Confidentiality and Data sharing Policy

Version: 1.0

Effective Date: 13 March 2026

Review Date: 13 March 2027

Approved by: [Director/Board]

1. Purpose

The purpose of this policy is to ensure that all information relating to young people, staff, volunteers, and partner organisations is handled in a lawful, ethical, and secure manner.

The policy establishes clear expectations for confidentiality and responsible data sharing, ensuring that:

  • Personal information is treated with respect and handled sensitively
  • Confidential information is only accessed by authorised individuals
  • Data is shared appropriately to support service delivery and safeguarding
  • Legal and regulatory requirements are met, including UK GDPR and safeguarding legislation

This policy supports the organisation’s commitment to protecting the privacy, dignity, and wellbeing of young people while ensuring that information can be shared appropriately to protect individuals from harm and support effective partnership working.

2. Scope

This policy applies to all individuals working with or on behalf of the organisation, including:

  • Permanent employees
  • Fixed-term employees
  • Contractors and consultants
  • Volunteers
  • Trustees / Directors
  • Interns, apprentices, and trainees
  • Partner organisations handling shared information

The policy applies to all information relating to:

  • Young people participating in programmes or services
  • Parents, carers, and families
  • Staff and volunteers
  • Partner agencies and stakeholders

It covers all formats of information, including paper records, digital records, email communications, case notes, safeguarding records, and monitoring data.

3. Legal Framework

The organisation processes personal information in accordance with relevant UK legislation and guidance, including:

  • UK General Data Protection Regulation (UK GDPR)
  • Data Protection Act 2018
  • Children Act 1989 and 2004
  • Safeguarding Vulnerable Groups Act 2006
  • Working Together to Safeguard Children (statutory guidance)
  • Human Rights Act 1998

4. Definitions

Confidential Information:

Any information that is not publicly available and relates to identifiable individuals or sensitive organisational matters.

Personal Data:

Information that identifies or could identify a living individual.

Special Category Data:

Sensitive personal data such as health information, ethnicity, disability, or safeguarding concerns.

Data Sharing:

The disclosure of information from one organisation or individual to another for a specific purpose.

Safeguarding:

Protecting children and young people from abuse, neglect, exploitation, or harm and promoting their welfare.

5. Principles of Confidentiality and Data Sharing

The organisation operates according to the following principles:

  • Respect for Privacy – personal information will be treated with dignity and sensitivity.
  • Need-to-Know Basis – information will only be accessed by those who require it to perform their role.
  • Lawful Processing – data will only be collected and processed where there is a legal basis.
  • Transparency – young people and families will be informed how their data may be used.
  • Data Minimisation – only the necessary information will be collected or shared.
  • Safeguarding Priority – confidentiality cannot be maintained where there is risk of harm.

6. Responsibilities

Directors / Board

  • Approve and review this policy
  • Ensure compliance with legislation
  • Provide governance oversight

Project Managers / Program Leads

  • Ensure staff understand confidentiality procedures
  • Monitor information handling within projects

Safeguarding Lead / Data Protection Lead

  • Provide guidance on confidentiality decisions
  • Manage safeguarding disclosures

Staff and Volunteers

  • Handle information responsibly and securely
  • Maintain confidentiality
  • Report concerns about misuse of data

7. Confidentiality with Young People

Staff must explain confidentiality clearly to young people at the start of engagement.

Young people should understand:

  • What information will be recorded
  • How their information will be used
  • Who may access it
  • When confidentiality may need to be broken

Confidentiality cannot be guaranteed where:

  • A young person is at risk of harm
  • Another person is at risk of harm
  • There is a safeguarding concern
  • There is a legal obligation to share information

Staff must never promise absolute confidentiality to a young person, as information may need to be shared with safeguarding professionals to protect them or others from harm.

8. Data Sharing

Information may be shared with other organisations when necessary to:

  • Safeguard a young person
  • Provide support services
  • Meet legal obligations
  • Prevent or detect serious crime

Possible partners include schools, youth services, local authorities, health services, social care, and police.

Only relevant information will be shared and only the minimum necessary data disclosed.

9. Secure Storage and Handling of Information

Paper Records

  • Stored in locked cabinets
  • Accessible only to authorised personnel
  • Digital Records
  • Stored on password-protected systems
  • Access restricted based on role
  • Protected through appropriate cybersecurity measures

Safeguarding records should be stored separately from general records where appropriate.

10. Record Keeping

The organisation will maintain appropriate records relating to engagement with young people participating in programmes or services.

Records may include:

  • Attendance registers or participation logs
  • Case notes relating to mentoring or support conversations
  • Safeguarding concerns or disclosures
  • Incident or welfare reports
  • Referrals to external services

Not every informal interaction requires a formal record. However, any interaction involving support, advice, safeguarding concerns, welfare issues, referrals, or agreed follow-up actions must be recorded.

Where records are made, they should include:

  • Date and time of interaction
  • Name of the young person (or ID reference where used)
  • Name of the staff member recording the interaction
  • Factual summary of the conversation or event
  • Any actions taken or agreed
  • Any safeguarding concerns raised

Records must:

  • Be accurate and factual
  • Avoid personal opinion or speculation
  • Be dated and attributed to the staff member making the record
  • Be stored securely in line with data protection requirements

Safeguarding records must be shared with the Designated Safeguarding Lead and stored securely.

11. Data Breaches

A data breach may occur if personal information is lost, accessed by unauthorised individuals, shared incorrectly, or destroyed improperly.

Any suspected breach must be reported immediately to the Project Manager or Data Protection Lead.

The organisation will investigate breaches and report them to the Information Commissioner’s Office (ICO) where legally required.

12. Training and Awareness

All staff and volunteers will receive training on confidentiality, data protection responsibilities, safeguarding procedures, and secure handling of information.

13. Monitoring and Review

Compliance with this policy will be monitored to ensure effective safeguarding, secure data management, and adherence to legal requirements.

The policy will be reviewed annually or when legislation or organisational practices change.

14. Breaches

Failure to follow this policy may result in investigation, disciplinary action, or termination of contracts where appropriate.

15. Version Control

Version: 1.0

Date: 13 March

Change: Initial draft

Author: Mel Dorlin

Approved By: [Director/Board]