Data protection and confidentiality policy

Data protection

The above policy assists the organisation to meet the requirements of the Data Protection Act 1998. BME United Limited has ‘notified’ the Information Commissioner. BME United Limited has adopted the Data Protection Principles produced by the Information Commissioner.

The Act embraces all information whether stored in a manual or computerised database. It requires “appropriate” measures to be taken to ensure the security of information held. In practice, this means that manual lists should be locked in a desk/drawer when not in use. Computerised lists should not be stored on a hard disk or any back-up equipment and floppy disks should be locked away when not in use.

Key points are that:-

  • Data should only be collected and stored with the knowledge and permission of the data subject
  • The data should only be used for the purpose it was originally collected
  • It should only contain the information necessary for the purpose it was originally collected
  • It should be accurate
  • It should only be kept for as long as is necessary for the purpose for which it was collected
  • The data subject has the right to see any information held about them, however stored.

Security of Information

Hard copy of confidential information such as staff personnel files are kept in a locked filing cabinet and access is restricted to the Chief Executive and the Chief Executive’s Personal Assistant.

In the event of the absence of the Chief Officer, access may be delegated to another senior member of staff. Hard copy of payroll records are kept in the Finance Officer’s office, which is normally kept locked when not in use.

Information stored electronically which includes:-

  • Payroll information for staff and other organisations
  • Accounts and book-keeping records
  • Membership list

Is stored on computers with coded password access only. Only those officers who need access to the databases will be given the password. Information stored on floppy disks will be stored in locked drawers when not in use.

Out of office hours the building is secured with internal and external doors being locked and there is an intruder alarm system.

Should staff become aware that there has been a breach of security, an investigation into the cause and scale of the breach will be carried out and measures identified and introduced to ensure that there is no recurrence.


BME United Limited’s Confidentiality Policy is consistent with our commitment to the development and implementation of the Equal Opportunities Policy of the organisation.

BME United Limited is committed to maintaining high standards of confidentiality in all aspects of its work. This includes records and information pertaining to the Group’s staff, volunteers, Trustees and service users. Breaches of confidentiality will be consequently subject to disciplinary proceedings.


In all but defined cases (e.g. disciplinary procedures) the ultimate reference point for deciding who should be informed of confidential information is the individual or organisation to whom it pertains.

It is important, however, that where consent is given it is informed consent. For this to be the case it is necessary to share with the person concerned why there is a need to share information, with whom and with what likely consequences. Once consent has been obtained, it is the responsibility of the person passing on the information to ensure that disclosure only takes place on the terms agreed.

Disclosure of confidential information may require written authorisation. In very exceptional circumstances it may be necessary to break confidentiality. These are:

  1. When there is a danger to self or others;
  2. When not to do so would be breaking the law.


It is essential that all people involved with the Organisation are made aware of the need and reasons for maintaining confidentiality. Training will be given to ensure an understanding of the procedures for staff, volunteers and Board Members.

Breaches of confidentiality

Any breaches of confidentiality will be seen as a serious issue. Any breach by a member of staff will be discussed at a Board meeting.

The Board will decide what action, if any, needs to be taken within the terms of the disciplinary procedure. Any breach by a Board Member or volunteer will be discussed at a Board meeting and the Board will decide if the person should continue in their position and remain in the organisation.

Breaches of confidentiality by staff will normally be treated as gross misconduct, and all instances will be thoroughly investigated and dealt with accordingly as set out in the disciplinary procedure.

Any member of staff (including volunteers) who feels information has been shared inappropriately or that confidentiality has been broken should take the matter up with their Line Manager. If still dissatisfied, they should invoke the grievance procedure.

The BME United Ltd Advice Service recognises that occasions may arise where the individual advisers feel the need to breach confidentiality. These would be: - when there is a danger to the client or to others - when not doing so would be breaking the law, e.g. under the Prevention of Terrorism Act - when the BME United Ltd Advice Service discovers that it is advising both parties to a dispute and needs to disclose the fact in order to avoid a conflict of interest.

The BME United Ltd Advice Service understands that any breach of confidentiality may damage the reputation of its services and therefore has to be treated with the most serious of approaches.

On occasions where an adviser feels that confidentiality should be breached, the following steps should be taken.

- The adviser should raise the matter immediately with the Senior Caseworker or BME United Ltd’s Chief Executive Officer.

- They must discuss the issues involved and explain why confidentiality should be breached and what would be achieved by breaching confidentiality.

- A written note should be made of the discussion and kept with the case file.

- A full written report should be made by the Senior Caseworker or Chief Executive Officer in discussing the case with the Board, it should be ensured that confidentiality is not breached in doing so.

If there is an immediate threat to the safety of the client or others and it is not possible to consult the Senior Caseworker or Chief Executive Officer, then all those involved in the above procedure should be notified as soon as possible.

Any complaints arising from a breach of confidentiality shall be dealt with through the BME United Ltd’s complaints procedure.

Review of Policy

This policy will be reviewed annually. The Chief Executive Officer is responsible for ensuring that the review takes place, although the work may be delegated to another adviser. The reviewer will ensure that the policy meets statutory and legal requirements including the Data Protection Act, Children’s Act, Rehabilitation of Offenders Act and Prevention of Terrorism Act.

Records and Files Covered by the Policy

This policy covers all records and information held by the Organisation concerning staff, volunteers, Board/Management Committee and Service Users.

Board Members

New Board Member will be sent a copy of the Confidentiality Policy and asked to take responsibility for implementing it in relation to papers and information discussed at all Organisation’s meetings.

All committee and sub-committee papers will be considered confidential and marked ‘Private and Confidential’.

When recruiting new Board Member, application forms are kept confidential to the Organisation. Any information about an applicant, whether contained in the application form or revealed in an interview, is not to be discussed outside of the Organisation.


Staff should never divulge a colleague’s personal circumstances to anyone without the permission of the individual concerned.

When recruiting new staff, application forms are kept confidential to the Organisation. Any information about an applicant, whether contained in the application form or revealed in an interview, is not to be discussed outside of the Organisation.

Photocopies of an application form may be made for short-listing purposes. The only people to have access to the copies are those sitting on the short-listing panel. Once short-4

listing is over, photocopies must be destroyed and originals kept in a secure place for three months (in case of an appeal).

BME United Limited will keep a file on each member of staff containing a record of all papers relating to the staff’s employment at the Organisation. The Chief Executive Officer and the individual staff member may have access to his or her file, which will be kept in a secure cabinet. The Management Board have the right to see the personnel files on request.

Where the Chief Executive Officer believes that disclosure of information is absolutely necessary, although against the wishes of the member of staff, the Chief Executive Officer must first consult the Chair and one other Board Member before any further action can be taken.

The organisation is committed and fully complies with the General Data Protection Regulation (GDPR) legislation where vast quantity of personal data is collected in a variety of ways. Also adheres to the set of rules on data handling and processing for the digital age to enhance the protection of EU citizens’ personal data, and increasing the obligations of the organisation to deal with that data in transparent and secure ways.

All staff will be given a copy of the Confidentiality and Data Protection Policy as part of their induction during which the implications of the policy for their work will be explained.

M. Nazir - CEO

January 2020