Confidentiality and data protection
Institutional development

What internal procedures to put in place regarding confidential information?

NPMs should develop policies, processes and procedures that address how confidential information is handled, starting by identifying which types of information will be classified internally as confidential and the level of protection each should receive. Such policies might cover: the NPM’s legal basis (where it includes provisions on the confidentiality of information), procedures for handling confidential information, the distribution and maintenance of information and records, how the NPM processes and stores personal data, with whom it may be shared, and the rights of individuals in relation to their data.

NPMs may want to have clear practices and procedures in place on how to protect and store confidential information (both digital information and information recorded on paper), including:

  • Where, how and for how long it is stored, covering both physical storage (locked rooms, safes or cabinets) and data storage (encryption and other data protection measures)
  • Who has access to what information
  • With whom outside the NPM it can be shared, and when
  • What IT security services are needed
  • Training of NPM staff on these practices and procedures

A good tool for instilling in staff a respectful vision of these issues, and a guarantee that they will be upheld, is a Code of Conduct that addresses them. A common practice is to include a confidentiality commitment as part of the Code of Conduct, to be signed by staff and by others involved in the work of the NPM. This document might require that staff members not disclose personal or sensitive information, or information obtained through their official duties, to anyone not authorized to receive it. Such a document can form part of the NPM’s internal rules. The contracts of NPM staff and members can also include clauses on the obligation to protect confidential information.

Interpreters, external experts (and sometimes CSOs) who work with the NPM should also sign a contract and/or code of conduct before they start working, guaranteeing that they will not disclose confidential information.

NPMs handle a large amount of information, some of which is for internal use only and some of which is also for external use (for example, when shared with authorities). NPMs may therefore classify their information to determine which of it is public, for internal use, confidential or highly confidential, and analyse with whom each category may be shared and under what circumstances, both internally and externally.


What does confidentiality mean in practice?

According to Article 21 of the OPCAT, NPMs have a duty to preserve confidential information and the confidentiality of personal data. The protection of personal data by NPMs is important to ensure that the work of the NPM does not violate the privacy rights of individuals and that all individuals feel they can be open with the NPM. In practice, this means that NPMs should take measures to identify and protect confidential information, in particular when it includes sensitive personal data.

This may include ensuring that information enabling the identification of individuals is not disclosed without their free and informed consent. This includes not sharing such information with the authorities or in public reports. NPMs should, however, have the ability to publish data about individuals where the individual has given their consent and / or when the data is anonymized, including through the use of pseudonyms. 

Explaining to individuals how the information they provide will be used is of the utmost importance for their protection, as well as for building trust, particularly during interviews.

In some situations, including when interviewing children or persons with learning disabilities or psychosocial conditions that may make obtaining consent difficult, NPMs should nevertheless do their best to explain their mandate and how the information will be used, including, where relevant, in order to obtain consent.

As the SPT has noted, NPMs should assess with particular caution whether sharing information with a third party related to a particular situation or offence would inevitably involve the disclosure of personal data, or the identification of a person who has not given his or her express consent for his or her personal data to be made public. 


What principles apply when dealing with confidential information?

The protection of confidentiality is closely linked with the "do no harm" principle. This is about making sure that NPMs do not put detainees (and staff) at additional risk because of their work. The main risks are reprisals, retaliation and inter-detainee violence. This principle should guide the entire information management process, from collection to storage and any transmission to third parties.

Improper handling of information can lead to the identification of sources, to unauthorized disclosure, modification or loss of information, to risks to the safety of detainees and others, and to violations of the right to privacy. For example, neglecting the way in which data on the sexual orientation and gender identity of persons deprived of their liberty is collected can lead to discriminatory and stigmatizing practices towards this population. Information about the charges that detainees face or the reasons for their detention can also put them at significant risk, including of inter-detainee violence.

In addition to the do no harm principle, the following principles may also serve as a reference for NPMs:

  • Lawfulness: information must be processed in a lawful and transparent manner.
  • Consent: obtain consent before gathering certain information, in particular when it relates to personal data.
  • Information: inform the person about the processing of information, including what information or data will be collected and why.
  • Quality: strive to ensure that the information collected is accurate, complete, relevant and up to date.
  • Proportionality: only collect and store as much information or data as is needed to fulfil the NPM’s mandate.

What information collected by NPMs may be considered confidential?

Information gathered by NPMs can include sensitive personal data, such as medical records, disciplinary records, or information that may allow a person to be identified without their consent.

References to the types of information that NPMs may treat as confidential can be found in domestic NPM legislation, in data protection and privacy laws, and in international instruments on the treatment of detainees such as the Nelson Mandela Rules and the Bangkok Rules.


What is confidentiality and data protection for NPMs?

Article 20 (a) of the OPCAT gives NPMs the power to access a wide range of information to fulfil their mandate. The authorities must provide NPMs with access to information including the number of persons deprived of liberty, the places where people are detained, and their treatment and conditions. Much of this information is collected through monitoring, including private interviews with detainees and staff and the examination of registers and other documents in places of detention.

Unlike the SPT, NPMs are not bound by a general principle of confidentiality: they publish visit reports and recommendations, as well as annual reports.

These wide-ranging powers, however, come with a corresponding responsibility to ensure that “Confidential information collected by the national preventive mechanism shall be privileged. No personal data shall be published without the express consent of the person concerned.” (Article 21). This article should be read together with the do no harm principle, which guides all aspects of NPM work. Confidentiality is one of the key principles of preventive monitoring. Ensuring that confidentiality is respected, and explaining how the information gathered by NPMs will be used, is of paramount importance in protecting detainees and creating trust.

NPMs, in implementing their preventive mandate, must be careful to maintain the confidentiality of information, especially when this information includes personal data and/or sensitive data. In practice, this means that NPMs should establish internal guidelines and procedures regarding the collection, storage, access and use of confidential information and personal data.