking about organisations or individuals in social settings.

1.5. Volunteers will not disclose to anyone, other than Volunteer Co-ordinator or SCA Manager, any information considered sensitive, personal, financial or private in connection with organisations without the knowledge or consent of the individual, or an officer, in the case of an organisation.

1.6. There may be circumstance where volunteers would want to discuss difficult situations with each other to gain a wider perspective on how to approach a problem. Consent must be sought before discussing the situation, unless the volunteer is convinced beyond doubt that the individual or organisation would not object to this. Alternatively, a discussion may take place with names or identifying information remaining confidential.

1.7. Where there is a legal duty to disclose information, the person to whom the confidentiality is owed will be informed that disclosure has or will be made.

2. Why information is held


2.1. Most information held by Student Community Action relates to clients and volunteers.

2.2. Information is kept to enable Student Community Action colleagues to understand the history and activities of users in order to deliver the most appropriate services.

2.3. Student Community Action has a role in putting people in touch with volunteers and keeps contact details, which are passed on, to the volunteer, except where the organisation or client expressly requests that the details remain confidential.

2.4. Information about volunteers (with their consent) is given to clients or statutory agencies, which request volunteers, but is not disclosed to anyone else.

2.5. Information about ethnicity and disability of users is kept confidentially for the purposes of monitoring our equal opportunities policy and also for reporting back to funders.

2.6. Please see attached at the top of this page our GDPR Privacy Policy.

3. Access to information


3.1. Information is confidential to Student Community Action as an organisation and may be passed to colleagues or trustees only where necessary to ensure the best quality service for users.

3.2. Where information is sensitive, i.e. it involves disputes or legal issues, it will be confidential to the employee dealing with the case and their line manager. Such information should be clearly labelled ‘Confidential’ and should state the names of the colleagues entitled to access the information and the name of the individual or group who may request access to the information. If sent electronically, it should be password protected.

3.3. Colleagues will not withhold information from their line manager unless it is purely personal.

3.4. Users may have sight of Student Community Action records held in their name or that of their organisation. The request must be in writing to the Student Community Action Manager giving 14 days’ notice and be signed by the individual, or in the case of an organisation’s records, by the Chair of the Executive Committee. Sensitive information as outlined in para 3.2 will only be made available to the person or organisation named on the file.

3.5. Employees may have sight of their personnel records by giving 14 days’ notice in writing to the Chair of the Management Committee. Records are held for 6 years after the employee has ceased working for SCA and they are then destroyed.

3.6. When photocopying or working on confidential documents, colleagues must ensure they are not seen by people in passing. This also applies to information on computer screens.

4. Storing information


4.1. General non-confidential information about organisations is kept in unlocked filing cabinets with open access to all Student Community Action colleagues.

4.2. Information about volunteers, students and other individuals will be kept confidentially in filing cabinets by the colleague directly responsible. These colleagues must ensure line managers know how to gain access. Electronic files including the database must be password protected and not accessed on public devices.

4.3. Employees’ personnel information will be kept in lockable filing cabinets and made accessible to relevant line managers on request.

4.4. Files or filing cabinet drawers bearing confidential information should be labelled ‘confidential’.

4.5. In an emergency situation, the Chair of the Executive Committee may authorise access to files by other people.

4.6. Confidential information stored on computer will be protected by use of a password.

5. Duty to disclose information


5.1. There is a legal duty to disclose some information including:

5.1.1. Child abuse MUST be reported to the Social Services Department. For the most up to date process for recording concerns you can call Cambridgeshire children social services on: 0345 045 5203.

5.1.2. Drug trafficking, money laundering, acts of terrorism or treason will be disclosed to the police.

5.2. In addition colleagues believing an illegal act has taken place, or that a user is at risk of harming themselves or others, must report this to the Chair of the Executive Committee who will report it to the appropriate authorities.

Disclosure of Public Interest Matters

5.3. Users should be informed of this disclosure.

6. Disclosures


6.1 Student Community Action complies fully with the DBS Code of practice regarding the correct handling, use, storage, retention and disposal of Disclosures and Disclosure information.

6.2 Disclosure information is always kept separately from an applicant’s personnel file in secure storage with access limited to those who are entitled to see it as part of their duties. It is a criminal offence to pass this information to anyone who is not entitled to receive it.

6.3 Documents will be kept for a year and then destroyed by secure means. Photocopies MUST not be kept. However, Student Community Action may keep a record of the date of issue of a Disclosure, the name of the subject, the type of Disclosure requested, the position for which the Disclosure was requested, the unique reference number of the Disclosure and the details of the recruitment decision taken.

7. Data Protection Act 1988


7.1. Information about individuals, whether on computer or on paper, falls within the scope of the Data Protection Act and must comply with the data protection principles. These are that personal data must be:

· Obtained and processed fairly and lawfully.
· Held only for specified purposes.
· Adequate, relevant and not excessive.
· Accurate and up to date.
· Not kept longer than necessary.
· Processed in accordance with the Act.
· Kept secure and protected.
· Not transferred out of Europe.

8. Breach of confidentiality


8.1. Employees who are dissatisfied with the conduct or actions of other colleagues should raise this with the Chair of the Executive Committee using the grievance procedure, if necessary, and not discuss their dissatisfaction outside Student Community Action.

8.2. Colleagues accessing unauthorised files or breaching confidentially may face disciplinary action, which would involve summary dismissal for gross misconduct. Ex-employees breaching confidentiality may face legal action.

8.3. Student Community Action Trustees who are dissatisfied with the conduct or actions of other Trustees should raise this with the Chair in the first instance.

9. Monitoring


9.1 The effectiveness of this policy and of confidentiality at Student Community Action is monitored on a regular basis. This is done by:

· Recording all complaints about breaches of confidentiality
· Addressing issues of breaches or possible breaches of confidentiality directly with the person

The findings will be used to highlight any shortfalls in this policy or in Student Community Action personnel training.

Overall responsibility for day-to-day implementation and monitoring rests with the Chair of the Executive Committee.

10. Retention periods for key financial information


Document type Required retention period
Accounting records 6 years
Income tax and NI returns, tax records, correspondence with Inland Revenue 6 years after the end of the financial year to which they relate
Wage / salary records 6 years
Statutory Sick Pay records 6 years after the end of the tax year to which they relate
Statutory Maternity Pay records 6 years after the end of the tax year to which they relate


Document type Required retention period
Accident books 3 years after the date of the last entry
Employment Application forms and interview notes (for unsuccessful applicants) 1 year
Personnel files and training records (including disciplinary records and working time records) 6 years after employment ceases
Redundancy details, calculations of payments, refunds, notification to the Secretary of State 6 years from the date of redundancy
Senior executives’ records Permanently for historical purposes
Trade union agreements 10 years after ceasing to be effective
Volunteer records and sign up sheets 3 years after last contact
Client records and referral forms 3 years after last contact