The early Twitter reveal of the Great British Bake Off winner by judge Prue Leith was a highly public example of an employee breaching employer confidentiality. Baking shows are not the only high-profile example of this, with a number of Strictly Come Dancing contestants also ruining the weekly results due to the filming schedule.
Although such breaches are likely to occur on a lower scale in most workplaces, how can employers combat them?
A breach of confidentiality will take place where an employee discloses information to another individual without the consent of the person who owns that data, e.g. the employer. This breach could take place by releasing confidential information online, sending information to the wrong email recipient or losing information stored on a device.
Before taking any formal action, it is essential to carry out a full investigation into the circumstances of the breach. The investigation should be carried out in a timely manner and should be used to gather as much information as possible, including interviewing other employees, collecting witness statements and other documentary evidence. In some cases, depending on the severity of the breach or the risk of a further breach, the employer may suspend the employee on full pay for the duration of the investigation. Suspension should not be the default position, however, and the employer must consider whether the employee can be moved to an alternative role, away from confidential data, before taking this step.
The investigation will determine whether a formal disciplinary meeting is necessary. Where the employee has made a genuine mistake, such as an unintentional leak of information, it may be deemed that an informal letter of concern is appropriate in these circumstances. This letter can remind the employee of the rules around confidentiality and inform them that any further incidents will lead to formal action.
Where the investigation uncovers an intentional breach, formal action should be taken under the normal company rules and procedures. A formal disciplinary meeting should be held with the employee where they are given the opportunity to respond to the allegations. Once the employee has put forward their defence, the employer can decide what disciplinary sanction to impose. A substantial and deliberate breach of confidentiality could be classed as gross misconduct, entitling the employer to dismiss the employee without notice. In most cases, a formal warning will be sufficient.
Taking proactive steps to reduce the risk
All employers should have a confidentiality policy, internet and email policy and a social media policy in place to outline the rules around confidential data and the disclosure of this. These policies should inform staff of their obligation to keep data safe, how to avoid a breach of confidentiality and the potential consequences of a breach.
As well as outlining the rules, employers should train employees on an ongoing basis about the correct handling and processing of data. This will become even more important once the General Data Protection Regulation (GDPR) comes into force in 2018, as the potential penalties for a data breach are significantly increased under this regulation.