What is confidential information?
Confidential information is non-public information disclosed or made available to a receiving party, directly or indirectly, through any means of communication or observation, with the expectation that it will not be passed on further.
Examples of confidential information are:
- Medical information.
- Names, dates of birth, addresses and contact details (of staff, clients, patients, pupils and so on).
- Personal bank details and credit card information.
- Images of staff, pupils or clients that confirm their identity and can be linked to additional personal information.
- National Insurance numbers.
- Payroll numbers.
- Exam results.
- Business and marketing plans.
- Information received from third parties.
- Company initiatives.
- Customers’ information and lists.
- Company financial accounts information.
- Information relating to intellectual property, invention or patent.
- Research data.
- Passwords and related IT information.
Why is confidentiality important?
Confidentiality is important because:
- It builds trust.
- It promotes confidence (in the healthcare system, in the school system, in the workplace and so on).
- It prevents misuse of confidential information, whether illegal (e.g. fraud or identity theft) or unethical.
- It protects reputation.
- Employment may depend on it (e.g. where a non-disclosure agreement is a condition of employment).
- It ensures compliance with the law.
What is confidentiality in health and social care?
In the health and social care sector, confidentiality refers to the duty to protect personal information about patients and service users and to restrict who has access to it.
Patients should be told what their information is being used for and who has access to it, and they should consent to it being used in that way. A health system with strong privacy safeguards promotes public confidence in healthcare services.
A good example can be found on the National Health Service (NHS England) website, which has a dedicated page outlining how confidential patient information is used.
The Health and Social Care Information Centre (later known as NHS Digital, and since 2023 part of NHS England) produced a professional guide to confidentiality in health and social care.
The guide is focused on five main confidentiality rules:
1. Confidential information about service users or patients should be treated confidentially and respectfully.
2. Members of a care team should share confidential information when it is needed for the safe and effective care of an individual.
3. Information that is shared for the benefit of the community should be anonymised.
4. An individual’s right to object to the sharing of confidential information about them should be respected.
5. Organisations should put policies, procedures and systems in place to ensure confidentiality rules are followed.
There is also legislation on confidentiality in the health and social care sector which sets out rules on how patient information must be treated and identifies when it can lawfully be disclosed (for example, where there is a safeguarding concern).
The main pieces of legislation related to confidentiality in health and social care are:
- The Human Rights Act 1998.
- The Care Act 2014.
- The Data Protection Act 2018.
- The common law duty of confidentiality.
In the United Kingdom, information about an individual’s Human Immunodeficiency Virus (HIV) status is kept confidential within the National Health Service. This is established by law, by the National Health Service Constitution and by key National Health Service rules and procedures.
What is patient confidentiality?
It is important to clarify that confidentiality in health and social care is not limited to medical records and personal data.
Under the principle of patient confidentiality, a doctor or other medical practitioner must not reveal anything a patient tells them during a consultation or treatment, for as long as that information remains capable of identifying the individual it relates to, unless the patient consents or another lawful basis for disclosure applies.
Patient confidentiality is necessary for building trust between patients and medical professionals.
Patients disclose private and confidential information to their doctor or medical practitioner so that they can be treated, and they are more likely to do so if they trust that person.
With fuller information, doctors can make better-informed decisions that lead to better health outcomes.
Conversely, if patients were not guaranteed confidentiality they would be reluctant to disclose certain information for fear of judgement or of their treatment being affected.
What is confidentiality in schools?
Confidentiality of pupil information protects pupils and their families from the unwanted disclosure of personal information.
Schools play a key role in creating a safe environment in which children feel valued and that they belong. If disclosed, some information about children and families could lead to discrimination or, in some cases, compromise the safety of pupils or their families.
A system with strong confidentiality measures promotes positive emotional wellbeing, trust and respect and generates public confidence in the education system.
This makes it possible for children to open up about their problems and for schools to support them in a safe and non-stigmatised way.
This is not just best practice. Schools must comply with the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018, which require them to protect personal information and impose stricter conditions on “special category data” (such as health, ethnicity or religious belief).
You can learn more about data protection in schools in our knowledge base.
What is considered confidential information in the workplace?
Workplace confidentiality refers to any confidential information about the business or its employees that the company or its staff have access to in the course of their employment.
Personal and sensitive data
When employing a member of staff, the employer must comply with UK privacy and confidentiality law.
The Data Protection Act 2018, together with the UK GDPR, sets out how personal data must be handled:
- Personal data may only be used for fair and lawful purposes that are clear and specific.
- Only personal data that is adequate, relevant and necessary for those purposes should be collected.
- Personal data should be kept only for as long as it is necessary.
- Personal data should be kept accurate and up to date, and stored securely.
There are stricter rules for handling “special category data” such as ethnicity, race, religious beliefs, health and biometric data.
The law also gives people the right to know:
- What information is stored about them.
- How it’s being used.
- How to access their own personal data.
The Chartered Institute of Personnel and Development (CIPD) has outlined guidance on data protection law in the UK, covering employers’ obligations and individual rights to access the information.
Confidential information about the company and trade secrets
Companies often ask their employees (or contractors and professionals hired for specific projects) to sign a non-disclosure agreement at the beginning of their employment to prevent them from sharing business secrets and sensitive information with the public or with competitors.
This information often includes secret formulas, processes and methods used in production that give the company an advantage over competitors who do not know them.
Signing is often not optional but a condition of employment (or of being engaged to work) with that company.
Allowing even one employee (or contractor or professional) to refuse to sign and still take up the role would make it harder for the company to show that it takes reasonable steps to keep the information secret, which is a precondition for protecting it as a trade secret.
A non-disclosure agreement is a legal contract that restricts the use of ideas and information to a specific permitted purpose for a specific period of time, after which the confidentiality obligation ends.
It is common to limit the non-disclosure agreement to three to five years, but some information could be kept confidential without a time limit. Examples are non-patentable know-how, secret recipes (e.g. Coca-Cola), lists of customers or personal information about individuals involved in a project.
Non-disclosure agreements and confidentiality agreements are terms that are often used interchangeably, but a common distinction is drawn between them.
On that view, a non-disclosure agreement is used when the obligation to keep information secret is one-sided, while a confidentiality agreement is used when multiple parties must keep each other’s “secrets” confidential.
A strong system of reciprocal confidentiality between a company and its employees (or contractors and professionals) builds trustworthy working relationships underpinned by mutual respect.
What is considered confidential and proprietary information?
Confidential information refers to information that is meant to be kept secret within a certain circle of people and not intended to be made public.
Proprietary information is information that an organisation owns, in the sense of holding proprietary rights over it.
All trade secrets (secret formulas, processes and methods used in production that give the company owning them an advantage over competitors who do not know them) and all confidential information are proprietary information. Proprietary information may also include intellectual property such as copyrighted material and patents, which are not necessarily kept secret.
It is important for employers to develop and implement confidential and proprietary information policies. In the course of their employment, employees will inevitably have access to their employer’s confidential and proprietary information, as well as to confidential information (including personal data) about customers, clients, suppliers, partners or colleagues.
A policy should establish some ground rules on how to handle this information as well as the consequences for unauthorised disclosure or use of confidential information.
What is a confidentiality policy?
Confidentiality policies are needed to:
- Ensure employees, clients and users understand how their own personal data is being used and who has access to it.
- Clarify how employees should handle confidential information which is disclosed to them during the course of their employment.
Failure to protect and secure confidential information may not only lead to the loss of business or clients; it also exposes that information to being used for illegal or unethical purposes.
A confidentiality policy should include:
- The scope: organisations set out confidentiality policies mainly to comply with the law (e.g. personal data protection and patient confidentiality) and to protect their competitive advantage.
- What is considered confidential information: depending on the organisation, this could include bank details, patients’ test results, pupils’ exam results, payroll numbers, secret formulas, client lists and contacts, passwords and so on.
- Confidentiality measures in place: how personal data is handled and how workers should handle personal information disclosed to them. Examples include locking away or otherwise securing confidential information at all times, putting non-disclosure agreements in place, and securely destroying confidential documents once they are no longer needed.
- Exceptions: when confidential information can be disclosed for legitimate reasons (e.g. in case of a safeguarding concern, if it is required by the law or for public safety) and what procedure should be followed on these occasions.
- What a breach of confidentiality is and how to report it.
- Disciplinary consequences for breach of confidentiality policy: disciplinary action, dismissal and potentially legal action.
A good example of a confidentiality policy is the one published by the National Health Service (NHS England), which sets out the principles that must be observed by everyone who works within the organisation and has access to person-identifiable or confidential information.
What is a breach of confidentiality?
A breach of confidentiality occurs when private information is disclosed to a third party without the consent of the person it relates to or of its owner.
A breach of confidentiality can result in:
- Court cases.
- High costs: fines and loss of trade.
- Tarnished reputation.
Some examples of breach of confidentiality are:
- Sending an email containing sensitive information to the wrong address.
- Leaving a document containing someone’s personal data on a photocopier.
- Throwing a document containing confidential information in general waste instead of shredding it.
It can happen accidentally to anyone.
Protecting confidential information is essential for maintaining trust and ongoing business with clients.
British Airways was fined £20m by the Information Commissioner’s Office for a data breach which affected more than 400,000 customers. The breach took place in 2018 and exposed both personal and payment card data.
Compensation awarded for data protection breaches is reported to range from about £1,000 to £42,900 depending on the nature of the data and the harm caused; where the breach has caused distress, the claimant can also claim compensation for that.
Breaching confidentiality in healthcare, in the legal profession or in matters of state security is particularly serious: it can give rise to a civil claim for breach of confidence under the common law and, in matters of state security, may also be a criminal offence.
There are exceptions as to when confidential information can be disclosed for legitimate reasons. It is very important that these exceptions are outlined in detail in confidentiality agreements, confidentiality policies and non-disclosure agreements, together with the procedure to follow on these occasions.
Cyber data breach
A cyber data breach occurs when someone without authorisation attacks an organisation’s computer systems or networks and gains access to its data and confidential information.
According to the Cost of a Data Breach report published by the International Business Machines Corporation (IBM) in July 2021, the cost of a data breach hit a record high during the pandemic. Cyber criminals were quick to turn the pandemic to their advantage.
The global study found that data breaches became more costly and harder to contain, with average costs rising by 10% compared to the previous year.
The study attributed the increase to:
- Drastic operational shifts in some industries (healthcare, retail, hospitality and consumer manufacturing /distribution).
- Remote working. According to the study, breaches in which remote working was a factor were more expensive. Likely contributors are that everyday behaviour is less closely supervised and that basic habits, such as locking a laptop when walking away from it, lapse.
Compromised credentials were the most common initial cause of breaches, according to the study, and customers’ personal data was the most common type of information exposed.
The adoption of security artificial intelligence, security analytics and encryption were the top three factors shown to reduce the cost of a breach. A “zero trust” approach and mature cloud migration also helped to reduce and contain costs.
Data breaches in healthcare were the most expensive by industry, followed by the financial sector and pharmaceuticals.
Retail, media, hospitality and the public sector experienced a large increase in costs compared to the previous year.
According to a global survey carried out in 2020 by PricewaterhouseCoopers (PwC), 28% of the consumers interviewed said their trust in the technology used by companies had been falling, and 60% expected to suffer a data breach.
These reports clearly show that there is some way to go in providing better data protection, all the while attackers are devising new ways to break in.