IT security teams need to know about confidentiality clauses in contracts.
The law of confidentiality is one of the cornerstones of legal protection for information, and is a double-edged sword: it can be used to protect your own information, but it can also be used against you if your security measures are not all they should be.
The first thing to note is that your organisation's liability to others for a disclosure of confidential information may have arisen in circumstances that you, as guardian of its confidential information, may not have been aware of. Even in the absence of a written agreement, there can be an automatic liability to third parties under the law of confidence.
For information to be classed as confidential, it must have the "necessary quality of confidence" and be disclosed in circumstances implying a duty of confidence. The phrase "necessary quality of confidence" in broad terms means the information is worthy of protection: it is not trivial or obvious, or already public knowledge.
There are certain relationships where it is established that a duty of confidence automatically exists, such as the relationship between doctor and patient. In other relationships, however, the matter hinges on whether the discloser had a reasonable expectation that the information would be kept confidential, and whether that expectation was reasonably evident to the recipient. There is no handy checklist for determining whether these factors exist, and an element of judgement will always be involved.
Finally, for information to be deemed to be confidential there must be some detriment to the party that "owns" it in the event that the information is disclosed or misused.
The second thing to note is that a duty of confidence can arise under a contract. Most organisations will have a large number of agreements with suppliers, customers and other bodies on various matters. All these agreements are likely to contain confidentiality clauses. Failure to observe these clauses is a breach of contract, which is actionable if a loss ensues.
The great advantage of a contractual confidentiality clause is that it takes the guesswork out of determining what information is protected. Many confidentiality clauses are so wide that they cover all information disclosed, whether it is confidential in the common law sense discussed above, or not. However, where the information is not confidential in the common law sense, disclosure or misuse in contravention of the agreement is less likely to lead to a loss on the part of the "owner" and therefore it is unlikely that an action for breach of contract could be sustained.
But the rub is that express confidentiality clauses vary in their terminology. Some of the more complex clauses require the recipient to keep confidential information separate from other types of information, and many require an organisation to disclose the other party's confidential information only to those employees who need to have access to it. A business that does not consult its IT team with a view to setting up access controls to police these obligations internally is likely to find itself in breach of them. Another common term in confidentiality clauses is that the recipient will treat the confidential information with no less care than it does its own information. Again, if the IT team is not made aware of this obligation, it is unlikely to be fulfilled.
What is clear is that the IT team cannot fully protect an organisation from risk unless it is given greater knowledge of the wider business being conducted and, in particular, the confidentiality obligations that are being entered into. Currently, it is very unlikely that the business teams in an organisation, or even its legal teams, would think to inform the IT security team of the obligations they are committing to. This position should change if maximum legal protection is to be secured, and demonstrates how IT security teams can and should increase their profile within their organisations for the good of all.
- Tamzin Matthew is a partner in law firm Blake Lapthorn Tarlo Lyons, and specialises in IT law. She can be contacted at Tamzin.Matthew@bllaw.co.uk or on 01865 254262.