Confidentiality policy

Current version: 2.0

Last updated: April 2025

Approved by: Board, CEO

Introduction

1) This policy sets out the protocols for maintaining confidentiality in all aspects of Bridge Group work.

2) It is a contractual requirement that all Bridge Group colleagues (including employees, interns, Associate Researchers, Fellows and other contractors) engaged to undertake Bridge Group research adhere to this policy.

3) This policy is to be read in conjunction with the Information Security Policy, BG Data Privacy and GDPR Guidelines, IT Use Policy and website privacy policy.

Policy

4) Confidential Information in this policy is defined as: 

4.1) Any data provided by clients for research purposes. This will most commonly take the form of demographic workforce / student / alumni data.

4.2) Any data collected by the Bridge Group on behalf of a client. This will include information collected via Bridge Group surveys and interviews, and the contact details of participants.

4.3) Other forms of research data held or processed as part of our work, such as purchased data sets (from UCAS, HESA etc.). 

4.4) HR records relating to Bridge Group colleagues and trustees, including contact details, salary information, promotion details, disciplinary proceedings and development review notes.

4.5) Contact details of clients and other stakeholders.

4.6) Contact details of newsletter subscribers.

4.7) Any other information held that is marked confidential, or is reasonably understood to be confidential, whether received from a client / third party, or produced internally. This might include commercially sensitive or protected materials, images or video files obtained in the course of research or embargoed documents shared prior to publication (which will cease to be confidential after publishing).

4.8) Any wider, non-written knowledge (i.e. obtained verbally) that was described as confidential, or might reasonably be assumed to be confidential by its nature.

5) Where there is any doubt about the confidentiality or sensitivity of any document, image, dataset or other form of physical or digital information, it should be treated as if confidential.

6) Confidential Information, whether physical, digital or non-written, must not be shared outside the organisation. The only exceptions are where:

6.1) The owner / provider of the Confidential Information, data subject (in the case of Personal Data), or Bridge Group CEO (in the case of Bridge Group Confidential Information), agrees, in writing, that it may be shared, and sharing does not breach the confidentiality of any other non-consenting party, or break any applicable laws.

6.2) The Confidential Information becomes freely available in the public domain due to a planned release, or through other legitimate means not relating to a breach of confidentiality by a Bridge Group employee, intern or contractor, or a third party.

6.3) An employee, intern or contractor is required to share the Confidential Information by law, regulation or reasonable request by the government or judiciary.

7) Confidential Information should always be transferred / collected, stored and disposed of securely, as outlined in the Bridge Group Information Security Policy and in compliance with the charity’s Cyber Essentials certification. Access will be limited to the fewest number of colleagues required.

8) Confidential Information in physical or digital form should also be categorised as MEDIUM or HIGH sensitivity (see the Information Security Policy regarding information categorisation). The level of confidentiality applied will dictate the level of protection the information is granted when storing, processing or transferring.

9) Some clients may set out additional stipulations regarding confidentiality and data security as part of their contract with the Bridge Group, or will request that the Bridge Group signs a separate confidentiality, data security and/or data sharing agreement. Bridge Group colleagues must take these additional requirements into consideration when working with their Confidential Information. Where any conflict arises between this policy and the stipulations of the client, this should be communicated to the client so an agreed approach can be established. The requirements of this policy should always be adhered to, even where the stipulations of the client are less rigorous or detailed.

10) Confidential Information containing Personal Data* processed** for research or other purposes will also be subject to the UK Data Protection Act 2018 and UK General Data Protection Regulation (GDPR), and should be treated in line with the principles set out in the Bridge Group’s Data Privacy and GDPR Guidelines and our Website Privacy Policy. This includes:

10.1) Only collecting and storing the Personal Data needed to undertake its work (its necessity should be well evidenced).

10.2) Only holding the Personal Data for as long as it is required and only using it in accordance with any agreement signed with the third party transferring the information, or in the case of interviews or surveys, in accordance with the terms agreed with the participants.

10.3) Only sharing the Personal Data with agreed third parties.

11) Colleagues collecting research data directly from participants must also follow the Research Ethics Policy, to ensure participants are able to give informed consent and suffer no negative effects from participating.

12) All transfer of Confidential Information between the Bridge Group and a third party must be covered by a Confidentiality Agreement, or a Confidentiality Clause in a contract.

13) Where the Confidential Information constitutes data covered by GDPR, this must be covered by a Data Processing (for a Controller / Processor relationship) or Data Sharing (for a Joint Controller relationship) Agreement, or by data processing terms that feature as part of a wider contract.

14) Upon leaving the organisation, an employee, intern or contractor of the Bridge Group must draw up a plan for the secure transfer and / or removal of all files from devices containing Confidential Information. This plan must be reviewed by the Head of Operations and, where relevant, the employee’s line manager, and executed, in collaboration with the Finance and Operations Officer, prior to that colleague’s departure.

15) All access to Bridge Group e-mail and shared drives should be removed within twenty-four hours of a colleague’s departure.

16) All colleagues must maintain confidentiality after leaving the Bridge Group. Colleagues who disclose Confidential Information (including verbally revealing matters known to be confidential) outside of the circumstances set out in Paragraph 6 may be subject to legal proceedings.


* ‘Personal Data’ means any information relating to an identified or identifiable person (‘data subject’) as set out in the UK Data Protection Act 2018. An identifiable person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more features specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

** Processing means doing any of the following to data: collecting; recording; organising; structuring; storing; adapting; altering; retrieving; consulting; using; disclosing; transmitting; disseminating; making available; aligning; combining; restricting; erasing; and destroying.