Confidential information is by its nature valuable, and pharmacies should take great care to protect it against loss and misuse.

Aron Pope, a partner in City law firm Fox Williams, says there are three categories of confidential information – general skill and knowledge; confidential information such as supplier lists, financial information and marketing strategies, and trade secrets including commercially valuable secrets that give the owner a competitive advantage.

He says that employees have an implied duty to keep this information confidential. However, once they have left, the picture is different, and although employees are still subject to an implied duty to keep trade secrets confidential, “without specific and robust post-termination confidentiality terms in the employment contract, valuable information could be passed to a competitor.”

Mr Pope says there are four steps that can be taken to protect what is considered confidential. The first is to pinpoint your confidential information. This may include intellectual property, databases or spreadsheets, or simple lists of supplier details. Once identified, this should be “appropriately labelled with ‘confidential’ or ‘not to be disclosed externally’, securely stored, and handled accordingly.” Individuals with access to confidential information should be documented, as this will help when it comes to justifying employment contract protections that need to be put in place.

Next, employers should use contracts and policies to ensure there is a legal disincentive against information and intellectual property being poached.

Mr Pope says bespoke confidentiality clauses should be incorporated into employment contracts. These “should be specifically tailored to information which is relevant to the business and tightly drafted to capture only that which the business can lawfully protect”.

As well as confidentiality clauses, he points to well-drafted appropriate restrictive covenants: “An enforceable non-compete restriction can prevent an employee from joining a competing business for a specified period after their employment ends. Similarly, non-solicitation and non-dealing restrictions may prevent them from contacting and/or working with any key clients or suppliers for a limited period.”

Restrictions will only be enforceable if they are necessary to protect a business’ legitimate interests as well as goodwill and the stability of the workforce. 

The same principles apply when drafting clauses in a settlement agreement when an employee is leaving. Mr Pope says the agreement may need to ensure a specific payment is made in return for new confidentiality restrictions which “will protect the tax treatment of any separate compensation payments and may assist with enforcement.”

Similarly, employers should put in place a confidentiality policy that highlights the business’ expectations; the types of confidential information within the business; and ways to keep it secure. For it to be effective, he warns that it must be read and understood by the workforce.

Training should be also provided as a means of reducing risk. This will help employees identify confidential information; understand how to keep it confidential, and raise awareness of contractual obligations both during employment and after leaving the business.

Monitoring for abuse 

It is possible to monitor the use of confidential information with software that alerts instantly to suspicious behaviour, such as large downloads, emails to personal accounts or voluminous printing. 

Given the growth of hybrid working, employers may now be more vulnerable to the loss of confidential information as remote working makes it more difficult to ensure data security, says Mr Pope. However, he cautions: “There are various legal restrictions – including GDPR – which put employers at risk of overstepping the mark. They will need to ensure that any monitoring is proportionate to the legitimate interest that they are seeking to protect.” 

He also says employers need to keep employees well informed about any monitoring that’s put in place via data privacy notices and other documents.

Lastly, post-employment, checks can be performed on company devices returned by a departing employee to ensure that confidential information has not been suspiciously downloaded or emailed externally.