Managing a breach of confidentiality or information security

The following Information Law practice note provides comprehensive and up-to-date legal information covering:

  • Managing a breach of confidentiality or information security
  • Suggested steps to take following breach of confidentiality

Many companies and government bodies (such as HMRC) have been exposed to loss of confidential information, and many other breaches of confidentiality occur but are not widely reported because of the damage that reporting may cause to a company’s reputation.

Confidentiality obligations may be implied (eg via the duty of good faith (also known as fidelity) implied into employment contracts), express (eg via a confidentiality agreement) or imposed by regulation and statute (eg duties of client confidentiality imposed on financial services and health professionals).

A breach of confidentiality may therefore breach a number of overlapping legal obligations. This Practice Note supplements related Practice Note: Managing personal data breaches, which reflects guidance issued by the UK data protection regulator, the Information Commissioner’s Office, specifically concerning the loss of ‘personal data’ under the data protection regime, which may or may not also be confidential.

When a breach of confidentiality occurs, urgent action to manage both legal and reputational risks is likely to be necessary. This Practice Note sets out practical action steps to take to:

  1. prevent the further spread/loss of confidential information

  2. recover lost information if possible

  3. identify risks and liabilities arising from the breach

  4. notify relevant parties of the breach where appropriate, and

  5. prevent future breaches

Suggested steps to take following breach of confidentiality

Issue | Action
1. Prevent the further spread/loss of confidential information | Convene
