Maintaining Confidentiality in the Workplace
In today’s business world, confidential information is abundant, and organizations
have an important obligation to keep it safe. From patient lists and pricing data to
employee information, trade secrets and financial reports, Jay Precision company
must uphold its privacy obligations or it can experience a damaging information
leak or fines for non-compliance.
Why is it Important to Protect Confidential Information?
Failure to protect confidential information from being disclosed can cause a multitude
of problems for organizations:
Loss of Business: When confidential information is mishandled, it can create
a sense of distrust with customers and clients, which hurts a company’s
bottom line.
Criminal Activity: When confidential information is misused to commit
criminal activity, such as fraud, it inadvertently tarnishes a company’s
reputation.
Loss of Competitive Edge: When business plans, intellectual property or
trade secrets are unlawfully disclosed, it puts companies at risk of losing their
competitive edge.
Decreased Morale: When confidential employee information is stolen, shared
or disclosed without consent, it deteriorates employer trust, confidence and
loyalty.
Privacy Law Compliance: The Personal Information Protection and Electronic
Documents Act establishes rules for how we can collect, use and disclose
information about individuals. When organizations or employers fail to protect
confidentiality, they can face hefty legal fines for non-compliance.
Examples of Workplace Information
Confidential workplace information is generally broken down into five categories:
Employee Information: This can include confidential identifying
information, such as an employee’s Social Insurance Number,
home address, telephone numbers, e-mail addresses, log-in and password
information, prior surnames, driver’s license number, sensitive medical or
disability information, and more.
Management Information: This can include documentation regarding private
employer/employee relations issues or disciplinary actions, planned layoffs or
redundancies, workplace investigations of employee misconduct, salary and
contract negotiations, and other employment-related information.
Company Information: This can include proprietary information or trade
secrets that give a company an edge over its competition, including details
regarding confidential commercial processes, ingredient formulas and secret
recipes, third-party supplier lists, business plans and agreements, financial
data, budgets and forecasts, product development, intellectual property,
passwords and log-ins, marketing strategy, research, and more.
Customer Information: This can include confidential information,
such as client or customer lists, contact information, financial information,
driver’s license numbers, Social Insurance Numbers, and more.
Professional Information: This applies to various professions – such as
medical, legal and accounting services – with information including client lists
and contacts, patient diagnoses and treatments, tax and income information,
privileged communications and related advice, and more.
Ways to Protect Confidential Information in the Workplace
Here are nine practical information security measures that all companies should
practice to protect business confidentiality and minimize the chance of a serious
breach:
1. Develop an Information Destruction Policy
An information destruction policy is a formal, company-wide, written policy
that directs employees to securely dispose of documents when they are no
longer needed. Instead of disposing of information in a trash can or recycling
bin, an information destruction policy will review what types of data must be
destroyed and how, so that confidential information remains protected and
isn’t improperly disclosed.
2. Sign Non-Disclosure Agreements
A best practice that all companies should implement is having non-disclosure
agreements with employees, contract workers, service providers, suppliers,
investors or any third parties that have access to confidential information. A
non-disclosure agreement can ensure that individuals do not distribute or
disclose secret information or intellectual property. This formal confidentiality
agreement can also prevent unnecessary legal circumstances from arising.
3. Limit Access to Confidential Information
Providing limited access to confidential data on a need-to-know basis can
prevent a serious breach from occurring. When granting access, employers
should keep records of what confidential information has been disclosed and
to whom. This permission should also be revoked upon project completion,
termination of employment or when access is no longer appropriate.
4. Provide Regular Employee Training
Employees who are educated to identify risks can also limit potentially
damaging situations to a company, its stakeholders and reputation. When an
employer invests in ongoing training, information security becomes rooted in a
business by its employees who understand the obligation of properly
disclosing and protecting confidential information.
5. Plan Periodic Audits of Waste Systems
Follow up employee training with periodic audits of recycling bins and trash
cans throughout the workplace to ensure that appropriate disposal protocols
are being followed 100% of the time. When document disposal procedures
are clear and convenient, there is no reason to find confidential information in
employee blue bins.
6. Establish a Clean Desk Policy
Leaving confidential documents within view of prying eyes makes them more
susceptible to theft. By establishing a clean desk policy, all employees must
clear their workspaces at the end of each day and contain all documents,
files, notes and removable electronic media, such as USB devices, in locked
file cabinets for extra protection.
7. Safeguard Confidential Information with a Visitor Policy
Every company should have a proper visitor policy in place to protect its
employees and guests, as well as trade secrets, intellectual property and
other confidential information. All organizations, for example, should require
visitors to check in and check out, sign a non-disclosure agreement, wear
visitor badges and be accompanied by an employee for the duration of their
visit while on company property.
8. Utilize Off-site Document Storage
Storing confidential information within the workplace increases a company’s
chance of a purposeful or accidental information leak. By storing documents
off-site with a third-party records management service, confidential
information is securely contained and managed with around-the-clock
surveillance and strict safety protocols. Organizations also have the ability to
set predefined access control lists to restrict who can request and receive
electronic copies of physical documents in storage to prevent unauthorized
access of confidential information. When documents reach the end of their
lifecycle, a records management service can carry out secure destruction to
maintain government record-keeping requirements and ensure company
confidentiality.
9. Hire a Shredding Service to Destroy Confidential Information
Properly destroying confidential information is critical for any company, but it
can be a complex, expensive and time-consuming process when handled
in-house by employees. Outsourcing document shredding and media
destruction to a professional service provider not only frees up valuable time
and resources, but it also keeps organizations compliant with privacy laws
and provides protection to all parties to avoid a confidential information leak.
Depending on the consequences of a breach in
confidentiality, you can protect confidential information
with the following measures and strategies:
Provide confidentiality training. This should include
advice on not sharing confidential information
unintentionally – for example, through gossiping, or with
people outside of work.
Only share confidential information with those who have
a reason to know. The fewer people who know
something, the easier it is to contain the information.
Use confidentiality, nondisclosure, and non-compete
agreements with employees, clients, and contractors to
further protect your business. You should use these legal
documents whenever you have to disclose confidential
information to people outside your organization. (These
agreements should be drawn up by a lawyer.)
Where appropriate, have a confidentiality policy that
describes what information is considered confidential,
and which outlines how to manage and share
confidential information within the organization. It can
also define when confidentiality can be broken. This
typically includes situations where there is a legal
obligation to disclose information, when a criminal act
has been committed, or when someone's health and
safety is in jeopardy.
Require the proper disposal of sensitive information: for
example, by shredding documents with a cross-cut
shredder, or by destroying old computer hardware. (Be
aware that computer equipment that is "thrown away"
may be salvaged rather than being sent to landfill.)
Restrict the ability to view, remove, or copy confidential
information. In a computerized environment, it's very
easy to access and disseminate information. Encrypt
highly sensitive information. Use passwords to protect
and limit access to information. Also, be aware that
there are different levels of encryption – some can be
compromised quickly, while others are more secure. (Ask
your IT department for help if you need to know more.)
Stamp documents "confidential" if required. (But don't
overuse this practice, as people then might ignore it.)
Secure physical information and files using a lock and
key or a safe. Be sure that you keep track of the keys,
ask former employees to return their keys, and update
access lists regularly.
Require people who leave their employment to return all
documentation and material to the organization.
Upon commencement of employment
From day one, employees should be educated about the need for
confidentiality in the workplace and what can and cannot be discussed
outside of the work environment. Some businesses will be governed by
specific privacy and confidentiality laws that must be adhered to.
In any case, employees must know what their obligations are from the
very beginning.
To further reinforce the importance of confidentiality, all employment
contracts/agreements should have clauses that clearly state the
obligations that an employee has regarding confidentiality. The
agreements should also clearly state that the requirements of
confidentiality remain in place after employment has ceased.
During the employment tenure
Putting systems and procedures in place to protect confidentiality is a
practical step you can take to ensure that your information is not
compromised. Practical initiatives you can put in place include:
Ensuring that all computer and email access is password protected.
Ensuring that access to confidential information is granted to employees
on a need-to-know basis.
Preventing files from being removed from the workplace without
specific permission to do so.
Either forbidding or discouraging employees from using personal
devices to access confidential information. Policies should be clear
and specific regarding this issue.
Implementation of an ethical surveillance monitoring program
designed to flag any potential breaches of confidentiality policy. The
program needs to be legal and visible to ensure that employees
know that their workplace emails or downloading behaviour can be
monitored.
Employment termination
Some employees will inevitably leave the business at some point.
Employment agreements must have clear statements about what the
employee is obligated to return to the company upon their resignation or
termination. Confidential material that should be listed here includes such
items as:
Items owned by the company, such as laptops or mobile devices
that contain confidential information.
Any confidential material held on personal devices, in which case
they should agree to delete the material.
On the last day of employment, the employee’s access to email and other
confidential material should be removed, and the employee should be
again reminded of their confidentiality obligations. This may also be an excellent
time to remind the employee of their responsibilities under the Code of Conduct,
which clearly states that the employee cannot use confidential information to
gain an advantage over their previous employer.
If the employment has ended as a result of a dispute, it may be wise
to initiate an exit deed that restates the employee’s
responsibilities regarding confidentiality.