Non-disclosure agreements (NDAs) are frequently used to enable the sharing of confidential information in the context of Intellectual Property (IP) deals. For example, businesses will enter into NDAs prior to discussing new inventions with potential investors. Confidential information often has significant economic value and it is important for businesses to understand how NDAs can be used to protect it, as well as understanding their limitations.
This article looks at some of the key points to consider when using NDAs.
Should the confidential information be disclosed at all?
Of course, the best way to keep information confidential is not to disclose it in the first place. Prior to disclosing confidential information, it is important to consider whether you trust the third party to keep it confidential and whether the benefits of disclosure outweigh the risks. NDAs can be difficult to enforce and simply having an NDA in place does not provide complete protection against the misuse of confidential information. Having in place effective measures to keep information confidential can be as important in practice, if not more so. Key steps to consider include:
- ensuring confidential information is only disclosed on a need-to-know basis by:
  - redacting particularly sensitive information
  - staggering disclosure to hold back highly sensitive or valuable information to a late stage in the negotiation
  - using code names
  - restricting access to those directly involved in the relevant project;
- applying appropriate and up to date security measures to ensure both the physical and electronic security of confidential information;
- ensuring employee contracts contain appropriate confidentiality provisions;
- training staff on security issues, including the dangers of working on confidential documents, discussing confidential matters in public places and leaving metadata in documents;
- implementing organisation-wide policies and procedures for know-how protection and carrying out regular audits to ensure procedures are appropriate and being complied with; and
- having a security breach plan in place to deal promptly and effectively with any breaches.
Where you need to disclose confidential information you should ensure you first have an NDA in place that restricts the third party’s use and disclosure of such confidential information. This is particularly important if you are disclosing an invention that you may wish to patent since you will lose your right to a patent if you disclose your invention other than under an obligation of confidentiality. In addition, for know-how and trade secrets to be protected in law they must be kept confidential. If licensed know-how or trade secrets enter the public domain this may deprive the licensee and licensor of the benefit of the licensed technology. A licensee is unlikely to be willing to continue paying royalties for the use of technology that is publicly available and competition law may prevent the licensor from insisting on it.
Key provisions in the NDA
- Purpose of the disclosure. It is important for the party disclosing to specify clearly the purpose for which the receiving party may use the confidential information. This should be done carefully and generally very narrowly. The disclosing party will wish to avoid leaving the receiving party free to use the confidential information to develop a product that competes with the disclosing party's product.
- Definition of confidential information. The NDA should define the scope of information that is to be treated as confidential. The disclosing party will want this to be wide and should be wary of any limits on the form the confidential information can take, in particular any requirement that anything disclosed orally will not be protected unless subsequently reduced to writing, marked "confidential" and provided to the receiving party. The disclosing party will want to avoid this since such a provision shifts the burden of demonstrating that information disclosed should benefit from protection under the NDA on to the disclosing party. The NDA will also define what information is beyond the scope of the obligations of confidentiality. This usually includes information in the public domain, information that is independently produced by the receiving party and information received from a person who owes no obligation of confidentiality. If the information being disclosed includes any personal data, this will be subject to data protection law including the General Data Protection Regulation (GDPR) introduced on 25 May 2018. When disclosing personal data the disclosing party will need to comply with all the GDPR data protection principles, including having a lawful basis for processing, the requirements relating to transparent communication to data subjects and those addressing international transfers. In this situation, the NDA should include provisions to deal with the protection of personal data and to demonstrate compliance with data protection law. The NDA should also place obligations on the recipient to notify the disclosing party if there is a data breach or it receives any communication from a data subject or from a data regulator such as, in the UK, the Information Commissioner’s Office (ICO).
- Measures to maintain confidentiality. In addition to an obligation to keep the confidential information secret and use it only for the permitted purpose, the NDA should set out the security measures that the receiving party should take with regard to the confidential information. This might simply provide that the disclosing party will take all proper and reasonable measures. An alternative would be to require the receiving party to take the same measures regarding the disclosing party's confidential information as it does with its own. This is more subjective and assumes the receiving party has sufficient and adequate procedures in place, which should be checked. If the confidential information is particularly valuable or sensitive then the disclosing party may wish to set out in the NDA specific security measures that the receiving party must take, for example, by reference to the ISO 27001 standard for information security management.
- Disclosure of the information within the receiving party’s organisation. Unless the confidential information is highly sensitive, generally the NDA will allow the receiving party to disclose the information to those of its employees, officers (or directors) and professional advisors who need to know in order to carry out the permitted purpose. This is subject to those individuals being bound by obligations of confidentiality. The disclosing party should be wary of giving the receiving party a general right to disclose to its ‘agents’ or ‘contractors’ without knowing who this might be (and confirming they are not competitors). If an agent or contractor needs access to the confidential information this should be dealt with on a case by case basis.
- Return or destruction of information on termination. The disclosing party should provide for the return or destruction of the confidential information upon request and/or upon termination or expiry of the project. The return of information provided electronically may be particularly difficult since copies may exist in multiple locations, for example on the email server of the receiving party, downloaded to the receiving party’s laptop(s) or mobile device(s) and in off-site back-up files. This can make the obligation to return or destroy time-consuming or, in some cases, even impossible. One way of managing this would be for the NDA not to require the return or destruction of automatically created, securely stored computer archive files, but to require the receiving party to undertake not to access such files following termination, which will remain subject to confidentiality and non-use obligations indefinitely.
- Duration of the obligations of confidentiality. Many NDAs limit the period during which the confidentiality obligations will continue, although there are sound reasons that the confidentiality obligations should continue for as long as the information remains confidential. If the receiving party insists on having a fixed term for the confidentiality obligations, consideration needs to be given as to the appropriate period in light of the nature of the information. For business, marketing and financial information a period of between three and five years may be acceptable. For production techniques and manufacturing know-how a much longer period is likely to be appropriate as these will often have lasting value, in some cases beyond the term of patent protection for the product itself. In any event, if the NDA limits the period during which the confidentiality obligations apply, the NDA should also include a carve out to provide that in the case of trade secrets the obligations of confidentiality will continue indefinitely.
Despite its limitations, a well-drafted NDA is a key document for businesses seeking to protect valuable and commercially sensitive information. It creates a contractual right and provides certainty as to the parties’ rights and obligations. If potentially patentable inventions are being disclosed, putting in place an NDA prior to making any disclosures is crucial. Once confidentiality is lost it is gone forever, so protecting it through practical steps and a well-drafted NDA is essential.