What internal procedures to put in place regarding confidential information?
An NPM should develop policies, processes and procedures that address how confidential information is handled, starting by identifying which types of information will be classified internally as confidential and the level of protection each should receive. Such policies might cover: the NPM's legal basis (where it contains provisions on the confidentiality of information), procedures for handling confidential information, the distribution and maintenance of information and records, how the NPM processes and stores personal data, with whom it may be shared, and the rights of individuals in relation to their data.
NPMs may want to have clear practices and procedures in place on how to protect and store confidential information (for both digital information and information that is recorded on paper documents), including:
- Where, how and for how long it is stored, covering both physical storage (locked rooms, safes or cabinets) and digital storage (encryption and other data protection measures)
- Who has access to which information
- With whom outside the NPM it may be shared, and when
- What IT security services are needed
NPM staff should be trained in these practices and procedures.
A good tool for instilling respect for these obligations among staff is a Code of Conduct that addresses confidentiality. A common practice is to include in the Code of Conduct a confidentiality commitment that is signed by staff and by others involved in the work of the NPM. This document might require that staff members not disclose personal or sensitive information, or information obtained through their official duties, to anyone not authorised to receive it. Such a document can form part of the NPM's internal rules. The contracts of NPM staff and members can also include clauses on the obligation to protect confidential information.
Interpreters, external experts (and sometimes CSOs) who work with the NPM should also sign a contract and/or code of conduct before they start work, committing them not to disclose confidential information.
NPMs handle a large amount of information, some of which is for internal use only and some of which is shared externally (for example with the authorities). NPMs may therefore classify their information to determine which of it is public, for internal use, confidential or highly confidential, and analyse with whom each category may be shared and under what circumstances, both internally and externally. Each classification level should map to concrete handling rules (storage, access, transmission and retention) so that staff know how to treat a given document.