Tight rules crucial for data privacy  
Stringent measures are needed to prevent leakage of confidential corporate information into the public domain, write Jennifer Van Dale and Bernard Ng.

Over the past few months, there have been several high-profile instances of workers losing sensitive documents or electronic devices with confidential information.

For example, in March this year a doctor at the United Christian Hospital lost her USB key containing patients' medical records. And, in June last year, a senior civil servant in Britain left top-secret antiterrorism papers on a train.

With more work being done outside the office and with advances in technology making information more portable and accessible, such scenarios are likely to recur. A mislaid BlackBerry, a forgotten laptop, and suddenly data assumed to be strictly private, or available to a limited circle on a need-to-know basis, is in the public domain.

Every time this happens, it highlights that information security is a big issue in the modern workplace. It also calls into question the actions or errors of the employee involved, the policies and practices of the employer, and the need for greater awareness about the risks of data being lost.

For this reason, it is important for all parties concerned to understand where their responsibilities lie.

Employers, in particular, should take the necessary steps to establish guidelines, instruct staff and conduct regular reviews of information security. In doing so, they must realise that a number of areas intersect and specific duties exist. Principally, these are:

Duty of confidentiality: A company is expected to maintain as confidential any information denoted as such, which is received from another person or entity. In turn, an employee is under a duty to keep confidential information he or she has been entrusted with in the course of employment. The scope of this duty varies depending on the contractual obligations between the parties, but it is always prudent for a company to set the obligations out clearly. For example, the contract of employment should define confidential information as precisely as possible, prohibit its use outside the performance of the employee's duties, and ensure the obligation to protect it continues even after the job ends.

Duty of care: No Hong Kong court has expressly considered this issue in any reported judgments. In other jurisdictions, though, courts have held that the standard of care an employee is expected to exercise over company property is the same standard that person would exercise over his or her personal property. There is no precise formulation and each case is assessed on its own facts. However, the standard required will be higher if the information is particularly sensitive, when, for example, a document contains commercially valuable data or details of a proposed buyout. Loss of company data through negligence or carelessness may be grounds for disciplinary action or dismissal. The right to discipline and the actual method used depend on the terms included in the contract of employment and any applicable policy. If the act of negligence is suitably serious, it may be grounds for summary dismissal, without notice or payment in lieu, under the Employment Ordinance.

Data privacy: If the information in question contains personal data supplied by individuals, the data privacy law imposes an extra requirement. In such cases, the employer has to take all practicable steps to ensure personal data is protected from unauthorised or accidental access, processing, erasure and other use. At present, there is no obligation to report any loss, but this is under review.

Professional obligations: The legal profession and others have an additional continuing obligation to maintain client confidentiality. Breach of these obligations or codes of conduct may have significant ramifications for the individual and the firm.

To safeguard their interests, employers should first check all their in-house policies. In particular, it is advisable to review information technology practices for the renewal of passwords, levels of authorisation and reporting requirements. There should be specific instructions spelling out responsibilities with regard to confidential information, its possible loss and the disciplinary consequences.  

It is also vital that these policies keep pace with technology, such as USB keys and PDAs - not just e-mail - in order to be useful and relevant.

To minimise the risk of data loss, it also pays to evaluate periodically how tasks are actually performed in the workplace. People may act on their own initiative to devise shortcuts, without necessarily realising that their actions potentially compromise security. A review of this type may lead to changing passwords more frequently, encrypting documents systematically, sharing data via remote access to a password-protected server, or limiting the use of storage devices such as USBs.

Imposing such additional measures may not be popular with all staff, but will help to minimise the risk of inadvertent loss and embarrassment for both employer and employees.

Jennifer Van Dale is a partner and Bernard Ng is a registered foreign lawyer (New South Wales) at Baker & McKenzie in Hong Kong