Confidentiality policy

How we take responsibility for the confidentiality of person-identifiable data.

Published: 28 July 2022

Version: 2.0




The purpose of this Confidentiality Policy is to lay down the principles that must be observed by all who work within the NHS Counter Fraud Authority (NHSCFA) and have access to person-identifiable or confidential information (see Appendix D). All staff need to be aware of their responsibilities for safeguarding confidentiality and preserving information security.

All staff working in the NHS are bound by a legal duty of confidence to protect personal information they may come into contact with during the course of their employment. This is not just a requirement of their contractual responsibilities but also a requirement within the common law duty of confidence and data protection legislation in the UK - the General Data Protection Regulation (GDPR) and Data Protection Act 2018 (DPA 2018). Confidentiality is also a requirement within the NHS Care Record Guarantee, produced to assure patients regarding the use of their information.

It is important that NHSCFA protect and safeguard all person-identifiable information and confidential business information that it gathers, creates, processes and discloses; in order to comply with the law, relevant NHS mandatory requirements and to provide assurance to the public and its stakeholders. This policy sets out the requirements placed on all staff when sharing information within the NHS and between NHS and non-NHS organisations.

Person-identifiable information is anything that contains the means to identify a natural living person, e.g. name, address, postcode, date of birth or NHS number.

Confidential information within the NHS is commonly thought of as health information; however, it can also include information that is private and that is not public knowledge or information that an individual would not expect to be shared. It can take many forms including patient level health information, staff records, occupational health records, etc. It also includes NHSCFA confidential business information.

Information can relate to patients and staff (including temporary staff), however stored. Information may be held on paper, CD/DVD, USB stick, computer file or paper printout, electronic devices (laptops, tablets, mobile phones, digital cameras) or even by word of mouth. Confidential or personally identifiable information must not be stored on removable media unless it is appropriately encrypted. A summary of Confidentiality Do’s and Don’ts can be found at Appendix A.

The legal and NHS mandated frameworks for confidentiality which form the key guiding principles of this policy can be found at Appendix B. How to report a breach of this policy and what should be reported can be found at Appendix C. Definitions of the classes of confidential information can be found at Appendix D.


The Board and all staff without exception, are subject to the scope of this policy.

Roles and Responsibilities

The Chief Executive

The Chief Executive has overall responsibility for strategic and operational management, including ensuring NHSCFA policies comply with all legal, statutory and best practice guidance requirements.

The Caldicott Guardian

A senior person responsible for protecting the confidentiality of patient and service user information and enabling appropriate information sharing by providing advice to professionals and staff.

Senior Information Risk Owner (SIRO)

The SIRO signs off and takes accountability for risk-based decisions and reviews regarding the use, disclosure or processing of confidential data in the operating functions of NHSCFA.

Data Protection Officer (DPO)

Provides advice to the organisation and its employees on data protection issues which can include confidentiality issues which, where appropriate will be reviewed in collaboration with the Caldicott Guardian as appropriate to ensure the organisation's compliance with data protection legislation.


HR are responsible for ensuring that the contracts of all staff (permanent and temporary) are compliant with the requirements of the policy and that confidentiality is included in corporate inductions for all staff.

Senior Manager Team (SMT)

Are responsible for ensuring that the policy and its supporting standards and guidelines are built into local processes and that there is on-going compliance. They must ensure that any breaches of the policy are reported, investigated and acted upon via the Information Security Incident Reporting Process.

Corporate Governance Manager & Board Secretary

Has overall responsibility for ensuring the policy is kept up to date, providing advice on request to any member of staff on the issues covered within it, and ensuring that training is provided for all staff to further their understanding of the principles and their application.

Leadership Team (LT)

Are responsible for ensuring that there are agreed standard operating procedures (SOPs) in place, within their business areas and these are followed by staff.

All staff

Confidentiality is an obligation for all staff. Staff should note that they are bound by the Confidentiality: NHS Code of Practice 2003. There is generally a confidentiality clause in contracts of employment and it is mandatory to participate in induction, e-learning and awareness raising sessions carried out to inform and update staff on confidentiality issues.

Any deliberate breach of confidentiality, inappropriate use of health data, staff records or business sensitive/confidential information, or abuse of computer systems is a disciplinary offence, which could result in dismissal and must be reported to an appropriate line manager and via the NHSCFA Information Security Incident reporting process. Where a duty of confidence is broken or breached, civil legal action may be taken against those responsible in order to secure financial recompense.

Section 170 (1) of the Data Protection Act 2018 - Unlawful obtaining etc. of personal data, states it is an offence for a person knowingly or recklessly:

  1. to obtain or disclose personal data without the consent of the controller
  2. to procure the disclosure of personal data to another person without the consent of the controller, or
  3. after obtaining personal data, to retain it without the consent of the person who was the controller in relation to the personal data when it was obtained.

It is important to note that there may be situations where both the organisation and the individual concerned can be held liable.

Corporate Level Procedures


All staff must ensure that the following principles are adhered to:

  • Person-identifiable or confidential information must be effectively protected against improper disclosure when it is received, stored, transmitted or disposed of
  • Access to person-identifiable or confidential information must be on a needto-know basis
  • Use of person identifiable or confidential information must be limited to that purpose for which it was acquired
  • Recipients of disclosed information must be informed that it is given to them in confidence
  • Any decision taken to either disclose or without information, seek consent or rely on another justifiable ground, must be appropriately recorded and documented
  • Any concerns about disclosure of information must be discussed with either the Line Manager or the F & GC Information Governance Team.

NHSCFA is responsible for protecting all the information it holds and must always be able to justify any decision to share information. Person-identifiable information wherever appropriate, must be anonymised by removing as many identifiers as possible whilst not unduly compromising the utility of the data.

Access to offices and rooms where terminals are present, or person-identifiable or confidential information is stored must be controlled. Doors must be locked with keys, keypads or accessed by swipe card. In mixed office environments measures should be in place to prevent oversight of person-identifiable information by unauthorised parties.

All staff should clear their desks at the end of each day. In particular, they must keep all records containing person-identifiable or confidential information in recognised filing and storage places that can be locked. Unwanted printouts containing person-identifiable or confidential information must be put into confidential waste bins. Discs, removable media, tapes and printouts etc. containing personal data and/or confidential information must not be left lying around but be filed and locked away when not in use. NHSCFA’s contract of employment makes clear that every staff member is now personally liable to protect the confidentiality of the information they enter, process or encounter. Breaches of confidentiality could be regarded as gross misconduct and may result in serious disciplinary action up to and including dismissal or civil legal action.

Disclosing Personal/Confidential Information

To ensure that information is only shared with appropriate persons in appropriate circumstances, care must be taken to check that we have a legal basis for accessing and disclosing the information and the recipient has a legal basis for receiving it. It is important to consider how much confidential information is needed before disclosing it and only the minimal amount necessary to achieve the purpose should be disclosed.

Information can be disclosed:

  • When effectively anonymised in accordance with the Information Commissioner’s Office Anonymisation Code of Practice.
  • When the information is required by law or under a court order. In this situation staff must in the first instance notify the Information Governance (IG) team. The IG team will if necessary, consult the Caldicott Guardian before advising
  • In identifiable form, when it is required for a specific legal purpose, or with the data subject’s written consent
  • Where disclosure can be justified for another purpose, this is usually for the protection of the public and is likely to be in relation to the prevention and detection of serious crime. In this situation staff must in the first instance notify the IG team. The IG team will if necessary, consult the Caldicott Guardian before advising.
  • For any proposed routine disclosures of personal/confidential information, please consult the NHSCFA’s Information Sharing Agreements Policy

If staff have any concerns about disclosing information, they must in the first instance raise it with the IG team. The IG team will if necessary, consult the Caldicott Guardian before advising.

Care must be taken in transferring information to ensure that the method used is the most secure. Data sharing agreements provide a way to formalise arrangements between organisations. For further information on Information Sharing Agreements contact the IG team and/or see the Information Sharing Agreement Policy.

Staff must ensure that appropriate standards and safeguards are in place to protect against inappropriate disclosures of confidential personal data. When transferring patient information or other confidential information by email, methods that meet appropriate NHS encryption standards must be used.

Emails between NHS Mail accounts meet this requirement ( to Emails between NHS Mail and other secure government domains also meet this requirement (e.g.

Personally identifiable information and Official-Sensitive information CAN be sent in a standard email so long as the email is classified as ‘Official-Sensitive’ by the sender. Egress will automatically encrypt the entire email when sent to a non-approved recipient domain thereby negating the need to password-protect attachments.

Working Away from the Office Environment

There will be times when staff may need to work remotely, from another office location or whilst travelling. This means when doing so staff may need to carry NHSCFA information with them which could be confidential in nature e.g. on a laptop, USB stick or paper documents. Please refer to the organisation’s Mobile Working Policy.

The taking home/removal of physical documents that contain person-identifiable or confidential information from NHSCFA premises is discouraged unless considered absolutely necessary. To ensure the safety of confidential information, staff must always keep them on their person whilst travelling and ensure that they are kept in a secure place if they take them home or to another location. Confidential information must be safeguarded at all times and kept in lockable locations when not in use.

When working away from NHSCFA locations staff must ensure that their working practice continues to comply with the organisation’s policies and procedures. Any electronic removable media must be encrypted as per current practice. Staff must minimise the amount of person-identifiable information that is taken away from NHSCFA premises. If staff need to carry person-identifiable or confidential information they must ensure the following:

  • Any personal information is in a sealed non-transparent holder i.e. windowless envelope, suitable bag, etc. prior to being taken off NHSCFA premises.
  • Confidential information is kept out of sight whilst being transported and/or kept away from prying eyes whilst being worked on in transit.

If staff need to take person-identifiable or confidential information home, they have personal responsibility for ensuring the information is kept secure and confidential. This means that other members of their family, friends or colleagues must not be able to view the content or have any access to the information. It is particularly important that confidential information in any form is not left unattended at any time, for example in a vehicle where it could be viewed by a member of the public through a window.

Staff must NOT forward any person-identifiable or confidential information via email to personal e-mail accounts. Staff must not use or store person-identifiable or confidential information on privately-owned electronic devices.


All staff have a legal duty of confidence to keep person-identifiable or confidential information private and to ensure such information is not divulged accidentally. Staff may be held personally liable for a breach of confidence and must not:

  • Talk about person-identifiable or confidential information in public places or where they can be overheard
  • Leave any person-identifiable or confidential information lying around unattended, this includes telephone messages, printouts or other documents
  • Leave a computer terminal unattended and with screen unlocked when logged on to a system where person-identifiable or confidential information can be accessed

Steps must be taken to ensure physical safety and security of person-identifiable or confidential/sensitive business information held in physical format and on computers. Passwords must be kept secure and must not be disclosed to anyone. Staff must not use someone else’s password to gain access to information. Action of this kind will be viewed as a serious breach of confidentiality. If you allow another person to use your password to access the network, this constitutes a disciplinary offence and is gross misconduct which may result in your summary dismissal. This could also constitute an offence under the Computer Misuse Act 1990.

Abuse of Privilege

It is strictly forbidden for staff to knowingly browse, search for or look at any personal or confidential information about themselves without a legitimate purpose, unless it is through established self-service mechanisms where such access is permitted (e.g. viewing your ESR record). Under no circumstances should staff attempt to access records relating to family members, friends or other known persons without a legitimate purpose and it being undertaken by an independent third party. Action of this kind will be viewed as a breach of confidentiality and may be an offence under the Data Protection Act 2018. When dealing with person-identifiable or confidential information of any nature, staff must be aware of their personal responsibility, contractual obligations and undertake to abide by the policies and procedures of NHSCFA.

Confidentiality audits provide mechanisms that allow an organisation that processes person-identifiable or confidential information to test the processes it has in place to highlight actual or potential confidentiality breaches of their systems and the procedures to evaluate the effectiveness of their system controls. This function may be performed by external auditors or internally by the Governance and Assurance (G&A) team through a programme of agreed audits.

Distribution and Implementation

Distribution Plan

This document will be made available to all staff via the intranet site.

Training Plan

The Learning & Development Unit’s training programme for e-learning, incorporates a training needs analysis for all NHSCFA staff. Based on the findings of that analysis, appropriate training will be provided to staff as required.


Compliance with the policies and procedures laid down in this document will be monitored via the Finance & Corporate Governance (F & CG) Unit and may be subject to internal G & A audit or external audit.

The Information Governance Lead is responsible for the revision and updating of this document on at least a biennial basis or sooner where the need arises.

Associated Documents

The following documents will provide additional information:

  • Acceptable Use Policy
  • Records Management (Primary) Policy
  • GDPR Data Protection Act Policy
  • Information Governance Policy
  • Information Security Incident Reporting Policy
  • Information Sharing Agreement Policy
  • Mobile Working Policy
  • Information Security Policy
  • Source Protection Policy
  • SIT Dissemination Process Standard Operating Procedure
  • Information Breach Reporting Policy

Help us improve

Tell us what's happened so we can fix the problem. Please do not provide any personal, identifiable or sensitive information.


Thanks for the feedback!