Purpose of policy:
The purpose of this policy is to enable the UK Research Integrity Office (UKRIO) to:
- protect the users of UKRIO’s services, in particular those using our Advisory Service;
- protect UKRIO’s staff, volunteers, other individuals and subscribers; and
- protect the organisation from the consequences of a breach of its responsibilities.
A PDF version of this policy is available at: http://ukrio.org/wp-content/uploads/UKRIO-Confidentiality-policy-May-2018.pdf
What information is confidential?
In general terms, confidentiality applies to:
- Information about other organisations, since Data Protection and GDPR only applies to information about individuals.
- Information which is not recorded, either on paper or electronically.
- Information held on paper, but in a sufficiently unstructured way that it does not meet the definition of a ‘relevant filing system’ in the Data Protection Act.
- Information about UKRIO that is not publicly available. For example, its plans or finances.
- Information about the use of UKRIO’s services. In particular, this includes information relating to the use of UKRIO’s Advisory Service. The additional confidentiality provisions relating to the Advisory Service are given below.
Exceptions to information about the use of UKRIO’s services would be:
- Any anonymised, aggregate data which we may publish to illustrate the work of UKRIO. However, such information would not identify any individuals or organisations.
- Any case studies which we may publish as training or educational material. Case studies will always be anonymised and published with the permission of the service user(s) who brought the matter to our attention.
- Note that UKRIO also creates fictional scenarios for educational and training purposes. These illustrative ‘case study’ scenarios draw upon UKRIO’s experiences in assisting with issues of research integrity but are not based on any particular real-life situation. No individuals or organisations are named in these scenarios.
How is confidential information stored?
Who has access to confidential information?
UKRIO is a small charity. It has minimal staff and a small group of volunteers. Access to confidential information is based on whether that information is relevant to a person’s work. In addition, regardless of whether a person can access confidential information or not, that information must always be stored and communicated in a secure fashion: right to access information does not obviate security requirements.
In general terms, UKRIO staff and volunteers have access to confidential information as follows:
- The Board of Trustees directs and oversees the strategy and programme of work of UKRIO. It also has responsibility for matters of organisational administration and the management of the Office team. The Trustees include the Chair and two Vice-Chairs of UKRIO.
Accordingly, the Board of Trustees may access whatever confidential information it needs to discharge its responsibilities. This includes, but is not limited to, detailed information about UKRIO’s finances, matters relating to the employment and management of staff, matters relating to the recruitment and management of volunteers, strategic and operational plans, and the operation and use of UKRIO’s services.
Trustees have access to information relating to UKRIO’s Advisory Service as necessary. Information relating to specific enquiries will normally be anonymised but Trustees can access unanonymised data if required.
- The Advisory Board consists of the Trustees of UKRIO and other Members selected for their expertise in research integrity and related issues, as well as independent and lay Members. Its function is to advise on, and oversee, the strategy and programme of work of UKRIO. Formal decisions are taken by the Board of Trustees, since the Advisory Board has no formal authority over the charity, but are made after advice from the Advisory Board and reported to them. The Advisory Board includes Members from the research community as well as independent and lay members. Collectively the Advisory Board possesses significant expertise in the promotion of research integrity and in addressing poor practice and misconduct. Advisory Board Members hold no legal responsibility for the organisation.
Members of the Advisory Board have a broadly similar level of access to the Trustees but generally see less detailed information. For example, they would receive summary financial data rather than detailed accounts.
As Members do not have a role in the management of staff or volunteers, they would not normally have access to confidential information relating to the employment and management of staff or to the recruitment and management of volunteers. Members assisting in the recruitment of staff or volunteers would be given appropriate access as necessary.
- The Register of Advisers provides an expert resource which UKRIO draws upon when responding to enquiries on issues of research conduct. Recognising their broad experience in research matters, Advisers also give feedback on the wider work of UKRIO on request and are given the opportunity to contribute to other elements of the programme of work. Advisers hold no legal responsibility for the organisation. Some Advisers are also Trustees and/or Members of the Advisory Board.
The main role of Advisers is to assist UKRIO in formulating responses to requests for assistance. Advisers therefore have access to information regarding specific enquiries made to UKRIO’s Advisory Service; however, this would normally be anonymised information only. Further information is provided under ‘Confidentiality relating to UKRIO’s Advisory Service’, below.
- The Office team provides administrative, policy, research and technical support to the Trustees and carries out UKRIO’s programme of work of the project under their direction.
Members of the Office team have access to confidential information that is appropriate to their duties. This can include personal data relating to service users and volunteers, and information regarding UKRIO’s Advisory Service, including specific enquiries.
Sharing information with organisations that fund, subscribe to, or otherwise support, UKRIO
UKRIO was initially funded as a pilot project by a broad stakeholder group, including the UK Higher Education Funding Councils, the UK Departments of Health, the Research Councils, the Royal Society, research charities and a variety of other organisations. In line with the original proposal for UKRIO, we have expanded the pool of funders, and are seeking support from universities, NHS organisations the Department of Health, other Government Departments and research organisations such as public and private sector research institutes and industry. A list of the organisations which fund us can be found here and our funding policy is available here.
Our policy is that external funding will not divert UKRIO from its agreed aims and values. Donations to UKRIO do not entitle any individual or organisation to decision-making authority and no individual funding source should be of a magnitude that would allow it to exercise control or compromise in any significant way the independence of UKRIO.
Confidentiality relating to UKRIO’s Advisory Service
The following confidentiality provisions apply to information relating to UKRIO’s Advisory Service, including but not limited to: information about service users; any information provided by service users; and information about our responses to enquiries made to the Advisory Service.
- UKRIO will keep a confidential record of any requests for assistance and all subsequent discussions.
- No other parties will be informed without the enquirer’s consent, unless clear evidence of criminal activity has been presented, there is an immediate need to involve others to prevent further risk or harm to people, animals or the environment, or UKRIO is otherwise under a legal obligation to do so.
- UKRIO also reserves the right to disclose details of our advice and correspondence if that advice is later misrepresented by the enquirer.
- The above provisions are communicated to users of UKRIO’s Advisory Service, via emails acknowledging requests for assistance and the enquiry submission form on UKRIO’s website (http://www.ukrio.org/get-advice-from-ukrio/ ), for example. Service users are also provided with information on UKRIO’s role and remit.
When an enquiry is received by UKRIO, it is assessed to determine whether:
- It concerns a situation that may require immediate action to prevent further risk or harm to research participants, patients or other persons, improper treatment of animal subjects of research, improper use or storage of human tissue, materials or personal data, or negative environmental consequences (a ‘Situation’).
- It may involve criminal activity.
If the enquiry fulfils any of the above criteria, the Chief Executive, liaising with the Chair, takes appropriate action to address the issue(s) in question, informing the enquirer and recording the actions taken and the reasons for his/ her decisions in writing.
- If an enquiry involved criminal activity or a Situation, we would first strongly encourage the enquirer to report the matter to appropriate organisation(s), which we would identify for them.
- If this did not take place in a timely manner, UKRIO, despite its role as a confidential advisory body, reserves the right in such circumstances to make disclosures, in confidence if necessary, to relevant external bodies. Such a decision would be taken by the Chief Executive and the Chair, consulting with UKRIO’s Board of Trustees, Advisory Board, staff or volunteers with relevant expertise, and/or legal counsel, as appropriate. In some cases, UKRIO may be legally required to make such disclosures. We also reserve the right to disclose details of our advice and correspondence if that advice is later misrepresented by an enquirer.
If a third party would be able to work alongside UKRIO to resolve an enquiry, or would be a more appropriate source of support, then UKRIO would approach that body only with permission from the person(s) making the enquiry. The exception to this, again, would be if there was clear evidence of criminal activity or a Situation, as described above.
When seeking views on an enquiry from members of our Register of Advisers, we would normally provide an anonymised summary of the matter. An exception would be when anonymisation would require the redaction of so much information as to make it impossible for Advisers to give any useful views on the matter. Regardless, all information about enquiries to UKRIO is provided to our Advisers in the strictest confidence.
UKRIO may publish anonymised, aggregate data to illustrate the work of the Advisory Service. However, such information would not identify any individuals or organisations.
Similarly, UKRIO may publish or otherwise circulate case studies for use as training or educational material. Case studies will always be anonymised and published with the permission of the service user(s) who brought the matter to our attention.
In addition, UKRIO may create fictional scenarios for educational and training purposes. These illustrative ‘case study’ scenarios draw upon UKRIO’s experiences in assisting with issues of research integrity but are not based on any particular real-life situation. No individuals or organisations are named in these scenarios.
Communication with staff and volunteers
Staff and volunteers will be required to sign a short statement indicating that they have been made aware of their confidentiality responsibilities (see Appendix A, below).
Staff training and acceptance of responsibilities
Documentation / related policies
This policy should be read in conjunction with the following UKRIO policies/ procedures:
- UKRIO Protocol for Responding to Requests for assistance
Available from: http://ukrio.org/privacy-and-cookies/
- UKRIO website: Terms and conditions for use of website, seeking advice from UKRIO and booking places at UKRIO events
Available from: http://www.ukrio.org/terms-and-conditions/
All staff who have access to any kind of personal data will have their responsibilities outlined during their induction procedures.
Staff will provide opportunities for staff to explore Data Protection issues through training, team meetings, and supervisions.
Procedure for staff and volunteers signifying acceptance of policy
Staff and volunteers will be asked to sign to accept the provisions of this policy.
Policy operational date: December 2010 (included in ‘Data Protection and Confidentiality Policy July 2013’)
Date of last review: May 2018 (created from above policy)
Date of next review: May 2019
A PDF version of this policy is available at: http://ukrio.org/wp-content/uploads/UKRIO-Confidentiality-policy-May-2018.pdf
Appendix A: Confidentiality statement for staff and volunteers
When working for UKRIO, you will often need to have access to confidential information which may include, for example:
- Personal information about individuals who are users of UKRIO’s services, members of UKRIO subscriber institutions or otherwise involved in the activities organised by UKRIO (note that this type of information is not normally shared with volunteer Advisers).
- Information about the internal business of UKRIO.
- Personal information about colleagues working or volunteering for UKRIO.
UKRIO is committed to keeping this information confidential, in order to protect people and UKRIO itself. ‘Confidential’ means that all access to information must be on a need to know and properly authorised basis. You must use only the information you have been authorised to use, and for purposes that have been authorised. You should also be aware that under the Data Protection Act and the General Data Protection Regulation, unauthorised access to data about individuals is a criminal offence.
You must assume that information is confidential unless you know that it is intended by UKRIO to be made public. Passing information between the UKRIO office and volunteers (note that volunteer Advisers are not normally provided with unanonymised information about requests for UKRIO’s help) or vice versa does not count as making it public, but passing information to another organisation does count.
You must also be particularly careful not to disclose confidential information to unauthorised people or cause a breach of security. In particular you must:
- not compromise or seek to evade security measures (including computer passwords);
- be particularly careful when sending information between the UK office and volunteers;
- not gossip about confidential information, either with colleagues or people outside UKRIO; and
- not disclose information — especially over the telephone — unless you are sure that you know who you are disclosing it to and that they are authorised to have it.
If you are in doubt about whether to disclose information or not, do not guess. Withhold the information while you check with an appropriate person whether the disclosure is appropriate.
Your confidentiality obligations continue to apply indefinitely after you have stopped working for UKRIO.
I have read and understand the above statement. I accept my responsibilities regarding confidentiality.
Signed …………………………………… Date ……………………………………
Please return this form to UKRIO once completed.