How to keep information confidential in the workplace

In the last decade, we have seen a massive switch from paper to digital record keeping in the workplace. Today, virtually all administrative, marketing and business work takes place online.

With more companies adopting digital efficiencies, the challenge of preserving trade secrets, client lists and business operations becomes greater. In other words, there are higher confidentiality risks with storing sensitive material online or in a company database, especially if a company’s greatest asset is its intellectual property.

In business, intellectual property (IP) often refers to proprietary software, marketing strategies, exclusive products, processes for manufacturing products, corporate branding and more.

Intellectual property is an asset worth protecting, but it is not the only sensitive material that can be compromised. Corporate documents, mailing lists, business plans, financial records, employee information and project proposals also need to be protected.

Unfortunately, employees pose the biggest risk to company confidentiality by divulging ideas, digital records and other private information. For this reason, there are some ways in which an employer can preserve the company’s integrity and reputation by proactively mitigating privacy risks in the workplace.

1. Use Employment Contracts with Confidentiality Clauses

By having new employees sign an Employment Contract with a confidentiality clause, they legally agree to keep confidential company information private. It also ensures employees will not compete with your business by partaking in similar business (referred to as “non-compete”), solicit other employees (“non-solicitation”) or reveal any sensitive information during or after their employment.

In the agreement, it’s important to define what is and what isn’t considered confidential information to eliminate any misunderstanding of the terms. Another consideration involves the ownership of newly created material, known as “work made for hire”. This is the material an employee creates while working for a company. The agreement should specify whether the company (owner) retains rights to the material after the employee has left the business.

It is considered a breach of contract when an employee discloses sensitive information after signing the employment agreement. In this case, the employer would terminate the employee or remedy the situation as specified in the agreement. Note that confidentiality clauses are only as effective as the employer’s ability to enforce them.

If your business regularly hires independent contractors, such as accountants, web programmers, writers, painters, plumbers and more, you would use an Independent Contractor Agreement instead of an employment agreement.

An Independent Contractor Agreement is similar to an Employment Contract but is tailored specifically to a contractor’s services. It addresses the same confidentiality terms, such as non-compete, non-solicitation and protection of private information. This agreement is especially vital if the contractor will be directly exposed to sensitive content, such as a company’s finances. A written contract is the best way to lower risk and prevent any disclosure of materials to competitors or the public.

Be mindful that since contractors are not considered employees, they may retain the intellectual property rights to the material they create. For this reason, discuss who will retain these rights before doing business and specify ownership rights in the agreement to avoid misunderstandings.

2. Develop Confidentiality Training & Policies

Confidentiality training should be a key component in every company’s on-boarding process. These programs can be integrated as part of the employee handbook, through lectures or online training.

In addition to teaching employees how to handle and dispose of sensitive material, include information about confidentiality laws and the legal repercussions of violating company privacy policies. As your company grows, keeping this material up-to-date becomes more important to maintain legal protection.

There are two policies employers should try to implement as part of their confidentiality training:

Social Media Policy

The social web can have harmful effects on a company’s reputation and confidentiality. Yet only 29% of companies have social media policies.

The first risk is reputation. Take the case of Domino’s Pizza in 2009. Two of its employees recorded a video of making pizza while performing crude and unsanitary behavior. They uploaded the video to YouTube and soon it had 1 million views. As a result the employees were terminated, but Domino’s reputation was already damaged.

Simply put, you don’t want employees airing their grievances on Facebook, Twitter or any other social network.

The second risk is employees sharing private information in cyberspace, such as coworker personal information, potential business deals, client information, or current projects. What might seem like a harmless status update could result in severe liability for the company.

Establish a social media policy as part of your company’s efforts to preserve reputation and confidentiality. Clearly indicate the ethical guidelines for social media usage, if and how employees can speak about the company online, use of privacy settings, respecting copyright, what constitutes confidential information, how to exercise proper judgment and the consequences of divulging information online.

If social media is part of your company’s marketing plan, designate trusted individuals to manage this space and ensure they also understand the policies inside and out.

Mobile Phone Policy

Personal mobile phone use in the workplace allows employees to instantly communicate with friends, family or competitors, and compromise data in ways that don’t seem obvious, such as taking photos, disclosing private information and uploading sensitive material to their device.

A mobile phone policy should cover permitted and prohibited uses of communication devices in the workplace, as well as the consequences for violation of the policy.

3. Create a Response Plan & Employee Exit Procedure

Devise a response or contingency plan in the event confidential information is revealed. Plan for specific situations, such as published trade secrets or an employee divulging information to competitors. The more circumstances you cover, the more prepared you will be should confidentiality violations occur.

Assemble a team for the process and address how to assess the damage or risk. Include steps to secure the information or remedy the situation. Such examples may include removing information from the source, locating copies of sensitive material, taking legal action, as well as carrying out the consequences you noted in your agreement if the compromise was a result of employee negligence.

In addition to a solidified response plan, create a standardized exit process for employees. Again, this is to ensure they don’t take any confidential material with them. Standard exit processes include an exit interview in which employees are required to submit all prior work and return company property. The exit process should also disable all employee accounts, emails, and remote cloud access to business records.

In Conclusion

After you have informed your employees of confidentiality policies, it’s important to generate a trusting relationship with them. Although this won’t provide any guarantees, it won’t make you any enemies, which can lead to mutual respect regarding company information.

If you are concerned about confidentiality in the workplace, take proactive steps to protect your business through written agreements. And for extremely sensitive material, only permit access to those who you can trust completely.

When handling confidential information in your business, whether it's relating to your customers or employees, you have a duty to take the necessary steps to protect it. Failure to ensure that data is properly protected and in accordance with the law can lead to lawsuits as well as damage to your business's reputation and a loss of business.

Below are some of the best ways to better protect the confidential information that your business handles.

1. Control access

For any information that's stored digitally it's incredibly important that you control access to it by using passwords, firewalls and encryption. This is especially important when the information is contained on smaller storage devices such as USB drives that are easily misplaced.

When using passwords to control access to confidential information, you must ensure that they're both secure and changed regularly. Using easy-to-guess passwords is a mistake that many businesses make and something that you should avoid doing if you want to keep your confidential information secure. The best passwords to use combine upper and lower case letters as well as special characters.

2. Use confidential waste bins and shredders

As prominent as digital data has become, most businesses still deal with a lot of paperwork on a day-to-day basis. If you need to dispose of sensitive documents, then be sure to shred them or use a confidential waste bin. Issues such as identity theft mean that you should never assume that because a document has been put in the bin, it will not be viewed by anyone else.

3. Lockable document storage cabinets

If you need to permanently destroy confidential documents, then a shredder works well but what about documents you need to keep on hand? In this case the best option is to have lockable storage cabinets that only a few select people have the key for.

To provide an added level of protection, it's also a good idea to keep any lockable storage cabinets in a locked room that cannot be accessed by everyone.

4. Secure delivery of confidential documents

Storing confidential documents safely on your own premises is one thing but if they need to be delivered then it's extremely important that this is done in a secure manner. If it's physical documents that need to be delivered, then it's a good idea to use a trusted courier service or ideally have them delivered by someone you trust within your organisation.

For digital documents that need to be sent to a third party, you can either email or use a file sharing program. If you use a file sharing program, then it's very important to encrypt the documents and make sure you use a trusted service provider.

5. Employee training

When it comes to confidential data being leaked, often it's a company's own employees who are the biggest risk. This isn't necessarily due to malicious reasons either; often it's simply because the right training was not provided.

When training your employees about protecting confidential information, it's a good idea to start by explaining why data confidentiality is so important and then provide training about the practical aspects of data protection, e.g. using secure passwords, destroying documents, etc.

When training your employees about data confidentiality you can either do it in-house or hire a third-party company to provide the training. It may be more practical to do your own training in-house regarding the non-technology aspects of this, but if you want some assistance on passwords, phishing or other IT aspects then you'll probably want some expert advice from an external IT company such as ourselves.

If you'd like more information on IT security and to find out how Grant McGregor can help make your business more secure, please don't hesitate to get in touch.
