With today’s increasingly litigious and highly competitive workplace, confidentiality is important for a host of reasons. Failure to properly secure and protect confidential business information can lead to the loss of business or clients. In the wrong hands, confidential information can be misused to commit illegal activity e.g fraud or discrimination, which can in turn result in costly lawsuits for the employer. Many countries have laws protecting the confidentiality of certain information in the workplace. The disclosure of sensitive employee and management information can lead to a loss of employee trust, confidence and loyalty. This will almost always result in a loss of productivity.
Confidential workplace information can generally be broken down into three categories: employee information, management information, and business information. Confidential management information includes discussions about employee relations issues, disciplinary actions, impending layoffs/reductions-in-force, terminations, workplace investigations of employee misconduct, etc. While disclosure of this information isn’t necessarily “illegal,” it is almost always counterproductive and can seriously damage the collective “psyche” of a workplace.
Employee Information: Many states have laws which govern the confidentiality and disposal of “personal identifying information” e.g an employee’s Social Security number, home address or telephone number, e-mail address, Internet identification name or password, parent’s surname prior to marriage or driver’s license number.
Confidential business information / proprietary information or trade secrets refers to information that’s not generally known to the public and would not ordinarily be available to competitors except via illegal or improper means. Common examples of “trade secrets” include manufacturing processes and methods, business plans, financial data, budgets and forecasts, computer programs and data compilation, client/customer lists, ingredient formulas and recipes, membership or employee lists, supplier lists, etc. “Trade secrets” does not include information that a company voluntarily gives to potential customers, posts on its website, or otherwise freely provides to others outside of the company.
Develop written confidentiality policies and procedures: Every business or organization should have a written confidentiality policy typically in its employee handbook describing both the type of information considered confidential and the procedures employees must follow for protecting confidential information. At the very least, we recommend employers adopt the following procedures for protecting confidential information:
- Separate folders should be kept for both form I-9s and employee medical information.
- All confidential documents should be stored in locked file cabinets or rooms accessible only to those who have a business “need-to-know.”
- All electronic confidential information should be protected via firewalls, encryption and passwords.
- Employees should clear their desks of any confidential information before going home at the end of the day.
- Employees should refrain from leaving confidential information visible on their computer monitors when they leave their work stations.
- All confidential information, whether contained on written documents or electronically, should be marked as “confidential.”
- All confidential information should be disposed of properly e.g., employees should not print out a confidential document and then throw it away without shredding it first.
- Employees should refrain from discussing confidential information in public places.
- Employees should avoid using e-mail to transmit certain sensitive or controversial information.
- Limit the acquisition of confidential client data e.g., social security numbers, bank accounts, or driver’s license numbers unless it is integral to the business transaction and restrict access on a “need-to-know’ basis.
- Before disposing of an old computer, use software programs to wipe out the data contained on the computer or have the hard drive destroyed.
A confidentiality policy should also describe the level of privacy employees can expect relating to their own personal property e.g., “for your own protection, do not leave valuable personal property at work and do not leave personal items — especially your purse, briefcase or wallet unattended while you are at work” and personal information e.g., “your medical records are kept in a separate file and are kept confidential as required by law”.
Finally, train management and employees on confidentiality policy: Oftentimes, simply having a written confidentiality policy is not enough. In order for the confidentiality policy to be effective, managers, supervisors and employees must be educated on confidentiality issues and the company’s policies and procedures. Management and employees should be allowed an opportunity to ask questions about the policies, and everyone should be trained to avoid putting sensitive information in e-mails. Many companies and organizations include this training as part of the new-hire/orientation process.
Management should also be instructed as to the proper way of communicating with the company’s inside and outside counsel so as to ensure that certain work-related documents and e-mails are protected by the attorney-client privilege. This is one of the most important steps a business or organization can take to protect its confidential information, and unfortunately, it’s oftentimes the one step that is ignored. All the policies, procedures and training in the world will not matter if those policies and procedures are not enforced. In order for a confidentiality policy to have “teeth,” employees who violate the policy must be disciplined in accordance with an employer’s corrective action procedures.
“Non-Disclosure” Agreements or proprietary information agreement.” are contracts designed to protect the confidential “business information” described above e.g., “trade secrets”. These agreements are vital to most businesses today, especially considering the ease in which employees can now electronically transfer large amounts of information, much of which would be incredibly damaging in the hands of a competitor.
When it comes to confidentiality, prevention and deterrence is key. The first question we ask our clients when they contact us in response to a potential confidentiality breach is “do you have a confidentiality policy or non-disclosure agreement?” The stronger your policies and agreements, the better you are prepared to take quick and effective action to protect your business/organization. Of course, we are always available to counsel employers in the area of confidentiality and to develop policies and agreements that provide businesses with the proper safeguards.