Key players regularly move around, whether to further careers, branch out or set up a business in parallel to their former employer. In this situation, the obvious question is how can aesthetic clinics protect their confidential information and prevent it from walking out the door with a departing employee?
Information is protected by confidentiality
There are three general categories of confidential information: general skills and knowledge; confidential information (such as patient lists, financial information and marketing strategies); and trade secrets, which include commercially valuable secrets that give an owner a competitive advantage.
During employment, employees have an implied duty to keep all this information confidential. However, once they have left, the picture is different, and employers will be more at risk of misuse of their confidential information and data. Although employees are still subject to an implied duty to keep trade secrets confidential, without specific and robust post-termination confidentiality terms in the employment contract, wider valuable information is at risk of being passed to a competitor.
Practical steps
There are four practical steps that can be taken to protect confidential information.
Identify
Clinics should pinpoint the confidential information that it owns. This may include intellectual property, such as marketing information and its brand, or it may be as simple as a list of patient names and contact numbers. Once identified, that information should be appropriately labelled with ‘confidential’ or ‘not to be disclosed externally’, securely stored and handled accordingly.
Individuals with access to confidential information should be documented. Not everyone in a clinic needs access to confidential information to do their job. For example, administrative staff may require access to patient contact details, but not to other databases. Similarly, some may need to know sourcing arrangements, but not the details of the clinic's overall supply chain. Understanding which employees have access to this information will be useful when it comes to justifying the employment contract protections that need to be put in place.
Protect
Once the important information is identified, as well as the individuals who can access it, employers can use contracts and policies to ensure that there is a legal disincentive against information and intellectual property being poached.
The first layer of business protection will come in the form of bespoke confidentiality clauses incorporated into employment contracts. These should be specifically tailored to information that is relevant to the clinic and tightly drafted to capture only that information it can lawfully protect.
Recent cases have shown that trying to restrict an employee from disclosing generic information ‘relating to the business, products, affairs and finances’ of a business is unlikely to be enforced by the courts.
In addition to confidentiality clauses, well-drafted appropriate restrictive covenants can also effectively protect confidential information. In particular, an enforceable non-compete restriction can prevent an employee from joining a competitor for a specified period of time (generally no longer than 12 months) after their employment ends. Similarly, non-solicitation and non-dealing restrictions may prevent them from contacting and/or working with any patients or suppliers for a limited period.
» To avoid falling into any disputes, it is recommended that clinics are cautious with the wording of job adverts and the conducting of interviews, so as not to encourage new recruits to bring along and disclose confidential information from their old employer «
However, more is not necessarily better. Restrictions will only be enforceable if they operate in a way that is no wider than necessary to protect legitimate interests, as well as goodwill and the stability of the workforce. This can also include trade secrets and confidential information.
The same principles apply when drafting clauses in a settlement agreement where an employee is exiting the business. Given that settlement agreements are often drawn up under contentious circumstances, it is particularly important that the employer focuses their mind on the confidential information that they are seeking to protect.
The agreement may need to ensure a specific payment is made in return for new confidentiality restrictions. This will protect the tax treatment of any separate compensation payments and may assist with enforcement. Similarly, employers should put in place a confidentiality policy that highlights expectations about confidentiality; the types of confidential information existing within the business; and ways to keep such confidential information secure.
For a policy to be effective, it must be read and understood by the workforce, so there is little to be gained from hiding a confidentiality policy deep in a handbook—it must be clearly visible and publicised to all employees and should be read alongside other relevant policies, such as IT security and data protection.
Train
In addition to the legal documents that may be deployed, training should also be provided as a further means of reducing risk. This will help employees to identify the confidential information they may be working with or have access to; understand how to keep that information confidential; and raise awareness of their contractual obligations, both during employment and after leaving the business.
Training is more important than ever now that so many employees have been regularly working from home and may continue to do so through hybrid working arrangements. It is likely to be beneficial to run refresher training sessions that highlight any additional measures and reiterate the importance of protecting confidential information, no matter the location that an employee is working from.
Monitor
Employers should consider how they can monitor their IT systems to pick up any data and confidentiality breaches promptly. Given the growth of hybrid working, employers may now be more vulnerable to the loss of confidential information, as remote working makes it more difficult to ensure data security.
It is possible to monitor the use of confidential information with software that can alert instantly to suspicious behaviour, such as large downloads, emails to personal accounts or voluminous printing.
However, there are various legal restrictions—not least the GDPR—that put employers at risk of overstepping the mark. They will need to ensure that any monitoring is proportionate to the legitimate interest that they are seeking to protect, namely the confidentiality of business information. They would also need to keep employees well informed about the type of monitoring the clinic is likely to perform by means of data privacy notices and other documents.
Post-employment checks can be performed on business devices returned by a departing employee to ensure that confidential information has not been suspiciously downloaded or emailed externally. Employers may also wish to keep a close eye on former employees’ activity elsewhere to spot any early signs of a breach of restrictive covenants or leaks of confidential information to a competitor. This may prompt enforcement action, such as an injunction.
As the hiring employer
The key attraction of any recruit is often their previous experience, sometimes with a competitor, and their depth of knowledge. However, incoming employees may have accessed a large amount of confidential information of their former employer, which will usually be the subject of restrictions. New employers may find themselves subject to duties of confidentiality that prevent them from using it in a useful way for their business, even if it is of a great commercial benefit to them.
A recent case involving Trailfinders (2021) provides a clear warning to businesses that receive information from a competitor, even where they are not aware that the information is necessarily confidential. In this instance, 40 sales consultants at Trailfinders left to join a competitor that encouraged them to bring their customer contact lists; the consultants were not warned that this might lead to a breach of confidence.
The Court of Appeal held that the competitor was in breach of an obligation of confidence. Although it was not explicitly made aware that the information was confidential, it ought reasonably to have known that it was or, if unsure, it should have made enquiries as to whether it was.
To avoid falling into any disputes, it is recommended that clinics are cautious with the wording of job adverts and the conducting of interviews, so as not to encourage new recruits to bring along and disclose confidential information from their old employer. This may be seen as an inducement for an employee to breach their employment contract and could result in a claim against the recruiting firm for any resulting losses.
Also, incoming employees should confirm whether they have any restrictions in their previous employment contract that will impact their new role. Similarly, employees should be discouraged from using or disclosing any information that has come from their former employer without its consent—turning a blind eye does not remove the risk.
Lastly, if information is disclosed to the clinic, it should consider whether it might be confidential. If it is clearly the type of information that any business would consider to be confidential, then it should not be used.
In summary
Confidential information is, by its very nature, valuable, and clinics should take great care to protect it against loss and misuse. Similarly, employers should ensure that they are not put in a position where they might be accused of abusing another's protected information.