Managing a breach of confidentiality or information security


Many companies and government bodies (such as HMRC) have been exposed to the loss of confidential information. Many other breaches of confidentiality also occur but are not widely reported, because of the damage that reporting might do to a company's reputation.

Confidentiality obligations may be implied (eg via the duty of good faith (also known as fidelity) implied into employment contracts), express (eg via a confidentiality agreement) or imposed by regulation and statute (eg duties of client confidentiality imposed on financial services and health professionals).

A breach of confidentiality may therefore breach a number of overlapping legal obligations. This Practice Note supplements related note GDPR compliance—managing personal data breaches, which reflects guidance issued by the UK data protection regulator, the Information Commissioner's Office, specifically concerning the loss of 'personal data' under the data protection regime, which may or may not also be confidential.

When a breach of confidentiality occurs, urgent action to manage both legal and reputational risks is likely to be necessary. This Practice Note sets out practical action steps to take to:

  1. prevent the further spread/loss of confidential information

  2. recover lost information if possible

  3. identify risks and liabilities arising from the breach

  4. notify relevant parties of the breach where appropriate, and

  5. prevent future breaches

Suggested actions

Steps to take following breach of confidentiality