We are often called upon by both employers and employees to advise in situations where a departing employee has taken documents or confidential information belonging to their employer.
Sometimes this is completely innocent and there is no intention on the part of the employee to exploit the information, and in others it is taken with the intent to use in their new employment, either way this can be very worrying for employers.
In this episode 232 of the podcast I bring you a run down of the key things employers can do if they find themselves in a situation where confidential information has been taken and how to safeguard and prevent the loss in the first place. In this episode we cover:
- The reasons why departing employees may take confidential information or documents,
- The immediate steps employers should take when they find out that an employee has taken confidential information.
- The legal options available including obtaining an injunction and/or damages.
- The potential criminal consequences of taking confidential information or documents.
- Steps that employers can take during an employee’s employment to safeguard data.
- The importance of a robust confidentiality clause in employment contracts.
- When a non-disclosure agreement may be required.
- Why you should consider post-termination restrictions in your employee contracts.
- The points to note to ensure post-termination restrictions are enforceable.
- Why having robust IT processes and regular audits is important.
Training for your Team
Would you like to arrange training for your team to reduce the risk of both unhappy employees and claims being made against you? Please get in touch for a no obligation discussion, we can offer training anywhere in the UK in person or delivered remotely via MS Teams.
Please drop me an email alison@realemploymentlawadvice.co.uk
Fixed Price Advice from Real Experts
As part of our HR Harbour annual subscription service for employers we provide guidance and training for employers, supervisors and managers. If you would like to know more about the HR Harbour Service and how you can get unlimited support from as little as £210 per month please contact me for a no obligation discussion – alison@realemploymentlawadvice.co.uk or you can find full details here: HR Harbour
Don’t forget you can contact us by telephone 01983 897003, 01722 653001, 020 3470 0007, 0191 375 9694 or 023 8098 2006
We have a variety of free documents and letters which are available to download here: DIY Documents
We are also on YouTube! You can find a range of topics and also listen to this podcast on YouTube here: YOUTUBE
Welcome to the Employment Law and HR podcast with your host, Alison Collie. Hello, and welcome to this episode, 232 of the Employment Law and HR podcast. I'm your host, Alison Collie. I'm an Employment Solicitor and HR Specialist, and I run the firm Real Employment Law Advice, together with my colleagues, we provide advice and assistance to both employers and employees. I'm really pleased to be back with this episode, 232 of the podcast. Those of you who are regular listeners will know that I haven't released an episode since the sort of end of July, and the reason for that is because it has been the summer holidays, the school holidays, and I've taken a break from the podcast. I do have three children, two are school age, one is at preschool, and a number of my team also have children of school age, so it becomes a really busy time for us, either with taking holiday, changing hours for the children, or covering for colleagues. So my apologies, there hasn't been a podcast for several weeks, but the reason is because we've been covering for school holidays and taking so much needed time with the family. But I'm pleased to say I'm back now, and we'll be back to the regular scheduled fortnightly podcast, and I can tell you, without doubt, we're going to have lots to talk about in the forthcoming weeks and months. As many of you know, there are a number of changes that have been proposed by the Labour government and are likely to go through very soon, and I covered this off in a previous episode of the podcast, and I will be sharing in future episodes of the podcast all of the changes that are proposed and all of the detail, as well as the practical steps you need to take as and when it becomes known to us when it's laid before Parliament and more details are known. Whilst I'm on this topic of future changes and lots of things happening, I have become aware recently from a number of businesses who we work with that there are organisations out there who are trying to capitalise on these changes by trying to scare employers into attending events and signing up to their long contracts and basically using scare tactics to get businesses to sign up to contracts for support. Now, there is certainly a place for ongoing support, and we provide our own service ourselves, but what we don't do is scare businesses into signing up for unnecessarily long contracts for support. We work with businesses to make sure that actually what you're signing up for you're going to benefit from, and our contracts are no longer than 12 months. So what I would say to you is, if you are concerned about the potential changes, the impact that that will have on your business, and whether you have the capability in house to manage the changes that might be needed to, for example, documents, then do shop around, make sure you understand the nature of the company that you're going to sign up with. Are they regulated? Are they covered by insurance? Do they have qualifications in employment law? All of those sorts of things before you sign up, and if you go to any of these events, just make sure that you're going with your full disclosure of exactly what kind of organization it is. As far as I'm aware, there are no official government organizations that are providing employment or updates or employment or details about the proposed labor changes. These kinds of events are all being run by commercial organizations. So don't be misled, certainly get the information, and as I say, if you need support, do shop around and make sure that you know exactly who it is you're signing up with and what their terms and conditions are before you do so. So after all of that initial information, I'm going to get into this week's featured content. So this week, what I want to talk to you about is an issue that is relevant for both employers and employees, and something that's been coming up fairly regularly, as in we've been advising both employers and employees on this issue. And that is where employees take confidential information when they leave their employment. So that is where recently what we've found is it's been discovered that employees are either downloading documents or sending them to themselves or in some way taking those kinds of documents and information when they leave their employment. Often this comes out immediately as someone leaves or before they've actually left after they've handed their notice in, or sometimes it can come to light several months later, maybe when the business is undertaking an audit of their IT systems. Either way, what we're finding is the information is being taken by employees and employers are finding out about it or former employers are finding out about it, and then seeking to take action to remedy the situation and to secure their documents. Now in my experience, often we find that actually the intentions of the employee in these situations are innocent. They're not taking the information with the intent to use it in competition in any way or to exploit that information in the future. But rather, they think, actually I need this information so I can help me with my new job or to prompt me or to remind me on how to do things or perhaps as a template for future use. So no real intent to exploit that information in competition, but rather naively the employees believe that it will be useful to them to help them in the future. There are of course situations where we found that employees have deliberately taken information with the intent to use it in future. And those are the situations where it can be really detrimental to the outgoing employer, to the previous employer, if action isn't taken quickly. So what do you do if you're an employer and you find out that an employee has taken confidential information or documents without your permission? Well, there are various things that you can do. The first thing you should do is immediately send a cease and desist letter to that employee. So you send them a formal letter outlining what you've found out. So detailing the information that you have come across that indicates they have taken that confidential information or documents and demanding that they return the data and or documents and that they cease to use them. So you're basically saying, right, we know what you've done, we know what you have, we need you to return all of that information and to stop using it in future. And you would ask them to sign an undertaking that they confirm that they have returned everything or they've deleted everything and that they won't continue to use it in the future. And in that letter, you should also outline the potential legal consequences if they fail to comply and agree to what you're asking of them. And that needs to be sent immediately. Then depending on the response that you receive, you may wish to obtain an injunction. So if you're not satisfied that the employee has complied or they refuse to comply with your cease and desist letter, then you can seek an injunction from the court to prevent the employee from using or disclosing the data that they've stolen or the documentation or information that they have. And the injunction can also compel them to return the documents and data that they have. Now this can be done fairly quickly. And if you're in a situation where you need to obtain an injunction, then I would advise you to seek legal advice in doing so because the process can be complex and it can also be time consuming. And you want to get it right, especially if you're in a situation where the continued use or misuse of that confidential information is causing a detriment to your business. So you do have that option to obtain an injunction from the court, which would prevent them from continuing to use that that informational documents and also compelling them to return. The third thing that you can do is to apply to the court for damages. Now this can be done in conjunction with the injunction application or additional to that or as a separate thing. So if for example you send the cease and desist letter, the employee complies, so they return the documentation, they're given undertaking that they won't use it any further and that they don't have anything else remaining, then you may not need to obtain an injunction because they've agreed to comply. But you may find that the damage has already been done to your business or organization. And in that situation, you can apply to the courts for damages as a result of that employee's breach of confidentiality or theft of the data that they've taken. And this would be to compensate you for your financial loss and any harm to your reputation, for example. So in a fairly straightforward situation, if you find an employee, for example, has taken custom lists and has then started to work in competition, has contacted those customers who have in turn stopped using your services and have now started using the employee services or the employee's new employer services to your detriment, then you could obtain damages in relation to that potentially. So damages is an option that you can use in conjunction with an injunction, conjunction with an injunction, so alongside an injunction or as a separate thing. And the fourth thing is that you could of course report the incident as a criminal matter if the employee has stolen the data or documents. So you can report that to the police or the relevant authorities and the employee may be prosecuted under the computer misuse act or the theft act, for example. And of course, if personal data is involved, then you would need to report the breach to the Information Commissioner's office under your general duties under the data protection regulations anyway. Now in my experience, it's quite rare that the police do become involved in a situation where confidential information or company data has been taken, but it is certainly something that you could consider. And if you're an employee who's in a situation where you have taken confidential information or are contemplating doing so, then it's something that you should be aware of and it is a potential risk. So as an employer, there are a number of things that you can do in a situation where you find that that data has been taken or confidential information has been stolen by the employee. Now, of course, what we're doing here is reacting to something that's already happened, and this can be both time consuming and costly, both in terms of the legal cost, but also the potential for reputational risk in relation to the lost data, etc. So what you really want to do as an employer is to take steps to prevent this from happening. Now, of course, there's no full proof way of stopping it from happening. You know, in situations where employees have accessed information, documents and data, then they can, of course, find ways to take those. But there are some things you can do to help to prevent that and to protect your organization. So the first thing is to ensure that all employees have a confidentiality agreement in place. So this could be by way of a robust confidentiality clause in their employment contracts, which clearly defines what confidential information is and what their obligations are both during their employment, but also crucially, that extends beyond their employment ending, or alternatively, where it might be necessary where you have particular information or particularly highly sensitive information that you want to protect. You may require the employee to design a separate non-disclosure agreement, which explicitly prohibits them from sharing or misusing confidential information during or after their employment. Now, in the majority of cases, an NDA or non-disclosure agreement is not going to be needed, a confidentiality clause in their contract or a general confidentiality agreement will suffice. So it's only really in those very highly sensitive information situations where an NDA may be required. The second thing you can do is include non-compete and non-solicitation clauses in their employment contract. So these are post termination restrictions, which restrict employees from, for example, joining competitors or starting a competing business for a specified period of time. And you can also stop them from poaching your employees or clients or customers. And this, whilst it doesn't prevent them from taking confidential information, does help in relation to the competition and exploitation of any potential confidential information that they may obtain in the course of their employment. It's important in relation to post termination restrictions to make sure that they are enforceable and to do that they need to be drafted really well. So they need to be reasonable and applicable and relevant to that individual's employment. All too often, I see post termination restrictions that have been generally drafted, are overly restrictive and can't be enforced. But if you do take care in that preparation, get those clauses right, then you can use those when somebody leaves to protect your business. One thing you also need to ensure you're doing is making sure that any post termination restrictions, such as non-compete and non-solicitation clause it is, are relevant to that individual. So they need to be relevant based on their role and their length of service, etc. So what might be enforceable for a senior employee who is in perhaps in a role of trust and confidence where they have high levels of access to confidential information or customer data may not be relevant to a junior employee who's just started who doesn't have access to your customers, for example. So you need to tailor those clauses depending on the individual and review them when people's job roles change. That's another thing that people often forget to do in relation to post termination restrictions and thereby impact on their enforceability. Now the third thing you can do to try to protect your business is to limit the access people have to that sensitive information or documentation. So within your IT systems or however you're storing that data and information you could put in place sort of walls between departments or job roles so that everyone in the organization doesn't have access to everything and it's based on their individual job role or positioned in the company. And included with this you can also have some monitoring systems in place so that you track the access and use of confidential information. So this could be logging sensitive files or how they're accessed and who they're accessed by. And of course you can also employ an external company or internal IT department to undertake an audit to check regularly what's happening in relation to data stored on your systems, for example. The fourth thing you can do is to have good exit procedures in place. So that is to conduct thorough exit interviews reminding employees of their confidentiality obligations either verbally or in writing when you acknowledge their notice letter. All in both to be honest would be a good way of ensuring that everybody understands exactly what their confidentiality obligations are when they leave. You could also have a system of identifying potential risks with someone who's left. So assessing if they are high risk for taking documentation or maybe working in competition and poaching your customers or employees. And of course making sure that you obtain back from them all devices, laptops, etc. And ensuring that if they have any of their own personal devices that they might have been using for business purposes that those are wiped clean of any of your data before they leave. And again another thing that you can consider doing is as soon as somebody gives their notice you could revoke their access to your systems, to your email accounts and require them to maybe go on to guard and leave. It may be that you actually need someone to continue to work during their notice period in which case if they are a home worker then you could require them to work from the office during the notice period so that their access to your systems is limited to using your internal computer systems only and that may be one way of dealing with it. But it's about looking at the individual what the risks are and I'm having those good exit procedures in place. The fifth thing you can do is to provide regular training to people on data protection, on confidentiality and the importance of safeguarding company information. Now this is important not only for preventing them from taking information when they leave but also for safeguarding information during their employment of course. And of course highlight them the consequences if they do breach confidentiality and the impact that that could have on them individually. And then finally one thing that often is overlooked is in relation to having a policy in place that prevents employees from downloading documentation to their own devices and also emailing documentation to themselves. The way in which we've found that employees frequently do take documentation is that they email it to themselves from their company email to their personal email or they have things stored on their own hard drive of their own devices. If you have a policy in place which says that this is prohibited and then you you check and put in checks and balances in relation to that then that's a great way of preventing this from happening and if you do find out somebody is emailing themselves documentation or downloading in the course of their employment and they've been told it's prohibited then of course that could be dealt with as a disciplinary matter as well. So to summarize if you're an employer and you find that employees are leaving their employment and taking confidential information or documents when they leave there are things you can do to enforce them to either return the documentation or to stop using it and I would urge you to take action as soon as possible if you find out that has happened. There are also steps you can take to prevent this from happening and to safeguard your documentation and confidential information as I've outlined in the course of the podcast. If you are an employee then I would strongly recommend that you do not take confidential information documentation or anything else that belongs to your employer when you leave your employment and certainly you should not email things to your personal email nor download them to your own personal device and if you do and your employer finds out about it the consequences for you can be quite severe and could have a huge impact on you particularly if you are looking to move to a new employer and your new employer finds out about this it could impact on your new employment or your offer of employment as well. So if you are an employer or employee and find yourself in a situation where you are having trouble in relation to this issue then please don't hesitate to get in touch. Myself or one of the team would be happy to have a chat with you. We offer an initial free half an hour telephone call where we can go through things and give you some general advice and if you wanted to instruct us to assist you with any of these things then we can provide you with a fixed fee or a firm cost estimate in relation to the work that's required. Thanks so much for listening to this week's episode of the podcast. I hope that you've enjoyed it and it's really good to be back with the podcast and I'll be back again in two weeks time with the next episode for you. Thanks for listening and have a great week. Thanks again for listening. Just want to finalise by saying I wouldn't be a lawyer unless I had a legal disclaimer. So I must just say to you that the information in this podcast is for information only. It's general review and a general update. It's always necessary to get specific legal advice about your circumstances. So please don't rely on anything that you've heard in this podcast but please do feel free to contact me if you like further information or specific advice.
