Confidentiality and data protection

Confidentiality must be maintained as far as possible in all aspects of the procedure for raising concerns.  Staff need to know that their identity will not be shared with anyone other than the people they have agreed can know it, unless the law says that it can or must be.  The name of the person raising the concern must not be routinely or automatically shared at any point, either during the investigation or afterwards.  There are, however, times when information about the person raising a concern will become clear to others, or when it will be necessary to share this information in order to put things right or continue with an investigation.

It is important that all aspects of confidentiality are discussed when the person first raises the concern, as not doing so may lead to the organisation breaking data-protection law.  The person should be given clear information by the person that is applying the Standards and processing their personal data (or personal information) about what might or will happen to their data and about the lawful basis for processing it.

The discussion should include:

  • recording the concern, and who will have access to this information
  • who the concern will be shared with and why
  • who the person raising the concern is happy for their identity to be shared with, and in what circumstances
  • who else might need to know their identity and why
  • if there is a high risk that their identity could become clear to others, are there ways of reducing that risk 
  • what action could be taken to limit the number of people who are made aware of the concern, while still taking appropriate action.

It is important that all of the issues raised in the investigation are treated confidentially unless there is a lawful basis or requirement for sharing information with others. 

To protect the identity of the person raising the concern, managers and clinical leads should look for ways to investigate the concern without making others suspicious.  For example, making the investigation appear like carrying out business as usual or a random spot check. 

There is more information available under Governance: Reporting and recording, on the organisation’s responsibilities in relation to data protection and information sharing.  

Next: Anonymity and unnamed concerns >>

Related reading

Updated: July 20, 2021