Technical Competency
Confidentiality and Information Protection
Performance Review
Often performance reviews will be founded both on a job description or Terms of Reference (see the Anchoring section for suggestions) and on annual work plans or objectives (which can include soft skills or values). It is important that concrete criteria and expectations are set. Here is a reminder of the job description/Terms of Reference provisions suggested for this competency:
“Assess information risks (including evaluating contextual factors) and determine appropriate risk mitigation and protection measures to adequately address those risks in all relevant contexts.”
“Maintain strict confidentiality and safeguards survivor data in line with ethical and legal standards.”
“Develop protocols to inform approach to national laws which limit confidentiality or may allow access to information and when not to collect information if it cannot be handled confidentially.”
“Apply data minimisation principles: collect and retain only the information necessary for programme delivery, monitoring, and reporting.”
“Contact and communicate with survivors remotely or in person to uphold confidentiality, privacy and discretion.
“Maintain confidential and secure communications.”
“Ensure clear, accurate and updated record and tracking of informed consent related to survivor information.”
These could be incorporated into an annual plan or review using the Deep Dive table and a scale such as:
Exceeds Expectations: anticipates information risks and updates protocols regularly; models unwavering commitment and good practice in all forms of confidential communication including proactively using advanced secure methods (e.g. encryption, access controls), trains peers, and spots vulnerabilities before they become issues; intervenes and proactively catalyses team reflection and changes in light of any potential breaches or risks; analyses complex legal/policy environments, develops clear SOPs or guidance for colleagues and advises management on when not to collect data; maintains meticulous, survivor-centred consent records and ensures informed consent is refreshed when contexts change; supports team with tools/templates.
Meets Expectations: consistently maintains confidentiality and follows required procedures for safeguarding survivor data; consistently identifies key risks and applies appropriate standard mitigation measures aligned with organisational policy, adjusts to context when prompted; understands applicable laws and organisational standards, follows established protocols, and seeks guidance when unclear; collects and retains only information necessary for programme delivery, monitoring, and reporting (and based on survivor consent); keeps accurate and updated records of informed consent as per organisational standards. (See relevant Deep Dive columns.)
Needs Improvement: misses or underestimates important information risks; applies generic mitigation without contextualisation or individualisation for survivors; shares sensitive information inappropriately or careless about security of information/confidentiality risks; collects any data they can obtain without consideration of relevance, consent or other confidentiality implications; does not take or retain consent records which would allow consultation before sharing or use of information. (See relevant Deep Dive columns.)
You can choose to focus on specific aspects or tailor the expected behaviours specifically to the job or tasks and include these more specific expectations in an annual work plan or job description.
It is important to include free-narrative boxes for evidence-based assessment and explanations both for a person’s own self-assessment of their work, and for the line-manager’s/supervisor’s constructive comments.