Article

Practical steps for protecting confidential information when employees leave

5th June 2024

Photo of someone typing on a keyboard

Your employees have access to valuable confidential information relating to your business, including customer lists, supplier information and financial data. That information is what sets your business apart, and where your employee leaves to work for a competitor, or set up their own business, they may be tempted to take a short cut to success by using your information. This could cause real damage to your business.

This is particularly true for healthcare businesses of all kinds, as the confidential information held in these organisations is – some might argue – even more personal than banking and financial information: medical records.

These intimate details held on records across healthcare organisations are entrusted by customers or clients to medical practitioners with the not unreasonable expectation that they will be kept confidential. Therefore, it is vital that potential for data breaches is minimised.

In view of this, here are some key steps you can take to minimize the risk of employees misusing your confidential information.

  • Although there is an implied duty of confidentiality for all employees, that offers limited protection when they leave, you should ensure that you have confidentiality terms in your employment contracts. You can create stronger and clearer express obligations in a legally binding contract which last after the employment has ended. To avoid doubt, ensure that the contract is signed by the employee and is clear as to what constitutes confidential information.
  • Have a clear policy on data protection and confidentiality in your employee handbook and provide training on what confidential information is and why it should be protected. The training should explain the consequences of unlawful disclosure and use confidential information, both for the business and for the individual.
  • Adopt a “need to know” system. Employees should only have access to the confidential information which they need to do their jobs. Carry out regular audits to ensure information is only available to those who need to know.
  • Keep data secure. Use protection such as encryption, passwords and two-factor authentication to control – and crucially, turn off – access to confidential information.
  • Keep an eye on what your employees are doing. We have seen cases where employees have emailed databases of confidential information from their work accounts to their personal email accounts. Monitor email traffic and other access – such as USB sticks – and investigate any suspicious activity, especially when an employee has given notice to leave. When an employee has left, make sure their account remains active for investigation – for example, what can be found in their deleted emails?
  • Consider gardening leave. If there is provision in your contract, placing an employee who has given notice on gardening leave is a good way to ensure that they have no reason, or opportunity, to access confidential information. This won’t always be suitable, but you will need to judge on a case-by-case basis.
  • Make the most of exit interviews. This is your chance to remind your employees face to face of their obligations regarding confidential information. The employee may also mention something which suggests there is a risk and can trigger an investigation.
  • Collect company property. Most employees will have a company laptop and phone, and may also have documents on CDs or USB sticks as well as hard copy paperwork. Make sure this is all given back before the employee leaves.
  • If you are suspicious or have evidence that the employee has taken confidential information, move quickly. Carry out as detailed an investigation as you can and gather, collate and preserve evidence. Sometimes you may want to engage an external IT specialist contractor to help with this process.
  • Speak to your lawyers as soon as possible. If you believe that your employees have taken confidential information, you may be able to take action to recover it and stop it being used, which may include seeking an urgent court order called an injunction against the employee. However, if there is a delay in instructing your solicitors, it may be too late.

Where in a bank or shop, customers entrust their card or bank details to the proprietor, in a healthcare organisation, customers and clients pass on sensitive details which are not expected to go any further than the organisation or their practitioner. Keeping confidential information protected when employees leave is essential to maintaining your reputation both with clients and other businesses.