Haemophilia Scotland operates a policy of confidentiality, which requires employees and key personnel (both paid and unpaid) to:
- Maintain the privacy of personal information they may receive or have access to as part of their work, in accordance with the Data Protection Act, which gives individuals important rights over how their personal information is used.
The Data Protection Act
The Data Protection Act 2018 is the UK’s implementation of the General Data Protection Regulation (GDPR). It sets out rules for processing personal information (known as personal data) and applies to many paper records as well as those held on computer.
The Act requires data controllers to comply with the rules of good information handling practice, known as the data protection principles. The principles require, amongst other things, that personal data are processed fairly and lawfully, are accurate and relevant, and are subject to appropriate security.
There are six principles put in place by the Data Protection Act 2018 to make sure that your information is handled properly. They say that data must be:
- used fairly, lawfully and transparently
- used for specified, explicit purposes
- used in a way that is adequate, relevant and limited to only what is necessary
- accurate and, where necessary, kept up to date
- kept for no longer than is necessary
- handled in a way that ensures appropriate security, including protection against unlawful or unauthorised processing, access, loss, destruction or damage
By law, data controllers have to keep to these principles. There is stronger legal protection for more sensitive information.
Why a Policy?
People who use our service have a right to know what happens to the information that they choose to share with us. Knowing that there is an agreed policy allows trust to develop. A written and agreed policy is required because people define confidentiality differently.
- Employees/volunteers will be aware that they cannot disclose information about service users that is known to be confidential without that service user’s consent.
- Employees/volunteers will ensure that a team approach to confidentiality is handled sensitively and that any discussion about service users is held in private and in focused form, not in public areas.
- Information will not be divulged to third parties without service user consent or, in exceptional cases, without prior discussion and authorisation from the CEO.
- Employees/volunteers need to know that any breaches of confidentiality outwith the ‘need to know’ basis will be dealt with under disciplinary procedures.
Please sign to indicate you have read, understood and agree to this Confidentiality, Personal Information and Data Protection policy.