Recent proceedings brought before the Lloyd’s Enforcement Board are a reminder that confidentiality issues may have a regulatory relevance as well as a legal relevance. The Board recently considered an employee’s actions when emailing confidential information to her personal email account.
The employee had, in the two months prior to tendering her resignation, sent emails from her work email address to her personal account without authorisation from her employer. These emails contained confidential information relating to her work and were of commercial value to her employer.
In this instance, the circumstances surrounding such transmission attracted a regulatory review.
Whilst she did not benefit financially or in any other way as a result of her actions, the employee accepted that her conduct was in breach of the duties she owed to her employer and accepted the charge against her. She agreed to be censured and to pay a fine of £23,000 (taking into account a discount for an early agreement) and over £14,000 of costs.
There is a broad framework of case law which has established that information that is classified as confidential must not be used or disclosed (without authorisation) whilst employment continues. There is also an implied duty in all employment contracts that employees will conduct themselves with fidelity and good faith including an obligation to respect the confidentiality of an employer’s commercial information. The extent of this implied duty will depend to a large extent upon what the information is, whether it has been made clear that this information is confidential or whether is it is obviously confidential. Despite the implied duty, many employers will also ensure it is specifically covered in both the employment contract and communication / information policies. Equally, mere confidential information is not automatically protected once employment is terminated so express covenants should also be imposed. There may be entirely reasonable circumstances in which an individual may need to send information to a personal account, such as for remote access when away from the office. However good practice would dictate that even this purpose should be authorised first and should be in line with the employer’s policies.