{{org_field_logo}}
{{org_field_name}}
Registration Number: {{org_field_registration_no}}
Confidentiality and Information Sharing Policy
1. Purpose
The purpose of this policy is to explain how {{org_field_name}} protects confidential information and shares information lawfully, fairly, securely and only where there is a clear need to do so.
{{org_field_name}} is committed to complying with all applicable data protection, confidentiality, employment and safeguarding requirements relevant to a temporary staffing agency operating in England, including the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and other applicable legislation and guidance in force from time to time. Where relevant to the services provided, this policy also supports compliance with the Employment Agencies Act 1973, the Conduct of Employment Agencies and Employment Businesses Regulations 2003, safeguarding obligations, right to work requirements, equality obligations and lawful information sharing duties.
This policy applies to all personal data and confidential information processed by {{org_field_name}} in relation to applicants, candidates, temporary workers, employees, contractors, former staff, client organisations, client contacts, referees, complainants, witnesses and other individuals whose information {{org_field_name}} handles in the course of its business.
Where {{org_field_name}} supplies workers into health or social care environments, this policy also requires staff to have regard to sector-specific confidentiality expectations, including the Caldicott Principles where relevant to health and care information sharing. However, this policy does not assume that {{org_field_name}} is itself a regulated care provider unless expressly stated elsewhere in the organisation’s governance documents.
2. Scope
This policy applies to:
- all employees, directors, temporary workers, agency workers, contractors, consultants and any other person acting on behalf of {{org_field_name}};
- all personal data and confidential information processed by {{org_field_name}} in paper, electronic, verbal, visual or any other format;
- information relating to job applicants, candidates, temporary workers, employees, former workers, client organisations, client contacts, referees, next of kin and emergency contacts;
- special category data and criminal offence data processed for lawful recruitment, onboarding, payroll, compliance, safeguarding, right to work, occupational health, equality monitoring, complaints handling, incident management and business administration purposes; and
- information shared with client organisations, payroll providers, umbrella companies, occupational health providers, regulators, the police, local authorities, safeguarding bodies, courts, legal advisers, insurers and other third parties where there is a lawful basis to do so.
3. Principles of Confidentiality and Data Protection
{{org_field_name}} will process personal data and confidential information in accordance with the following principles:
- Lawfulness, fairness and transparency: personal data will only be processed where {{org_field_name}} has identified an appropriate lawful basis under Article 6 UK GDPR and, where special category data is processed, an additional condition under Article 9 UK GDPR and any relevant requirement under the Data Protection Act 2018. Privacy information will be provided to individuals in a clear and accessible way.
- Purpose limitation: information will only be used for specified, explicit and legitimate business purposes, including recruitment, supply of temporary workers, compliance, payroll, safeguarding, health and safety, complaints, investigations and legal or regulatory obligations.
- Data minimisation: only the minimum personal data necessary for the relevant purpose will be collected, used, shared or retained.
- Accuracy: records must be accurate, relevant and, where necessary, kept up to date.
- Storage limitation: information will not be kept for longer than necessary and will be retained and securely destroyed in accordance with {{org_field_name}}’s retention schedule and legal obligations.
- Integrity and confidentiality: appropriate technical and organisational measures will be used to protect information against unauthorised or unlawful processing, accidental loss, destruction or damage.
- Accountability: {{org_field_name}} will be able to demonstrate compliance through policies, training, contracts, record-keeping, access controls, incident reporting, audits and governance arrangements.
4. Types of Confidential Information
Confidential information processed by {{org_field_name}} may include, but is not limited to:
- identity and contact details;
- CVs, application forms, interview notes, references and qualifications;
- right to work records and immigration status check evidence;
- payroll, bank account, tax, National Insurance and pension information;
- availability, assignment history, timesheets, pay rates and holiday records;
- disciplinary, grievance, conduct, complaint and investigation records;
- special category data, including health information, disability information, equality monitoring data and occupational health information where lawfully required;
- criminal offence data, including DBS certificate information and barred list information where legally permitted and necessary for the role;
- safeguarding concerns, incident reports, whistleblowing reports and risk assessments;
- client contact details, booking information, contractual and commercial information; and
- any other information which is confidential by law, contract, professional duty or organisational classification.
5. Responsibilities
Directors and Senior Management: are responsible for ensuring that {{org_field_name}} has appropriate governance, resources, systems, contracts, training, supervision and assurance arrangements in place to comply with confidentiality and data protection requirements.
Data Protection Lead / Data Protection Officer: is responsible for oversight of data protection compliance, advice, breach handling and support with data subject rights.
Managers: must ensure that staff only access information on a strict need-to-know basis, follow this policy, escalate concerns promptly and maintain appropriate local controls.
Employees, Agency Workers and Contractors: must keep information confidential, follow all policies and training, use information only for authorised purposes, report incidents immediately and never access or disclose information without a legitimate business reason.
IT and Systems Administrators / Service Providers: must maintain appropriate security, access management, backup, resilience, monitoring and secure disposal arrangements for systems and devices used by {{org_field_name}}.
6. Information Sharing Guidelines
{{org_field_name}} will only share personal data or confidential information where there is a clear and documented lawful basis, where the sharing is necessary and proportionate, and where appropriate safeguards are in place.
Information may be shared, as appropriate, in the following circumstances:
- where sharing is necessary to take steps at the request of a candidate or worker before entering into a contract, or to perform a contract;
- where sharing is necessary for compliance with a legal obligation, including employment, tax, immigration, safeguarding, court, regulatory or law enforcement requirements;
- where sharing is necessary for the legitimate interests of {{org_field_name}} or a third party, provided those interests are not overridden by the rights and freedoms of the individual;
- where sharing is necessary to protect the vital interests of an individual or another person;
- where sharing is necessary for the establishment, exercise or defence of legal claims;
- where special category data is involved, only where an additional lawful condition applies, such as employment, social security and social protection law obligations, safeguarding, substantial public interest, occupational health, legal claims, or explicit consent where genuinely appropriate; and
- where criminal offence data is involved, only where processing is authorised by law and strictly necessary for a lawful purpose.
{{org_field_name}} will not rely on consent where another more appropriate lawful basis applies, particularly in employment or recruitment relationships where consent may not be freely given.
Before sharing information, staff must consider:
- what information is necessary;
- who needs to receive it;
- the lawful basis and, where relevant, special category or criminal offence condition;
- whether the disclosure is proportionate;
- whether the individual should be informed;
- whether there is any immediate safeguarding or serious harm issue; and
- how the decision and rationale will be recorded.
7. Lawful Bases and Conditions for Processing
Depending on the circumstances, {{org_field_name}} may rely on one or more of the following lawful bases under Article 6 UK GDPR: contract, legal obligation, legitimate interests, vital interests, consent, or another lawful basis permitted by law.
Where {{org_field_name}} processes special category data, it will identify an additional condition under Article 9 UK GDPR and, where required, a condition under Schedule 1 to the Data Protection Act 2018. These may include employment, social security and social protection obligations, occupational medicine or assessment of working capacity, safeguarding, substantial public interest, legal claims, or explicit consent where appropriate.
Where {{org_field_name}} processes criminal offence data, including DBS-related information, it will do so only where authorised by law, necessary for the relevant role, and handled with additional confidentiality and access controls.
8. Secure Handling of Information
{{org_field_name}} will implement appropriate technical and organisational measures to protect personal data and confidential information. These measures include, where appropriate:
- role-based access controls and least-privilege access;
- secure passwords, multi-factor authentication and prompt removal of access when no longer required;
- encryption of devices, portable media and electronic transmissions where appropriate;
- secure email practices, including verification of recipient details before sending confidential information;
- secure remote working arrangements and restrictions on downloading or storing information on personal devices unless authorised;
- secure storage of paper files in locked cabinets or controlled-access areas;
- confidential disposal of records through shredding or approved disposal arrangements;
- audit trails, monitoring and access reviews where appropriate;
- written contracts with processors and service providers handling personal data on behalf of {{org_field_name}}; and
- regular staff training, confidentiality agreements and incident reporting arrangements.
9. Data Subject Rights
Individuals whose personal data is processed by {{org_field_name}} have rights under data protection law, subject to legal exemptions and limitations. These rights may include the right to:
- be informed about how their data is used;
- request access to their personal data;
- request rectification of inaccurate or incomplete data;
- request erasure in certain circumstances;
- request restriction of processing in certain circumstances;
- object to processing in certain circumstances, including some processing based on legitimate interests;
- request data portability where the legal conditions for that right are met; and
- complain to the Information Commissioner’s Office if they believe their information rights have been infringed.
10. Personal Data Breaches and Reporting
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
All data breaches must be assessed promptly and recorded in the organisation’s breach log, whether or not they are reportable to the ICO.
Where a personal data breach is likely to result in a risk to the rights and freedoms of individuals, {{org_field_name}} will notify the ICO without undue delay and, where feasible, within 72 hours of becoming aware of the breach. Where the breach is likely to result in a high risk to the rights and freedoms of individuals, {{org_field_name}} will also inform affected individuals without undue delay unless a lawful exception applies.
{{org_field_name}} will investigate the cause of each breach, take remedial action, document lessons learned and, where necessary, update systems, controls, contracts or training.
11. Retention and Disposal
{{org_field_name}} will retain personal data and confidential information only for as long as necessary for the purpose for which it was collected, taking account of legal, regulatory, contractual, safeguarding, tax, employment, limitation and insurance requirements.
Retention periods will be set out in a separate retention schedule or records management procedure. At the end of the retention period, records will be securely deleted, anonymised or destroyed, unless there is a lawful reason to retain them for longer.
Staff must not keep duplicate, excessive or unofficial records outside approved systems.
12. Controller, Processor and Third-Party Sharing
{{org_field_name}} will identify whether it is acting as a controller, joint controller or processor in relation to each category of personal data it handles.
In most cases, {{org_field_name}} will act as controller for recruitment, compliance, onboarding, assignment management, payroll-related administration under its control, incident management and internal HR data.
Where {{org_field_name}} uses third-party processors, including software providers, payroll providers, document storage providers, communication platforms, occupational health providers or other service providers, it will ensure that appropriate written contracts and security measures are in place.
Where personal data is shared with client organisations, the parties will clarify their respective responsibilities and only share the information necessary for lawful recruitment, placement, supervision, payment, safeguarding, regulatory compliance or related legitimate business purposes.
13. Right to Work, DBS and Safeguarding Information
{{org_field_name}} will process right to work, DBS, safeguarding and related compliance information only where necessary and permitted by law.
Right to work checks will be completed in line with current Home Office requirements and recorded in a way that supports the organisation’s statutory excuse where applicable.
DBS certificate information, barred list information and other criminal offence data will only be requested, used, shared and retained where the role is eligible and the processing is lawful, necessary and proportionate. Access to such information will be strictly limited to authorised personnel.
Where safeguarding concerns arise, information may be shared without consent where necessary to protect a child, young person or adult at risk, or where otherwise justified by law. Such decisions must be documented clearly, including the reason for sharing, the recipient, the information shared and the lawful basis relied upon.
14. Disciplinary Actions for Breaches of Confidentiality
Failure to comply with this policy may result in disciplinary action, removal from duties or assignments, termination of engagement, referral to professional or regulatory bodies, reporting to clients, reporting to the ICO or other authorities and, where appropriate, civil or criminal action.
The action taken will depend on the seriousness of the breach, whether it was deliberate or negligent, the level of harm or risk caused, and any previous concerns regarding conduct or compliance.
15. Related Policies and Documents
This policy should be read together with, where applicable:
- Privacy Notice for Candidates and Workers
- Privacy Notice for Clients and Business Contacts
- Data Protection Policy
- Data Retention and Records Management Policy
- Data Subject Rights / Subject Access Request Procedure
- Personal Data Breach Procedure
- IT and Cyber Security Policy
- Recruitment and Compliance Policy
- Right to Work Checking Procedure
- DBS / Criminal Records Checking Procedure
- Safeguarding Policy
- Equality, Diversity and Inclusion Policy
- Whistleblowing Policy
- Key Information Document process and worker terms documentation
- Complaints Policy
16. Policy Review
This policy will be reviewed at least annually and sooner where required by changes in law, ICO guidance, Home Office guidance, case law, regulatory expectations, business operations or lessons learned from incidents, complaints, audits or investigations.
Responsible Person: {{org_field_registered_manager_first_name}} {{org_field_registered_manager_last_name}}
Reviewed on: {{last_update_date}}
Next Review Date: {{next_review_date}}
Copyright © {{current_year}} – {{org_field_name}}. All rights reserved.