Having a solid confidentiality policy can protect your business from liability as well as protect your proprietary information. Thus, all employers should have a policy which governs the confidentiality of personnel information (social security numbers, medical information, etc.) management information (investigations, employee discipline, etc.) and business information (financial information, customer information, proprietary information, etc.)
A solid basic confidentiality policy will include the following: a definition of what information is considered “confidential;” a description of what employees must do to protect the information (how it is to be communicated, stored and/or destroyed); and an explanation of what happens to an employee if there is a breach of the expectation of confidentiality. Drafting a lawful confidentiality policy is tricky because the National Labor Relations Board (“NLRB”) has been closely scrutinizing confidentiality provisions of employee handbooks in recent years. More specifically, the NLRB has been hypercritical of any policies from which the inference could be drawn that employees are not permitted to discuss terms and conditions of employment such as wages, hours, or workplace complaints (aka engaging in “Section 7” activities). The NLRB has instructed that even if a policy does not explicitly prohibit Section 7 activities, it may still be found unlawful if: 1) employees would reasonably construe the policy’s language to prohibit Section 7 activity; 2) the policy was promulgated in response to union or other Section 7 activity; or 3) the policy was actually applied to restrict the exercise of Section 7 rights. This includes policies where confidentiality broadly extends to “employee” or “personnel” information without further clarification.
Because navigating the NLRB’s guidance on confidentiality policies is a difficult task, it is critical such policies be drafted or reviewed by an employment lawyer or human resource professional who has been following the Board law on this topic and who is able to help you navigate potential landmines. Finally, it is not enough to have a confidentiality policy; prudent employers will also train their employees on such policies so that expectations and consequences are clear.