Has anyone ever said to you, “This is confidential, so I really shouldn’t be telling you, but …” – and then they go on to give you a choice bit of gossip? Does anyone who takes that approach to confidentiality work for you? If so, does it matter?
Confidentiality can be a slippery subject, and it has a long legal history. A duty of confidentiality can be created by contract, and it can also arise under common law. Most employment contracts include a section on confidentiality. Even if they don’t, the common law duty of confidentiality is automatically implied into an employment contract.
So far so good.
Employees have a duty of confidentiality to their employer
But what does that mean? How do employees know what information they have to treat as confidential? This is where the organisation needs a confidentiality policy. If you want your employees to behave properly, you have to make it clear to them how they can tell whether information is confidential or not.
Typically, all information about clients or service users and about donors or supporters will be confidential. Most of the information about employees will be confidential, but not necessarily all: it may be policy to publish contact information and photographs of staff on the website, and maybe even details of the remuneration of senior staff. Some information about the organisation’s finances, commercial arrangements, plans for the future and other matters is also likely to be confidential.
What if information is confidential?
Basically that means that you care who knows it. Confidentiality is not the same as secrecy; it’s about knowing who you can share the information with. A common definition of confidentiality is that it is about sharing information strictly on a need to know basis. If people don’t need to know the information you shouldn’t share it with them – even if you trust them not to share it any further.
So again we need to look at the confidentiality policy. This should make it clear to employees how they can tell who to share information with and who not to – as well as how their own information will be handled. For example, when someone is off sick will all their colleagues be told what is wrong with them? This is where the ‘need to know’ test is helpful. Colleagues need to know that someone is not at work, and possibly for how long they are expected to be away, but most of them don’t need to know precisely why.
Volunteers should also be considered. They can’t have a contractual duty of confidentiality, but you can create a common law duty by getting them to sign a suitable confidentiality pledge.
And don’t forget that if a breach of confidentiality involves personal data this could also amount to a breach of the Data Protection Act. A GP surgery was fined £40,000 in August this year for wrongly disclosing information about a woman to her ex-partner.
The stakes are high when it comes to confidential matters, so it’s important we get it right.
About Paul Ticher
Paul has over 20 years’ experience in the voluntary sector, as an information worker, manager and Board member in local and national charities. He is a well-known independent consultant specialising in Data Protection, information management and IT strategy. He is also a widely-respected trainer, researcher and author.