Data Protection & Confidentiality Policy

This policy is to ensure that confidential information held about service users is handled appropriately, correctly and with respect and discretion.

During the course of our work with our client group, they disclose personal information, some of which may cause us to be concerned.  This policy ensures that staff and service users understand what confidentiality means to us as an organisation and more importantly, the parameters of confidentiality.

CXK has a responsibility to ensure that it respects the information that is shared by our client group and that it protects the interests of children, young people and vulnerable adults who we may be working with (please see the Safeguarding Policy). 

  • Anything that a service user chooses to share with a member of staff must be treated with the utmost respect.
  • Staff have a confidential not a secret relationship with service users.  This means that anything shared with a member of staff that may put them or any others at risk, has to be reported appropriately, this may mean that a note is made on a record or that an outside agency is informed, depending on the nature of the information.
  • Staff who do not have any access to the CCIS case management system, currently IYSS, have an obligation to report all issues of a serious nature to their line manager to record, using current recording processes. 
  • If a service user requests information held by CXK this request should be arranged with the consent of line management staff, Safeguarding and Quality Manager and the Data Controller.  Any requests for information should be documented appropriately.
  • Please see the Data Protection Policy for guidance on how to keep data secure and how to manage requests for data.


In order to operate efficiently, CXK Limited has to collect and use information about the people with whom it works, as well as its current, prospective and past employees, volunteers and donors. This personal data must be collected, handled and dealt with lawfully and in accordance with the Data Protection Act. This policy sets out how those managing personal information and data must store and keep secure this information and how individuals who entrust us with their data are to be informed, considered and safeguarded. It highlights the legal penalties for failing to take proper care of personal data and also where further advice can be sought.

This policy sets out CXK’s approach to the safe and appropriate processing of personal data in line with the Data Protection Act 1998.  This policy applies to staff, volunteers, trustees and all other parties who collect and/or process data on behalf of CXK. This includes all contractors, consultants, partners or other servants or agents of CXK.

If employees are in any doubt about what they may or may not do, they should seek advice from their Line Manager. If employees are in doubt and cannot get in touch with their manager or the CXK Data Protection Officer, the information concerned should not be disclosed.  There are 8 Data Protection Principles.  These are that personal data must:

  • Be fairly and lawfully processed
  • Be processed for limited purposes
  • Be adequate, relevant and not excessive
  • Be accurate and up to date
  • Not be kept for longer than is necessary
  • Be processed in accordance with Data Subject’s (individual’s) rights
  • Be securely kept
  • Not be transferred to countries without adequate protection.

In most cases consent must be obtained to process data from the individual to whom it relates.  Parties that are processing personal and sensitive data on behalf of CXK have a responsibility to treat such data in line with the Data Protection Act 1998.

Data Protection & Confidentiality Policy