How can employers mitigate the risk of employees misusing sensitive commercial information during their employment and after its termination?

The role of HR has evolved significantly in recent years and is increasingly being seen as the gateway to managing business risk.

One key risk that should be managed by HR is the potential disclosure of commercially sensitive information by employees, during their employment or after termination. The disclosure of confidential information can have a devastating impact on a business, so it is important that HR puts appropriate protections in place.

Here are our six top tips on how HR can help to mitigate the risk of an employee inadvertently, or deliberately, disclosing confidential business information.

1. Contractual protections

It is highly recommended that employers include express confidentiality provisions within each employee’s contract of employment, to help ensure that their sensitive commercial information is adequately protected (particularly post-termination).

Such provisions can:

i. specify what information is to be considered confidential;
ii. state that the disclosure of such information is forbidden (unless the employer provides its prior written consent); and
iii. confirm that the employer will be entitled to seek damages or injunctive relief if the employee discloses it.

If the employer is aware that its current workforce is not subject to express confidentiality obligations, the employer can update the employment contracts (or prepare separate non-disclosure agreements) and re-issue these to the relevant employees – perhaps around pay review time, to incentivise the employees to sign up. Alternatively, the employer can include express confidentiality provisions within a settlement agreement.

2. Non-contractual protections

A confidentiality policy (within a staff handbook or otherwise) – which sets out the employer’s expectations of the employee in respect of handling sensitive commercial information – can be a really useful tool to bolster any contractual protections in place.

The policy can provide examples as to what is, and, importantly, what is not, appropriate behaviour when dealing with confidential information.

3. Mark documents as confidential

Employers should mark any documents containing commercially sensitive information as “confidential”. This should put any employee in contact with that document on notice that it contains information of a confidential nature and should not be disclosed to any third parties.

4. Restrict employees’ access to confidential information

Employers should consider password protecting any documents containing commercially sensitive information and/or putting in place other protections to limit the number of employees who could access such information unnecessarily.

5. Monitor employees’ use of confidential information

It may be appropriate for employers to monitor their employees’ use of confidential information – for example, by logging in and out any hard-copy documents containing confidential information and/or by monitoring employees’ communications whilst at work.

It is important to note that employers should only access an employee’s personal email account in exceptional circumstances. Before doing so, employers should carry out an impact assessment, to help ensure and check that they have achieved the correct balance between protecting employees’ privacy and the interests of the business.

An employer should also ensure that it has a comprehensive IT policy in place – detailing the circumstances in which the employer may be justified in monitoring and accessing the employee’s communications whilst at work.

6. Reminder during exit interview

An employer should use the exit interview as an opportunity to remind a departing employee of his/her on-going obligations relating to the employer’s confidential information.