Protecting confidential information paramount
NEW ZEALAND has traditionally had a good track record of keeping things confidential, and at transparency.org, overall, the country’s business ethics rate 9½ out of 10 on the corruption scale.
As we progress further into the digital age, however, we are seeing reports of breaches of privacy and confidentiality more often.
Recently, Work and Income, Immigration New Zealand, ACC and Novopay have been in the news for the wrong reasons, inadvertently releasing people’s sensitive information to others.
The Privacy Act 1993 protects personal information. The act has several principles which cover the collection, storage, use, distribution, transfer and protection of a person’s personal information that is collected by public or private organisations.
Failure to comply with the principles can result in fines and damages being awarded against the organisation that is in breach.
The act, however, doesn’t extend to company information in the hands of another. As such, when entering into arrangements with other parties, most companies require a confidentiality clause in their agreement or contract.
This prevents either party from disclosing the other’s confidential information. There is no act that the company is relying on, but rather contract law.
If both parties have agreed to the confidentiality clause, its terms can be enforced.
Once the clause has been included in the contract, if you are receiving confidential information, it’s up to you to put reasonable and adequate protection in place to ensure this information is protected.
This could be storing physical copies of documents within a locked filing cabinet or, if electronically held, using a protected device or network, where only authorised people have access.
Access needs to be restricted to those who have a need to know the information and are allowed, by the terms of the contract, to know the information.
Confidentiality agreements can also be used at the initial discussion phase of a relationship, before any formal contract is in place.
In terms of protection within an organisation, it’s useful to have in place proper confidentiality protections with staff.
These could be a confidentiality clause in employment agreements and/or a robust privacy and information protection policy.
This will ensure that staff know what is expected of them when handling sensitive information and the processes that should be followed.
Information security audits are also useful to test how the protection is working.
So, if despite all this, the worst happens and you suspect that information you hold has been leaked, what do you need to do?
The first step is to determine what information has been leaked, to whom and how it has happened.
Patching the source of the leak should be the next priority, to prevent further information loss.
Then you need to consider what obligations are owed to whom, whether that be under the Privacy Act or under a confidentiality agreement or both.
If it’s in breach of the Privacy Act, notifying the Privacy Commissioner can be a good way to minimise the negative reaction, rather than waiting for a complaint to be made against you.
In terms of confidentiality agreements, the specific requirements will depend on what has been agreed between the parties.
Overall, if you are collecting or holding sensitive information, you will have obligations to collect and deal with it properly.
It is good practice to ensure that your obligations are being complied with and that your confidential information is secure, so that you or your organisation do not end up in the headlines for the wrong reasons.
Dan Moore is a partner in Hamilton law firm Norris Ward McKinnon. Information in Your law should not be a substitute for legal advice.