CONFIDENTIALITY POLICY

Article 1.        INTRODUCTION

Section 1.1.        Purpose of the Policy

The purpose of this Confidentiality Policy is to establish a clear and consistent framework for the protection, handling, and disclosure of confidential information within the Mayaro/Guayaguayare/Rio Claro Education Council (hereinafter referred to as “the Council”). As a legally registered non-profit organisation in the Republic of Trinidad and Tobago, the Council is entrusted with sensitive information relating to students, staff, volunteers, donors, partners, and community stakeholders.

This policy aims to:

  • Safeguard personal, financial, operational, and strategic information from unauthorized access, use, or disclosure in accordance with the Council’s Data Privacy Policy (MGREC-POL-PRIV-202503-01).
  • Ensure compliance with applicable laws and regulations, including the Data Protection Act, 2011, Children Act, 2012, and other relevant statutes.
  • Promote a culture of integrity, trust, and accountability within the Council.
  • Provide clear guidance to all stakeholders on their responsibilities regarding confidentiality in accordance with the Council’s Volunteer Management Policy (MGREC-POL-VM-202503-01).

Section 1.2.        Scope and Applicability

This policy applies to all individuals and entities who, by virtue of their association with the Council, may have access to confidential information. This includes but is not limited to:

  • Members of the Executive Board
  • Employees (full-time, part-time, and temporary)
  • Volunteers and interns
  • Contractors, consultants, and service providers
  • Partner organisations and affiliates
  • Any other individuals or entities granted access to Council information

The policy covers all forms of information, whether oral, written, electronic, or otherwise recorded, that is created, received, stored, or transmitted in the course of the Council’s operations. It applies to information held on physical documents, digital systems, cloud platforms, and verbal communications.

Section 1.3.        Definitions of Key Terms

For the purposes of this policy, the following definitions shall apply:

  • “Confidential Information”: Any data or information, regardless of format, that is not publicly available and is protected by law, contract, or ethical obligation. This includes personal data, financial records, strategic plans, internal communications, and third-party information.
  • “Personal Data”: Information relating to an identified or identifiable individual, including but not limited to names, addresses, identification numbers, contact details, and educational or employment records, or as otherwise defined in the Council’s Data Privacy Policy (MGREC-POL-PRIV-202503-01).
  • “Data Subject”: An individual to whom personal data relates.
  • “Disclosure”: The act of making confidential information available to individuals or entities not authorized to access it.
  • “Breach of Confidentiality”: Any unauthorized access, use, disclosure, or loss of confidential information, whether intentional or accidental.
  • “Need-to-Know Basis”: A principle whereby access to confidential information is granted only to individuals who require it to perform their official duties.
  • “Data Protection Officer (DPO)”: The individual designated by the Council to oversee compliance with data protection and confidentiality obligations.

Section 1.4.        Guiding Principles

The Council is committed to upholding the highest standards of confidentiality through the following guiding principles:

  • Legality: All confidentiality practices shall be in full compliance with the laws of the Republic of Trinidad and Tobago, including the Data Protection Act, 2011, and other applicable legislation.
  • Integrity: Confidential information shall be maintained in a manner that ensures its accuracy, reliability, and protection from unauthorized alteration.
  • Accountability: All individuals with access to confidential information shall be held accountable for its proper handling and protection in accordance with the Council’s Internal Controls Policy (MGREC-POL-ICP-202503-01).
  • Transparency: The Council shall ensure that data subjects are informed of how their information is collected, used, stored, and disclosed.
  • Proportionality: Access to confidential information shall be limited to what is necessary for the performance of duties, in accordance with the principle of data minimization.
  • Security: Appropriate technical and organizational measures shall be implemented to safeguard confidential information from unauthorized access, loss, or misuse.
  • Respect for Privacy: The Council recognizes the fundamental right to privacy and is committed to protecting the dignity and autonomy of all individuals whose information it holds in accordance with the Council’s Data Privacy Policy (MGREC-POL-PRIV-202503-01).

Article 2.        LEGAL FRAMEWORK

Section 2.1.        Overview of Relevant Laws of the Republic of Trinidad and Tobago

The Council’s confidentiality obligations are governed by a suite of national laws that collectively protect personal data, uphold the right to privacy, and regulate the handling of sensitive information. The Council’s Data Privacy Policy (MGREC-POL-PRIV-202503-01) is the internal policy that operationalizes the Data Protection Act, 2011. These laws apply to all individuals and entities operating within the jurisdiction of Trinidad and Tobago and are binding on non-profit organisations, including the Council.

    Subsection 2.1.1.        Constitution of the Republic of Trinidad and Tobago (Right to Privacy)

The Constitution enshrines the right to privacy as a fundamental human right. Section 4(c) guarantees the right of the individual to respect for their private and family life. This constitutional protection forms the bedrock of all confidentiality practices, requiring the Council to ensure that personal and sensitive information is not disclosed without lawful justification.

   Subsection 2.1.2.        Data Protection Act, 2011

The Data Protection Act, 2011 (Act No. 13 of 2011) is the primary legislation governing the collection, processing, storage, and dissemination of personal information. Key provisions include:

  • General Privacy Principles (Part I): Mandate that personal data must be collected fairly, used for lawful purposes, and kept secure.
  • Rights of Data Subjects: Individuals have the right to access and correct their personal data.
  • Information Commissioner: The Act establishes an oversight body to ensure compliance.

Although not fully proclaimed, the Act provides a framework that the Council voluntarily adheres to in anticipation of full enforcement.

   Subsection 2.1.3.        Freedom of Information Act, 1999

The Freedom of Information Act (FOIA), 1999 (Act No. 26 of 1999) promotes transparency in public authorities while balancing the need for confidentiality. It:

  • Grants individuals the right to access official documents in accordance with the Council’s Whistleblower Policy (MGREC-POL-WB-202503-01).
  • Exempts disclosure of information that would constitute an unreasonable invasion of personal privacy or breach confidentiality agreements.
  • Requires public authorities to publish certain categories of information and maintain records in a manner that facilitates access.

  Subsection 2.1.4.        Children Act, 2012

The Children Act, 2012 (Act No. 12 of 2012) imposes strict confidentiality obligations regarding the identity, records, and welfare of minors. It prohibits the publication or disclosure of any information that may lead to the identification of a child involved in legal or welfare proceedings, except under judicial authority or statutory mandate. These obligations extend to volunteers in accordance with the Council’s Volunteer Management Policy (MGREC-POL-VM-202503-01).

   Subsection 2.1.5.        Education Act, Chapter 39:01

The Education Act (Ch. 39:01) governs the administration of education in Trinidad and Tobago. While it does not explicitly address confidentiality, it implies a duty of care in the handling of student records, disciplinary matters, and internal communications. The Council, as an education-focused non-profit, aligns its practices with the Act’s intent to protect the welfare and dignity of students and educators.

  Subsection 2.1.6.        Non-Profit Organisations Act, 2019

The Non-Profit Organisations Act, 2019 (Act No. 7 of 2019) requires registered non-profits to maintain accurate records, ensure transparency in operations, and implement internal controls to prevent misuse of funds and data. It also mandates compliance with Anti-Money Laundering and Counter-Terrorism Financing (AML/CFT) obligations, which include safeguarding donor and beneficiary information.

   Subsection 2.1.7.        Cybercrime Act, 2023

The Cybercrime Act, 2023 addresses offences related to unauthorized access, data interference, and cyber breaches. It criminalizes:

  • Unauthorized access to computer systems or data.
  • Interception of communications.
  • Disclosure of unlawfully obtained data.

The Council must implement robust cybersecurity protocols to prevent breaches and report incidents in accordance with the Act.

Section 2.2.        International Standards and Best Practices

While operating under national laws, the Council also aligns with international data protection and confidentiality standards, including:

  • General Data Protection Regulation (GDPR) principles, especially regarding consent, data minimization, and accountability.
  • UN Convention on the Rights of the Child (CRC), which emphasizes the right of children to privacy.
  • ISO/IEC 27001 standards for information security management systems.

These frameworks guide the Council in adopting globally recognized best practices.

Section 2.3.        Alignment with Council’s Legal Obligations

The Council ensures compliance by:

  • Embedding legal requirements into its internal policies and procedures.
  • Conducting regular training for staff and volunteers on confidentiality and data protection.
  • Appointing a designated officer to oversee legal compliance and risk management.
  • Reviewing and updating its confidentiality practices in response to legislative changes.

Article 3.        CONFIDENTIAL INFORMATION

Section 3.1.        Definition of Confidential Information

Confidential Information refers to any data, record, communication, or material—whether oral, written, electronic, or otherwise—that is not publicly available and is obtained, created, or maintained by the Council in the course of its operations. This includes information that, if disclosed without authorization, could result in harm to individuals, compromise the Council’s operations, or breach legal or ethical obligations.

Such information may relate to individuals (e.g., students, staff, donors), internal governance, financial transactions, strategic initiatives, or third-party relationships. Confidential Information is protected under national laws, including the Data Protection Act, 2011, and must be handled with the highest standards of care and discretion.

Section 3.2.        Categories of Confidential Information

The Council recognizes the following primary categories of Confidential Information:

   Subsection 3.2.1.        Student Records and Personal Data

This includes all information relating to students who are beneficiaries of the Council’s educational programmes or services, handled in accordance with the Council’s Data Privacy Policy and, where volunteers handle student data, the Volunteer Management Policy. Examples include:

  • Full name, date of birth, and contact details
  • Academic records, assessments, and progress reports
  • Disciplinary records and behavioral assessments
  • Health and psychological evaluations
  • Family background and socio-economic data
  • Photographs and video recordings
  • Any information protected under the Children Act, 2012 or the Education Act, Ch. 39:01

  Subsection 3.2.2.        Staff and Volunteer Information

This pertains to personal and professional data of individuals engaged in the Council’s operations. It includes:

  • Employment contracts and volunteer agreements
  • Identification documents and contact information
  • Background checks and police certificates of character
  • Performance evaluations and disciplinary records
  • Payroll and benefits information
  • Medical or disability disclosures in accordance with the Council’s Health, Safety, Security and Environment Policy (MGREC-POL-HSSE-202503-01A)
  • Internal communications and grievances

  Subsection 3.2.3.        Financial Records and Donor Information

This category encompasses all financial data and donor-related information, including:

  • Bank account details and financial statements
  • Grant applications and funding agreements
  • Donation records and donor identities
  • Tax exemption certificates and audit reports
  • Internal budgets and expenditure reports
  • Information protected under the Non-Profit Organisations Act, 2019

 Subsection 3.2.4.        Council Deliberations and Strategic Plans

This includes internal discussions, decisions, and documents that guide the Council’s governance and long-term direction:

  • Minutes of Board and Committee meetings
  • Strategic and operational plans
  • Risk assessments and internal evaluations
  • Legal opinions and compliance reports
  • Internal policies and draft proposals
  • Communications regarding sensitive or unresolved matters

  Subsection 3.2.5.        Third-Party Agreements and Partnerships

This refers to information shared with or received from external entities under conditions of confidentiality, such as:

  • Memoranda of Understanding (MOUs)
  • Service-level agreements and contracts
  • Proprietary materials or intellectual property
  • Partner reports and evaluations
  • Confidential correspondence with government agencies, funders, or collaborators
  • Information subject to non-disclosure agreements (NDAs)

Section 3.3.        Exclusions from Confidential Information

The following types of information are generally not considered confidential under this policy, unless otherwise specified by law or agreement:

  • Information that is already in the public domain or publicly accessible
  • Information that has been lawfully disclosed with the consent of the data subject or relevant authority
  • Aggregated or anonymized data that cannot be traced back to an individual
  • Information required to be disclosed under applicable laws, such as the Freedom of Information Act, 1999, provided such disclosure complies with statutory exemptions
  • Information disclosed in the context of whistleblower protections or lawful reporting of misconduct in accordance with the Council’s Whistleblower Policy

It is important to note that even excluded information must be handled responsibly to avoid reputational harm or unintended consequences.

Article 4.        ROLES AND RESPONSIBILITIES

Section 4.1.        Executive Board Members

The Executive Board of the Mayaro/Guayaguayare/Rio Claro Education Council holds ultimate responsibility for ensuring that the organisation upholds the highest standards of confidentiality. Board members are entrusted with sensitive strategic, financial, and personnel information and are expected to:

  • Uphold the principles and provisions of this Confidentiality Policy.
  • Sign and adhere to the Council’s Confidentiality Agreement upon appointment.
  • Exercise discretion in all discussions, deliberations, and decisions involving confidential matters.
  • Ensure that confidentiality is embedded in the Council’s governance, risk management, and compliance frameworks.
  • Oversee the implementation of appropriate safeguards for the protection of confidential information.
  • Refrain from disclosing confidential information during and after their term of service, unless legally required.

Section 4.2.        Staff and Volunteers

All staff and volunteers, regardless of their role or duration of service, are required to maintain strict confidentiality in the performance of their duties. Their responsibilities include:

  • Signing the Council’s Confidentiality Agreement prior to commencing service.
  • Handling personal, financial, and operational information with discretion and care.
  • Accessing confidential information strictly on a need-to-know basis.
  • Reporting any suspected or actual breaches of confidentiality to their supervisor or the designated officer.
  • Participating in training sessions on data protection and confidentiality protocols.
  • Ensuring that confidential information is not discussed in public or informal settings, including social media.

Section 4.3.        Contractors and Consultants

External service providers, including contractors and consultants, may be granted access to confidential information in the course of delivering services to the Council. Their responsibilities include:

  • Entering into a legally binding Confidentiality or Non-Disclosure Agreement (NDA) prior to engagement.
  • Using confidential information solely for the purposes of fulfilling contractual obligations.
  • Implementing appropriate technical and organisational measures to safeguard data.
  • Returning or securely destroying all confidential materials upon completion of services.
  • Not disclosing any information to third parties without the Council’s prior written consent.

Section 4.4.        Partner Organisations

The Council may collaborate with other non-profits, government agencies, educational institutions, or private entities. In such partnerships, the following confidentiality obligations apply:

  • All parties must agree to and sign a Memorandum of Understanding (MoU) or partnership agreement that includes confidentiality clauses.
  • Shared information must be limited to what is necessary for the partnership’s objectives.
  • Each partner is responsible for protecting the confidentiality of shared data in accordance with applicable laws and this policy.
  • Breaches of confidentiality by a partner organisation must be reported immediately and may result in termination of the partnership.

Section 4.5.        Duty of Care and Fiduciary Responsibility

All individuals associated with the Council—whether in a governance, operational, or advisory capacity—owe a duty of care and fiduciary responsibility to the organisation and its stakeholders. This includes:

  • Acting in good faith and in the best interests of the Council.
  • Protecting the integrity, reputation, and trustworthiness of the organisation.
  • Avoiding conflicts of interest that may compromise confidentiality.
  • Ensuring that decisions involving confidential information are made with due diligence and legal awareness.
  • Recognising that breaches of confidentiality may result in disciplinary action, legal liability, or reputational damage to the Council.

Article 5.        CONFIDENTIALITY OBLIGATIONS

Section 5.1.        General Duty of Confidentiality

All individuals associated with the Council—whether in a governance, operational, or contractual capacity—are bound by a general duty of confidentiality. This duty entails:

  • Protecting all confidential information acquired through their role or association with the Council.
  • Refraining from disclosing, reproducing, or using such information for personal gain or any purpose outside the scope of their official duties.
  • Continuing to uphold confidentiality obligations even after the termination of their relationship with the Council.
  • Recognizing that breaches of this duty may result in disciplinary action, legal liability, or reputational harm to the Council.

This duty is grounded in ethical standards and reinforced by statutory obligations under the Data Protection Act, 2011, the Children Act, 2012, and the Cybercrime Act, 2023.

Section 5.2.        Handling of Sensitive Information

Sensitive information must be handled with heightened care and discretion. The following protocols apply:

  • Access to sensitive data is restricted to individuals with a legitimate need-to-know.
  • Physical documents containing sensitive information must be stored in locked cabinets or secure rooms.
  • Sensitive conversations should occur in private settings and never in public or informal environments.
  • Printed materials must be disposed of using secure shredding or destruction methods.
  • When transporting sensitive documents, appropriate safeguards (e.g., sealed envelopes, password-protected devices) must be used.
  • Any accidental exposure or mishandling must be reported immediately to the designated officer.

Section 5.3.        Communication Protocols

To ensure confidentiality in all forms of communication, the Council adopts the following protocols:

  • Email: Confidential information must only be sent via secure, Council-approved email platforms. Sensitive attachments should be encrypted or password-protected.
  • Telephone and Video Calls: Discussions involving confidential matters should be conducted in private settings. Calls should not be recorded without consent.
  • Written Correspondence: Letters containing confidential content must be clearly marked “Confidential” and addressed to specific recipients.
  • Meetings: Agendas and minutes of meetings containing sensitive topics must be distributed only to authorized participants.
  • Messaging Apps and Social Media: Confidential information must never be shared via personal messaging platforms or social media channels.

All communication must adhere to the Council’s Acceptable Use and ICT Policies.

Section 5.4.        Storage and Security of Records

The Council is committed to maintaining the integrity and security of its records through the following measures:

  • Physical Records: Stored in secure, access-controlled environments with limited personnel access.
  • Electronic Records: Maintained on encrypted servers with password protection and role-based access controls.
  • Retention Schedules: Records are retained only for as long as necessary to fulfill legal, operational, or contractual obligations.
  • Archiving and Disposal: Obsolete records are archived securely or destroyed in accordance with the Council’s Records Management Policy.
  • Backups: Regular backups are performed to prevent data loss and ensure business continuity.

Section 5.5.        Digital Confidentiality and Cybersecurity Measures

Given the increasing reliance on digital systems, the Council enforces robust cybersecurity protocols to protect electronic data. These include:

  • Use of firewalls, antivirus software, and intrusion detection systems.
  • Mandatory use of strong passwords and multi-factor authentication for all systems.
  • Regular updates and patching of software and hardware.
  • Encryption of sensitive files and communications.
  • Restrictions on the use of personal devices for accessing Council data.
  • Immediate reporting and investigation of suspected cyber incidents or data breaches.

These measures are aligned with the Cybercrime Act, 2023 and international standards such as ISO/IEC 27001.

Section 5.6.        Disclosure to Third Parties

Disclosure of confidential information to third parties is strictly regulated and permitted only under the following conditions:

  • Legal Requirement: Disclosure is mandated by law, court order, or regulatory authority (e.g., under the Freedom of Information Act, 1999 or Children Act, 2012).
  • Informed Consent: The data subject has provided explicit, written consent for the disclosure.
  • Contractual Obligation: Disclosure is necessary to fulfill a contractual agreement with a third party, and appropriate confidentiality clauses or NDAs are in place.
  • Public Interest: Disclosure is necessary to prevent serious harm or protect the welfare of a child or vulnerable person, in accordance with legal and ethical standards.

All disclosures must be documented, justified, and approved by the Council’s designated officer or legal advisor.

Article 6.        CONSENT AND DISCLOSURE

Section 6.1.        Informed Consent Requirements

The Council is committed to obtaining informed consent prior to collecting, using, or disclosing any personal or sensitive information. Informed consent is a foundational principle of ethical practice and legal compliance, particularly under the Data Protection Act, 2011.

Key requirements include:

  • Voluntariness: Consent must be given freely, without coercion or undue influence.
  • Clarity: Individuals must be clearly informed about the nature, purpose, and scope of the information being collected or disclosed.
  • Specificity: Consent must relate to a specific purpose and cannot be assumed for unrelated uses.
  • Documentation: Consent must be recorded in writing or electronically, and retained securely for audit purposes.
  • Right to Withdraw: Individuals may withdraw their consent at any time, and the Council must respect such withdrawal unless legally obligated to retain or disclose the information.

Special care must be taken when obtaining consent from minors or vulnerable persons. In such cases, consent must be obtained from a parent, legal guardian, or authorized representative, in accordance with the Children Act, 2012.

Section 6.2.        Disclosure under Legal Obligation

There are circumstances in which the Council is legally required to disclose confidential information, regardless of consent. These include:

  • Compliance with a court order or subpoena issued by a competent judicial authority.
  • Requests from law enforcement agencies under statutory authority.
  • Obligations under the Freedom of Information Act, 1999, where applicable and not exempted.
  • Mandatory reporting requirements under laws such as the Children Act, 2012 or Cybercrime Act, 2023.

In such cases, the Council will:

  • Verify the legitimacy and scope of the legal request.
  • Limit disclosure strictly to the information required.
  • Notify the affected individual(s) where legally permissible.
  • Document the disclosure process for accountability and audit purposes in accordance with the Council’s latest published version of the Operating Reserve Policy (MGREC-POL-OR-202503-01).

Section 6.3.        Exceptions to Confidentiality

While confidentiality is a core principle, there are limited and clearly defined exceptions where disclosure may be necessary without prior consent. These exceptions are grounded in law and public interest considerations.

  Subsection 6.3.1.        Court Orders and Legal Proceedings

The Council may be compelled to disclose confidential information in response to:

  • Court orders, subpoenas, or warrants issued by a judge or magistrate.
  • Legal proceedings in which the Council is a party or witness.
  • Investigations by statutory bodies, such as the Integrity Commission or the Financial Intelligence Unit.

In such instances, the Council will seek legal advice to ensure compliance while minimizing unnecessary exposure of sensitive information.

  Subsection 6.3.2.        Mandatory Reporting (Child Protection, Criminal Activity)

Under the Children Act, 2012, the Council has a legal obligation to report any suspected or confirmed cases of:

  • Child abuse, neglect, or exploitation.
  • Sexual offences involving minors.
  • Situations where a child is at risk of significant harm.

Additionally, under the Cybercrime Act, 2023 and other applicable laws, the Council must report:

  • Unauthorized access to or disclosure of personal data.
  • Suspected criminal activity involving Council systems or stakeholders.

Such reports must be made promptly to the appropriate authorities, including the Trinidad and Tobago Police Service, the Children’s Authority, or the Office of the Information Commissioner.

  Subsection 6.3.3.        Public Interest Exceptions

In rare and exceptional cases, the Council may disclose confidential information without consent if it is necessary to:

  • Prevent serious harm to an individual or the public (e.g., threats of violence, suicide, or public health risks).
  • Protect the life, health, or safety of a person in immediate danger.
  • Comply with ethical obligations in situations where non-disclosure would result in significant injustice or harm.

Such disclosures must be:

  • Justified by a clear and imminent risk.
  • Approved by the NPO Controllers or designated senior officers.
  • Documented with a rationale for the decision and the steps taken to mitigate harm.

Article 7.        BREACH OF CONFIDENTIALITY

Section 7.1.        Definition of Breach

A breach of confidentiality occurs when confidential information is accessed, disclosed, shared, altered, lost, or destroyed without proper authorization, whether intentionally or unintentionally. Breaches may involve physical documents, digital data, verbal communications, or any other medium through which sensitive information is handled.

Examples of breaches include:

  • Unauthorized sharing of student or staff records.
  • Loss or theft of devices containing confidential data.
  • Sending confidential emails to unintended recipients.
  • Discussing sensitive matters in public or unsecured environments.
  • Failing to report a known or suspected breach.

Breaches undermine trust, expose the Council to legal liability, and may cause harm to individuals or the organisation.

Section 7.2.        Reporting Procedures

All individuals associated with the Council have a duty to report suspected or actual breaches of confidentiality promptly. The following procedure must be followed:

  • Immediate Notification: The individual who discovers or suspects a breach must notify their supervisor or the designated Confidentiality Officer without delay.
  • Written Report: A written incident report must be submitted within 24 hours, detailing:
    • The nature of the breach
    • The type of information involved
    • The individuals affected
    • The date, time, and location of the incident
    • Any immediate actions taken
  • Escalation: The Confidentiality Officer will escalate the matter to the NPO Controllers and, where necessary, to legal counsel or relevant authorities.
  • Containment: Immediate steps will be taken to contain the breach and prevent further unauthorized access or disclosure.

All reports will be treated with discretion and without retaliation against the reporting party.

Section 7.3.        Investigation Process

Upon receipt of a breach report, the Council will initiate a formal investigation to determine the scope, cause, and impact of the incident. The process includes:

  • Preliminary Assessment: Conducted within 48 hours to determine whether a full investigation is warranted.
  • Fact-Finding: Collection of evidence, interviews with involved parties, and review of relevant records or systems.
  • Risk Assessment: Evaluation of the potential harm to individuals, the Council, and third parties.
  • Corrective Action Plan: Development of measures to mitigate harm, prevent recurrence, and improve controls.
  • Documentation: All findings and actions will be documented in an incident report and retained for audit purposes.
  • Notification: Affected individuals and, where required, regulatory bodies will be notified in accordance with applicable laws.

Investigations will be conducted impartially, confidentially, and in a timely manner.

Section 7.4.        Disciplinary Measures

If a breach is found to have occurred due to negligence, misconduct, or willful disregard of this policy, disciplinary action will be taken in accordance with the Council’s Human Resource and Volunteer Management Policies. Disciplinary measures may include:

  • Verbal or written warnings
  • Mandatory retraining on confidentiality protocols
  • Suspension or reassignment of duties
  • Termination of employment, volunteer service, or contractual engagement
  • Legal action where warranted

The severity of the disciplinary action will correspond to the nature, intent, and impact of the breach.

Section 7.5.        Legal Consequences under Trinidad and Tobago Law

Breaches of confidentiality may expose the Council and responsible individuals to legal consequences under the laws of Trinidad and Tobago, including but not limited to:

  • Data Protection Act, 2011: Unauthorized disclosure of personal data may result in civil penalties and enforcement actions by the Information Commissioner.
  • Children Act, 2012: Unlawful disclosure of information relating to minors may constitute a criminal offence.
  • Cybercrime Act, 2023: Unauthorized access to or interference with digital data may lead to prosecution, fines, and imprisonment.
  • Non-Profit Organisations Act, 2019: Failure to safeguard donor or beneficiary information may result in sanctions or deregistration.
  • Common Law: Individuals may pursue civil claims for breach of confidence, negligence, or defamation.

The Council will cooperate fully with legal authorities and regulatory bodies in the event of a breach and will take all necessary steps to protect the rights of affected individuals.

                                               Article 8.         TRAINING AND AWARENESS

Section 8.1.        Staff and Volunteer Training

All staff and volunteers of the Council are required to undergo structured confidentiality training as part of their onboarding process and at regular intervals thereafter.

  • The objectives of this training are to:
    • Ensure understanding of the Council’s Confidentiality Policy and related procedures.
    • Familiarize personnel with relevant laws, including the Data Protection Act, 2011, Children Act, 2012, and Cybercrime Act, 2023.
    • Equip individuals with practical skills for handling, storing, and transmitting confidential information securely.
    • Raise awareness of potential risks, including data breaches, social engineering, and improper disclosures.
    • Clarify reporting procedures in the event of a suspected or actual breach.
  • Training will be tailored to the roles and responsibilities of participants and may include:
    • Interactive workshops and scenario-based learning
    • E-learning modules and quizzes
    • Policy handbooks and quick-reference guides
    • Annual refresher sessions and compliance assessments

Attendance and completion of training will be documented and monitored by the Human Resources Department.

Section 8.2.        Board Orientation

Executive Board Members are entrusted with high-level strategic and sensitive information. As such, they will receive a dedicated orientation session upon appointment, which includes:

  • A comprehensive briefing on the Confidentiality Policy and legal obligations under Trinidad and Tobago law.
  • Review of fiduciary duties and ethical responsibilities related to information governance.
  • Guidance on managing confidential discussions, documents, and digital communications.
  • Signing of the Board Member Confidentiality Agreement.
  • Overview of the Council’s risk management and data protection frameworks.

Periodic updates will be provided to Board Members to reflect changes in legislation, policy, or emerging risks.

Section 8.3.        Ongoing Awareness Campaigns

To reinforce a culture of confidentiality, the Council will implement continuous awareness initiatives, including:

  • Monthly bulletins or newsletters highlighting best practices, recent incidents, and policy updates.
  • Confidentiality Week or themed campaigns to engage staff and volunteers through activities, quizzes, and guest speakers.
  • Visual reminders such as posters, infographics, and digital signage in offices and shared spaces.
  • Confidentiality Champions within departments to serve as peer educators and first points of contact.
  • Feedback mechanisms to gather suggestions and concerns related to information security and confidentiality.

These campaigns aim to keep confidentiality top-of-mind and foster proactive compliance across all levels of the organisation.

Section 8.4.        Confidentiality in Digital Communication

Given the Council’s increasing reliance on digital platforms, all personnel must adhere to strict protocols when communicating electronically, in accordance with the latest published versions of the Council’s Data Privacy Policy (MGREC-POL-PRIV-202503-01) and Internal Controls Policy (MGREC-POL-ICP-202503-01). Key expectations include:

  • Use of Council-authorized email accounts for all official correspondence.
  • Encryption of sensitive documents and use of password protection when transmitting confidential files.
  • Avoidance of public Wi-Fi or unsecured networks when accessing Council systems.
  • Regular updates to passwords and use of multi-factor authentication.
  • Prohibition on sharing confidential information via personal messaging apps or social media platforms.
  • Use of secure cloud storage and collaboration tools approved by the Council’s IT team.
  • Immediate reporting of suspicious emails or cyber threats to the designated IT or cybersecurity officer.

Training on digital confidentiality will be integrated into all staff and volunteer development programmes and updated in response to evolving cyber threats.

                                          Article 9.         MONITORING AND COMPLIANCE

Section 9.1.        Internal Audits

The Council shall conduct periodic internal audits to assess the effectiveness of its confidentiality practices and ensure adherence to this policy and to the latest published versions of the Council’s Operating Reserve Policy (MGREC-POL-OR-202503-01), Procurement Policy (MGREC-POL-PROC-202503-01), and Internal Controls Policy (MGREC-POL-ICP-202503-01). These audits will be coordinated by the designated Compliance Officer or an appointed internal audit team and will include:

  • Review of access logs for physical and digital records.
  • Evaluation of data handling procedures across departments.
  • Verification of staff and volunteer compliance with confidentiality agreements and training requirements.
  • Assessment of breach reporting mechanisms and incident response records.
  • Testing of cybersecurity controls and data protection measures.

Audit findings will be documented in a formal report, presented to the Executive Board, and used to inform corrective actions and policy updates.

Section 9.2.        Compliance with National Laws

The Council is legally obligated to comply with all applicable laws of the Republic of Trinidad and Tobago that govern confidentiality, data protection, and information security. These include, but are not limited to:

  • Data Protection Act, 2011 – governing the collection, processing, and disclosure of personal data.
  • Children Act, 2012 – protecting the identity and welfare of minors.
  • Cybercrime Act, 2023 – addressing unauthorized access, data breaches, and digital threats.
  • Non-Profit Organisations Act, 2019 – mandating internal controls and responsible data stewardship.
  • Freedom of Information Act, 1999 – balancing transparency with the protection of sensitive information.

The Council will monitor legislative developments and ensure that its policies and practices are updated to reflect any amendments or new legal requirements. Legal counsel may be consulted to interpret complex provisions and ensure full compliance.

Section 9.3.        External Oversight and Reporting

As a registered non-profit organisation, the Council is subject to oversight by regulatory and funding bodies. To maintain transparency and accountability, the Council will:

  • Cooperate fully with external audits conducted by government agencies, donors, or independent assessors.
  • Submit required reports on data protection, financial management, and governance as mandated by law or funding agreements.
  • Disclose breaches or incidents to relevant authorities, such as the Office of the Information Commissioner, the Children’s Authority, or the Financial Intelligence Unit, where legally required.
  • Respond promptly to external inquiries related to confidentiality, privacy, or data handling practices in accordance with the Council’s Data Privacy Policy (MGREC-POL-PRIV-202503-01).

The Council will maintain detailed records of all external reviews and ensure that recommendations are addressed in a timely and transparent manner.

Section 9.4.        Continuous Improvement

The Council is committed to fostering a culture of continuous improvement in its confidentiality and data protection practices. This includes:

  • Regular policy reviews (at least annually) to ensure relevance and effectiveness.
  • Stakeholder feedback mechanisms to identify gaps, concerns, or suggestions for enhancement.
  • Benchmarking against national and international standards, such as ISO/IEC 27001 and GDPR principles.
  • Investment in technology and training to strengthen information security infrastructure.
  • Incorporation of lessons learned from audits, breaches, and external reviews into future planning.

By embedding continuous improvement into its operational ethos, the Council ensures that confidentiality remains a living, evolving priority across all levels of the organisation.

                                                 Article 10.         POLICY ADMINISTRATION

Section 10.1.        Review and Amendment Procedures

To ensure continued relevance, legal compliance, and operational effectiveness, this Confidentiality Policy shall be reviewed on an annual basis or more frequently if required by changes in law, organisational structure, or operational needs.

The review process shall include:

  • Initiation by the Compliance Officer or NPO Controllers, who will coordinate the review timeline.
  • Consultation with key stakeholders, including Board Members, staff representatives, legal advisors, and programme leads.
  • Assessment of recent incidents, audit findings, and legislative updates to identify areas for improvement.
  • Drafting of proposed amendments, which must be clearly documented and justified.
  • Presentation of revisions to the Executive Board for discussion and approval.

All amendments shall be recorded in a version control log and communicated promptly to all affected parties. Updated versions will supersede previous iterations and be made accessible via the Council’s internal platforms.

Section 10.2.        Approval and Adoption by the Council

This Confidentiality Policy, including any subsequent amendments, shall be formally approved by the Executive Board of the Mayaro/Guayaguayare/Rio Claro Education Council.

The approval process includes:

  • Review of the final draft by the NPO Controllers, Executive Board’s Governance or Management Subcommittee.
  • Board resolution to adopt the policy during a duly convened meeting.
  • Recording of the approval date and resolution number in the official minutes.
  • Circulation of the adopted policy to all staff, volunteers, and relevant stakeholders.

The policy becomes binding upon formal adoption and must be implemented in full by all individuals and entities associated with the Council.

Section 10.3.        Effective Date and Duration

This Confidentiality Policy shall take effect on the date of its formal adoption by the Executive Board and shall remain in force until it is amended, replaced, or repealed.

  • Effective Date: 05th March, 2025
  • Review Cycle: Annually, or as required by legal or operational developments
  • Supersession: This version supersedes all previous confidentiality-related policies or guidelines issued by the Council.

All personnel are required to comply with the current version of the policy and will be notified of any changes in a timely manner.

Section 10.4.        Contact Information for Queries

For questions, clarifications, or concerns regarding this Confidentiality Policy, individuals may contact the designated officer as follows:

Confidentiality and Compliance Officer
Mayaro/Guayaguayare/Rio Claro Education Council
bpTT Mayaro Resource Centre
Phone: 1 (868) 284-3316
Email: info@mgrectt.com
Office Hours: Monday to Friday, 8:00 AM – 4:00 PM AST

Alternatively, queries may be directed to the NPO Controllers or submitted through the Council’s internal feedback and reporting channels.
