Handling Confidential Information
Every business must be aware of the types of information that it handles and whether this constitutes personal, sensitive personal and/or confidential information, in order that it can comply with all applicable legal obligations. The starting point in ascertaining such obligations must be to conduct a thorough information audit. This will produce a snapshot of all information processed by a business at any one time. Where possible, this should be carried out by independent auditors but whether this is appropriate will depend upon the size of the business.
Regular internal audits can be extremely effective as a management and training tool. The audit should focus on identifying which information is processed and how, which regulations and legislation apply to such processing, and which policies and procedures are in place. This will establish whether all legislative requirements are met and whether, and to what extent, such policies and procedures are adequate, up to date, known by staff and contractors, and actually being complied with.
The following practical tips relate to how confidential information may be safeguarded, communicated and legally used by a business, and are a good starting point when devising a business’ policies and procedures.
There should be at least one person who is responsible for each document containing confidential information. This could be a supervisor, whose permission and authorisation is necessary before such information is disclosed, modified or even read. Hard copies of information should be kept in secure, locked filing cabinets or strong rooms, and the recipients of all keys should be recorded. The building itself should have adequate security, for example by employing security guards or having a coded entry system.
Electronic information should be protected by firewalls and passwords, and a record kept of all passwords, which should be changed regularly, particularly when members of staff leave. When sending confidential information by email, special precautions such as encryption should be taken if the information is sensitive enough (see our Guide to Emails and Confidential Information for more guidance). If the information is personal, all modifications to it should be recorded, and it should be kept up to date and regularly checked for accuracy. Spare or out-of-date copies should be destroyed immediately after use. All such information should be kept for the minimum time necessary and then returned to the owner or destroyed. Copies that are to be kept for evidential or tax purposes must be kept securely and the owner or subject informed.
All confidential information should be clearly labelled as such. In addition, the recipient of the information should be expressly told that it is confidential. It may be necessary to ask the recipient to sign a confidentiality or non-disclosure agreement, depending on the circumstances, and such an agreement may even be justified for staff and contractors if the level of risk and degree of sensitivity require it. The information should be disclosed to the minimum number of people necessary, and only to those authorised to receive it, as evidenced by their job description or by express permission from management.
A record should be kept showing to whom such information has been disclosed, how many copies have been produced and who has each copy in their possession at any time. This should apply to email and electronic documents as well as to hard copies. It may be necessary to monitor emails to ensure that information is being communicated in accordance with procedures (see our Guide to Website Security in relation to the monitoring of staff). Staff and contractors should be trained so that they are aware of what they can and cannot do with confidential information, both during and after their employment or engagement. They should be informed of the ongoing nature of their confidentiality obligations and that action can be taken against them even after they have left, for example for taking information from customer lists when they depart.
Policing of information
It is not sufficient just to have procedures and systems in place to protect confidential information. These must be tried and tested and continually monitored to ensure compliance. Staff should be trained to report to their supervisors all actual or potential breaches of confidentiality immediately, whether it be the sending of a confidential email to an unauthorised recipient or the discovery of an unauthorised hard copy of a document lying around.
An investigation and assessment of the impact of the breach should be conducted, including ascertaining what measures can be taken to reduce any resulting damage. Depending upon how the breach arose, disciplinary measures may or may not be appropriate; alternatively, the system may need fixing and/or policies re-assessing. Passwords may need to be changed again. As soon as the immediate aftermath has been dealt with, a report should be drawn up explaining what occurred and why, and highlighting what changes or improvements are necessary to prevent similar breaches from happening again in the future. Breaches of confidentiality can be extremely costly for businesses, so it is important to act quickly and not to be complacent when any failings do come to light.