Confidentiality protection in IT

Over the past several years, information has become vitally important. Information is stored, disclosed, sold, and bought, often unlawfully and without the consent of those who are affected. More often than not, the disclosure of information leads to political and social upheaval (as in the case of the Edward Snowden and Julian Assange actions or the Cambridge Analytica scandal).

Information is important not only for large corporations but also for small entrepreneurs, who do not want information about their business disclosed to the public or passed on to any third party, especially their competitors. Confidential information and the rules for handling it are especially important in the IT sector, because numerous entrepreneurs use the services of IT entities, for example to create a customized application dedicated to the entrepreneur's services, to design a website, or to install and operate IT systems on the company's premises. As a result, IT specialists often come across other businesses' confidential information during their work. It is therefore pivotal to secure the client's confidential data; any failure in this area can result in a total loss of credibility, severe penalties, and exclusion from the market.

But what exactly is confidential information?

The definition of confidential information

Polish law does not define the term "confidential information" (such a definition used to be included in the Act on trading financial instruments, but that definition was tailored for the purposes of that particular legal act). In business practice, companies use the concept of company secrecy to define confidential information.

According to Article 11 Act 2 of the Law on Combating Unfair Competition, a company secret is understood as technical, technological, or organizational information of an enterprise, or other economically valuable information, that as a whole or in a specific combination is not generally known to individuals who habitually deal with this type of information or is not easily accessible to such individuals, provided that the person authorized to use or handle such information has taken, with due diligence, measures to keep it confidential.

Accordingly, confidential information in contracts is commonly defined as information, documents, or other materials passed to the other party to the contract which, if shared with unauthorized parties, would result in the disclosure of company secrets. However, it is up to the contracting parties to clarify what they consider confidential information to be.

Protection from the unlawful disclosure of confidential information

The contract plays the main role when it comes to protecting confidential information. Contractual provisions regarding such information can be found directly in the contract that regulates the core relationship between the parties (for example, in a B2B agreement between a software developer and a software house), but also in a separate agreement, called a non-disclosure agreement (NDA).

Generally, in such contracts, the stronger party includes plenty of provisions that establish obligations the weaker party must comply with under the threat of a contractual penalty, most often a significant one. What is relevant is that the obligation to keep confidential information secret can be imposed for an indefinite period. However, when formulating the duration of this obligation, one should take care to ensure that the other party to the contract cannot easily terminate it.

The rules mentioned above are characteristic of B2B contracts. But what about the employment relationship?

In an employment relationship, the secrecy obligation is automatically imposed because, according to the Labor Code, an employee is obliged not to share confidential information, the disclosure of which could expose the employer to harm, and to comply with the secrecy obligations specified in separate regulations (Article 100 § 2, points 4 and 5 of the Labor Code).

Does this mean that a separate NDA cannot be concluded? Not at all. An NDA can be concluded freely, because it will simply specify the employee's confidentiality obligations. However, it should be remembered that the employee is subject to special protection, so no provision of such an agreement can be less favorable to them than the provisions of the Labor Code.

Sanctions

There are various sanctions for violation of confidentiality in relation to company secrets:

  • It is already apparent from the Act on Combating Unfair Competition that "it is an act of unfair competition to disclose, use or obtain someone else's information that constitutes a business secret". Individuals (entities) who have been specifically or under certain circumstances obliged to keep the information in confidence, or who know that they have such information without the consent of the authorized party, fall within the scope of this provision. What are the risks in case of committing an act of unfair competition? According to this law, an entrepreneur whose interest has been threatened or violated may demand the cessation of the forbidden actions, the removal of the effects of such forbidden actions, compensation for the damage caused, but also the payment of compensation of no less than the fees which at the would be due for the granting by the authorized entity of permission to use the information for a time not longer than until the end of the secrecy period, after meeting the conditions indicated in the law;
  • contractual sanctions - as mentioned earlier, the parties may mutually oblige each other to keep confidential information secret under the threat of a contractual penalty. The contractual penalty may be set at any amount, although during proceedings for payment of the penalty the obligated party may request the court to reduce it when it is disproportionately high. Also, keep in mind that the possibility of imposing contractual penalties is far more limited in relation to employees;
  • Labor Code sanctions - stipulated for the employee. If an employee violates his employment obligations, the employer has the right to initiate the procedure for punishing the employee, including terminating the contract without notice due to a serious violation of basic employment obligations (for example, when discretion is "inscribed" in the nature of the job position), but can also demand compensation from the employee within the limits of the Labor Code;
  • penal sanctions - disclosure of confidential information is a crime. According to Article 266 par. 1 of the Criminal Code, "whoever, disregarding the provisions of the law or in violation of an undertaken obligation, discloses or uses information with which they came in contact in connection with their profession, work, public, social, economic or scientific activity, shall be subject to a fine, restriction of freedom or imprisonment for up to 2 years."

In addition, according to Article 23 of the Law on Combating Unfair Competition, whoever discloses to another person or uses in their business activity information that constitutes another enterprise's secret shall be subject to a fine, the penalty of restriction of freedom, or the penalty of imprisonment for up to 2 years if it causes severe damage to the harmed enterprise. The same penalty shall be imposed on anyone who, after having unlawfully acquired information that constitutes a business secret, discloses it to another person or uses it in their business activity.

This leads to the conclusion that the protection of confidential information is a key issue for almost every IT entrepreneur. For this protection to be effective, an enterprise should implement a number of security mechanisms, not only of a technical nature (at which the IT industry is often best) but also of an organizational nature (in which we sometimes see notable deficiencies).



Publication date: 12.08.2021.


Borek Doliński Radcowie Prawni spółka jawna
