Data - How should businesses go about protecting their data?

 

The Data Protection Act (DPA) 2018 controls how your personal information is used by organisations, businesses or the government. The Data Protection Act 2018 is the UK's implementation of the General Data Protection Regulation (GDPR).

Anyone responsible for using personal data has to follow strict rules called 'data protection principles'. They must make sure the information is:

• Used fairly, lawfully and transparently;
• Used for specified, explicit purposes;
• Used in a way that is adequate, relevant and limited to only what is necessary;
• Accurate and, where necessary, kept up to date;
• Kept for no longer than is necessary; and
• Handled in a way that ensures appropriate security, including protection against unlawful or unauthorized processing, access, loss, destruction or damage.

 

There is stronger legal protection for more sensitive information, such as:

• Staff pay data;
• Ethnic background;
• Trade union membership;
• Biometrics (where used for identification); and
• Health.

 

In respect of business information there are four circumstances in which the disclosure of information gives rise to an obligation of confidence:

• An obligation that is implied due to the circumstances of the disclosure. This is the case when it is determined that a reasonable man in the same situation would have realised that the information was being given to him/he business in confidence.
• An obligation of “trust and confidence” that is implied because of the type of relationship between the parties involved. This is most commonly seen in employer/employee relationships. An employee cannot use confidential information for its own benefit or give it to a third party.
• A contractual obligation - such as a non-disclosure agreement or in a contract.
• If a printer knows that a report they are printing is confidential then the prineter will have an implied duty of confidentiality.

 

How should this law be disseminated to employees and what can go wrong for employers who choose to take no preventative steps?

Employers need to provide adequate training and support to their staff and implement appropriate systems and security throughout the workplace. Employers must also use contractual means to ensure that employees do not divulge confidential information.

 

Contractual means

The best way of ensuring that confidential information is recognised and treated as such is by contract. Thus, employers should put confidentiality clauses into employment contracts and make employees aware of the extent of the duty of confidentiality owed under the clause. Employers should also consider bespoke contracts for particular customer accounts to reinforce the need for confidentiality. Explicitly raising the aforementioned confidentiality clause in exit correspondence (and requiring the return of it) is another useful way to ensure the dissemination of the law of the protection of confidential information.

 

How should employers protect information - contractually and procedurally (physically)? 

In order to protect information, all employers should be able to answer the following questions:

• What IT security systems have you got in place to prevent data theft?
• What measures are in place to prevent data theft by employees?
• Are there any easy ways to detect a data theft?
• Do your employment contracts contain a sufficiently robust definition of confidential information and restrictive covenants which are relevant to your business?
• Does your company have a handbook which contains policies dealing with the use of social media?
• Are employees aware of, and regularly reminded of, their duties of confidentiality?

Employees have a duty of confidentiality implied by law to keep employers confidential information confidential. However, there is very limited general protection for confidential information on a wider level ( eg business to business). Thus, businesses should seek to enter into non-disclosure agreements where disclosing confidential information (NDA) or have confidentiality clauses in contracts to protect their confidential information. An NDA is a contract through which the parties agree not to disclose information covered by the agreement. AN NDA creates a confidence relationship between the parties to protect any type of confidential information or trade secrets. Furthermore, a company can also protect its intellectual property (such as trademark and patents) by both registering it and protecting it in contracts through appropriate terms and clauses.

 

Two Particular Cases to look out for:

To guard against the disgruntled employee wanting to harm the business it is important;-

• To have robust systems in place that detect details being copied or removed;
• To ensure employees rotate or take holidays - most frauds or wrongdoing are found when employees are on holiday;
• To educate employees against such behaviour- training which points out personal liability and educate them to spot and report suspicious behaviour; and
• To take tough action to deter others. So be seen to take decisive action.

 

To guard against the budding entrepreneur taking business with them ensure that you;-

• Have robust and enforceable restrictions in place such as confidentiality obligations and non-compete and non-solicitation of business clauses in their employment contracts;
• Implement protections, for example putting a few little 'bombs' in your customer database which may then alert you to a breach or theft of data. For example, put the personal email address or home address of the Finance Director or HR Director in the database so that if there is a blanket mailshot, they get to know. It's rare for an employee to check the names in their excitement to win business. Also remind people when they leave that they have  post termination restrictions and a duty of confidentiality; and
• Take a hard line with anyone who goes rogue - this will deter others.

 

 

For all the latest law updates, subscribe to our mailing list.