Client lists, research and development, plans and strategies, pricing models, source code, what customers will pay for a product or service, prototypes, product testing, and a whole host of other information.
It's all sensitive information. Businesses can't function without it.
It can all be protected and kept safe with the law of confidential information.
The same principles apply in commercial, employment and non-employment situations with small differences.
It applies to a wide range of information.
That's regardless of the media that it is recorded. Or whether it is just kept in people’s heads and never written down.
What’s more, confidential information can protect information before other forms of intellectual property come into existence, or never will.
What is confidential information?
A person receiving confidential information in circumstances of confidentiality is not entitled to use or disclose the information to others, without consent.
They're under a legal duty to keep it secret other than where a defence to the disclosure is available.
When is confidential Information protected?
The well-known elements were summarised in Coco v AN Clark (Engineers) Ltd (1969):
- Information must be confidential: The information must have the necessary “quality of confidence” – or confidentiality - in the sense that:
- it is not publicly available or commonplace
- not trivial or useless information. It has some importance or value. Not necessarily financial value
- release to public would cause harm to the owner, or be advantageous to rival businesses
These factors are assessed using an objective standard, and within the usage and practices of the industry in which the owner operates.
Protection does not rely upon the complexity, bulk or market value of the information – simple, brief and cheap information can be sufficient to attract protection.
i. the general skill and knowledge of an employee is not protectable as either a trade secret or by a restrictive covenant
ii. confidential information which is not of the calibre of a trade secret can be protectable by contractual restrictive covenant, if it is reasonable in all the circumstances
- Circumstances are confidential: The information must have been imparted in circumstances imposing an obligation of confidence. So, the information must be communicated in circumstances where secrecy of it was to be maintained.
I expand on this below.
- Unauthorised use: The recipient must be using (or threatening to use) the information to the detriment of the claimant, without permission.
The detriment does not need to be reflected in actual or potential financial loss to get a legal remedy.
There is a special form of injunction available to prevent those that receive confidential information. It is known as a springboard injunction.
What the law of protects against
Once the criterion above are satisfied, the confidential information is protected against:
- misuse by the recipient for their own purposes;
- disclosure or dissemination to any other person, without authority.
The way the information was received by the person plays an important part in how information may be used by the receiver. Information can be received:
- from the confidant, directly
- from a third party, indirectly (who owes a duty of confidence to the confidant), with or without warning that the information is confidential
- by accident, carelessness, or mistake, either directly from the confidant or through a person in whom the confidant has confided
- secretly through dishonest, discreditable or reprehensible means or conduct, either directly or indirectly
Protection is available when the recipient of the information knows or ought to know that it is fairly or reasonably to be regarded as confidential.
Where the disclosure or use is authorised, there is no problem. But when it happens without authority or consent, legal rights arise enabling the owner to protect its confidentiality.
There is often more than one person in a ring of people who know confidential information. Information with limited distribution retains its confidentiality.
For instance, a research study might be confidential within a department of a university. A client list might be known by dozens of people within a business. That does not stop it from being confidential information.
Lawful Use and Unlawful Disclosure: Limited Purposes
Suppose a recipient of software source code (protected as confidential information) was told that they could only use the software for the purposes of private study. It has been received subject to a condition – the limited purpose of private study.
For the recipient to go off distribute it around his workplace for everyone else’s private study would be an unlawful disclosure of the software. For him to use the information to diagnose errors in computer systems (without disclosing the software to anyone else) would be misuse of the software.
This means that confidential information contained in (say) a document is protected from being passed on by:
- speaking it to an unauthorised recipient (disclosure)
- communicating it by email, instant message or any other means without consent (disclosure)
- using it for a purpose outside the bounds of what he is permitted to use it for (misuse)
- (in an appropriate case) making article/object described by the information which is confidential (misuse).
When the duty of confidentiality arises
A duty of confidence arises when information is received in circumstances where the person known or should have known the information was confidential. The case law usually involves situations where:
- the receiver was told that it was confidential.
- a reasonable person would ordinarily expect a duty of confidentiality to exist, such as:
- employment, doctor-patient and solicitor-client relationships. Confidentiality is assumed from the outset in these situations.
- commercial arrangements where it was clear or obvious that a duty of confidentiality existed.
- an element of dishonesty or underhand conduct exists, such as electronic eavesdropping or dumpster diving
- the recipient of the confidential information in turn passes the information to someone else. That third person are themselves are subject to a duty of confidentiality when they are told it is confidential.
A duty of confidence exists as an equitable obligation. It may affect third parties too.
When a third person knows they have received confidential information, in breach of confidence they may be liable for their own use and disclosure. It includes third persons who are 'wilfully ignorant' of the possibility that the information was obtained in breach of confidence.
Mixing secret and non-secret material
Confidential material shouldn’t be mixed up with non-confidential material. It’s too hard for courts to decide which are the confidential bits and which aren’t. It’s your claim. If you’re not able to delineate one piece of confidential information from another, and its parts, the claim will likely fail. If you can’t separate it out, courts won’t solve the problem from you.
Publicly Available materials confidential?
It’s OK for secrets to be made up from publicly available material – the hard work of creator is sufficient to obtain protection. The confidentiality depends on the collated information itself, and not upon the quality of its constituent parts.
An example is compilations of information, such as customer lists. All the names may be in the public domain, but the list of names can be kept secret, and protected.
What is a trade secret exactly?
The difference between confidential information and trade secrets is an important one. If it is a trade secret, employees aren’t allowed to use the information for their future employment. It doesn’t matter whether they were involved in creating it or not.
Why are trade secrets special?
A trade secret is a special type of confidential information. It is highly confidential information.
The starting point is that employers can’t protect the skill, experience, know-how and general knowledge acquired by an employee as part of their job during employment. An employee can lawfully recall materials using their memory and skills, which were confidential while an employee. They can use the materials after the employment contract ends.
When is it a trade secret
Whether it qualifies as a trade secret depends on a series of factors. If you claim you have a trade secret you must:
- identify what is the highly confidential information which is said to be a trade secret. Failure to do so will almost certainly result in losing your case.
- show the information used in the business has had restricted and limited distribution and dissemination, and certainly not widely published
- demonstrate the information can be fairly regarded as your property (in a general sense). That means separate to the skill, experience, know-how and general knowledge of the employee
- not mix the highly confidential information with non-confidential material. That’s important enough to repeat
If these criteria are satisfied, it is considered unfair to permit an employee to use it for their own purposes.
The employee environment
This means that the factors that come into play include:
- the nature of the employment. Were they a senior employee, director or junior employee
- the character of the information sought to be protected
- the restrictions imposed on distribution of the information
- the extent of use of the information in the public domain
- the damage likely to be caused by its use and disclosure by rivals in competition to the employer.
Types of trade secrets
All sorts of business information can be classified as trade secrets, including:
- highly customised policies and procedures
- financial forecasts and projections
- Business plans
- business and management information and management accounts,
- Price-sensitive information, such as combined operating ratios, capital figures, expenses and acquisition costs; average profit figures and net loss ratios
- strategic information, information in relation to clients and staff,
- customer lists and client information such as products sold to customers and prices, and databases)
- software, secret formulae, technical processes and know-how
- engineering drawings
Often though, it often doesn't matter whether the information is just confidential or a trade secret.
If information is part of a trade secret, the ex-employee is prevented from using it for their own purposes, in the absence of a restrictive covenant (ie an express contractual promise) by the employee to keep information secret after their employment contract comes to an end.
These are the sorts of clauses that read along the lines of:
"for the term of your employment and for 12 months thereafter you shall not:
- [solicit the customers of the Employer]”
- [entice or attempt to entice away any person to cease doing business with the Employer]”
- [work with a rival trader within the area of [specialist skill set]] within the M25".
As you can imagine, restrictive covenants are really important to employers. The more senior employee, the more important they are. That’s because senior employees are exposed to more business sensitive information.
For business, protection of confidential information is a legitimate interest (which is the test for a valid restrictive covenant). The restrictive covenant however can’t be so wide that it goes further than protecting the legitimate business interests of the employer. Otherwise, it will be void and of no legal effect.
Defences to a breach of confidence claim
The most common defences to claims of misuse of confidential information are:
- the information is not a trade secret or confidential
- an express restrictive covenant that prevents use of confidential information is not reasonably required for protection of claimant, and is therefore void
- the confidential information was not disclosed to the confidant in circumstances there was an obligation of confidence
- the said confidentiality forms part of an illegal contract or is otherwise unlawful
- it is the public interest to disclose the information, such as in respect of a crime or a civil wrong (the motive of discloser not usually relevant)
- competition law applies to renders the confidentiality void
- the claimant doesn’t come to court with clean hands
- disclosure is a 'qualifying disclosure' under the Public Interest Disclosure Act 1998, s.6 (aka "whistle-blowing").
It is no defence to a breach of this duty to say that the information was publicly available. The details of customers on confidential customer list will be in the public domain. To contact those potential customers using the list itself is misuse of the confidentiality in the list.
Public Interest Defence
The public interest defence applies when the defendant shows that disclosure should take place to the public at large or to a restricted class of people.
To be available to a defendant, there must be “just cause” for breaking the duty of confidence. The classic statement is that a person cannot be made the "the confidant of a crime or a fraud". Availability of the defence is now quite a bit wider, which includes in the appropriate case:
- illegal or immoral practices
- exposure of hypocrisy
- improper practices or deliberate concealment, such as economic information
- information which corrects a false impression or image and
- sometimes incompetence.
The behaviour to justify the defence will be approaching disgraceful or criminal in the eyes of a court.
European Convention on Human Rights
Article 10 of the European Convention on Human Rights may justify breach of confidence where disclosure is in the public interest. Whether it is justified is highly fact sensitive – it depends on precisely what happened.
Article 10 requires balancing the claimant's right to confidentiality with the defendant's right of freedom of expression.
It must be that the right of freedom of expression is - in the particular circumstances - "necessary in a democratic society". It involves a weighing exercise between the Article 10 rights of the discloser and the holder of the right to confidentiality. It’s not whether the confidential information in question is in the interest of the public.
When relying on public interest defence, a limited disclosure is preferable. That may be to the appropriate industry regulator or dedicated crime authority, rather than to the public at large. It is about proportionality of the disclosure. Going to the media at large is extreme.
Differences: Confidential Information v Copyright
Copyright law only protects against reproducing a “substantial part” of a copyright work. To distribute or reproduce a copyright work without the permission of the copyright owner is an infringement of copyright. It can be restrained by an injunction.
For some context: Let’s say the copyright work describes how to make a new invention.
Let’s say it is an invention that negates gravity: you can float without upwards thrust or propulsion (it would be pretty neat). For this example, assume that if you make the invention to the description, it will work.
For the purposes of copyright law, the description is a literary work.
To photocopy it, email it or publish it without permission would infringe the copyright in the work.
Copyright law does not "care" what is communicated by the copyright work. What it does care about is the precise words used.
If the document is only protected by copyright law, it would not infringe copyright to make the anti-gravity machine to the description.
Confidential copyright works
The contents of the copyright work may or may not be confidential. Let’s say the description of the invention in the copyright work protected by the law of confidential information.
That means that the information communicated by the description is confidential.
Confidentiality gives broader - but different - protection than copyright law.
This is so because it protects not just against copying the words of the copyright work. It protects the information contained in the copyright work. If you were to read and memorise the description and repeat it to anyone, or write it down, you’re headed in the direction of a breach of confidential information.
How long does protection of confidential information last?
Protection of confidential is indefinite or perpetual. Information is protected by the law of confidential information for so long as the information is kept confidential.
Civil or Criminal Law?
Industrial espionage and genuine theft of information doesn’t really exist in this area of law.
There may be a claim under the Theft Act for theft of an object (say the paper that the confidential information is written on), but not of information in its own right.
This is primarily because the right to keep information secret is not a personal property right – it is a right to sue to prevent others from disclosing or misusing information (which is secret).
In technical language, it is a “chose in action” – an intangible right to sue for enforcement of the duty of confidentiality.
Legal remedies for breach of Confidential Information
Court based legal remedies for misuse of confidential information or threatened misuse of confidential information include:
- Disclose the defendant’s use of confidential information – ie enable customer contact to notify of wrongdoing
- a special kind of injunction, known as a ‘springboard’ injunction. More on this below.
- injunctions to restrain dissemination of confidential information
- a garden leave injunction to enforce the remainder of a garden leave period of an employee
- Orders to preserve evidence of wrongdoing
- Enforcement of restrictive covenants
- Damages or an account of profits arising from the loss of confidentiality caused by public disclosure;
- a constructive trust, whereby a person is ordered that they hold property or assets on behalf of a claimant
- an order for delivery-up of offending material and/or its destruction
- the legal costs of the successful claimant be paid by the unsuccessful party
When confidential information is under a real and imminent threat of disclosure, a court has an impressive range of powers to address the breaches and prevent further unlawful disclosures.
For instance, search orders may be available where it can be shown that there would be a real risk of destruction of evidence of the wrongdoing perpetrated.
In some cases, it may be known that confidential information has been obtained by a competitor. But it is not known who supplied it to them. In these cases, an order for third party disclosure or a Norwich Pharmacal Application may be used to identify the appropriate defendant to bring action against them, or make an Order against the public at large (ie an injunction contra mundum).
Springboard injunctions are designed to prevent wrongdoers from taking advantage of their own wrongdoing. It deprives them of the head start that would be gained by using misappropriated confidential information. These injunctions are made for a limited period of time expressly for that purpose.
They are usually obtained at an early stage of the dispute: when the wrongdoing is first discovered the wrongdoing.
It's a temporary remedy.
They're designed to restore the parties to the position they were in before the breach of confidence took place. That is, sterilise the illegitimate competitive advantage which has been alleged by the owner of the confidentiality.
They are not made to otherwise affect the business of the defendant.
Just because an injunction is ordered, doesn’t deprive the innocent party of an award of damages.
As with all injunctions, delay applying for court-based relief is often fatal. Courts require litigants to act quickly (within days or a small number of weeks, not months). The application must be made while the unlawful behaviour is still being carried out. Those who say that they suffer serious damage as a result of someone else’s wrongful use of their confidential information to justify making an injunction must take action quickly.
FAQ: Common Questions and Legal Issues
1 Who can sue over an illegal disclosure or misuse?
It is the owner of the right of confidentiality that has the right to sue to enforce the right. This is not necessarily the owner of the confidential information itself.
2 What about joint owners of confidential information?
Unless there is a contractual arrangement to the contrary, joint owners can each do what they want with the confidential information. A joint owner cannot restrain another joint owner from using and/or disclosing the relevant information.
3 What if there is no confidentiality provision in a contract?
It doesn’t follow that just because a confidentiality provision doesn’t appear in a contract, the contract isn’t confidential. Provided the tests for confidentiality is satisfied, the contract itself is confidential.
4 When is confidentiality lost?
Confidentiality is lost when the information is released to the public domain: when it becomes freely accessible to the public. Information is which public knowledge cannot be confidential. No matter how confidential it may once have been. Once it’s lost, it’s gone forever.
Tips to maintain confidentiality
Your business must take “reasonable” steps to protect confidential information. If you are not able to show that you care about it, no-one else will. From a legal perspective, that is. Including the person that takes it.
A combination of positive steps which are able to be proven with a witness statement is the best way. Because that it how it would have to be done.
Establish a framework for protection
These days, there are policies and procedures for practically every part of a commercial enterprise.
You should document the steps and procedures that you apply and enforce them where necessary (and hopefully audit for effectiveness).
With the GDPR and equivalent on the cards to apply post-Brexit in the UK, confidentiality should be a part of life for most businesses these days.
That’s the first step. The second is to show that you have a procedure that exists. Then show that it is not documentary lip service.
Notices and Warnings
Primarily though, it is about putting recipients of confidential information on notice that what they are about to receive is confidential. Tell them it’s secret. Not to be disclosed. Not to be used other than for limited purposes.
Saying that the materials are confidential after disclosure to them has been made is too late (unless it can be shown from the circumstances that disclosure took place in secret and was confidential information). Not an ideal situation.
This sort of ambiguity – where one needs to tell the story of the circumstances of the disclosure – is painful, difficult and not the optimal situation.
This is one of the reasons why expert solicitors suggest that non-disclosure agreements are signed by recipients prior to handing over anything that might be considered confidential. The writing – ie the contract – makes it clear what may be done with the information received. The permissions should be as limited as possible. No more than what is needed.
- Email: Using email footers stating that the contents of the communication may contain confidential information, such as:
“This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained in this email.”
- Letters: Heading up letters with the words “Confidential Information”
- Meetings: Start meetings and give advance notice that the meeting will be conducted in private and information exchanged will be confidential
- Encrypt – with password protection - confidential information at rest and in motion, over the internet and elsewhere such as on storage media
- Notices in procedures for induction of new employees and consultants
- Provisions in employment contracts and freelancer agreements
- Provisions in employee handbooks, and perhaps a confidentiality policy
In Business Contracts
- There are confidentiality agreements, and then there are confidentiality agreements. Not all are equal. I’m sad to say that we have advised on our fair share which look like confidentiality agreements, but they’re not. Many contain wording that mean that the recipient can disclose what they are told, despite all the wording that impresses upon the reader that secrecy is sacrosanct between the parties to the contract
Regulate authority to distribute
- Maintain lists of known persons (by job role, perhaps rather than by name) authorised to release confidential information of different gradings
- Physical procedures, such as locked rooms, safes, and password protected computers and servers
Misuse or Threatened Misuse
- If there is a serious risk of release or misuse of the information, you need to take action. Quickly. Otherwise you lose the ability to obtain urgent injunctive relief to prevent the situation worsening
Non-confidential and Confidential
- Keep non-confidential information separate from information which you say is not confidential where possible. Mixing the two together may be fatal to protecting the secret parts