This document outlines the procedures that should be followed where sensitive or person identifiable information is being transferred to or from the company. These procedures are in place to help prevent unauthorised access to information, loss of information, unauthorised disclosure of information or breach of legislation. These procedures apply to all staff working in the Company.
Maintaining Confidentiality of Data Received (Safe Havens)
The term safe haven is a term used to explain either a secure physical location or the agreed set of administrative arrangements that are in place within the Company to ensure confidential personal information is communicated safely and securely.
The LSUK Booking System, CRM, Email, Cloud Drive or Physical Filing Cabinet is this Company’s ‘safe-haven’ and is the location for people information to be securely stored, processed and or transferred. All forms or correspondence for example emails, faxes, post, containing client sensitive information should be dealt with securely.
A .When paper-based information is received it should be stored securely, as soon as practical, for example:
- Be careful where you site your computer screen: ensure any confidential information cannot be accidentally or deliberately seen by visitors or staff who do not have authorised access. Be especially careful with computer screens in the consultation area.
- Always keep your password confidential and do not write it down. Do not share passwords.
B .Computers should not be left on view or accessible to unauthorised staff:
- Password protected screensavers should be used where possible.
- Laptop computers should be locked up when not in use.
C. Ensure that confidential conversations are held where they cannot be overheard by members of the public. Ensure that sensitive issues are only discussed in the consultation area.
Only Transferring Data where Appropriate
A .The personal information contained in transfers should be limited to those details necessary in order for the recipient to carry out their role.
B .Before transferring data, consider whether there are any client consent requirements that must be met before the transfer is made:
- A record of consent should be maintained (where required) on the relevant form where available
- A client has the right to choose whether or not to agree to the use or disclosure of their personal information and the client has the right to change their decision about a disclosure before it is made. If the client indicates refusal to consent.
- Only staff authorised by the director should have responsibility for obtaining consent.
- If the client has detailed questions about consent, they should be referred to the Director.
- If circumstances change, relevant to the sharing of consent, for example if there is a change of recipient, consent should be reaffirmed.
Securely Transferring Data
Consideration needs to be given to the mode of transfer and whether any specific controls are required to maintain the confidentiality of the data e.g. encryption on electronic transfers.
A .Verbal Communication
- Be careful about leaving confidential messages on answer-phones. It might not be heard only by the intended recipient.
- Be careful when taking messages off answer-phones. Ensure that the messages cannot be overheard inappropriately when being played back.
- When receiving calls requesting personal information: a) verify the identity of the caller, for example, where this is not a known contact, this can be done by taking the relevant phone number, double checking that it is the correct number for that individual / organisation and then calling the recipient back b) ask for the reason for the request, c) if in doubt about whether the information can be disclosed, tell the caller you will call them back, and then consult with your manager.
- Where information is transferred by phone, or face to face, care should be taken to ensure that personal details are not overheard by other people, including staff who do not have a “need to know”. Where possible, such discussions should take place in private locations and not in public areas, for example staff room.
- Messages containing confidential / sensitive information should not be left on notice boards that could be accessed by non-authorised staff.
- Ensure envelopes are marked “Private & Confidential”
- Double check the full postal address of the recipient.
- Carefully consider the method for sending confidential information based on risk of loss.
- When necessary, ask the recipient to confirm receipt.
- If faxing personal or confidential information: a) double check the fax number, b) ensure that you mark the fax header “Private & Confidential”. Always identify a named person, not a team, who needs to receive the fax.
- If faxing personal information to an organisation that doesn’t have a ‘safe haven’ fax machine where information can be received securely, take extra precautions for example, let the recipient know when the fax will be sent, ask them to wait by the fax machine and confirm receipt. Most faxes will allow ‘report’ sheets to be generated which also confirm the transmission was okay.
- If a particular fax number is going to be used regularly, store the number in the fax machines memory where possible to reduce the risk of typing errors.
- Don’t send faxes to an organisation outside of their working hours where there is no-one present to receive.
D. Communication by email
- Transfer of personal information by email should be avoided other than company official email addresses.
- If client identifiable information must be sent other than company's email address, then that conversation must be encrypted.
- The email header should make it clear that the information contains confidential information
Other Forms of Information Exchange (e.g. text messages, e-mail, IP phones etc)
All types of text messages via mobile phones, or social media accounts (Facebook, Twitter, WhatsApp and Viber shall be processed / recorded securely. All information (after being securely saved in the safe folders) needs to deleted from open access devices.