When information is given to third parties in confidence, it is necessary to ensure that it cannot be divulged to anyone else. Whilst the law provides some protection against this, it is often best to enter into a written non-disclosure agreement (NDA). This is the best way of ensuring that information is disclosed in circumstances imposing an obligation of confidence. It avoids any question of whether the recipient was on notice that the information was being disclosed in confidence, and a contractual obligation is also easier to enforce than a claim under general law.
An NDA can be either mutual (where both parties disclose information to each other) or one-way (where only one of the parties discloses information).
NDAs are typically used to protect information that is disclosed in the course of commercial discussions concerning a possible business transaction or collaboration.
An NDA should always contain the following key provisions:
- A definition of confidential information. This should be broad enough to cover any information belonging to the disclosing party that is received by the receiving party, whether or not that information was deliberately disclosed by the disclosing party, and any works derived from the confidential information
- A description of the circumstances in which information ceases to be protected, i.e. when it stops being truly confidential
- An obligation to keep the information secret and confidential
- Any restrictions on, or obligations with respect to, the reproduction or storage of confidential information
- The uses to which the information can be put by the receiving party
- The circumstances in which, and persons to whom, the receiving party is permitted to disclose the information (with exceptions for disclosures required by law and regulation). Disclosures to employees and advisers are usually permitted. Disclosing parties may ask that all employees and advisers who receive the confidential information sign a separate confidentiality agreement or, failing that, the receiving party will usually be required to take responsibility for breaches of confidentiality by its employees or advisers
- Provision, subject to any legal or regulatory requirement to retain certain records containing confidential information, for the return or destruction of the confidential information in certain circumstances (e.g. if confidential information was disclosed in the course of discussions about a possible business transaction and that transaction does not proceed), or, in some cases, on demand
- The duration of the agreement. A realistic assessment should be made, by reference to the type of information being protected, of the period for which the information is likely to remain truly confidential and therefore commercially valuable
Management of confidential information
Practical measures to establish and maintain confidentiality might include:
- Restricting access to confidential information, so that information is disclosed on a need-to-know basis
- Marking documents as confidential where appropriate
- Restricting access to areas where confidential processes are carried out, or developments are made
- Keeping a contemporaneous written record of developments, and records showing which projects each employee or consultant has worked on
- Staggering disclosure when making disclosures in the context of negotiations, i.e. not disclosing everything at once
- Including clear and appropriate confidentiality provisions in employee contracts and having and implementing policies for know-how and data protection
- Giving employees practical guidance about keeping information confidential
- Having appropriate physical and electronic security and auditing security procedures regularly
- Ensuring that departing employees and consultants are aware of their continuing obligations of confidentiality and that they have returned all property and information belonging to the business