Internal Data Obligation

Staff Data Security and Confidentiality Agreement

This applies to all individuals working for or on behalf of Wupwoo Ltd and will include: non-fixed contracts, agency, volunteers, temporary personnel including students, work placements/work experience etc.

In the course of your work with Wupwoo Ltd you may come across, or have access to, sensitive and confidential information concerning patients, staff, the business of the organisation and other third parties such as E-commerce shops.  

Everyone has the right to expect their information to be dealt with using the highest possible level of confidentiality. In dealing with this type of information you must work within the law, in particular the recent GDPR regulation (an overview of which can be found on our Wiki page). Alternatively, a link to the Information Commissioner’s website is given below.

In addition to this, this document sets out the expectations with regard to confidentiality of information, your responsibilities and consequences of a breach of confidentiality. 

Confidentiality – General Guidelines

All documents held in Google Drive must be set to Do Not Share, so that you must explicitly make the document available to share.

We sometimes need to work with personal data about patients, staff and other third parties, as well as business sensitive information, such as financial or contractual information. If you have any doubts about the confidentiality of information, regard it as confidential unless you are advised otherwise by your line manager. 

You must not use any personal or business sensitive data that you come into contact with, including as part of your duties, for any reason other than as part of your job role.

You must not reveal or disclose personal or business sensitive data to friends or relatives. You must not discuss personal information with your friends or relatives. 

Computers must not be left unattended when there is a possibility that the information or data displayed might be compromised or accessed without authorisation. Documents that may contain restricted information must be filed away in a locked cabinet as soon as possible and not left on display.

Care must be taken to respect confidentiality if discussing personal details in public areas.

You must not reveal or disclose personal or business sensitive data to any individual or agency (including via social media) without the permission of your line manager.

Access to a patient’s medical record for code development and testing purposes is strictly forbidden, unless a specific agreement has been made with the data controller and the data subject. Only our allocated anonymous dummy test patients may be accessed for the purpose of testing and development.

Enquiries from the press or media seeking information should be directed to the Managing Director. If he is not available then another member of the Board of Directors must be contacted. Enquiries from the Police seeking information should be directed to your line manager or a member of the Board of Directors.

The identity of all callers must be verified. Request a telephone number so that a staff member can return their call.

You may download business sensitive data onto personal devices, such as USB sticks, phones, cameras, laptops etc., only with the prior consent of the Managing Director and only if he is satisfied with the security of your device and its whereabouts during non-office hours. Any transfer of data between the NHS, ourselves, contractors and our other partners must be undertaken in a secure way and, when required, encrypted.

You must not allow individuals to be identified during training; only dummy data should be used when demonstrating a system for training purposes.

Your duty of confidentiality continues to apply indefinitely, even after your work with Wupwoo Ltd has ceased.

All confidential records, including computerised material, documents and other papers, together with any copies or extracts thereof, made or acquired by you in the course of your employment are the property of Wupwoo Ltd and must be returned on the subsequent cessation of your placement.

General Legal and Professional Principles

The General Data Protection Regulations (GDPR), Human Rights Act 1998 and the Common Law Duty of Confidentiality all refer to the protection of privacy and confidentiality.  You will be required to adhere to this legislation at all times.

Obtaining or disclosing personal data covered by GDPR without appropriate authority and consent is a criminal offence.

You should be aware that you will be personally liable for any contravention of the above legislation and that the duty of confidence lasts indefinitely.  

The Computer Misuse Act 1990 establishes three offences which refer to unauthorised access, either casually or for a more sinister purpose, to the modification of information and introduction of malicious programmes:

  1. It is an offence to knowingly cause a computer to perform any function with intent to secure unauthorised access to any programme or data held in any computer;
  2. An offence under point 1 is committed with the intent to commit or facilitate a further offence, whether by the offender or by another person;
  3. Knowingly to do any act which causes an unauthorised modification of the contents of any computer; to impair the operation of any computer; to prevent or hinder access to any program or data held and to impair the operation of the program or the reliability of the data.

Breaches of Confidentiality

Data Breach

Should a data breach be identified, Wupwoo Ltd will put the details through the ICO report checker; we then have a statutory obligation to inform the Information Commissioner’s Office (ICO) if the breach is serious. Tel: 0303 123 1113.

What information will we need to provide?

Rights to Access Information

People have the right to access any personal data that is being kept about them on computer and also have access to paper-based data held in certain manual filing systems. 

Any person who wishes to exercise this right should make the request in writing to the Wupwoo Ltd Data Protection Officer. Wupwoo Ltd will make a charge of £15 on each occasion that access is requested.

Wupwoo Ltd aims to comply with requests for access to personal information as quickly as possible, but will ensure that it is provided within 40 days of receipt of a written request unless there is good reason for delay. In such cases, the reason for delay will be explained in writing to the individual making the request.

Wupwoo Limited Designated Data Officer

Name: Peter Martin


Wupwoo Ltd is registered as Tier 1 under the Act and is therefore ultimately responsible. Any questions or concerns about the interpretation or operation of this policy should be taken up in the first instance with the Company Data Controller.

Any concerns you have in respect of any of the above issues should be raised with the person you are reporting to. This agreement is to be kept in your personnel section in your Google Drive.

Version: 2
Review: 2020