Confidentiality—training materials
[Name and details of speaker]
Summary: This seminar covers significant legal and practical issues to consider in relation to confidentiality.
Purpose of slides/seminar: The slides are intended for a general rather than specialist audience. These slides may be used as part of a wider discussion of information security, including sector-specific requirements (eg in the healthcare or financial services industry) and data protection compliance or personal privacy requirements. However, these slides focus on how to address duties of confidentiality generally. Staff training is a key way of ensuring compliance with confidentiality obligations in practice, instead of purely legal measures. Confidentiality, once breached, is difficult to remedy or control and therefore this is an area where ‘prevention is better than cure’. These issues are addressed in more detail in the slides.
How to use these ‘Speaker notes’: Under each slide there are ‘Speaker notes’ which summarise the point the slide is intended to address for the benefit of the person presenting the seminar. These notes are not intended for distribution to the audience as they are likely to contain more legal information than is desirable for a general audience.
How to use the slides: It is anticipated that each slide may take between three and five minutes to explain. Given that there are 18 slides, it is not intended that a single seminar should necessarily contain all these slides as that may last too long. The speaker should select those slides which are most appropriate to reflect the particular seminar to be given. Alternatively the speaker can use all the slides over a series of two seminars.
Additional material: In addition to these slides, a large amount of detail on the issues covered by the slides is contained in relevant Lexis®PSL practice notes and precedents. See in particular Lexis®PSL Commercial practice note: Confidential information.
How to insert company logo: select ‘View’ from the menu; select ‘Slide Master’; click on the footer on slide 0; edit the text to insert the company name and/or select ‘Insert’ from menu and ‘Picture’ to upload a logo.
Contents
Law: Meaning of confidential information; Effect of breach of confidentiality; Laws governing confidentiality
Confidentiality agreements: Format; Specifying confidential information; Parties and recipients; Reciprocity and consideration; Purpose and duration; Remedies; Boilerplate
Practical considerations: Generally; Handling breaches of confidentiality; Arrangements with subcontractors
This slide lists a variety of confidentiality issues that can be addressed in a seminar—not all of these will be appropriate for a single seminar. The presentation is split into three parts: the law governing confidential information; issues to address in confidentiality agreements; and practical considerations to prevent loss of confidential information.
Law
Meaning of confidential information
Information that is: (i) confidential in nature; and (ii) disclosed in circumstances giving rise to a duty of confidentiality (eg financial or health data) Not common knowledge or information in the public domain Parties may agree what is ‘confidential’. But beware of restraint of trade Confidential information—see practice note: ‘Confidentiality’ in Lexis®PSL In House Advisor for more details of common law definition of confidential information. Confidential information must be both inherently confidential in nature (eg financial or health data) and must have been disclosed in circumstances where it would be reasonable to expect the confidentiality to be maintained. This will not apply to information which is already in the public domain or common knowledge as that information is by definition ‘public’ and not ‘confidential’. The parties may also agree specific types of information that are to be treated as ‘confidential’. For example, a party may wish to make clear that confidentiality obligations do not apply to information that the recipient has already in its possession or lawfully receives from a third party. The parties may expressly choose to exclude this type of information from the ‘confidential information’ as defined in the agreement.
Effect of breach of confidentiality
Legal: breach of contract (eg employment and commercial contracts) and regulatory sanctions Reputational: loss of reputation and embarrassment Commercial: loss of customers Breach of confidence can give rise to legal liability for breach of contract (eg breach of duties of trust and confidence implied into employment contracts). This can also lead to regulatory enforcement action (eg from the FSA for regulated financial services entities in respect of their duties of confidentiality owed to their customers). Apart from legal exposure, breach of confidence can also lead to reputational damage and loss of goodwill from customers (eg in the event of loss of financial data).
Laws governing confidentiality
Common law: no unauthorised disclosure third parties must not induce breach of confidence for example, employment and service agreements, licences and JVs Statutory: sectoral (FS COB Rules), data protection, HRA (personal privacy) and FOI obligations overlap but differ Relevant rules include both common law (eg contractual) and statutory duties of confidence. Each case involves first of all considering whether confidential information has been provided subject to an express or implied duty of confidence. This will depend on the facts of each case. Where information has been provided to someone under a contractual duty of confidence, third parties must not seek to obtain unlawful disclosure of that information, where doing so may constitute an unlawful tortious inducement to breach of contract. Information provided in confidence should be kept confidential unless otherwise agreed by the disclosing party or required by law (eg a court order). Employment and service contracts, licensing and joint venture agreements typically include both express and implied confidentiality obligations. For example, a duty of ‘trust and confidence’ is automatically implied into employment contracts. In addition to common law duties of confidentiality, statutory duties of confidentiality may arise as a result of various overlapping laws and regulations. These include, for example, so-called ‘SYSC’ (Systems and Controls) Conduct Of Business (‘COB’) rules imposed on regulated financial services organisations, which require them to keep information held on their systems secure. Under data protection rules, data controllers must process personal data (which may or may not be ‘confidential’) securely in accordance with appropriate ‘technical and organisational security measures’ under the seventh data protection principle of the Data Protection Act 1998 (DPA). The Human Rights Act 2000 (HRA) grants individuals the right to ‘respect for their private and family life’.
Certain confidential information is exempt from the right of access to information held by public authorities under the Freedom of Information Act 2000 (FOI). These (and other) statutory rules controlling use of confidential information may overlap depending on the circumstances of each case. For example, personal financial details may, depending on the facts of each case, be subject to confidentiality restrictions under the FSA, DPA, HRA and FOI. These slides focus on common law duties of confidentiality but it is also important to consider whether statutory information security obligations may also apply to the information in question.
Confidentiality agreements
Confidentiality agreements—general
Format Specifying the ‘confidential information’ Parties, authorised users and recipients Reciprocity and consideration Purpose and duration Remedies Boilerplate This slide summarises the main issues to consider in confidentiality agreements. These issues are dealt with in more detail on the following slides.
Confidentiality agreements—format
Format of the agreement: HOT MOU NDA standalone confidentiality agreement confidentiality clauses Balance between legal certainty, practicality and cost Contractual confidentiality obligations can arise in a number of different formats. These can range from a standalone Heads of Terms (HOT), a Memorandum of Understanding (MOU) or Non-Disclosure Agreement (NDA) to confidentiality clauses integrated into a larger document. In each case, consider what is the most suitable format of agreement, given the purpose of disclosing confidential information. For example, a comprehensive, one-sided confidentiality agreement may provide legal certainty but may be commercially unattractive to negotiate where two parties are in the early stages of a relationship. Therefore it is not unusual for parties to move from an initial informal confidentiality undertaking to a more comprehensive NDA, to be replaced by a fuller collaboration agreement containing detailed confidentiality clauses. It is important at each stage to consider what form of confidentiality agreement is most appropriate.
Specifying confidential information
Format–all information disclosed or only if marked as such? Exclusions–information confidential unless: public domain prior possession independently developed required by law Evidential burden to show exclusions apply When drafting an agreement consider exactly what information will be deemed to be ‘confidential’ for the purposes of the agreement. Often the definition of confidential information includes all information disclosed by the parties (subject to the exclusions below), but sometimes the parties may prefer confidentiality undertakings only to relate to information that is expressly marked or stamped as ‘confidential’. This has the advantage of clarity but puts a heavy onus on the disclosing party to ensure that all disclosed confidential information is clearly marked as such. Information that is typically expressly stated as falling outside confidentiality restrictions includes information that: is already in the public domain prior to disclosure the receiving party can demonstrate was already in its possession prior to disclosure a party can demonstrate that it developed independently without reference to the disclosed confidential information a party is required to disclose by law (eg in response to a court order in the context of litigation) It is important to be clear what level of evidential proof a party wishing to disclose confidential information will be required to show. For example, a party wishing to disclose confidential information may be required to ‘demonstrate to the reasonable satisfaction of the other party that information was already in the public domain, in its prior possession, or independently developed by it or lawfully acquired from a third party, or is required to be disclosed by [English] law.’
Agreements—parties and recipients
Parties: two or more? If multiparty, exclude joint liability and consider rights to termination and effect of breach Authorised recipients: parties, employees, affiliates, professional advisers, others Responsibility for recipients The number of parties to the agreement is typically two, but can be more where, for example, a number of different people or entities are exchanging information in anticipation of a future joint transaction (for example in a university spin-out situation). In that case there may be three or more parties to the agreement and it needs to be clear what their respective liability will be if one of the parties then breaches the agreement. Will any of the parties have joint and several liability? Will termination of the agreement between two parties have the effect of terminating the agreement between all parties? Separately to the question of the parties to the agreement, it is also necessary to consider whether any third parties (such as professional advisers) will have access to confidential information disclosed under the agreement, and if so which. Consider whether any financial, legal, accounting or other adviser will have access to confidential information or only named ones will. In any event, the agreement should make clear that each party will have responsibility for any acts or omissions of any third parties to whom they disclose confidential information, and must ensure that those third party recipients abide by confidentiality undertakings in the agreement.
Reciprocity and consideration
Confidentiality undertakings can be: one-way reciprocal multi-party Ensure there is adequate consideration where disclosure is not reciprocal Add notional consideration or use deed The disclosure of confidential information under the agreement can be reciprocal or only one-way. Where the agreement is a multi-party confidentiality agreement, clarify to what extent (if at all) any parties will have joint and several liability and what effect a breach of confidentiality by one party will have on each of the other parties to the agreement. Always ensure that there is sufficient consideration flowing between the parties to the agreement to ensure that the agreement is mutually enforceable. If not, add notional consideration or ensure that the agreement is executed as a deed. For example, if only one party is disclosing confidential information, what consideration is being provided by the other parties to the agreement?
Agreements—purpose and duration
Clarify purpose, eg initial evaluation in anticipation of sale Ensure duration is consistent with stated purpose Excessive duration may be anti-competitive Ensure obligations survive earlier expiry or termination Clarify the purpose(s) for which disclosed information may be used. For example, a confidentiality agreement may typically arise where parties wish to disclose information to each other (eg about confidential business plans) to decide whether to enter into a more long-term agreement. This ‘purpose’ may be either long or short-term and will affect the duration of the confidentiality undertakings. Make sure it is clear for how long after disclosure the relevant confidentiality obligations apply (eg possibly for one, three, five or more years) and make sure that this period is not excessively long given the stated purpose of the agreement and the nature of the information in question. If, for example, a consultant is required to keep confidential information that it has obtained about a company for 20 years after termination of a consultancy contract with that company, that might unduly affect its ability to operate in future and constitute an unenforceable restraint on trade. In other words, it is not necessarily in the interests of either party for confidentiality obligations to continue for too long. Ensure that where appropriate confidentiality undertakings survive any earlier termination of the agreement.
Agreements—remedies
Remedies: indemnity or limitation of liability?
Also consider: injunction, liquidated damages, account of profits, destruction and delivery up Consider whether either party’s liability for breach of confidence will be limited or whether this is inappropriate given the likely damage that will flow from breach. On the one hand, parties may want certainty about how much liability they may incur under a contract. On the other, it is arguable that the effects of a breach of confidentiality are impossible to foresee, and on that basis this open-ended risk should properly be borne by the party in breach of confidence, not the innocent party. Therefore it is not unusual for parties to agree that there should not be a cap on liability for breach of confidentiality. Also consider specifying either party’s right to seek equitable relief by injunction, or liquidated damages, as well as rights to claim for an account of profits, destruction and delivery in the event of termination or breach.
Agreements—boilerplate
Return/destruction of information on termination Non-solicitation of staff Minimum security standards Audit rights This slide covers some common provisions that typically arise in confidentiality agreements, including: the right to require the return or destruction of confidential information on termination of the agreement prohibitions on either party soliciting the other’s staff minimum security standards to be applied to disclosed information rights of each party to audit the other’s books and records (and confidential information) to ensure compliance with the terms of the agreement
Practical considerations
Practical considerations generally
Limiting disclosure (virtual data rooms) Recording disclosure Security controls (eg encryption and password controls) Training and awareness Policies: consider wider information security policies Appropriate technical and organisational security measures should be taken when dealing with confidential information. In practice, the best way to protect confidentiality is to keep information secure, rather than seeking to sue under a contract after the event. So wherever possible, seek to keep disclosure of confidential information to a minimum. Rather than handing confidential papers to another party, grant them access to systems (eg virtual data rooms) so that their access and use of that information can be controlled and terminated. Implement appropriate encryption technology on, for example, work laptops and tablets, so that if these are lost or left on the train then confidentiality will still be maintained. Staff should be notified of their information security obligations in a general security policy and related policies. From a practical viewpoint, there are various means for limiting unnecessary disclosure of confidential information. Examples of these are listed on the slide.
Handling breaches of confidentiality
Breach management policies—involve management, IT, legal, HR and customer relations personnel Consider obligations to report breaches Mitigate loss: change passwords, injunctions Consider international aspect Staff should be clear what they need to do if they become aware that a loss of confidential information has occurred, which should, for example, include notifying breaches to their line managers. It is sensible to implement a confidentiality breach escalation procedure to be followed by those responsible for handling breaches. Confidentiality breach management should involve central management, legal, HR, IT and marketing/external relations personnel as appropriate. Following a breach, the first step will be to stop the breach from continuing. This means taking immediate steps to change passwords, issue injunctions, cancel security clearance for relevant individuals etc. Note that there are various ‘breach notification laws’ implemented (eg in California) or due to be implemented around the world. Consider where the breach occurred and which people or organisations in which jurisdictions might be affected and whether local laws may require notification of affected parties.
Subcontractors
Need to replicate and implement comprehensive confidentiality obligations when using a subcontractor Restrictions on use and audit rights Indemnities Where third parties have access to a company’s confidential information, appropriate confidentiality wording must be included in relevant contracts with those third parties, such as subcontractors and suppliers. These will include restrictions on use of relevant information and rights to audit compliance. Consider also seeking indemnities for breach of confidence.
Summary
Legal measures; Practical controls; Policies/warnings; Awareness and training
In summary, confidentiality is protected through a combination of legal measures (such as contractual rights), practical controls (eg technology and access controls), policies and warnings (so that those with access to information appreciate the risks of misuse of that information) and training. This does not happen by accident, but by careful planning and controls which ensure that information is protected at all times. This means that a cross-functional team co-ordinated by a central information security officer should be set up in most reasonably-sized businesses to ensure that valuable information is properly protected. Once confidentiality is lost, the damage cannot easily be undone. So prevention is better than cure.
Final comments
Any questions?