Intellectual Property Rights – Confidentiality
A small business guide to confidentiality: What you need to know as a business owner and employer
‘Confidential information’ is any information that a business regards as secret. It can include financial information, such as business plans, or technical information, such as specifications or computer software. Confidential information may have a significant commercial value and needs to be protected as an asset.
Anyone who receives confidential information from someone else is under a common law duty not to take unfair advantage of it. In other words they can’t make use of the information to the disadvantage of the person who gave it, unless they consent. To be protected in this way, the information must be confidential in nature, for example, not something which is public knowledge. It must also have been disclosed in circumstances which imply obligations of confidence.
Despite this common law protection, it’s good commercial practice to ensure that a written agreement protects all your exchanges of confidential information with third parties like your customers or suppliers. This type of agreement is commonly referred to as a non-disclosure agreement (NDA). It may also be called a confidentiality agreement.
The guidelines below will help you to handle confidential information within your business:
- Put protection in place before disclosing
- Respect the confidentiality requirements of other parties
- Take practical steps to preserve confidentiality
Put protection in place before disclosing
You’re not legally required to enter into non-disclosure agreements (NDAs) before disclosing confidential information to someone else. However, it’s good commercial practice to make sure that your confidential information is adequately protected. It’s important too that your business doesn’t inadvertently accept unreasonably restrictive obligations in relation to the confidential information that it receives from others.
Before you disclose confidential information, you should ensure that your business has entered into an appropriate NDA with the other party or parties. If you do make a disclosure before entering into an NDA, you may find that the other party’s willingness to enter into an NDA may quickly evaporate (particularly if your confidential information is commercially very valuable).
Depending on the type of disclosure, you can use one of the following agreements:
- Non-disclosure agreement (mutual);
- Non-disclosure agreement (one-way); or
- Non-disclosure agreement (multi-party).
You will need to decide how long you want the NDA to last for. A period of between three and five years is typical, but it would be unusual for an NDA to have a longer term (unless the information being disclosed really is very sensitive and genuinely justifies protection for a longer period).
If your business will be disclosing particularly sensitive confidential information, as well as entering into an NDA you might want to insist on the other party getting its employees to sign a confidentiality undertaking. This isn’t strictly necessary, as the other party is legally responsible for the actions of its employees and you would be able to take legal action against the other party under the NDA. Nevertheless, it can be useful to underline to the individual employees their personal responsibility in keeping your information confidential. You can use the Confidentiality undertaking for employees for this purpose. Someone who is disclosing confidential information to your business may also require you to get your employees to sign a confidentiality undertaking.
If you are proposing to disclose any confidential information that is the subject of a registered design or patent application made by your business, speak to your lawyer before disclosing such information.
Respect the confidentiality requirements of other parties
When you receive confidential information from someone else, you’ll need to ensure that your business treats it in confidence and complies with the obligations set out in the NDA. If your business fails to do this, it could be sued for damages for breach of contract, or made subject to an injunction preventing it from using the confidential information further, or both.
If your business has received confidential information from someone else, but hasn’t entered into an NDA, this doesn’t mean that you can use the information that you have received in any way you choose, or that you don’t have to take appropriate care of it and protect it from disclosure. If the information you have received is marked ‘confidential’ (or similar), or it’s obviously confidential in nature, your business will be under a common law duty to treat that information in confidence. Misusing it may also constitute a breach of copyright.
Take practical steps to preserve confidentiality
As well as making sure that an NDA is signed before any confidential information is disclosed, there are a number of measures you can take to establish and maintain confidentiality in your business.
- Restrict access to confidential information. Make sure that information is distributed on a ‘need-to-know’ basis and that documents are marked confidential, but only if they are genuinely confidential, as using the term indiscriminately may devalue your protection.
- Restrict access to confidential information to areas of the business where confidential processes are carried out, or developments are being made.
- Consider staggered disclosure when making disclosures in the context of negotiations. In other words, hold back any crucial information until you have reached an advanced stage of proceedings.
- Consider disclosing only hard copies of confidential information. You could number these and collect them back when they’re no longer required for the particular project or transaction concerned.
Make sure employees keep information confidential
- Make sure that your employee contracts contain clear and appropriate confidentiality provisions.
- Give employees practical guidance about keeping information confidential. For example, advise them not to discuss company business when they’re out and about in public places.
- Train employees about IT issues, such as the meta-data which is left in tracked documents, that is, documents used in revision mode or with tracked changes. Many revision mode programs will reveal the name of the person making the revisions, and the date and time the revision was made. As well as this, previous changes may be hidden away in the document where they can be accessed by unauthorised parties. A way of avoiding this is to save the changes in a new document or to use a pdf document instead.
Make security a priority
- Implement policies across your business for protecting your know-how.
- Ensure that security is appropriate. Think about both physical security, such as locking important information away and securing your business premises, and electronic security such as firewalls, secure emails or encryption.
- Keep records that show what projects each employee or consultant has worked on.
- Remind departing employees and consultants of their obligations of confidentiality. Ask them in writing to confirm that they have returned all company property, and so far as possible check that they have done so.
- Audit your security procedures frequently to ensure that they are adequate and up to date.
- Keep a contemporaneous written record of developments, this will help you if you have to prove your case in court.
The law as it is established by the courts of England in their judgements of cases, rather than the statute law (Acts of Parliament).
An award of money made by a court, which in a breach of contract case is intended to put the recipient in the same position as they would have been in had the contract performed, so that they are effectively compensated for the loss of their bargain.
A court order prohibiting a person from taking a particular action (a prohibitory injunction), or requiring them to take a particular action (a mandatory injunction).
Q. Do I need to enter into a non-disclosure agreement (NDA), or is it enough just to mark a document as ‘confidential’?
A. Ideally, you should always enter into an NDA. Although the recipient of confidential information is under a common law duty to keep it confidential, there is too much scope for argument as to whether the information really is confidential in nature, and what steps the recipient is required to take in order to protect it.
Q. What is the difference between a confidentiality agreement and an NDA?
A. There’s no difference. They are simply different names for documents with the same contents.
Q. Can I set the term of the NDA for longer than the recommended maximum of five years?
A. Yes. You should bear in mind, though, that information that’s considered confidential today loses its value relatively quickly and, in most cases, won’t need protecting for longer than five years. You should also bear in mind that complying with the terms of an NDA is a significant obligation, which will need to be complied with for however long the NDA lasts.
Q. Once an NDA has been entered into, can my business disclose any information it sees fit, without fear of it being ‘leaked’ or misused by the other party?
A. No. An NDA dictates how the recipient can use confidential information and prohibits the recipient from disclosing it or misusing it, but it won’t actually prevent the recipient from doing this if they decide to breach the terms of the NDA, regardless of the consequences. You may be able to get an injunction to prevent further disclosures or misuse and/or damages for the harm caused, but this may be of little comfort if the damage to your business is irreparable.
Q. If I am disclosing confidential information to another business, do I need to insist that all of their employees who will have access to the information sign a separate confidentiality undertaking?
A. No. This isn’t generally necessary, as the NDA will be enforceable against the business receiving the information and that business will be legally responsible for the actions of its employees. However, you may wish to insist on individual undertakings if the information being disclosed is particularly sensitive.
Q. How do I get the NDA signed, particularly if there is an urgent need to share confidential information?
A. An NDA is a formal legal document and must be properly signed. It is preferable for it to be entered into by original hard copy (either in person or through the post), although it can be entered into by fax or scanned image if it needs to be completed quickly.
Two copies of the NDA should be prepared as the objective is for each party to end up with an original copy signed by both parties. Ideally, the other party should sign before your business. So, in the case of an NDA being exchanged by post, you should have the other party sign and return two original copies to you. When you get these back, the two original copies of the NDA should be signed (and dated) by your business and you should return one to the other party, retaining the other copy for your records.
One copy of the NDA should be prepared as the objective is for each party to end up with a faxed copy of the (dated) NDA as signed by both parties. So you will need to arrange the signing and faxing/emailing between the parties of the copy so as to achieve this result. Again, the other party should preferably sign before your business.
This article was written by Riverview Solicitors