Policies

Confidentiality Policy

Version: 2
Date effective from: 16 May, 2023

The Responsible Jewellery Council (the “Council”) is committed to the highest standards of information security and treats confidentiality and data security extremely seriously in order to protect the privacy of its members, employees, auditors, non-industry committee members, other stakeholders and the integrity of the Council. Confidentiality is one of the key principles underpinning the RJC’s activities, and is central to the trust between the Council and its stakeholders.

The purpose of this Confidentiality Policy is to lay down the principles that must be observed by all who work at, or with the Council, and have access to confidential information including personal information. This policy supplements the RJC’s Privacy Notice and Anti-Trust Policy.

This policy was approved by:
David Bouffard Melanie Grant
RJC Chairman RJC Executive Director

Scope of this policy

This policy applies to all staff, including directors, officers, committee members, contractors, interns, volunteers, apprentices and consultants, who must be familiar with this policy and comply with its terms.

The information covered by this policy includes all written, spoken and electronic information held, used or transmitted by or on behalf of the Council, in whatever media. This includes information held on computer systems, removable storage devices for example CD/DVD or USB sticks, hand-held devices, phones, paper records.

Definitions

The Council information covered by this policy may include:

personal information relating to staff, members, directors and committee members, auditors, consultants and suppliers;
other business information; and
confidential information.

For the purposes of this Policy:

Business information	means business-related information other than personal information regarding members, clients, suppliers and other business contacts of the Council;
Confidential information	means trade secrets or other confidential information (either belonging to the Council or to third parties) that is collected, processed and/or stored by the Council and includes: Commercially sensitive information as defined by the Antitrust Policy Statement; Members’ Annual Relevant Sales; Dues paid by members; Members certification coverage (number of employees and full address of the facilities covered by certification); Members full audit reports; Oversight assessment reports (member company name and details of the RJC witnessed audit); Refiners’ mine of origin data, except when member consent for data sharing has been obtained; Information collected about member performance for the purpose of monitoring and evaluation; Information about member management systems, performance and certification collected by way of surveys or during in-house or external research; Information submitted or gathered in connection with the investigation of a complaint under the Council’s Complaint’s Mechanism or under the Whistleblower Policy; Information related to disciplinary proceedings against members or auditors; Information covered by confidentiality agreements; Personnel records of Council employees or any other information of a personal nature; Any other information that is provided in confidence, or would be reasonably considered to be confidential based on generally accepted ethical and business practice;
Personal information	(sometimes known as personal data) means information relating to an individual who can be identified (directly or indirectly) from that information;
Sensitive personal information	(sometimes known as ‘special categories of personal data’ or ‘sensitive personal data’) means personal information about an individual’s race, ethnic origin, political opinions, religious or philosophical beliefs, trade union membership (or non-membership), genetic information, biometric information (where used to identify an individual) and information concerning an individual’s health, sex life or sexual orientation.

Principles of this policy

This policy covers confidential information relating to the Council’s activities. It is based on the premise that all such information should be treated as confidential and on the principles described below:

Confidential information is subject to a legal duty of confidence. In addition to the requirement of their contractual responsibilities, all employees working for the Council are bound by a legal duty of confidence to protect confidential and personal information they may come into contact with during the course of their work as per the Common Law Duty of Confidentiality and General Data Protection Regulation 2018 (GDPR).
All confidential information is to be treated as commercially valuable and protected from loss, theft, misuse or inappropriate access or disclosure.
Confidential information, and sensitive personal information, must be protected against unauthorised and/or unlawful processing and against accidental loss, destruction or damage, by the use of appropriate technical and organisational measures.
Confidential information is disclosed to colleagues and other professionals/agencies on a need to know basis, when there is a clear, legitimate reason for doing so.
Confidential information must be used only in connection with work being carried out for the Council and not for other commercial or personal purposes.
Confidential information must be used only for the specified, explicit and legitimate purposes for which it is collected.
In addition, all information collected, used and stored by the Council must be:
- adequate, relevant and limited to what is necessary for the relevant purposes; and
- kept accurate and up to date;
Personal information must be processed in accordance with the Council’s privacy policy and all other relevant policies. In relation to personal information, under Regulation (EU) 2016/679, General Data Protection Regulation (GDPR), the Council must:
- use technical or organisational measures to ensure personal information is kept secure, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage;
- implement appropriate technical and organisational measures to demonstrate that it has considered and integrated data compliance measures into the Council’s data processing activities; and
- be able to demonstrate that it has used or implemented such measures.
The Council will take appropriate technical and organisational measures to ensure that confidential and personal information is kept secure and protected against unauthorised or unlawful processing, and against accidental loss, destruction or damage.
Where the Council uses third parties to perform its activities, confidential information may be shared with them as required. In these cases, the same standards of confidentiality will apply.

Retention period

Confidential information will be stored in accordance with legal requirements or, where there is no such legal requirement, for an appropriate period of time commensurate with the requirements related to the performance of the Council’s activities.

Application

Information security is the responsibility of all staff. The Council’s IT Operations Manager (in collaboration with the Council’s Data Protection Officer as applicable) is responsible for:

monitoring and implementing this policy;
monitoring potential and actual security breaches;
ensuring that staff and concerned parties are aware of their responsibilities; and
ensuring compliance with the requirements of Regulation (EU) 2016/679, GDPR and other relevant legislation and guidance.

Breach of this policy

The Council takes compliance with this policy very seriously. Failure to comply with it puts both staff and the Council at significant risk. The importance of this policy means that failure to comply with any requirement of it may lead to disciplinary action, which may result in dismissal or termination of the contract in the case of consultants and other third parties.

Review

The Council will review and update this policy from time to time.