Businesses can't function without confidential information.
The law of confidential information applies in industrial, commercial, government, the workplace, employment and personal contexts, and:
- protects sensitive data and information in all of its forms, regardless of the media that it is recorded
- when it's kept in people’s heads and never written down
- before other forms of intellectual property come into existence to protect it, or never will
What is Confidential Information?
The underlying basis of protection of confidential information is that receivers of confidential information will not be permitted to take unfair advantage of it.
Confidential business information is information which:
- is not in the public domain and common knowledge (which is the opposite of confidentiality)
- not trivial or useless information. It must have some importance or value.
- does not require commercial, financial or monetary value
- must not be too vague. It must be sufficiently developed and "capable of being realised as an actuality"
Aspirational ideas which lack detail do not usually qualify
- would cause harm to the owner or be advantageous to rival businesses, if it was disclosed.
The law of confidential information does not create a personal property right.
The truth is that it's not property at all, in any normal sense.
It's not information belonging to anyone, in the sense that someone might own a car, a pencil or a house. It's a right to keep the information secret - by preventing others from disclosing it or misusing it.
The law of equity will restrain its transmission to another individual or legal person if that would be in breach of some confidential relationship: a breach of confidentiality. That's the cause of action.
- of any particular information is assessed using an objective standard
- the context of commercial usage and practices of the industry in which the owner operates
- does not rely upon the complexity, bulk or market value of the information.
Simple, brief and cheap information can attract protection
For example when a person memorises or reads confidential information, and then:
- makes their own summary of the information, or
- repeats it to a person not entitled to receive it,
that person is headed in the direction of a breach of confidentiality.
Types of Confidential Information
There are well established categories of information which are considered confidential, while it maintains the qualities of confidential information.
All sorts of business information can be classified as confidential information, such as:
- Financial information, such as:
- financial forecasts and projections
- price-sensitive information, operating ratios, capital figures, expenses
- the price to be paid for assets in a joint venture
- Business information
- business plans and strategies
- management information and management accounts
- acquisition costs; average profit figures and net loss ratios
- strategic information, information in relation to clients and staff
- highly customised policies and procedures
- Customer Information
- lists of customers
- their buying preferences
- profit margins and prices charged
- volumes of sales of products or services
- Information Technology
- software and databases
- algorithms, secret formulae, technical processes
- engineering drawings
- data diagrams
- Research and development
- results of product testing
- clinical research
Often, information protected against disclosure is concurrently protected by other intellectual property rights.
For example, information could be in written form or recorded in electronic form. Suppose it contains confidential information.
There's usually no good reason why the words as expressed in the document would not be protected by copyright law, as well as the law of confidential information. Again, for so long as the information remained confidential.
Duty of Confidentiality
There's no fixed template for a duty of confidentiality.
In the UK, the duty of confidentiality is not a property or proprietary right. It's a legal right to prevent its transmission to another person in breach of a confidential relationship.
The duty of confidentiality arises when a person receives information and:
- the person knows, or
- should have known,
the communication contained confidential information in the circumstances of the communication.
So, the duty arises when the information has been imparted in circumstances imposing an obligation of confidence: in such a way that secrecy was to be maintained.
Methods of Receipt
Confidential information can be received in any number of ways. Provided the information was protected as confidential information, a obligation of confidence arises when:
- the receiver was told that information was confidential before they received it
- a reasonable person would expect a duty of confidentiality to exist, such as:
- employment, doctor-patient, accountant-client and solicitor-client relationships. Confidentiality is assumed from the outset in these situations
- commercial arrangements where it was clear or obvious that a duty of confidentiality existed
- parties to a contract have agreed that information exchanged will be confidential
- information protected by a duty of confidentiality is obtained by a person, and an element of dishonesty or underhand conduct exists, such as electronic eavesdropping or dumpster diving
- the recipient of the confidential information in turn passes the information to someone else.
For the obligation of confidence to arise, the information still needs the quality of confidential information (see above).
The law of confidential information affects third parties too.
When a third person knows they have received company confidential information from a confidant, they may be liable for their own use and disclosure.
It includes third persons who:
- are wilfully ignorant of the possibility that the information was obtained in breach of confidence
- closed their eyes to the possibility that the information is confidential, or
- where they have been told the information is confidential.
Sharing Confidential Information
The fact that some members of the public may know the information does not necessarily destroy confidentiality of information.
So when the information is known to a limited number of members of the public does not itself destroy confidentiality in information.
Confidentiality is maintained in information for so long as the information doesn’t fall into the public domain and thereby become public knowledge.
It’s when its disclosed to “a substantial number of people” that confidentiality is lost.
Whether disclosure of company confidential information destroys confidentiality is a question of degree.
There is often more than one person in a ring of people who know confidential information. Sensitive information with limited distribution retains its confidentiality.
For example, depending on the background, disclosures may be made in a context where confidentiality is not lost:
- a research study might be confidential within a department of a university. A client list might be known by dozens of people within a business
- an accountant might send sensitive financial information to another consultant on behalf of the client
- a client of a solicitor may provide witnesses with confidential communications for the purposes of preparing a witness statement
- sales figures may be shared amongst the sale team of a business
That does not necessarily stop the information from being confidential information.
When information is disclosed, and owner of the right of confidentiality fails to specify any restrictions on use, confidentiality is likely to be lost. Courts are not likely to prevent further disclosure unless the confider can show that the recipient should have known the limits on further use.
There are established occasions when a single disclosure destroys information, such as when a document is read by a judge in open court, or a document containing the information is tabled in Parliament.
What is Breach of Confidentiality?
To prove a claim for breach of confidentiality, the claimant must show that the company information:
- is confidential information, ie they have maintained confidentiality of the information
- must have been imparted in circumstances importing an obligation of confidentiality to the confidant
- was used or is threatened to be used in an unauthorised way.
Unauthorised use of information takes place when it is
- misused by the recipient for their own purposes, and/or
- disclosed or disseminated to any other person, without authority
Receiving Company Confidential Information
The way the information was received by the person plays an important part in what might be considered a breach of confidentiality and what might not be.
Confidential information may be received - or disclosed any number of ways, which include:
- from the confidant, directly
- by accident, carelessness, or mistake, either directly from the confidant or through a person in whom the confidant has confided
- from a third party, indirectly (who owes a duty of confidence to the confidant), with or without warning that the information is confidential
- secretly through dishonest, discreditable or reprehensible means or conduct, either directly or indirectly
Where the disclosure or use is authorised, there's not likely to be a breach of confidentiality.
But when it happens without authority or consent, legal rights arise enabling the owner to protect its confidentiality.
Example: Limited Purposes & Unlawful Use
Suppose a recipient of software source code (protected as confidential information) was told that they could only use the software for the purposes of private study. It has been received subject to a condition – the limited purpose of private study.
For the recipient to go off distribute it around his workplace for everyone else’s private study would be an unlawful disclosure of the software. For him to use the information to diagnose errors in computer systems (without disclosing the software to anyone else) would be misuse of the software.
This means that confidential information contained in (say) a document is protected from being passed on by:
- speaking it to an unauthorised recipient
- communicating it by email, instant message or any other means without consent
- using it for a purpose outside the bounds of what is permitted
- making article/object described by the information which is confidential
Mixing Secret and non-secret material
Confidential material shouldn’t be mixed up with non-confidential material.
It’s too hard for courts to decide which are the confidential parts and which aren’t. If a business is not able to delineate confidential information from non-confidential parts, legal action for breach of confidentiality is likely to fail.
Are publicly available materials confidential?
Confidential information may be made up from publicly available material – the hard work of creator is sufficient to protect against disclosure.
Confidentiality depends on the collated information itself, and not upon the quality of its constituent parts.
For example, compilations of information in the public domain may be confidential. The names of customers may be public knowledge, yet a list of customers is likely to be considered confidential while the list of names is kept secret.
Defences to Breach of Confidentiality Claims
The most common defences to claims of misuse of confidential information include:
- The information is not a trade secret or confidential at all: previous disclosures mean that the information is in the public domain
- A restrictive covenant intended to prevent use of confidential information goes further than what is reasonably necessary for the protection of the business, and is therefore void
- The alleged confidential information was not disclosed to the confidant in circumstances there was an obligation of confidentiality, and is therefore no longer confidential
- The alleged confidentiality forms part of an illegal contract or is otherwise unlawful
- The disclosure was in the public interest, such as in respect of a crime or a civil wrong (the motive of discloser not usually relevant)
- Competition law applies to renders the confidentiality void
- The claimant doesn’t come to court with clean hands
- Disclosure is a "qualifying disclosure" under the Public Interest Disclosure Act 1998, s.6 (aka "whistle-blowing").
It's no defence to a breach of this duty to say that the information was publicly available, if the confidential information of the claimant was the version sourced.
For example, the details of customers on confidential lists of customers will be in the public domain. To contact those potential customers using the list itself is misuse of the confidentiality in the list of customers.
The misuse of the confidential information is using the list of names to then search them out and pitch for business: whether by telephone call, email or say advertising services in Facebook groups or on Twitter feeds where those businesses are known to roam, where that would not otherwise have been done for want of knowledge of the contents of the customer list.
Defence: Public Interest Defence
The public interest defence applies when the defendant shows that disclosure should take place to the public at large or to a restricted class of people.
To be available to a defendant, there must be “just cause” for breaking the duty of confidence. The classic statement is that a person cannot be made the "the confidant of a crime or a fraud". Availability of the defence is now quite a bit wider, which includes in the appropriate case:
- illegal or immoral practices
- exposure of hypocrisy
- improper practices or deliberate concealment, such as economic information
- information which corrects a false impression or image and
- sometimes incompetence.
The behaviour to justify the defence will be approaching disgraceful or criminal in the eyes of a court.
European Convention on Human Rights
Article 10 of the European Convention on Human Rights may justify breach of confidence where disclosure is in the public interest. Whether it is justified is highly fact sensitive – it depends on precisely what happened.
Article 10 requires balancing the claimant's right to confidentiality with the defendant's right of freedom of expression.
It must be that the right of freedom of expression is - in the particular circumstances - "necessary in a democratic society". It involves a weighing exercise between the Article 10 rights of the discloser and the holder of the right to confidentiality. It’s not whether the confidential information in question is in the interest of the public.
When relying on public interest defence, a limited disclosure is preferable. That may be to the appropriate industry regulator or dedicated crime authority, rather than to the public at large. It is about proportionality of the disclosure. Going to the media at large is extreme.
Differences: Confidential Information v Copyright
Copyright law only protects against reproducing a “substantial part” of a copyright work. To distribute or reproduce a copyright work without the permission of the copyright owner is an infringement of copyright. It can be restrained by an injunction.
For some context: Let’s say the copyright work describes how to make a new invention.
Let’s say it is an invention that negates gravity: you can float upwards without thrust or propulsion (it would be pretty neat). For this example, assume that if you make the invention to the description, it will work.
For the purposes of copyright law, the description is a literary work.
To photocopy it, email it or publish it without permission would infringe the copyright in the work.
Copyright law does not "care" what is communicated by the copyright work. What it does care about is the precise words used.
If the document is only protected by copyright law, it would not infringe copyright to make the anti-gravity machine to the description.
Confidential copyright works
The contents of the copyright work may or may not be confidential. The description of the invention in the copyright work is protected by the law of confidential information.
That means that the information communicated by the description is confidential.
Confidentiality gives broader - but different - protection than copyright law.
This is so because it protects not just against copying the words, images or other works protected by copyright.
It protects the information contained in or communicated by the copyright work.
How long does protection of confidential information last?
Protection of confidential is indefinite or perpetual.
It's protected by the law of confidential information for so long as the information is kept confidential.
Civil or Criminal Law?
Industrial espionage and genuine theft of information doesn’t exist in this area of law.
There may be a claim under the Theft Act for theft of an object (say the paper that the confidential information is written on), but not of information in its own right.
This is primarily because the right to keep information secret is not a personal property right – it is a right to sue to prevent others from disclosing or misusing information (which is secret).
In technical language, it's a chose in action – an intangible personal property right to sue for enforcement of the duty of confidentiality.
Legal Remedies for Breach
Court based legal remedies for misuse of confidential information or threatened misuse of confidential information include:
- prevent the defendant’s use of the confidential information
- a special kind of injunction, known as a springboard injunction. More on this below.
- injunctions to restrain dissemination of confidential information
- a garden leave injunction to enforce the remainder of a garden leave period upon an employee
- court orders to preserve evidence of wrongdoing
- Enforcement of restrictive covenants
- damages or an account of profits arising from the loss of confidentiality caused by public disclosure
- a constructive trust, whereby a person is ordered that they hold property or assets on behalf of a claimant
- an order for delivery-up of offending material and/or its destruction
- the legal costs of the successful claimant be paid by the unsuccessful party
Threat of Imminent Disclosure
When someone threatens to disclose something that is confidential and is under a real and imminent threat of disclosure, a court has a range of powers to address the threatened breaches and prevent unlawful disclosures and uses of the information and data.
For instance, search orders may be available where it can be shown that there would be a real risk of destruction of evidence of wrongdoing perpetrated.
In some cases, it may be known that confidential information has been obtained by a competitor. But the identity of the person that breached confidentiality and supplied it to them is not known.
In these cases, an order for third party disclosure or a Norwich Pharmacal Application may be used to identify the appropriate defendant to bring action against them, or make an Order against the public at large (ie an injunction contra mundum).
- are designed to prevent wrongdoers from taking advantage of their own breach of confidentiality
- deprive them of the head start that would be gained by using misappropriated confidential information
- are made for a limited period of time expressly for that purpose.
They are usually obtained at an early stage of the dispute: when the wrongdoing is first discovered the wrongdoing.
It's a temporary remedy that protects trade secrets & confidential information.
They're designed to restore the parties to the position they were in before the breach of confidence took place. That is, sterilise the illegitimate competitive advantage which has been alleged by the owner of the confidentiality.
They are not made to otherwise affect the business of the defendant.
Just because an injunction is ordered, doesn’t deprive the innocent party of an award of damages.
As with all injunctions, delay applying for court-based relief is often fatal.
Courts require litigants to act quickly (within days or a small number of weeks, not months). The application must be made while the unlawful behaviour is still being carried out.
Those who say that they suffer serious damage as a result of someone else’s wrongful use of their confidential information to justify making an injunction must take action quickly.
FAQ: Common Questions and Legal Issues
1 Who can sue over an illegal disclosure or misuse?
It is the owner of the right of confidentiality that has the right to sue to enforce the right. This is not necessarily the owner of the confidential information itself.
2 What about joint owners of confidential information?
Unless there is a contractual arrangement to the contrary, joint owners can each do what they want with the confidential information. A joint owner cannot restrain another joint owner from using and/or disclosing the relevant information.
3 What if there is no confidentiality provision in a contract?
It doesn’t follow that just because a confidentiality provision doesn’t appear in a contract, the contract isn’t confidential. Provided the tests for confidentiality is satisfied, the contract itself is confidential.
4 When is confidentiality lost?
Confidentiality is lost when the information is released to the public domain: when it becomes freely accessible to members of the public, whether any member of the public views it or not.
Information which public knowledge cannot be confidential. No matter how confidential it may once have been. Once it’s lost, it’s gone forever.
5 What does "Commercial in Confidence" mean?
"Commercial in Confidence" is usually used at the beginning of correspondence and documents.
The sender of the document or letter is putting the recipient on notice that the sender considers the contents of the document to be confidential. There is no substantial difference between using the term "Commercial in Confidence" and the word "Confidential".
The practice is adopted to:
- put it beyond beyond doubt that the communication retains its confidentiality
- adhere to the common law principle that a recipient must be put on notice before the communication that the information is confidential: not after the information has already been disclosed.
6 How does a business assert confidentiality?
A whole series of formulations of words are frequently used to assert confidentiality.
Some of the terms used to assert confidentiality in a document or communication include:
- "Private and confidential", "Personal and Confidential", "Highly Confidential", "Confidential Proprietary Information", "Confidential Document", "Private and Confidential Information"
They all mean the same thing. The communication is intended to be secret and kept secret.
- "Not for Distribution: confidential": the "not for distribution" part is easily read as an assertion of copyright: the receiver of the document is not granted any licence to distribute it to third parties.
- "Privileged and Confidential". Privileged is a reference to legal professional privilege
- "Without Prejudice and Confidential". With prejudice is a reference to the without prejudice rule, otherwise known as the without prejudice privilege.
Tips to maintain Confidentiality
Business must take “reasonable” steps to protect confidential information against disclosure by employees, consultants, contractors and others that have access to information in the workplace. If the company isn't able to show that it cares about it and impressed its importance on the workplace, no-one else will. From a legal perspective, that is.
A combination of positive steps taken to protect it, which are able to be proven with a witness statement is the best way. Because that it how it would have to be done if it needed to be proved in court: and on the balance of probabilities.
Establish a framework for protection
These days, there are policies and procedures for practically every part of a commercial enterprise. Protecting confidential information in the workplace is no different.
You should document the steps and procedures to protect confidential information that you apply and enforce them where necessary (and audit for effectiveness).
With the GDPR in force and and equivalent on the cards to apply post-Brexit, maintaining confidentiality should be a part of life for most businesses these days.
That’s the first step. The second is to show that the company has a procedure, operates by it and enforces it in the workplace. Then show that that policy or procedure is not just documentary lip service.
Notices and Warnings
Primarily though, it is about putting recipients of confidential information on notice that what they are about to receive is confidential. Tell them it’s secret. Not to be disclosed. Not to be used other than for limited and defined purposes.
Saying that the materials are confidential after disclosure to them has been made is too late (unless it can be shown from the circumstances that disclosure took place in secret and was confidential information). Not an ideal situation.
This sort of ambiguity – where one needs to tell the story of the circumstances of the disclosure – is painful, difficult and not the optimal situation.
This is one of the reasons why expert solicitors suggest that non-disclosure agreements are signed by recipients prior to handing over anything that might be considered confidential.
The writing – ie the contract – makes it clear what may be done with the information received. Ideally, the purposes for which they use it should be limited, with as little latitude as possible in a commercial context. No more than what is needed for the employee or consultant to do their job.
- Email: Using email footers stating that the contents of the communication may contain confidential information, such as:
“This email and any attachments are confidential and may also be privileged. If you are not the named recipient, please notify the sender immediately and do not disclose, use, store or copy the information contained in this email.”
- Letters: Heading up letters with the words “Confidential Information”
- Meetings: Start meetings and give advance notice that the meeting is private and confidential, and information exchanged will be confidential
- Encrypt – with password protection - confidential information at rest and in motion, over the internet and elsewhere such as on storage media
- Notices in procedures for induction of new employees and consultants
- Provisions in employment contracts and freelancer agreements
- Provisions in employee handbooks, and perhaps a confidentiality policy
In Business Contracts
- There are confidentiality agreements, and then there are confidentiality agreements. Not all are equal
- We have advised on our fair share of what look like confidentiality agreements, but they’re not. Many contain wording that mean that the recipient can disclose what they are told, despite all the wording that impresses upon the reader that secrecy is sacrosanct between the parties to the contract
Regulate authority to distribute
- Maintain lists of known persons (by job role, perhaps rather than by name) authorised to release confidential information of different gradings
- Physical procedures, such as locked rooms, safes, and password protected computers and servers
Misuse or Threatened Misuse
- If there is a serious risk of release or misuse of the information, you need to take action. Quickly. Otherwise you lose the ability to obtain urgent injunctive relief to prevent the situation worsening
Non-confidential and Confidential
- Keep non-confidential information separate from information which you say is not confidential where possible. Mixing the two together may be fatal to protecting the secret parts
Our Experience: Breach of Confidentiality Solicitors
Can you sue for breach of confidentiality? Need a firm of confidential information lawyers to assist you keep secret material secret, or bat a paper-thin claim for breach of confidentiality into touch?
We're expert confidential information lawyers and solicitors that help protect confidential information. We do that for a living for small businesses, contractors, consultants, and other business owners.
Confidential information often overlaps with other intellectual property rights to protect information owned by third parties and knowledge-based assets.
We've confidentiality lawyers that have represented companies to recover from breaches of confidence by:
- senior and junior employees taking customer lists and computer source code to set up new businesses
- recovering from innocent and mistaken disclosure of information to third parties
- appeared in court from events where wrongful use and disclosure of confidential information has been made to third parties
Our confidentiality lawyers have advised leaders in markets on developing intellectual property and maximising protections available in negotiations and preserving confidentiality after sale into the public domain, and guarding against reverse engineering which result in breaches of confidential information.
For legal help involving business related breaches of confidentiality and disclosures of confidential information to those who should not receive it, to speak to confidential information solicitors, call +44 20 7036 9282 or email us on firstname.lastname@example.org for an initial chat.