What is a breach of confidentiality?
Even in today’s sharing culture, some things are best kept private... especially sensitive and personal client information. Protecting confidentiality in the workplace is vital if you want to build trust and maintain professional working relationships. But are you clear on what a breach of confidentiality is and how to stop it from happening?
What’s considered confidential information in a business?
All kinds of information can be considered confidential in a business, from information about employees, customers and suppliers to intellectual property, financial and legal information. What’s considered confidential can also vary between businesses, so what’s confidential in one business may be boasted about by another. On top of that, there are specific rules under the GDPR governing particular types of information about individuals and how it needs to be protected.
To make sure you understand how you need to deal with data protection and how to handle confidential information, the best place to start is the Information Commissioner’s Office (ICO).
How is breach of confidentiality defined?
According to the Law Dictionary, a breach of confidentiality is ‘the failure to hold quiet all information that is confidential’.
In a workplace situation, it means that commercially confidential data or personal information held by you has been made known to someone else without the owner’s consent. While most confidentiality breaches are accidental, data can also sometimes be stolen or leaked on purpose by an aggrieved employee.
Whichever way a breach of confidentiality occurs, it can be costly. If one of your clients is affected, they could be entitled to take legal action against you to recoup financial losses they may have suffered because of your mistake.
How common are breaches of confidentiality and what financial consequences could result from a breach?
Almost half of businesses (46%) suffered a cyber security breach or attack in the year to March 2020, with firms that hold personal data most likely to experience great harm due to the legislation that governs breaches of personal data and the potential financial implications.
This makes it all the more pressing to be aware of what a breach of confidentiality is (it could also be a personal data breach), how it can happen and the ways you can protect your business and clients.
The Information Commissioner can also fine businesses for breaching GDPR rules if the breach of confidential information contained personal data and the recipient of the information was not authorised to receive it. The maximum amount is £17.5 million, or 4% of the total annual worldwide turnover in the preceding financial year, whichever is higher.
What counts as personal data?
Personal data has a legal meaning in this context – essentially, it is information that relates to an identified or identifiable individual. For example, if a flower seller’s customer data was breached, it could involve a list of florists’ business names and addresses or a list of private customers with names, addresses and significant dates. The former would be customer data, the latter personal data. The best way to fully understand what it means is to check the ICO’s guidance about personal data.
If you have a personal data breach that is ‘likely to result in a high risk to the rights and freedoms of individuals’, the UK GDPR says you must inform those concerned directly and as soon as possible.
Likewise, when a personal data breach has occurred, you need to establish the likelihood of the ‘risk to people’s rights and freedoms’. If a risk is likely, you must notify the ICO within 72 hours of you becoming aware of it. If a risk is unlikely, you don’t have to report it. However, if you decide you don’t need to report the breach, you need to be able to justify this decision, so you should document it.
So what does the ICO mean when it talks about risk to rights and freedoms here? The ICO is talking about the potential negative implications a breach could have for the individuals concerned, which could include emotional distress, and physical and material damage, such as identity theft or fraud, financial loss, damage to reputation and discrimination or other disadvantages.
A personal data breach can also be much more than just losing personal data. It also means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
Why is client confidentiality important?
For many types of business, protecting confidential information is essential for maintaining client relationships, trust and professional reputation.
A slip-up could leave your business open to commercially sensitive information being leaked or trade secrets being stolen. You have both a professional and moral responsibility to prevent this from happening.
A confidentiality breach could not only lead to legal action against you, but also damage your brand and hamper your efforts to win new business. And you can also potentially face a fine from the Information Commissioner as mentioned earlier.
Breach of confidentiality examples
It depends what type of business you run, but confidentiality could be breached if:
- you have a laptop stolen that contains sensitive client information like names, addresses and credit card information
- you accidentally email a confidential attachment containing a client’s future business plans to a competitor
- you discuss confidential business matters in a cafe or other public place where you could be overheard
- you leave a briefcase on a train that contains designs for a new product about to launch
- your business is the victim of a cyber attack in which confidential data is stolen
Breaches of confidentiality cost UK businesses millions of pounds every year. The overall impact of customer data loss from cyber attacks is estimated to be somewhere between £960 million and £1.44 billion a year, according to the Cabinet Office.
And it’s not only big companies that need to be on their guard against confidentiality breaches. Smaller businesses and the self-employed, depending on the nature of their business, can fall victim to them too.
How to deal with a breach of confidentiality
Breaches can happen to anyone, no matter how careful you are. Seek advice from suitable legal and IT professionals, try to contain or recover the lost information, and identify any risks and responsibilities resulting from the breach.
The consequences of breaching client confidentiality can vary. Sometimes an apology can be enough for a client if little harm was done. But if they’ve suffered financial or reputational loss, legal action may follow.
How to prevent a breach of confidentiality
It’s important to have policies and procedures in place to help protect against confidentiality breaches, so employees are clear on what they can and can’t do. Take these steps to minimise the risks:
- Draw up data protection rules to make sure the information is kept secure, accurate and up to date, including a policy that sets out what employees need to do if they become aware of a personal data breach. Make sure you’re compliant with GDPR.
- Consider a non-disclosure agreement (NDA). This is a legal contract you can use with third parties to protect intellectual property, product information and trade secrets. You could also consider making sure your employment contracts have robust confidentiality obligations for your staff.
- Train all staff in security processes. These can include locking computer screens when they’re away from their desks, not taking private company data out of the office and disposing of confidential information securely
- Use strong passwords and make sure IT equipment and important files have sufficient information security controls including being password-protected. Follow the National Cyber Security Centre’s guidance on passwords
- Limit employee access to data and shared emails, and encrypt sensitive information
- Avoid storing information for longer than necessary, and make sure computers have security software installed
- Always check with clients before you share potentially sensitive information if you are unsure if you are permitted to do so
What insurance do I need to protect my business?
While having business insurance in place can’t prevent breaches of confidentiality from happening, it can help to protect you if they land you in hot water.
Professional indemnity insurance
If you handle clients’ confidential information, think about taking out professional indemnity insurance. This type of business insurance is designed to protect your business if a client sues you for a mistake you’ve made – including confidentiality breaches. It can help cover the cost of legal fees and any compensation payout awarded because of the claim.
Cyber insurance
A cyber-attack can cause a confidentiality breach and a data breach and lead to customer details as well as confidential information getting into the wrong hands. Cyber insurance can protect your business from digital threats. We currently don’t offer cyber cover. Policies vary, but expect it to cover the cost of investigating the source of the data breach, recovering lost data and fixing any problems caused by the breach.
Mubina Pirmohamed - Business and landlord insurance expert
With almost 15 years’ experience in the insurance industry, Mubina is an expert from one end of the business to the other: from leading the introduction of new products, marketing them and innovating them, all the way to handling claims with customers. At some point in her career, she’s done it all.