In essence and put simply it is information which parties to a contract or arrangement require not to be made public or disclosed to third parties. It is clear that, as stated, the aforementioned definition is very broad and in reality varies from business to business. For instance the following information and data can be classified as confidential;
- Business plans.
- Technical data.
- Financial and accounting data.
- Information regarding customers/clients.
- Information on products including designs, drawings or development plans.
- Information relating to marketing.
- Information relating to presentations.
- Information relating to methodologies, know-how and procedures utilised in the business.
- Information relating to suppliers and/or other third parties.
- Information regarding other employees.
The ability of employees to access confidential information and potentially release said information to third parties is an issue which has been quite topical over the past two months largely due to the case concerning the ex-Nama employee which came before the High Court in September this year. The aforementioned case concerned an ex-Nama employee who during his employment with Nama accessed confidential and commercially sensitive information and allegedly sent it via e-mail to his wife and third parties involved in property management and investment. The aforementioned information allegedly included a master spreadsheet of all loans acquired by Nama and all properties acquired as security for the loans along with a specific asset disposal strategy in relation to certain Nama debtors and was thus clearly of a highly confidential nature and the financial implications of its disclosure were clearly very serious for Nama. Nama were granted an injunction by the High Court compelling the ex-employee involved to hand over all documents, communications and materials containing confidential information relating to the agency. The aforementioned case clearly shows the very serious and constant concerns that exist for employers whose employees have access to confidential information. The fact is that the release of such confidential information can have very serious financial, public relations and business repercussions.
The concerns and potential dangers that exist for employers whose employees have access to confidential information have increased greatly over the past number of years with the onset of the social media era. This is due to the fact that there is the potential that employees can divulge confidential information on a social media site, resulting in the damage caused to the business being exponentially greater than it would have been previously. Businesses risk employees or web-users intentionally or unintentionally revealing confidential information or broadcasting negative remarks to the entire worldwide web. The fact is that once something is posted to a social media site there is the potential that it will become viral within minutes and thus there can be very serious repercussions which are very difficult to reverse. An example of confidential information being leaked through the use of social media was given in 2010 when a Royal Dutch Shell employee leaked, to a blogger who was critical of the company, highly-confidential personal information about thousands of Royal Dutch Shell employees who worked in dangerous parts of the world. This exposed the company to significant social and media criticism and obviously had serious public relations and business repercussions.
In light of the foregoing it is clear that employers must take appropriate steps to ensure that their potential exposure to the release of confidential information by employees is kept at a minimum. In particular the following steps should be taken;
One of the best ways to ensure confidentiality is restrict access to confidential information. Only employees with a legitimate “need to know” should have access to confidential information. For example, only certain sales staff should have access to customer files; only human resources and appropriate managers should see employee files.
It should be ensured that confidential information is treated as such as if a business doesn’t treat it as confidential it is unlikely that a court will. Accordingly confidential documents or files should be marked “confidential,” and treated that way (i.e., by keeping them under lock and key or passwording computer files to regulate limited access).
A confidentiality policy which puts staff on notice that information is in fact confidential and should not be distributed outside of the business or used other than in the course of employment should be included in the company handbook. This policy should set out in broad terms what constitutes confidential information – ie business information, client or customer information, employee information, etc. The aforementioned policy should also include an express provision that prohibits employees from posting business information on the internet via social media sites, etc. The employers social media policy and disciplinary policy should also make express reference to the fact that divulging confidential information will result in disciplinary action being taken.
It may be necessary to get certain employees to sign a confidentiality or non-disclosure agreement at the commencement of their employment. In essence such an agreement prohibits an employee from divulging secret or protected information disclosed during employment or other business transactions. In the event that the agreement is breached the business, as per the terms of said agreement, will have the power to go to Court to seek an Order to enforce same or sue for damages as a result of the breach.
As was recently exemplified in the Nama case, as referenced above, the internet makes it easy for information to escape as confidential information can simply be emailed to another or to oneself at home. However, employers can (and should) monitor their employee computer and email usage to check what employees have on their work computers and what they send and to whom from their work email. Monitoring employee’s communications can help avoid careless, as well as deliberate, release of confidential information. However employees must be put on notice that they are being monitored as the monitoring of their email or internet access involves the processing of personal data and, as such, data protection law applies to such processing. In order to ensure that they are compliant with the Data Protection Acts 1988-2003, employers must ensure that any monitoring of an employees e-mail and internet policy is proportionate to the likely damage to the employers legitimate interests. Also an acceptable usage policy should be adopted reflecting this balance and employees should be notified of the nature, extent and purposes of the monitoring specified in the policy.
It is readily apparent from all of the above, that employees ability to access confidential information is an issue which has the potential to cause a myriad of problems for employers. However and as outlined above, employers can minimise the occurrence of these problems by implementing appropriate procedures and policies.