It’s an unfortunate reality for business owners that employees are a potential source of commercial risk.
While it’s rare that a breach of confidentiality at work will occur intentionally, even an honest mistake can result in severe consequences.
This makes it business-critical to take certain measures to protect your commercial interests, such as using confidentiality clauses in employment contracts and having effective confidentiality policies and procedures in place.
In this guide for employers, we discuss the potential threats presented by breaches of confidentiality in the workplace and the measures employers can take to help mitigate these risks.
Why is confidentiality at work important?
Confidentiality laws work to protect information that is shared on the basis it will remain private property. An agreement doesn’t need to be signed for this law to apply, although companies will usually include a confidentiality clause in employment and client contracts.
Workplace confidentiality refers to any confidential information that you come across in the course of business. The information could relate to proprietary information, employee information collected by their employer or personal information of clients and customers captured through the course of business.
In this article, we focus on commercially-sensitive proprietary information, although employers also have to ensure compliance in respect of personal information under the GDPR.
In the UK, the general public is also protected by the General Data Protection Regulation – more commonly known as ‘GDPR’. The implementation of these regulations means that any business using personal data is responsible for using the information lawfully, transparently and securely. Failing to adhere to these laws and regulations can result in fines and legal action.
What is confidential information?
For information to be considered ‘confidential,’ the owner must believe it would be detrimental to them for it to be leaked, that the information is not already in the public domain, there is no consent to share it, or it is marked as confidential in some way. Examples of confidential information could include:
- Existing and prospective activities of the business, e.g.:
  - Business plans
  - Financial information
- Existing and prospective customers
- Customer lists
- Existing and prospective suppliers
- Existing and prospective marketing information, e.g.:
  - Plans
  - Strategies
  - Tactics
  - Timing
- Research and development activities
- Any information given to the employer or employee in confidence by:
  - Customers
  - Suppliers
  - Employees
  - Other business contacts
Consequences of a confidentiality breach
Regardless of whether sensitive information has been intentionally leaked or unintentionally or negligently shared, the implications of a confidentiality breach can be hugely damaging and costly.
As a business, a breach of confidentiality could result in sizeable compensation pay-outs or legal action, depending on the scale of the breach.
Beyond the financial implications, it can be incredibly damaging to the company’s reputation and existing relationships. If it becomes public knowledge that private information was shared without consent or you experience a data breach, you could lose trust not only from your existing clients but from prospective ones too. Recovering from a data breach can be costly and takes a strong PR strategy to get back on track.
For example, if an employee left their work laptop on a train, any sensitive information stored on it is then available for somebody else’s viewing pleasure. Or it could even be something as simple as sending a private email to the wrong person.
As an employee, the consequences of breaking confidentiality agreements could lead to termination of employment. In more serious cases, they can even face a civil claim, if a third party involved decides to press charges for the implications experienced from the breach.
Preventing breaches of confidential information in the workplace
Employers should take steps to support confidentiality in the workplace and manage the risk of breaches.
Confidentiality clauses in employment contracts
Confidentiality clauses or agreements should be included within employment contracts. This should be read and signed by all new starters, to confirm they legally agree to keep confidential information private. It’s important for them to understand why it’s essential to protect private data and what the procedures are for keeping information safe.
Non-disclosure, or confidentiality agreements, have become very popular and are commonplace in most larger companies. Some of the most popular clauses include:
- Employees cannot discuss certain trade secrets with anyone, including their families
- Employees cannot work for a competitor brand for a specified time after leaving their current position
- Concepts produced while in their position will be the property of the company
Employees could risk termination of their contracts, or even claims made by their employer if any part of their non-disclosure contract is breached.
Confidentiality clauses should be reviewed regularly and adapted to suit the changing needs of the business. Boilerplate, one-size-fits-all text rarely works or provides the required protection.
If the employer wants to amend an existing employment agreement to deal with, for example, confidential information in detail, it will need the employee’s written consent.
If an employee withholds consent to the change to his employment agreement unreasonably there may be grounds for dismissal.
Non-Disclosure Agreements/ Confidentiality Agreements
Confidential information can sometimes make its way outside of the workplace – so you want to make sure you’re protected from that too.
Even though you may not be formally engaging with someone as an employee or contractor, you might still be sharing business information through commercial discussions.
For example, an investor may be interested in your business or a contractor may be undertaking work for you.
This could involve a series of discussions where you might be disclosing lots of confidential business information to make your business look good – from your financial data to clientele and sales strategy.
If this is the case, it is always a good idea to have a Non-Disclosure Agreement (NDA), or a Confidentiality Agreement, to make sure that investor doesn’t use or share that confidential information anywhere else.
Confidentiality policies
It’s important that employees understand their roles, responsibilities and obligations. A well-drafted confidentiality policy can help ensure your workplace guidelines are consistent and practical. This should be supported by adequate training for employees, for example highlighting how social media and gossiping may lead to confidentiality breaches.
While it may seem like common sense not to share private documents with third parties, it’s all too easy to let one’s guard down during casual conversations or on social media. Gossiping about a co-worker interviewing for a rival company or repeating something that another person said about their boss – these are both examples of sharing information you were told in confidence.
IP Assignment Deeds
This is a type of legal document that completely transfers ownership of any intellectual property (IP) created by one person to another person. IP is key to the success of many businesses – and making sure that your IP is protected also makes sure that your business is protected.
In business, having this legal contract will make sure that any employees, shareholders or contractors who access or contribute to any intellectual property made within the course of your business will therefore assign that IP right back to you. For example, if you hire a contractor to help create your company logo, you want to make sure that company logo belongs to your company. Otherwise, that contractor will have every right to resell and distribute that logo to other businesses. Under an IP Assignment Deed, that contractor will assign all rights of the logo to your company, so that only you and your company have an exclusive right to use it.
Insurance & indemnity
Having professional indemnity cover and cyber and data risk cover as part of your business insurance policy can help to cover costs incurred in the event of a confidentiality breach.
Security & tech
In today’s world, technology has made it easier to access sensitive and confidential information within a business. This means it’s critical to have security and procedures in place to effectively protect your company from the potential consequences of confidentiality breaches.
Examples include encrypting files and databases with passwords, using a secure storage platform that prohibits outside access or potential security threats, and using systems that restrict access and permissions to certain information and documents within your business. This helps to manage and restrict who can access commercially-sensitive and confidential information, and also promotes a workplace culture of confidentiality. For example, you could restrict all the accounts and financial data of your business to the specific people who work with this information directly. This prevents other workers from accidentally (or intentionally) stumbling across this sensitive information, which may invite bias, discrimination and criticism.
Does a departing employee have a duty of confidentiality?
Can an employer deter an employee and new employer from using its confidential information? Unfortunately, without express written agreement from the former employee, the employer can be in difficulty.
It is an implied term of employment that, whilst employed and afterwards, an employee must not:
- Disclose to third parties the employer’s confidential information and trade secrets, if obtained during, and as a result of, the employment;
- Use the employer’s confidential information for their own purposes.
Employers should draw attention to this implied duty of confidentiality during employment, through training and workplace policies. To reduce risk, emphasise this contractual duty post-termination.
Once employment ends, however, the implied duty of confidentiality survives only to protect genuine trade secrets.
Relying on an implied duty does not put the employer in as good a position as relying on an express duty. Reliance on an implied duty is very limiting for employers in practice. There will be resistance from the employee as to what is covered and what is not. A number of important clauses such as not to copy client databases and use them are not automatically implied into any employment agreement.
It is best practice for employers to define ‘confidential information’ sufficiently widely in the contract of employment to include everything your employees may create or access whilst employed.
A contract term requiring an employee to delete and return confidential information is usually enforceable. Courts do order the destruction of confidential information on an ex-employee’s work and personal electronic devices. If necessary, the court order could stretch to their new employer’s devices.
Absence of clause in employment contract
In practice, it can be difficult to control the deletion of confidential information if there is no express agreement. Employers can expect employees to resist interference with their personal devices unless the employer has reserved the ability.
Settlement agreement
Employers can restate confidentiality obligations in a settlement agreement. This is useful if the employment contract was wrong, or the employer wishes to enhance the original obligations.
To be legally effective, if you restate the obligations then the ex-employee should receive payment in return. The payment for the re-stated obligations is taxable under PAYE. There is often little guidance as to the re-stated obligation’s taxable value.
Need Assistance?
As business employment lawyers, we advise employers on the effective use of confidentiality terms and agreements within employment contracts. Taking a proactive approach to managing the risk of confidentiality breaches is the best way to protect your commercial interests by deterring breaches and providing you with access to remedies in the event you are the victim of a breach. For specialist advice, contact us.
Confidentiality at Work FAQs
What constitutes a breach of confidentiality in the workplace?
A breach of confidentiality occurs when sensitive or private information is disclosed without proper authorisation. This could include sharing employee personal details, company trade secrets, or confidential business information with unauthorised parties.
Can an employer be held liable for a confidentiality breach?
Employers can be held liable if they fail to implement adequate measures to protect confidential information. This includes ensuring that employees are trained on confidentiality protocols and that data is stored securely in compliance with GDPR and the Data Protection Act 2018.
What should an employee do if they suspect a confidentiality breach?
Employees should report any suspected breaches to their line manager or the HR department immediately. It is important to follow the company’s internal procedures to ensure the matter is handled properly and in accordance with legal requirements.
Is it necessary to include confidentiality clauses in employment contracts?
Including confidentiality clauses in employment contracts is highly recommended. These clauses explicitly outline the expectations and obligations of employees regarding the handling of sensitive information, and they provide legal recourse in case of a breach.
How can confidentiality be maintained in a remote working environment?
To maintain confidentiality while working remotely, employers should implement secure communication channels, ensure that employees use company-approved devices, and provide training on best practices for handling sensitive information outside the office.
What are the potential consequences for employees who breach confidentiality?
Consequences for employees who breach confidentiality can range from disciplinary actions, such as warnings or demotion, to dismissal for gross misconduct. In some cases, legal action may also be taken against the employee.
How does GDPR affect workplace confidentiality?
GDPR imposes strict rules on how personal data must be handled, requiring employers to ensure that all employee data is processed lawfully, kept secure, and only accessed by authorised personnel. Non-compliance with GDPR can result in significant fines and legal consequences.
Can confidential information be shared with third parties?
Confidential information can only be shared with third parties if there is a legitimate business reason, and if the third party is bound by confidentiality agreements or legal obligations to protect the information. Employers must ensure that any sharing of information complies with GDPR and other relevant laws.
What steps can employers take to prevent confidentiality breaches?
Employers can prevent breaches by conducting regular training sessions, implementing strict access controls, using secure data storage systems, and ensuring that all employees are aware of their confidentiality obligations. Regular audits and reviews of confidentiality practices can also help identify potential risks.
Glossary
Term | Definition |
---|---|
Confidentiality | The obligation to protect private or sensitive information from unauthorised disclosure, particularly in a workplace setting. |
GDPR (General Data Protection Regulation) | A regulation in EU law on data protection and privacy that applies to the handling of personal data within the European Union and the European Economic Area. |
Data Protection Act 2018 | The UK law that complements the GDPR, providing a legal framework for data protection and ensuring the privacy of individuals’ personal data in the UK. |
Confidentiality Clause | A provision in an employment contract that outlines the obligations of employees to maintain the confidentiality of sensitive information. |
Breach of Confidentiality | The unauthorised disclosure or sharing of private or sensitive information, which can have legal and professional consequences. |
Access Control | Mechanisms and processes that restrict access to confidential information, ensuring that only authorised individuals can view or handle it. |
Remote Working | The practice of working from a location other than the traditional office, often requiring additional measures to maintain confidentiality. |
Disciplinary Action | A response by an employer to an employee’s misconduct, which may include warnings, demotion, or termination, particularly in cases of confidentiality breaches. |
Trade Secrets | Confidential business information that provides a company with a competitive edge, often protected by law from disclosure. |
Secure Data Handling | The practice of managing, storing, and transmitting data in a way that protects it from unauthorised access or breaches. |
Legal Recourse | The right to seek legal action or remedy, often in response to breaches of confidentiality or other contractual obligations. |
Employee Training | The process of educating employees on their responsibilities and best practices regarding confidentiality and data protection. |
Sensitive Information | Data that is private or confidential, including personal details, financial records, or proprietary business information, which requires protection from disclosure. |
Third Parties | External entities or individuals who are not directly employed by the company but may have access to confidential information under certain conditions. |
Author
Founder and Managing Director Anne Morris is a fully qualified solicitor and trusted adviser to large corporates through to SMEs, providing strategic immigration and global mobility advice to support employers with UK operations to meet their workforce needs through corporate immigration.
She is recognised by Legal 500 and Chambers as a legal expert and delivers Board-level advice on business migration and compliance risk management as well as overseeing the firm’s development of new client propositions and delivery of cost and time efficient processing of applications.
Anne is an active public speaker, immigration commentator, and immigration policy contributor and regularly hosts training sessions for employers and HR professionals.
- Anne Morris: https://www.davidsonmorris.com/author/anne/